What is cyber warfare? This is a term that has been inaccurately used to describe cyber-attacks against companies. While we have seen several cybersecurity-related events that have had dire consequences against their targets, very few of them should be called an act of cyber warfare.
Take Newt Gingrich for example. Gingrich wrote an article for CNN back in December where he talks about the Sony Breach. Gingrich describes the events pertaining to the Sony breach pretty accurately and with a touch of prideful patriotism.
“This was a deliberate assault on sovereign American soil against an American company, costing it millions of dollars in direct damages and hundreds of millions in reputational damages while blocking most of its employees from using their internal systems to get routine work done”
Gingrich does a good job explaining what happened at Sony. What Gingrich goes on to say next, however, is where he gets it wrong.
Pure cyber warfare
“This attack is pure cyber warfare.”
Pure cyber warfare? No one is going to deny that the cyber-attack at Sony Pictures left the company in bad shape. But should this attack really be considered an act of war?
“Cyber warfare is often used as a catchall term that does not explain cyber attacks in general, just as the term cyber-attack has come into common usage, but should not be confused with an armed attack activating the law of war,” said Scott Shackelford, Fellow at the Center for Applied Cybersecurity Research. “In other words, the vast majority of cyber attacks – on the order of 99.9% – are not acts of war. That is not to say that these aren’t serious, but rather that they are more accurately described as cybercrime, espionage, etc.”
James Phelps Ph.D., Angelo State University, agreed with Shackelford and gives his definition of cyber warfare.
“Warfare, because it is conducted by nation states, implies that it is a component of conventional aggression towards other nation states. Therefore, for something to be called cyber warfare it must be carried out not with intent of blackmail, but with the intent of causing direct harm to another nation-state or military’s cyberinfrastructure. By harm, not just stealing information, but destructive harm. … Everything else falls under espionage. When you hack and steal somebody’s F-35 aircraft drawings, that’s espionage; that is not cyberwar.”
Targets Involved In Cyber Warfare
Here is an example of a real cyber threat that could have been considered an act of cyber warfare. In early 2014, a Chinese cybercriminal known as “Ugly Gorilla” posed a severe threat to our nation.
“Earlier this year, the FBI released information on Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States,” said Michael Assante, Director of Industrial Control Systems for Sans Institute, in a Forbes article issued November 2014. “While the FBI suspects this was a scouting mission, Ugly Gorilla gained the cyber keys necessary for access to systems that regulate the flow of natural gas.”
Imagine what someone could do to the United States if they had access to our natural gas operations. Phelps says there is another target that is even more valuable to our enemies.
“Within the United States, the single largest and most vulnerable to the significant impact that would affect the overall nation’s ability to fight in the event of cyber war is going to be the power system, the actual electrical grid distribution system,” Phelps said. “Without electricity, you can’t run rail switches, you can’t run airports and aviation systems and navigation, you can’t run harbors, you can’t run anything. You can’t even distribute food without electricity today. So if you really wanted to attack the United States and cause warfare-equivalent destruction impact you go after the power grid. It is the only thing you could hit that could have a significant impact that would cause that type of a problem.”
Battle outside cyberspace
When talking about cyber war, it is inevitable that the battle will not remain through cyberspace alone. The Russian invasion of Georgia demonstrates this.
“There have been cyber-attacks used in international armed conflicts, such as the 2008 Russian invasion of Georgia,” Shackelford said. “Such ‘blended’ – cyber plus kinetic – attacks are likely going forward, but a ‘pure’ cyber war like Die Hard 4.0 is probably unlikely. Having said that, exploits like Stuxnet have shown what’s possible, and it will be up to states to define acceptable rules of the road including what should count as a use of force in cyberspace.”
We have seen the warning signs, cyber warfare is seemingly inevitable. We have heard Admiral Mike Rogers, Director of the NSA, warn of potential attacks against critical infrastructure within the next decade. We have yet to see what a cyber warfare-level attack would look like with our eyes, but we can imagine. Heaven helps us if we are attacked and our critical infrastructure was taken offline. If that were to happen, I bet elite government officials like Newt Gingrich would reconsider describing your run-of-the-mill cyber-attack as an act of cyber warfare.