Cyber space is a confusing place. As current discussions highlight the possibility of ‘major’ cyber attacks causing a significant loss of life or large scale destruction, it is becoming harder to determine whether these claims are hype or are in fact justified fears. A new report, published this week by VERTIC, commissioned by the Remote Control project, offers some clarity on the subject by assessing the major issues in cyber security today to help better inform the debate and assess what threats and challenges cyber issues really do pose to international peace and security.
How much of a threat are cyber attacks?
Cyber attacks have been identified as one of the greatest threats facing developed nations. Indeed, the US is spending $26 billion over the next five years on cyber operations and building a 6,000-strong cyber force by 2016 and the UK has earmarked £650 million over four year to combat cyber threats. This level of investment suggests that states view issues of cyber security as a question of national security. But how much of a threat do cyber attacks pose to national security and how much damage have they caused?
There is a need for caution when assessing the risk posed to national security by cyber threats. Indeed, although states are heavily investing in cyber security, to date, the majority of cyber incidents that have made the news have not directly impacted on a state’s sovereignty, or threatened a state’s survival. For that to happen, an attack would have to significantly affect a government’s ability to control its territory, inflict damage to critical infrastructure or, potentially, cause mass casualties.
Nevertheless, some notable instances of cyber attacks have had a significant impact on international relations over the past decades. These are ‘Stuxnet’, the cyber attack targeting Iranian uranium centrifuges (allegedly launched by a combined US-Israeli operation), the ‘Nashi’ attacks on the Estonian government and private sector websites and web-based services, and the many instances of cyber-espionage that form the so-called ‘Cool War’ currently taking place between China and the US. Furthermore, cyber attacks have also been used as instruments of war in conjunction with conventional military operations, for example during the Russo-Georgian conflict in 2008 and most significantly during the Israeli air raid against a nuclear reactor facility in Syria in 2007.
However, to date no attack has led to largescale destruction or fatality, suggesting that the potential for this is unlikely. This is due to the great amounts of technological expertise, material resources and target intelligence required to carry out such an attack. These resources are currently only in the hands of states, that might hesitate in using cyber attacks in such a way, when other means are available. This could of course change, especially if different political actors acquired the necessary means.
What should we be concerned about?
This is not to say we have nothing to be concerned about. Although a largescale cyber attack that inflicts mass casualties is unlikely to occur in the near future, cyber activities can still affect civilian lives in other ways. The hyperbolic language used to describe the potential consequences of cyber attacks, combined with a lack of reliable, concrete information on the real risks posed by cyber threats has contributed to the ‘securitisation’ of the debate around cyber security issues. It is feared that this process will lead to possible dangers being overestimated, and vulnerabilities cast as national security threats of immediate concern. States’ reactions to these perceived risks may cause negative implications on both citizens and international peace and security.
Already we are seeing a potential consequence of securitization as governments turn to surveillance as a preventative measure against cyber attacks. In addition, the difficulty of attributing cyber attacks, as well as the widespread fear that other countries will constantly engage in cyber espionage, has led some to claim that the ‘cyber realm’ favours the attacker. This, in turn, may lead states to engage in a ‘cyber arms race’, as well as foster a ‘Cool War’ dynamic of continuous attrition and escalation between states. This erosion of trust between states, as well as the diminishing of civil liberties, are two serious concerns with regards to the militarization of cyber space.
Cyber attacks also pose serious transparency and accountability issues due to the above-mentioned technical complexities of cyber attack attributions, as well as the ambiguous relationship between state and non-state actors (in the ‘Nashi’ attack in Estonia for example, the relation between the youth group responsible for the attack and the Russian government remains an ambiguous one). The lack of legal clarity in this area is also worrying, meaning attackers will often not face consequences for their actions.
The only existing international legislation in the field - the Budapest Convention - solely addresses cybercrime and no further issues (such as military use of cyberspace). The Convention also does not have enough support to provide enforcement of its objectives, has no monitoring regime and has not been signed by Russia or China. Furthermore, an attempt to set out ‘rules’ on the legal implications of cyber war - in The Tallinn Manual - found that the complexities of cyber conflict means there are many instances that do not easily adhere to current legislative standards. The speed of technology further hampers drafting of law and international legislation.
Growth of remote control warfare
The rise in cyber activities cannot be examined in isolation. Its growth is part of a broader trend of warfare increasingly being conducted indirectly, or at a distance. This global trend towards ‘remote control’ warfare has seen an increasing use of drones, special forces, private military and security companies as well as cyber activities and intelligence and surveillance methods by governments in the last decade.
Indeed the global export market for drones is predicted to grow nearly three-fold over the next decade, and a broader range of states are now using drones, including France, Britain, Germany, Italy, Russia, Algeria and Iran. The US has more than doubled the size of its Special Operations Command since 2001, and private military and security companies are playing an increasingly important role in both Afghanistan and Iraq, with over 5, 000 contractors employed in Iraq this year.
The idea of countering threats at a distance, without the use of large military forces, is a relatively attractive proposition as the general public is increasingly hostile to ‘boots on the ground’. However, the concerns highlighted in this latest report with regards to cyber activities are echoed in all ‘remote’ warfare methods as their covert nature means there are serious transparency and accountability vacuums.
As well as this, wider negative implications have been identified where these methods are in use, from the detrimental impact of drone strikes in Pakistan to instability caused by special forces and private military companies in Sub-Saharan Africa. The militarisation of cyber space is part of this growing trend and, like these other new methods of warfare, increased transparency and accurate information is essential in order to assess the real impact they are likely to have.