Book Review: Cyber War Will Not Take Place

Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013.

Cyber war is possibly the most dangerous buzzword of the Internet era. The fear-inducing rhetoric surrounding it is being used to justify major changes in the way the Internet is organized, governed, and constructed. And in Cyber War Will Not Take Place, Thomas Rid convincingly argues that cyber war is not a compelling threat. Rid is one of the leading cyber war skeptics in Europe, and although he doesn't argue that war won't extend into cyberspace, he says that cyberspace's role in war is more limited than doomsayers want us to believe. His argument against cyber war is lucid and methodical. He divides "offensive and violent political acts" in cyberspace into: sabotage, espionage, and subversion. These categories are larger than cyberspace, of course, but Rid spends considerable time analyzing their strengths and limitations within cyberspace. The details are complicated, but his end conclusion is that many of these types of attacks cannot be defined as acts of war, and any future war won't involve many of these types of attacks.

None of this is meant to imply that cyberspace is safe. Threats of all sorts fill cyberspace, but not threats of war. As such, the policies to defend against them are different. While hackers and criminal threats get all the headlines, more worrisome are the threats from governments seeking to consolidate their power. I have long argued that controlling the Internet has become critical for totalitarian states, and their four broad tools of surveillance, censorship, propaganda and use control have legitimate commercial applications, and are also employed by democracies.

A lot of the problem here is of definition. There isn't broad agreement as to what constitutes cyber war, and this confusion plays into the hands of those hyping its threat. If everything from Chinese espionage to Russian criminal extortion to activist disruption falls under the cyber war umbrella, then it only makes sense to put more of the Internet under government -- and thus military -- control. Rid's book is a compelling counter-argument to this approach.

Rid's final chapter is an essay unto itself, and lays out his vision as to how we should deal with threats in cyberspace. For policymakers who won't sit through an entire book, this is the chapter I would urge them to read. Arms races are dangerous and destabilizing, and we're in the early years of a cyber war arms race that's being fueled by fear and ignorance. This book is a cogent counterpoint to the doomsayers and the profiteers, and should be required reading for anyone concerned about security in cyberspace.

This book review previously appeared in Europe's World.

Posted on October 25, 2013 at 9:26 AM • 25 Comments

Comments

Stanislav Datskovskiy • October 25, 2013 9:50 AM

"Cyber War" has already taken place. Microsoft won. (What else do you call it when one nation coerces, bamboozles, or otherwise corners every other into installing remotely-controllable malware on their machines?)

Dilbert • October 25, 2013 9:54 AM

Cyber War
Cyber 9/11
Electronic Pearl Harbor

It's all FUD! Finally someone is taking a more reasoned approach to the subject. I think this one is next on my reading list.

Aaron VanAlstine • October 25, 2013 10:17 AM

Cyber war, the Chinese Anti-Ship Ballistic Missile, Iran's nuke program are all scary monsters promoted by the MIC to keep the government money spigot wide open.

kingsnake • October 25, 2013 10:43 AM

If one accepts von Clausewitz's assertion -- and I do -- that war is an extension of politics by other means. And one realizes that any nation engaged in war will use every weapon at its disposal to win that war, then cyber war is not only likely, but guaranteed. (Indeed, had already occurred: e.g. Stuxnet crippling the Iranian nuclear effort.)

The only reason for someone telling you otherwise -- that cyberwar is a myth -- is because they are either idiots, or liars who want to keep you blissfully ignorant.

Clive Robinson • October 25, 2013 10:56 AM

@ Bruce,

Whilst "Arms races are dangerous and destabilising" they are extremely profitable for those selling them, especially as history shows us you are selling to both sides at the same time.

And whilst there is money to be made in truckloads, the protagonists will borrow on their grandchildren's futures to buy them and step up to the line as was demonstrated by nukes.

The problem is history shows us again that some idiot will cross the line unless it's abundantly clear that they will be destroyed in the process (ie Nukes and MAD).

Thus the way to stop a conventional war is to make those in charge realise the complete decimation that will result if they do cross the line.

Only with cyber-war this won't work because it's the most asymmetric form of attack there can be in that a single person can with knowledge and some skill take down just about all routers and most computers almost simultaneously, and the suffering is felt most where technology is highest. If you also know how to farm goats and live in a cave/hut then you can launch your various attacks with their timed payloads and be sitting peacefully in your hut on a hill tapping on your drums when the lights go out in the WASP / First world nations and the panic starts.

Three months later you can come down off of your hill and see what panic buying and gas pump mania has done to so called civilised society...

Brian M. • October 25, 2013 11:55 AM

Can nations stage a cyber war entirely by itself? It's possible, but it doesn't have quite the same consequences as massive physical attacks.

While a "cyber war" can fit Clausewitz's definitions of war, the computer attacks can be widely mitigated, if not ignored outright. When the Y2K patching was happening, the electrical switching equipment was installed with overrides. The closest to catastrophic failures we've had have been the blackouts on the east coast of the US, like the 2003 blackout from a tree limb touching a power line. Southern California still suffers from blackouts due to a lack of available power. But it was only the 1977 NYC blackout that there was looting and arson.

In order for a systemic failure to have anything other than monetary consequences from business being shut down, the populace has to go out and do some damage. The 1977 NYC blackout, and the L.A. riots are two that come to mind. Otherwise, it's just an inconvenience.

jones • October 25, 2013 1:36 PM

> Arms races are dangerous and destabilizing

Bingo! The "War on Terror" is just another excuse for a new Cold War, and all the subsidies that entails.

Today we have about 3,000 nukes in our strategic arsenal. In 1967 that number stood over 30,000. All those weapons didn't pay for themselves. They didn't fund looting associated with territorial expansion. They were subsidized. They were stockpiled because they were never meant to be used (since doing so would mean "mutual assured destruction").

Furthermore, all the theatrics of the Cold War were mostly for show: for all the duck-and-cover drills, the only radioactivity Americans were ever exposed to came from OUR OWN weapons testing. Nuclear explosions were a tourist attraction in Las Vegas -- and all those tourists were showered with fallout. A cloud of strontium-90 floated over New York and made the milk undrinkable. An underground nuclear weapons test that went wrong -- called Mighty Oak -- was actually responsible for the domestic fallout blamed on Chernobyl. I have a feeling that the rise in autism has more to do with the fallout the baby boomers were exposed to than the vaccines their kids were given.

But the same logic applies in this war on terror: almost every high profile terror case has involved a paid FBI informant who identified targets and provided them operational plans. Put "paid informant fbi terrorism" and see what you come up with.

The fact of the matter would seem to be that there are very few terrorists stateside. Guns are abundant, but no jihadi shooting sprees. Powerlines crisscross the countryside but don't seem to get bombed that often. Planes come in for landings at airports in coastal areas, but nobody seems to sit in a boat taking potshots with a high powered rifle.

All the most devastating attack vectors are both remarkably simple and almost impossible to defend against -- but don't seem to be a problem.

If the "War on Terror" and the surveillance state are really about saving American lives, that money could be better spent investing in effective intercity mass transit. Every month as many people die in car accidents as died on 911. We're our own worst threat.

Scott • October 25, 2013 4:20 PM

The trend is against calling activist disruption cyber warfare, and instead calling it cyber terrorism. Because, you know, I am living in constant, debilitating fear that one of the websites I visit will be temporarily down while someone makes a political statement.

When we have these hacker groups criticizing the US government for things like being in bed with corporations, massive abuse of drone warfare, and trampling on first amendment rights, what better way to silence the dissidents than calling them all anti-American communists? Well, passing laws to legally define them as terrorists!

kashmarek • October 25, 2013 5:26 PM

Cyber war is already taking place. It is against the population that makes use of the internet, including at times, officials in high places in governments outside the U.S. When no use is found in the data for fighting "terrorism", the only practical thing left to do is use that data for influence, intimidation, and control of same. Simply by announcing that a large number of world leaders have had their phone conversations tapped, is intimidation.

Brandioch Conner • October 25, 2013 5:46 PM

> A lot of the problem here is of definition. There isn't broad agreement as to what constitutes cyber war, and this confusion plays into the hands of those hyping its threat.

It isn't "war" until an otherwise healthy person dies as a direct result of it.

People tend to focus on things that happen during a real war and then incorrectly extrapolate those into defining "war". It makes selling products and services to the government much easier.

Muddy Road • October 25, 2013 6:08 PM

The Eternal Cyber War is on, it's here and our own government started it.

I agree no one will ever suffer a physical paper cut from Cyber War, but our losses have already been huge in loss of power, liberty and freedoms not to mention billions of dollars of taxes flushed by the NSA et al.

I am not happy about my own country treating me and all of us as enemy combatants. I want the government to leave me alone. I don't want them to know anything about me without my specific express permission.

I don't have to prove my innocence. Nor does anyone. Who I call, write, talk to or do is my business unless they can get a real warrant in a real court. That's my terms.

I am hoping the technical people are in the trenches working on new tactics and strategies to defeat attackers.

Eventually, we may get a legal or political solution bringing us peace, but in the meantime as far as I am concerned:

It's on!

Clive Robinson • October 25, 2013 7:43 PM

@ Brandioch Conner,

    It isn't "war" until an otherwise healthy person dies as a direct result of it.

This is not the first nor I suspect the last time I disagree for perfectly valid reasons with this view point you have.

For instance a foreign government injuring individuals is an act of war. As is capturing and imprisoning / enslaving people or causing them to become dispossessed or refugees or in other ways denying them recognised human rights.

Also a foreign government damaging or destroying infrastructure, and rendering land uninhabitable or unusable for economic activity, or causing the loss or destruction of other resources is an act of war (see history of water rights wars).

Also acts of economic sabotage with the intent to bring about either of the above is an act of war.

Further some attacks may not cause immediate death of individuals but will at some future point of time cause death (ie putting malware on medical equipment).

Ignoring these and similar as acts of war will only encourage tyranny and oppression.

Muddy Road • October 25, 2013 8:03 PM

Clive is right, war is not limited to killing people. When the enemy shoots a cannonball over the wall destroying the mess hall, that's still an act of war.

When someone uses the electronics to "collect" your personal data illegally and without your permission, that's cyber war.

It's on. No doubt in my mind.

Wesley Parish • October 26, 2013 12:44 AM

I had a flashback to some thoughts I'd had about "Star Wars" aka the Budgetary Defense Initiative launched by Ronnie Raygun and Regime during the 80s - namely, that there's more to war than merely acquiring and controlling territory. There's ICC - information, control and command - then you have propaganda.

When you venture into "cyberspace" you have the potential to control the flow of information. You have the potential to harvest protected information. You have the potential to control an opponent's control mechanisms.

None of this is "war" in itself; it's part and parcel of the war-waging mechanism.

And that's where I think America's enemies have the jump on America - America's own "defense" aka NSA and the rest of that alphabet soup have spent the last few decades in sabotaging America's - and the rest of the West's - cyberdefenses.

Mike the goat • October 26, 2013 1:04 AM

Clive: agreed. You could certainly use network pwnage to, for example obtain information on what your opponent intends to do next. You could also actually cause harm by attacking networked infrastructure - which in this day and age includes telematics for power grids, water plants etc. Stuxnet proved that even ostensibly air gapped equipment could indeed be vulnerable. Whether you could actually have a "cyber war" is debatable but you could certainly use networks to assist you in achieving a favorable outcome in a physical war.

Brandioch Conner • October 26, 2013 9:51 AM

@Muddy Road

> Clive is right, war is not limited to killing people.

No one has said that war was "limited to killing people".

But if an otherwise healthy person does not die as a direct result of it then it is not a war.

> When the enemy shoots a cannonball over the wall destroying the mess hall, that's still an act of war.

You are confusing "act of war" with "war". An act of war does not have to include any death or destruction. Depending upon the definition, moving troops into another country can be an act of war.

Even if they do not shoot anything or destroy anything.

> When someone uses the electronics to "collect" your personal data illegally and without your permission, that's cyber war.

And if they just go through your mail then it is a conventional war?

If they steal your wallet then it is a conventional war?

There is nothing about "uses the electronics" that makes any difference in the activity. All it changes is who can do it from where.

Muddy Road • October 26, 2013 10:27 AM

Brandioch, I believe Tom Rid said war must involve physical violence.

Thus, we all know electronics cannot inflict physical harm, like a gun or a person holding a gun (or the General ordering the cannon fired over the wall).

Thus his definition is flawed.

I guess it all boils down to whether there can be war without physical violence and indeed I would say a DOS attack by a country/political group on another country/pg is cyber war.

Cyber thus covers the instrument of attack.
(Cyber = computer)

Brandioch Conner • October 26, 2013 11:01 AM

@Muddy Road

> Thus his definition is flawed.

No.

You may not agree with his definition but that does not mean that it is flawed.

> I guess it all boils down to whether there can be war without physical violence and indeed I would say a DOS attack by a country/political group on another country/pg is cyber war.

If you are a soldier and an enemy soldier with whom you are at war is shooting at you from someone's house, it is acceptable to return fire. Possibly killing the person who lives in that house. It is even acceptable to call in an artillery strike.

By your usage of "cyber war" then it would also be allowable to fire upon a house containing a computer that is actively participating in the DoS attack.

I say that if an otherwise healthy person has not been killed as a direct result then it is not "war", cyber or otherwise. Therefore there would be no military action.

Michael Moser • October 26, 2013 6:51 PM

There is no 'Cyber war' because currently you can't expect to cause any real/significant damage (so far). Even if you damage some centrifuges then that is not really a great deal.

Also important is that if you shoot then you expect to cause some damage within a manageable degree of certainty; you don't have that - therefore no real 'cyber war'.

However I think that they are throwing an alarming amount of money at the problem, so maybe they might get some 'offensive capabilities' some day.

Archibald Bomwitz • October 27, 2013 5:51 AM

In Clausewitz's own words about war: "to impose our will on the enemy is the object of war". Read also Unrestricted Warfare by two Chinese air force colonels. They have defined war as not only shooting and killing and weapons as not only bombs and cannons.

Lil' Jimmy Dickens • October 27, 2013 5:01 PM

Hey, maybe we can have a Drug War, a Cyber War AND a CyberPrison System. Then we'd have THREE massive money-gobbling bureaucracies simultaneously "creating jobs" and "protecting the children".

OR we could have a sudden outbreak of common se.....

Nah.

Wesley Parish • October 28, 2013 2:57 AM

Stanislaw Lem is I suspect, the current übertheorist on this topic. Read Fiasco for an example of war being fought on terms totally unfamiliar to humanity. Imaginary Magnitude, A Perfect Vacuum and One Human Minute are also of great interest. While the profle (prognosticated rifle, in Vestrand's Extelopedia in 44 Magnetomes) is good for a laugh, Golem XIV is much more serious and a forerunner of skynet, and The Upside-Down Evolution is deadly serious - and very much well worth reading.

tOM, Ottawa • October 28, 2013 3:07 PM

War. War on drugs. War on poverty. War on terrorism. Rather overused.... I think we now have an opportunity to downscale the Cyber"conflict" by moving to more widespread encryption and securing of internet resources like routers by technical and political means.

Perhaps set up "safe havens" for major routers run by an internet organization of the biggest rivals (1st, 2nd, and 3rd world) that will be safe from spying by anyone?

Perhaps https://www.grc.com/sqrl/sqrl.htm may facilitate individual security & key exchanges?

LinkedIn profile • March 4, 2014 7:16 AM

It's rather a trendy as well as beneficial bit of info. We are content which you contributed this useful information about. Remember to stay united states up to par like this. Many thanks discussing.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.