The weaponisation of code is the most significant development in warfare since the development of nuclear weapons.
Alec Ross
17 September 2019
Will the next war be a cyberwar?
Alec Ross
ALEC ROSS: All you need for a cyberweapon is a computer, internet and the right coding skills
This piece was originally written for the Policy Institute's new Policy Review publication, which features essay contributions on a range of different issues by the institute’s researchers and Visiting Faculty.
Read the full collection of essays
Cybercombat is a distinctly 21st-century form of conflict, and the norms and laws that were developed in prior centuries to de-escalate conflict and create clear distinctions between combatants and non-combatants, between the battlefield and the home front, between a just war and an unjust war simply do not apply. The weaponisation of code is the most significant development in warfare since the development of nuclear weapons, and its rapid rise has created a domain of conflict with no widely accepted norms or rules that could well lead to the next war.
The analogy that most foreign policy hands point to as a possible precedent for containing cyberweapons is nuclear nonproliferation: the creation of arms control agreements, treaties, United Nations resolutions, and international monitoring programmes to govern the spread and use of nuclear weapons. Under this international framework, nuclear war is still a threat, but nuclear weapons are well understood and there are processes in place to manage them. Similar sets of procedures and rules have also developed for the weaponisation of airplanes, space, and chemical and biological weapons.
But the confounding factor when it comes to cyberwar is that the barriers to entry are so much lower in cyber than in any of these other domains. Any country, or even any rogue group or individual, that puts a little bit of time and effort into it can develop some nasty offensive cyber capabilities. It is, in fact, the near-opposite of the development of nuclear arms, which requires years of work, billions of dollars, and access to the scarcest of scarce scientific talent and trans-uranium elements.
To create a cyberweapon, all one needs are a computer, an internet connection, and the right coding skills. Will the next war be a cyberwar? There are two scenarios in which I could imagine this happening.
Shooting back
During my time working for President Obama, a massive cyberattack traced to China hit more than 30 American firms including aerospace, defence and technology companies, most famously Google, who went public with the charge that the Chinese government was trying to steal its most precious algorithms.
Google and many of the other companies on the receiving end of the attack came to the US government and left it to us to engage on their behalf diplomatically.
This won’t always be the way companies respond. It is only a matter of time before some hotshot group of engineers recognises and stalls a cyberattack, and instead of calling law enforcement or some other part of government, launches a counterattack against the aggressor. They shoot back, so to speak. I wonder what would have happened if, when Google had identified the source of the hack, it had responded in kind with an attack designed to disable its attacker’s network and computers. The Google engineers are some of the best in the world. Would China have considered this an attack or some other form of invasion? It might have. What’s interesting here is that the combat would not be between two countries, but between a country and a company. And if there were a war between Google and China (or between a company and any country) would the United States assume some sort of role or responsibility given Google is based in the United States? It could. It probably would. And in that case we suddenly have something that looks very much like a cyberwar.
This was tested a few years ago when Sony was cyberattacked by the North Korean government. Sony did not have the cyber skills in house to respond in any sort of counterattack (as Google could have). The Japanese (Sony is a Japanese company) and American governments denounced the attacks and it was reported that some combination of the US and China shut down networks in North Korea for a brief period as a warning in response, but the conflict was largely measured and contained. That won’t always be the case.
An attack on the internet of things
The second scenario in which I could imagine the next war stemming from or being rooted in cyberconflict would result from an attack on the “internet of things”, where any object has the potential to transmit and receive data on a network, from cars and farm equipment to watches and appliances, even clothing.
An attack on a power grid, transportation system or other digitally enabled system that breaks or harms something non-digital would trigger a different reaction to that set off by an attack on computers or corporate IP. It would be treated more like a bomb being detonated, something targeting citizens in a more tangible and less forgivable way.
The ways this could happen are varied and difficult to anticipate. Systems are being put in place that connect pacemakers to the cloud. There’s a benefit to that – it could automatically shock you if it senses something is wrong. But what if a terrorist, or a country trying to cause disruption decides to shock all the pacemakers in a given country?
If international norms and treaties are not agreed to, setting definitions and boundaries for cyberconflict, a cyberwar is increasingly just as likely to be fought at some point between a country and a company as it is between two countries.
Well, if there are voters involved – if grandfathers have their pacemakers shocked by a rogue state hacking the cloud – then there is likely to be more than a cyber response or a cyber response soon followed by a more conventional act of war.
In each of the two scenarios above, and in any of a half-dozen more that we could imagine, what complicates matters even further is that the layout of the internet scrambles the traditional idea that both sovereign countries and warfare are tied to geography and physical place. A company may be headquartered in one country but have networks and servers in another. If those networks and servers are attacked, is it the responsibility of the headquarters country or the country where the servers are located to respond? If neither government responds and the corporation defends its network with a cyberattack of its own, who else does this entangle? If international norms and treaties are not agreed to, setting definitions and boundaries for cyberconflict, a cyberwar is increasingly just as likely to be fought at some point between a country and a company as it is between two countries.
Sadly, there is little to no prospect for any sort of short-term progress to be made developing international law, treaties, or other frameworks establishing norms and rules for cyberactivity. The United States won’t agree to anything that the Europeans would demand that limits intelligence-gathering activities. The Chinese won’t admit to, much less agree to, anything related to industrial espionage. The Russians have gone on the attack. And the non-state actors that supply much of the conflict in the cyber domain will never accede to the niceties of agreements forged by governments.
Alec Ross is a former Senior Advisor for Innovation to Secretary of State Hillary Clinton, and Visiting Professor at the Policy Institute, King’s College London.