Is There Such a Thing as “Cyberwarfare”?

“Cyberwar” as a discrete phenomenon—fighting only in cyberspace—is as meaningless as a war only at sea, on land or in the air

One of the early books on cybersecurity that gained substantial notoriety was Cyber War (sic) by Richard Clarke and Robert Knake. The title, an inspired choice—if for no other reason than it sold books—was about the only thing inspired about the book. Cyber War reads like what it was: two men who knew a lot about war and were aware there was such a thing as computers, trying to explain why computers were going to kill you and your family, steal all your stuff and spit on your grave. The book was a successful polemic, if nothing else.

Book Cover of Cyber War by Richard A. Clarke and Robert K. Knake
Cyber War by Richard A. Clarke and Robert K. Knake

For all of its flaws in reasoning, the biggest problem Cyber War caused, however, was to derail discussions about the internet’s international effects into a series of naval gazing arguments about whether “Cyberwar” is a “thing.” The first, and most, important contribution to this argument was Thomas Rid’s much needed paliative Cyberwar Will Not Take Place, which puts cyberwar in the context of warfare more generally. The important take away from Rid should be 1) yes, cyberattacks can be a big deal, but 2) whenever cyberattacks are that important, it will always happen in the context of a larger war, either underway or that they will start. Cybersecurity should, thus, must exist within international security, and treating it separately diminishes our understanding.

Book Cover of Cyber War Will Not Take Place by Thomas Rid
Cyber War Will Not Take Place by Thomas Rid

We would have been much better off if the discussion ended there, because Rid was right, but it continues to this day (for reasons that will probably make it into another blog post). Unfortunately, the framing of the argument as “there is such a thing as cyberwar” vs. “there is no such thing as cyberwar” has derailed many would-be reader who cannot get past book titles.

There is such a thing as “cyberwar,” exactly as much as there is such a thing as “air war,” “sea war,” and “land war.” If war could ever be fought only on land or sea, that time has long past. The importance of air, land and sea to modern society is so great no state at war could afford to deliberately ignore even one domain. Part of the US’ strength derives from its ability to shut opponents out of the air and sea in many cases, but even when fighting opponents completely deprived of aerial or naval capacity, those domains remain crucial for the war, itself.

So, too, is the importance of cyberspace to modern society, and it is naïve to expect future wars will not include online warfighting elements. However, just as we should never decieve ourselves that modern combatants would ever restrict themselves to fighting only on land, sea or air because that is the domain they were attacked in, we should not expect that any attacks in cyberspace will remain only in cyberspace. The current buzzphrase Multi-Domain Operational Strategy—to the extent it means anything at all—recognizes adversaries will escalate attacks to other domains. Since cyberoperations are relatively cheap compared to naval or air operations it is even likely that land and cyber might be the only contested domains in conflicts between major and minor powers, because even deprived of access to air and sea, minor powers will still be able to fight in cyberspace.

Diogenes by John William Waterhouse, 1882

In military strategic scholarship, at least, the tendency towards pseudo-egg-headery is far beyond what outsiders might expect, and that has not served us well. It is easy to get lost in endless discussions of taxonomies, because it seems fruitful in comparison to the frustrating complexities of military operations in the complex global environment. From time to time we need a remedial visi from a Diogenes who presents us with a plucked chicken to point to the absurdities of pasttimes, and put us back on track for valuable inquiry. We must take those palliatives seriously, however, and on their own terms. It would be just as fruitless to read Rid, and his fellow-travellers, as implying cybersecurity is unimportant, because a well written argument avails us nothing, if we only read the title.