Bitskrieg. John Arquilla
And all this takes, as Libicki has sagely observed, is guile. Thus, it seems that, aside from providing a strong affirmation of Clausewitz’s general point about conflict having chameleon-like properties, the many faces of cyberwar undermine his three base elements. There is no need to commit acts of overarching violence, or even for a connection to higher-level policy, when, for example, millions of “smart refrigerators,” designed to send their owners an email when they need milk, can be hacked, controlled, and ordered to overwhelm their targets with millions of emails. As to chance, the vast range of targets available to cyber attackers – who often remain hidden behind a veil of anonymity, a “virtual sanctuary” – suggests that luck is a much less included factor. This undermining of Clausewitz’s base elements leads to a serious challenge to his firmly held belief that “defense is a stronger form of fighting than attack.”4 This was certainly the case in his time, when defense-in-depth defeated Napoleon in Russia, and later saw the Duke of Wellington’s “thin red line” decimate the Grande Armée at Waterloo. A century later, the costly failed offensives on the Western Front in World War I affirmed the wisdom of Clausewitz. And even the brief period of Blitzkrieg’s success in World War II gave way, from El Alamein to Stalingrad to the Battle of the Bulge, before stout defenses. But, two centuries since Clausewitz, the rise of cyberwar is now upending his unwavering belief in defense dominance. Instead, offense rules.
To date, the best-known manifestations of cyberwar have emerged in the personal and commercial realms. Hundreds of millions of people around the world have had their privacy compromised, either by direct hacks or by having their information stolen from insurance, financial, retail, social media, and government databases. With regard to ostensibly “secure” government databases, even these have proved porous. The most notorious incident was acknowledged by the US Office of Personnel Management in June 2015. Of this intrusion, in which hackers accessed sensitive personal information, the President of the American Federation of Government Employees, James Cox, asserted “all 2.1 million current federal employees and an additional 2 million federal retirees and former employees” were affected.5 (My own classified personnel file was among those hacked.) As the matter was investigated further, the estimated number of persons affected quintupled, to more than 20 million, according to Congressional testimony of the then-Director of the Federal Bureau of Investigation, James Comey, given just a month later.6 But even this staggering breach paled in comparison with the revelation in May 2019 that nearly 900 million sensitive financial records had been hacked from the database of the First American Title Company.7
As to the theft of intellectual property and other types of exploitative or disruptive cyber attacks aimed at commercial enterprises, these cause more than 1 trillion dollars ($US) in damages each year. University research centers are also targeted as, according to one tactful report, they “haven’t historically been as attentive to security as they should be.”8 While the ransoming of locked-up information currently accounts for less than 1% of annual losses, this mode of attack is growing at a steep rate.9 Often, such theft and extortion aim at serving causes beyond just enrichment of the malefactors. In the case of North Korea’s cyber crimes, the United Nations has reported that the roughly $2 billion gained as of mid-2019, by attacks on banks and crypto-currency (e.g., Bitcoin, Ethereum, Ripple) exchanges, has been used to support its nuclear weapons program.10 This illicit form of fundraising lies somewhere between theft and statecraft. Call it “strategic crime.” Much as, in the sixteenth century, Queen Elizabeth I tacitly encouraged her piratical “sea dogs” to prey upon maritime commerce to help fill Britain’s coffers. Strategic crime has long played a role in statecraft via this form of naval irregular warfare.11
Clearly, when it comes to the abovementioned modes of cyber attack, offense is currently quite dominant. And, as George Quester’s seminal study of stability and instability of the international system notes, when the apparent risks and costs of taking the offensive are low, conflicts of all sorts are more likely to proliferate.12 They may be small-scale, individually, but their cumulative effects are large – and growing – as opposed to the more purely military realm, in which the patterns of development and diffusion are less apparent. So much so that, to some analysts, the emergence of militarized cyberwar seems highly unlikely.13
Cyber attacks in armed conflicts have had a lower profile, but there are some troubling examples – most provided by Russia. In 2008, when Russian troops and Ossetian irregulars invaded Georgia, the defenders’ information systems and links to higher commands were compromised by cyber attacks on their communications. Panic-inducing mass messaging aimed at people’s phones and computers in areas where the Russians were advancing put large, disruptive refugee flows onto the roads, clogging them when Georgian military units were trying to move into blocking positions. All this helped Russia to win a lop-sided victory in five days.14
More recently, two other aspects of cyberwar have come to the fore in the conflict in Ukraine between government forces and separatists in Donetsk, with the latter supported not only by Russian irregulars – “little green men,” so named for the lack of identifying patches on their uniforms – but also by bits and bytes at the tactical and strategic levels. In the field, Ukrainian artillery units were for some time victimized by hacks into their soldiers’ cellphone apps that were being used to speed up the process of calling in supporting fire. Russian-friendly hackers helped to geo-locate artillery batteries by this means, and brought down counter-battery fire upon them. The result: diminution of Ukrainian artillery effectiveness, although the precise extent of losses incurred remains a matter of some debate.15
At a more strategic level, the Russo-Ukrainian conflict has also featured a number of troubling attacks. The first came on Ukraine’s electrical power grid infrastructure in December 2015, when 30 substations in the Ivano-Frankivsk oblast were shut down as hackers took over their highly automated system control and data acquisition (SCADA) equipment. Nearly a quarter of a million Ukrainians were affected by this hack, which has been attributed to “Sandworm,” a Russian army cyber-warrior unit. These same hackers are believed to have masterminded the extensive cyber attacks on Ukrainian finance, government, and (once again) power companies in June 2017.
Ostensibly, this latter operation aimed at freezing data, whose unlocking was then held for ransom. But the attacks, which did some collateral damage in other countries, were more likely intended simply to impose costly disruptions – and perhaps to serve as launching pads for covert insertions of malicious software designed to act as virtual “sleeper cells,” waiting for their activation at some later date. Overall, the costs inflicted by these 2017 attacks exceeded $10 billion, according to the estimate of Tom Bossert, then a senior Trump Administration cybersecurity official.16 These uses of cyberwar as a means of “strategic attack” are highly concerning, especially the demonstration that SCADA systems – in wide and increasing use throughout the world – are vulnerable to being taken over.
Russian cyber operations in Georgia and Ukraine should be seen as among the first “capability tests” that have provided glimpses of what future cyberwars may look like. Just as the Spanish Civil War (1936–9) foreshadowed the kinds of actions – from tank maneuvers in the field to the aerial bombardment of cities – that were to characterize much of the fighting in World War II under the rubric of Blitzkrieg,17 so too have recent Russian uses of the various modes of cyberwar in Georgia and Ukraine provided a glimpse of the next “face of battle”: Bitskrieg.
And, just as fascist forces in Spain – including tens of thousands of German and Italian volunteers – demonstrated the synergy of armored and aerial operations brought into close coordination by radio, today Russian “volunteers” in Donetsk are proving that integrated cyber and physical operations have profound effects. Another goal of the Blitzkrieg doctrine as practiced by the Germans early in World War II was