Bounded Chaos: Discovering the Nature and Order of Cyber-Warfare
For as long as there have been militaries, there have been revolutions of military affairs. Every new technology presents the possibility of new weapons, and for every new weapon there’s a soldier hoping it will yield the ultimate advantage though few ever do. Many a tome has been dedicated to the power of navies and air forces to change the face of warfare. Nuclear Weapons have further complicated the picture, creating a top tier power overshadowing conventional conflict. Today’s net-centric world proffers a new weapon. To many, cyber-warfare represents the 5th battlespace; a new type of warfare in need of further definition. To others, it is merely a new weapon to be integrated into traditional conflict. To find its proper place in war, this paper will analyze cyber-warfare in the context of two key principles: offensive versus defensive balance and thresholds.
Before proceeding, we must first define what is meant by ‘cyber-warfare.’ In the inaugural volume of the Journal of Law and Cyber Warfare, Daniel Garrie offers a simple definition: “Cyber-warfare occurs when one country perpetrates a cyber-attack against another country that would to the reasonable person constitute a state act of war.[1]” Garrie’s definition avoids the central question, however: how does an act of cyber-warfare fit within the modern conventions of warfare and strategy. As will be demonstrated below, cyber-attacks alone are unlikely to cause an escalation towards kinetic or conventional warfare. Thus defining cyber-war as a de facto declaration of war strips it of its distinction from traditional war. The cyber domain requires a distinct definition which does not rely on traditional notions of conflict.
In crafting a definition of cyber-warfare, three attributes must be addressed: agency, intent, and means. While computer[2] networks are vulnerable to attacks from a plethora of actors, warfare must be considered the domain of the military, and thus we should exclude attacks that are political (so-called “hacktivism”), criminal (fraud, theft, and laundering), or a form of public mischief (hacking, DDoS, and other attacks executed without financial or political intents). Secondly, cyber-warfare should be limited to attacks against networks meant to disable, disrupt, or destroy. Although much of the cyber domain’s usefulness revolves around information gathering, such attacks should be analyzed under the scope of intelligence and espionage. Reconnaissance efforts don’t rise to the level of warfare, dropping the first bomb does. Similarly, network intrusions alone are not acts of cyber-warfare. Some harm must be committed (or at least attempted) to qualify as an opening salvo. Finally, cyber-warfare must be a computer-based attack, not any attack on a computer network. While conventional strikes on network infrastructure or theoretical weapons like Electro-Magnetic Pulses may be an effective means of disrupting enemy networks and computer systems, the attacks are not cyber in nature. To conclude, then, we should define cyber-warfare as such: A computer-to-computer attack, initiated by a state, with the intent to disable, disrupt, or destroy a target.
Conspicuously absent from this definition are terrorist and other non-state actors. This is, undoubtedly, a failing of the definition. But for the purposes and scope of this paper, such actors must be excluded. Another complication arises in the problem of agency. By defining cyber warfare as necessarily state based, the bulk of historical cyber-attacks are excluded, either because they were not state run, or else because their origin simply cannot be proved (no matter how compelling the finger pointing may be). In fact, the two cases that will be analyzed below are perhaps the only two that can qualify, and even they are included by the preponderance of the the evidence, and not because they have been officially acknowledged. Such a narrow definition is by necessity, however. By examining cyber-warfare in its strictest form, we can begin to understand its place in the spectrum of warfare in general.
As with every new technology, cyber warfare has its champions and detractors. Always in search of the next great Revolution in Military Affairs, some have hailed cyber weapons as the next ultimate weapon: indispensable to the modern arsenal, and too great a threat to ignore. In his 2010 paper, Amit Sharma envisions a Clausewitzian absolute cyber-war. By executing parallel attacks on civilian infrastructure, government services and military systems, Sharma argues that a “cascade effect” will be created, “rendering the victim in a paralytic state with the loss of control over the state and failure of the state-as-a-system.[3]” Assuming such potency, cyber war should create a similar stability to that of nuclear weapons. Sharma concurs, holding that the threat of mutually assured cyber destruction would serve as a sufficient deterrent against the rush for a first strike.[4] In this way, the overwhelming potency of an absolute cyber-attack would be akin to a nuclear strike; a power so great, the very prospect of its use also precludes it.
This vision of cyber capabilities is fanciful at best. Initially, it assumes the world so dependent on internet services that disrupting or co-opting them is enough to break the resolve of a people to fight, a notion which seems less plausible given reactions to attacks in Estonia. Not only was Estonia able to maintain critical operations by hosting them on foreign servers,[5] but coordinated defense efforts were able to restore systems and harden defenses against future attacks.[6] While the attacks were costly, they were not decisive, and it is hard to imagine any such attacks being so.
Finally, a cyber-attack on such a massive scale runs into two difficulties. Initially, planning, coding, and executing parallel attacks against so many disparate systems is itself a near impossibility. Civilian, government, and military systems operate in vastly different ways, often with completely different languages. It is impossible to code one virus capable of attacking so many different systems at once. That means developing attacks against waterworks, electrical grids, power plants, military installations, police networks, news outlets and a plethora of other targets, and tailoring attacks against the specific systems used in the target nation. Unlike nuclear weapons, a singular logic bomb cannot be devised for broad use against any country or any target. Instead, cyber weapons often require a lot of preparatory work, including planting viruses in advance. But the greater the need for a diffuse groundwork, the higher the probability of detection, and the more likely some of the target systems are to be hardened against that attack.
Secondly, unlike missiles, cyber-attacks are defensible and systems are recoverable. Once the design of a computer attack is discovered, it is often easily neutralized. Even the Stuxnet virus was effectively defeated before its purpose was understood.[7] A “triadic” cyber-war, as envisioned by Sharma, would thus fall victim to cyber defenses on at least a few of the many fronts it would have to assault. And since the victory on all three fronts (civilian, military, and government) is necessary to achieve the desired ends, such a weapon seems even more implausible. Whether the defense came from a rival cyber army, a private security firm, or just a computer whiz in a basement, it is inconceivable that every avenue of attack would succeed to the extent necessary.
Cyber warfare thus shares a crucial similarity to Clausewitz’ understanding of war: Friction. The best laid plans still fall victim to chance, errors, and the unexpected.[8] Although the columns of marching men are replaced with a parade of ones and zeros, an absolute cyber-war is just as removed from reality as an absolute ground war.
But as Sharma is prone to hyperbole, others vastly understate the reality of cyber-warfare. Thomas Rid argues that cyber-warfare is at best a misnomer; at worst a nonentity. Rid’s argument is focused around the non-lethality of cyber-attacks. If an act is not potentially violent,” he reasons, “it’s not an act of war and it’s not an armed attack.[9]” Without the element of physical force, cyber-attacks fail to meet Clausewitz’ criteria for violence and are thus not a means of war. Rather, Rid contends that cyber-attacks fall into three categories: sabotage, espionage, and subversion.[10] The argument is not simply semantic. Although he allows for the destructive potential of cyber-attacks, Rid’s argument discredits them as a casus belli. Because such attacks are incapable of directly harming the human body, they are not weapons of war.
Rid creates a paradox, however, when he readily accepts the existence of cyber weapons. He thus must entertain the absurd possibility of an ongoing armed conflict between two states that isn’t war.[11] But whatever Rid wishes to call such a non-war conflict, his point about lethality is true. The ability of cyber weapons to kill is generally incidental. Cyber-attacks target systems or equipment, and not people directly. But this shouldn’t be understood as nonviolent. As defined above, cyber-warfare must include an intent to damage, disrupt or destroy. Although the target is most likely not a human being, the attempt to “harm” the target is a violence, even if one that doesn’t carry the same psychological gravitas. Though its effects may be felt through all domains, the cyber domain exists entirely separate from them. This separation of code from kinetic requires a different understanding of its violence. The harm to computer systems is a digital violence, and the value of networks in warfare make the violence too real a threat to ignore.
These extreme views of the power and importance of cyber-weapons highlight the confusion over their strategic place within warfare. Specifically, understanding the strategy of cyber-warfare as a subset of warfare can help elucidate how stability could be achieved in this Fifth Domain. In what follows I will analyze the two cases most commonly identified and accepted as acts of cyber-warfare. These two cases – Operation Orchard and the Stuxnet virus – represent the two most likely uses for cyber-warfare. The first covers cyber-weapons as a force multiplier in a larger act of war. The second represents the use of cyber-warfare as the sole means to achieve an objective. In analyzing these two cases, it will be shown that cyber-warfare fits within the structure of modern warfare as a substratum of physical conflict. Specifically, cyber-warfare exists as a state of constant warfare below the threshold of physical retribution. The threat of physical assault is a natural limiting factor on cyber-warfare, preventing its escalation. This stability of constant, low-level cyber warfare stems from its offensive orientation as a weapon, juxtaposed with its limitation by threat of physical retaliation.
Before delving into our two cases, a brief word on the threshold and offensive orientation. In his seminal work, Arms and Influence, Thomas Schelling analyzes the advent of nuclear weapons under the lens of these (and other) principles. In the case of nuclear weapons, Schelling finds that a potential instability arises from the offensive nature of nuclear weapons. Their immense destructive power makes them a decisive weapon in any conflict. As such, states have an incentive to conduct nuclear strikes before their rivals.[12] This offensive rush to strike first sews instability into international relations, escalating any conflict and drastically lowering the threshold for the nuclear attack, since failing to strike first necessarily means defeat.
But nuclear attacks carry their own threshold for use, much greater than that of any other weapon. The use of any nuclear weapon crosses the threshold for nuclear war,[13] irreversibly escalating the conflict. Where two nuclear nations are concerned, this escalation is the foundation of mutually assured destruction. Thus, the impossibly high threshold of nuclear warfare counterbalances the rush to first strike created by its offensive orientation.[14] The interplay of these two characteristics of nuclear war creates stability at the highest level of warfare. In the following examples, it will be shown that the offensive nature of cyber-warfare creates the predicted instability, but that a threshold-based boundary contains this chaotic state from greater escalation.
OPERATION ORCHARD
On September 6th, 2007, Israel fired what is often considered the first shot in cyber-war. Concerned over the suspected development of a nuclear facility in Dayr az-Zawr, Syria, the Israeli Air Force (IAF) planned an assault to destroy the site. Syria’s air defense and intrusion detection technology were state of the art, however, and fully capable of interdicting a sortie. The site, in the north of the country, closer to Iraq than Israel, would require stealth to reach. And yet, a squadron of IAF jets entered the country, destroyed the suspected reactor, and left without detection. In the aftermath, rising evidence pointed to the use of network intrusions to disable radar stations at Tall al-Abuad. Although never officially confirmed by Israel, the preponderance of evidence does point to such an attack as the means for escaping detection.[15] Further analysis by industry experts even went so far as to suggest Israel had exploited a “kill switch” hard wired into the radar stations.[16]
Although the specifics of “Operation Orchard” are uncertain, its effectiveness is not. The Israeli air strike not only destroyed the target, but demonstrated their ability to defeat Syrian air defenses when necessary. Without the protection of their air defense network, Syrian nuclear ambitions were certainly dampened. More relevant to this project, however, is what the incident says about the strategic role of cyber-warfare. The IAF case is demonstrative of cyber-warfare as a force multiplier in traditional conflict. This type of cyber-warfare is likely to become a common place among future conflicts. Although unproven, Russia is alleged to have utilized cyber-attacks to coincide with its 2008 incursion into Georgia. And the ability to disrupt enemy capabilities such as communications and weapons platforms is surely too tempting an advantage for generals to pass up.
Such attacks demonstrate the offensive orientation of cyber-warfare. The disruption of systems – especially defensive systems, in the case of the IAF attack – is a decidedly offensive advantage when combined with kinetic action. While such disruptions could certainly help a nation under attack, the preponderance of cyber-warfare is likely to be conducted by the offense for two reasons. Initially, most cyber-defenses are not defensive weapons in the same sense as conventional weapons systems like radar and surface to air missile batteries. Cyber-defenses are instead structured around preventing, detecting, and mitigating intrusions. A strong cyber-defense is thus more about updating patches to software and building better firewalls than creating weapons to combat an attacker.
Secondly, cyber-attacks must be individually tailored to target systems. Viruses and even denial of service attacks have to be directed towards specific systems, using specialized code. Developing a cyber-weapon thus necessitates having a target in mind. As a defense, you are subject to the weapons the attacker chooses, and a pre-developed cyber-attack may not be equipped to affect the specific systems mobilized against you. But in planning an attack, one has the luxury of picking targets in advance and developing cyber weapons tailored to them. As with the IAF raid, the advantage of target selection is on the side of the offense. The IAF knew what system it needed to take offline in order to succeed and could develop the appropriate cyber-weapon.
With the IAF attack we can also see the likely effect of such offensive orientation. Israel’s exploitation of cyber-warfare required specific knowledge of the target system’s vulnerabilities in order to create a functional weapon against it. The ability of cyber-weapons to undermine traditional defenses makes them a potent force multiplier. As such, states must invest considerable resources both in protecting their systems and in feints and prodding of rival systems. Before a state can develop a cyber-weapon they must first find the vulnerabilities of the targets. But such vulnerabilities can change with every software update, necessitating an environment of perpetual, low-level intrusions. This probing is essential in the development of offensive cyber-weapons, which necessitates continual vigilance by cyber-defences, and the constant research and development of cyber-weapons.
Despite this rush to offensive capability, cyber-warfare does not escalate conflict in instances such as the IAF attack. The threshold for conventional warfare is breached by the conventional assault (the bombing of the suspected nuclear facility in this case) and not the cyber-attack. In such multi-domain attacks, therefore, the escalatory act is not cyber-warfare, even if the cyber-attack alone might otherwise have resulted in a kinetic retaliation. To think of it in a different way, if Israel had destroyed Syria’s radar system through cyber-attack without also bombing the facility, Syria may have responded to the attack with conventional means. Although unlikely (given the balance of power between the two nations, and the fact that Syria did not even retaliate for the bombing of its facility), such a response would have demonstrated that Israel had crossed the threshold for conventional war. By using cyber-warfare in combination with air strikes, however, Israel circumvented the question of threshold by establishing the conflict within conventional warfare.
One final note on Cyber-weapons as a force multiplier. As discussed above with regards cyber-attacks on Estonia, broad based cyber-warfare could create chaos within a nation’s population and aid in its conquest. Such an indiscriminate weapon could, in theory, escalate the conflict beyond that of the ongoing conventional war. But as discussed in regards Sharma’s argument above, such a broad attack is unlikely to be potent enough for such an escalation, and can be circumvented as in the case of Estonia. Rid summarizes this as a “problem of generics.[17]” Here he posits a conundrum that the more generic or broadly scoped an attack, the less powerful it is likely to be. Finally, if a substantial weapon against civilian populations were to be developed, their use would likely fall under similar strategic guidelines as bombing civilian centers or infrastructure. Schelling describes the dual principles of “counterforce” and “no-cities” as buffers that protect, to some extent, civilian populations.[18] As the cyber domain is more fully developed in warfare, the separation of military networks from civilian is likely. As a result, attacks against civilian network infrastructure is less likely both because attacks will be focused on military advantage, and because attacks on civilians is likely to escalate the war unnecessarily and remove the last vestige of deterrence within the war.
Stuxnet
Not long before Operation Orchard, the United States was reportedly considering its own foray into cyber-warfare. Unhappy with continued growth in Iran’s nuclear program, and lacking the international support for decisive action, the Bush Administration, allegedly with the assistance of Israel, began to devise a cyber-strategy in 2006.[19] The plan, code named “Olympic Games,” didn’t start paying dividends until 2009, when the virus began spreading around the Natanz facility. But its purpose remained a mystery until September of 2010, well after it had been discovered and its exploits patched. Stuxnet, as it came to be known, was a different kind of virus. Its principle purpose was not information theft, denial of service, or even hijacking systems. Instead, Stuxnet searched every computer it infected for very specific software, running a specific number of devices, at a specific speed. These finely tuned parameters, it was later discovered, were designed to ensure that it hit only a specific target: centrifuges at the Natanz nuclear facility. This unique worm then subtly manipulated Programmable Logic Controllers (PLCs) to run the centrifuges at speeds outside of safe parameters without alerting scientists in the facility. The result was the destruction of thousands of centrifuges, setting the Iranian nuclear program back months if not years.[20]
To this day, Stuxnet remains the only known weapon of its kind. But even without other examples, the potential of such weapons is easy to see. Stuxnet illustrates the second type of cyber-warfare which we can expect to find: a single domain weapon, used in isolation to achieve a goal. Such weapons are by nature offensive. Much as with Operation Orchard above, the need for specification of target limits such uses to offensive first strikes. As a potential defense, standalone cyber-attacks cannot conceivably repel an offense, except, perhaps for one confined entirely within the cyber domain. This inability to defend a state from any conventional attack necessarily implies the offense dominance of the weapon.
The question arises, however, as to whether or not such offense dominance, in this case, creates the instability predicted above. On its face, the ability to strike with isolated cyber-attacks does not create a resulting need to strike your opponent first. But the offensive orientation of cyber-weapons still creates instability in two ways. Initially, attacks like Stuxnet cannot be created from nothing. As with the example above, targeted cyber-warfare relies on exploiting vulnerabilities. Stuxnet alone contained four ‘zero-day’ exploits; rare, undiscovered flaws in software which anti-virus software often can’t detect[21]. Discovering such exploits, as well as determining delivery systems, means of viral reproduction, and finding the systems to attack (in the case of Stuxnet, the PLCs) require constant probing of target systems. Attacks like Stuxnet should thus not be understood as a singular attack, but are instead the result of continual and relentless probing and assault. The ability to strike, in other words, is predicated on a pattern of constant, low-level attacks.
Secondly, the story of Stuxnet exemplifies the cyber first-strike doctrine. Although the race to first strike does not result from the fear of being cyber-attacked, the relatively low risk involved reduces the cost of first-strike. Threats that previously required forceful intervention now have a much lower threshold, and cyber-warfare may be a means to strike at a threat before it escalates to the level of physical conflict. This was undoubtedly the logic of the Bush Administration (and continued by the Obama Administration). The threat of a nuclear armed Iran could draw the United States or its allies (namely, Israel) into conventional conflict, especially if preventive air strikes were used, as in the case of Syria. Stuxnet provided an alternative with a significantly lower chance to cause conventional retaliation. As such, the US and Israel were able to attack the Iranian nuclear program much sooner than if they had relied on conventional intervention.
Stuxnet must also be understood as a doctrinal and technological leap in cyber warfare. For the first time, a virus demonstrated the capability of destroying hardware. Far from taking over operations or disabling systems by overload, Stuxnet could seek out specific hardware and force it to fail. But as revolutionary as Stuxnet was, it wasn’t terribly ambitious. Although it is impossible to know precisely what further capabilities Stuxnet’s designers might have considered exploiting, it is conceivable, and indeed likely, that the code could have been tailored to more catastrophic ends, possibly even to the destruction of the Natanz facility entirely.
Why then did the US and Israel aim so low? As hypothesized, the answer lies in the boundaries created by the threshold of conventional warfare. The relative weakness of most cyber-attacks, and their non-lethality, are by design. While a few thousand destroyed centrifuges likely left Iran embarrassed and in search of retribution, the means of the attack left them with few options. Iran has not officially retaliated for the Stuxnet attack, although many suspect their involvement in bombings of Israeli citizens and installations abroad,[22] as well as low level hacks of US financial institutions.[23] Still, that Iran did not retaliate militarily is indicative of the fact that such cyber-attacks operate below the threshold of conventional warfare. Adam Liff similarly finds that cyber-attacks may in fact reduce the likelihood of kinetic warfare by operating below this threshold.[24]
That is not to suggest that all cyber-warfare operates below that threshold. On the contrary, the US almost certainly flirted with the boundaries in the Stuxnet attack. The relative power of the US likely also played a major role in Iran’s decision to not openly retaliate. If Stuxnet had been built to cause more damage, however, it might have crossed that threshold for Iran. If the weapon had, for example, destroyed the site, killing the scientists inside, Iran might have had no choice but to attempt military action. Nor would such a response be unthinkable. The United States itself maintains a right to respond to cyber-warfare with all military means.[25]
The crafting of the Stuxnet virus thus illustrates an important point about cyber-warfare. Conducting an isolated cyber-attack beyond the threshold for kinetic response would be pointless and foolhardy. If a cyber-attack is likely to induce a kinetic retribution from the target nation, the attacker would be best served by coupling the cyber-attack with his own conventional assault. To declare a conventional war through cyber-warfare alone is to cede the advantage of first-strike to your opponent. Rather, if one intends to initiate conventional war via cyber-attack, the initial strike should be cross domain, accomplishing the goal of the cyber-attack while also seizing the initiative in the inevitable kinetic conflict. In this way, the threat of a kinetic response creates a natural threshold which limits the escalation of cyber-warfare. Although this threshold is far more vague than Schelling’s nuclear threshold, it is no less real. Just as with all thresholds, the cyber threshold will be felt out over time through precedent and convention.[26] But howsoever the precedent falls, it will create the upper boundary for cyber-warfare as described above.
CONCLUSION
Through these two examples, we can begin to see the order and structure of cyber-warfare within the greater constructs of warfare in general. While cyber-attacks are similar to nuclear weapons in their offensive orientation, the bounds of threshold force them into a much different role. Whereas the raw power of nuclear weapons places them atop the strata of warfare, the relative weakness of cyber-warfare places it at the bottom. The threat of physical retribution creates a ceiling for cyber-warfare, beyond which attacks will necessarily be combined with kinetic action. This threshold does not discredit the potency or potential of cyber-weapons. On the contrary, cyber-warfare as a force multiplier can be the difference between success and failure, and as a standalone weapon it has proven capable of achieving limited goals.
While isolated cyber-warfare has a natural ceiling, it does not have a floor. Instead, low-level cyber-attacks must be ever present. The offensive nature of cyber-warfare, coupled with the need to tailor cyber-attacks to specific targets, creates an unstable environment of constant war. Although these attacks will seldom rise to the level of national news, let alone international conflict, they will need to be monitored, mitigated, and defended against as much as possible. Even seemingly insignificant attacks can be a precursor to a larger assault, and states must create cyber programs in order to remain ahead of potential adversaries. Just as with nuclear weapons, nations wishing to compete in the cyber arena (and non-competition may not be possible) will need to maintain extensive capabilities. But as nuclear power created a pinnacle of warfare, the internet age has created its foundation. And where the former has becomes a stable deterrent, the latter is bounded chaos.
Author: Michael Ongstad
Michael Ongstad is a recent graduate from the University of St Andrews International Security Studies Master’s program. His research has focused on the role of hacking and cybersecurity in international relations, warfare, and defense policy. Michael has almost a decade of experience in politics and policy as a political speech writer and later contract policy analyst for the Defense Privacy and Civil Liberties Office. Michael is currently looking for opportunities to further pursue his interest in cybersecurity policy.
All credits go to the author.
Bibliography
Adee, Sally. ‘The Hunt for the Kill Switch’. IEEE Spectrum 45, no. 5 (2008).
Beidleman, Scott. ‘Defining and Deterring Cyber War’, 2009.
Bronner, Ethan. ‘Israel Says Iran Was Behind Bombs in India and Georgia’. NY Times. 13 February 2012. http://www.nytimes.com/2012/02/14/world/middleeast/israeli-embassy-officials-attacked-in-india-and-georgia.html?pagewanted=all.
Capaccio, Tony. ‘US General: Iranian Cyberattacks Are Retaliation For The Stuxnet Virus’. Business Insider, 18 January 2013. http://www.businessinsider.com/iranian-cyberattacks-retaliation-for-stuxnet-virus-2013-1?IR=T.
Clausewitz, Carl von. On War. Translated by J.J. Graham. London: 1909. Kindle Edition.
Dehghanpisheh, Babak. ‘Attacked by “Flame”: Will Iran Retaliate for the Latest Cyberassault?’ Time, 29 May 2012. http://content.time.com/time/world/article/0,8599,2115970,00.html.
Fulghum, David, Robert Wall, and Amy Butler. ‘Israel Shows Electronic Prowess.’ Aviation Week & Space Technology, 25 November 2007.
Garrie, Daniel. ‘Cyber Warfare, What Are the Rules?’ Journal of Law and Cyber Warfare 1:1 (2012).
Hughes, Rex. ‘A Treaty for Cyberspace.’ International Affairs 86, no. 2 (2010).
Libicki, Martin. Crisis and Escalation in Cyberspace. United States: RAND Corporation, 2012.
Liff, Adam. “Cyberwar: A New ‘Absolute Weapon?’ The Proliferation of Cyberwarfare Capabilities and Interstate War,” Journal of Strategic Studies, 35:3 (2012).
McConnell, Mike. ‘Cyberwar Is the New Atomic Age.’ New Perspectives Quarterly 26, no. 3 (2009).
OECD (2012), “Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy,” OECD Digital Economy Papers, No. 211. http://dx.doi.org/10.1787/5k8zq92vdgtl-en.
Rid, Thomas. Cyber War Will Not Take Place. Kindle Edition. United States: Oxford University Press, USA, 2013.
Sanger, David E. ‘Obama Ordered Wave of Cyberattacks Against Iran.’ NY Times. 1 June 2012. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=2.
Schelling, Thomas. Arms and Influence. New Haven: Yale University Press, 1966. Kindle Edition.
Sharma, Amit. ‘Cyber Wars: A Paradigm Shift from Means to Ends.’ Strategic Analysis 34, no. 1 (2010).
Westby, Jody. ‘Cyber War vs. Cyber Stability.’ International Seminar on Nuclear War and Planetary Emergencies — 42nd Session, August 2009.
White House. “International Strategy for Cyberspace,” The White House, (May 2011).
Xinbo, Wu. ‘Agenda for a New Great Power Relationship’. The Washington Quarterly 37, no. 1 (2014).
Zetter, Kim. ‘How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History’. Wired.com, 7 July 2011. http://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/all/.
[1] Daniel Garrie, “Cyber Warfare, What are the Rules?” Journal of Law and Cyber Warfare 1:1 (2012). 3.
[2] Although there is a danger of over-defining cyber terms to the point of infinite recursion, it should be noted that a computer is not simply an electronic box with a screen. The Oxford English Dictionary provides a good, broad definition: “An electronic device which is capable of receiving information (data) in a particular form and of performing a sequence of operations in accordance with a predetermined but variable set of procedural instructions (program) to produce a result in the form of information or signals.”
[3] Amit Sharma, ‘Cyber Wars: A Paradigm Shift from Means to Ends’, Strategic Analysis 34, no. 1 (2010). 7.
[4] Sharma, “Cyber Wars,” 9.
[5] Jody Westby, ‘Cyber War VS. Cyber Stability,’ International Seminar on Nuclear War and Planetary Emergencies — 42nd Session, August 2009.
[6] Martin Libicki, Crisis and Escalation in Cyberspace (United States: RAND Corporation, 2012). 13.
[7] Kim Zetter, ‘How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History’, Wired.com, 7 July 2011, http://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/all/.
[8] Carl von Clausewitz, On War. Translated by J.J. Graham (London: 1909) Kindle Edition. 38.
[9] Thomas Rid, Cyber War Will Not Take Place, Kindle Edition (United States: Oxford University Press, USA, 2013). 1.
[10] Rid, Cyber War. xiv.
[11] Rid Cyber War. 37.
[12] Thomas Schelling, Arms and Influence, (New Haven: Yale University Press, 1966), Kindle Edition. 244-245.
[13] Schelling, Arms and Influence. 109-115.
[14] Although there isn’t the room here to discuss it in full, I would be remiss to not mention the necessity of a second strike capability in creating this stability. As it pertains to cyber-warfare, it will have to suffice to say that the proliferation of computer technology assures the capability for second strikes.
[15] David Fulghum, Robert Wall, and Amy Butler, ‘Israel Shows Electronic Prowess’, Aviation Week & Space Technology, 25 November 2007.
[16] Sally Adee, ‘The Hunt for The Kill Switch’, IEEE Spectrum 45, no. 5 (2008).
[17] Rid, Cyber War. 50.
[18] Schelling, Arms and Influence. 192-198.
[19] David E. Sanger, ‘Obama Ordered Wave of Cyberattacks Against Iran’, World / Middle East, 1 June 2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=2.
[20] Zetter, “How Digital Detectives Deciphered Stuxnet.”
[21] Zetter, “How Digital Detectives Deciphered Stuxnet.”
[22] Ethan Bronner, ‘Israel Says Iran Was Behind Bombs in India and Georgia’, World / Middle East, 13 February 2012, http://www.nytimes.com/2012/02/14/world/middleeast/israeli-embassy-officials-attacked-in-india-and-georgia.html?pagewanted=all.
[23] Tony Capaccio, ‘US General: Iranian Cyberattacks Are Retaliation for the Stuxnet Virus’, Business Insider, 18 January 2013, http://www.businessinsider.com/iranian-cyberattacks-retaliation-for-stuxnet-virus-2013-1?IR=T.
[24] Adam Liff, “Cyberwar: A New ‘Absolute Weapon?’ The Proliferation of Cyberwarfare Capabilities and Interstate War,” Jounral of Strategic Studies, 35:3 (2012). 408-409.
[25] “International Strategy for Cyberspace,” The White House, May 2011. 14.
[26] Schelling, Arms and Influence. 135.