« Cyber warfare » and « cyberattacks »: the reality on the ground
“How can cyberattacks paralyse a country?”
by Eric Filiol
IMPORTANT : Article first published in April 2015 but still valid…
Over the last decade, armed forces and their governments all around the world – at the instigation of the United States – have begun to reflect upon the evolution of the war concept and more precisely on cyber warfare. It comes out from their discussions that future wars would mainly take place on digital space: attacks would use malicious codes or zero day exploits. From the perspectives, cyber weapons such as like Stuxnet, Aurora , Duqu, Regin, Babar or GrayFish1 are the most significant and dangerous innovation in the 21 st century.
Barely a day goes by without officials or experts boasting about the unprecedented destructive capabilities of the new digital weapons. Some of them premise an apocalypse. This allegedly “sword of Damoclès” hanging over our heads appears as a pretext for requesting a substantial increase in budget allocation for this new form of warfare. It brings with it paradigm shifts in military doctrine (from strategy to tactics aspects), in military industry sector. This perception also modifies the existing ethical approach to issues of war and peace.
The mass hysteria developed around cyber warfare is supported by various communities (especially the academic one) who wish to take advantage of emerging opportunities in the global cyber security market [1]. Indeed, this conception of cyber warfare is illusory, wrong and even dangerous insofar it puts aside many unsolved essential security issues that will undoubtedly make our societies vulnerable. This view is a heresy enhanced by opportunistic and blind people.
Let us have a closer look at the dangers associated with this view:
The digital dimension –term more appropriate than the word “cyber” which was awkwardly borrowed from the Wiener’s works [2] – of modern wars in only an additional dimension within the Art of War but in no case, it can be considered as the sole dimension. The essential act of any war is to capture enemy’s resources and to have an ultimate impact on the real sphere. The scenario was the same when aircrafts and air forces were used for military purposes early in the 20th century; there were first a strong belief that military aircrafts were a wonderful opportunity to achieve and maintain complete battlefield supremacy.
The historical events showed that, contrary to the expectations, military aircrafts were essential to win air battles but not wars and that it was just an additional dimension to naval and ground forces. Recent historical events clearly demonstrated that American air strikes were simply not sufficient to win the war against Daesh in Syria for example.
The same scenario is in play with cyber warfare and this time again, it will be an additional dimension to land, air and sea warfare.
Contemporary conflicts (for instance, in Ukrainia, Irak, Syria, Africa) and the ever-growing terrorist threat show that conventional wars take precedence over cyber warfare. The cyber dimension is only a supporting player in the theater of war.
Paradoxically, cyber wars take place during “peacetime” periods and mainly involve protagonists from the G-20 member countries. In this context, digital attacks happen in countries in dispute (state vs. state conflicts like China vs. the United States, Russia vs. Nato..) that causes a permanent state of global instability. Cyberwar is bound to be more a peacetime war.
Digital attacks are a real threat but large-scale attacks in the real life proved to be inefficient. A successful digital large-scale attack on a computer fleet or a SCADA system requires that, at the same time the attack is launched, there are a number of machines containing the same exploitable flaws or being in a suitable insecure state. However in real life, even if we consider a homogeneous fleet of computers, the rate of variability among computers is high enough to limit the effectiveness and scope of these attacks. Moreover, the delay between the intelligence phase (detecting a potentially exploitable vulnerability) and the maneuver phase (really exploiting the vulnerability) may be too long to insure that the vulnerability will still be exploitable. No experimented chief of war would base his general maneuver on such an uncertainty.
Stuxnet : really successful ?
If we look closer at the famous Stuxnet malware (often quoted as an example) and at the result of its code analysis (which clearly shows the way it was intended to run), there is no evidence that the Stuxnet attack was really successful. According to Iranian officials, the attack was effective but given the historical context in Iran during that time, it cannot be ruled out that Iranians had a vested interest in making believe that their nuclear program was delayed by Stuxnet. This is a typical example of what NATO countries call “InfoOps” (information operations), an area which is unfortunately not taken sufficiently into account in cyber warfare.
Unlike conventional attacks whose effects can be mostly contained and forecast, cyberattacks may have extensive and unpredictable consequences even for attackers2. Over time, the Internet has become an integral part of our lives but in the meantime, it has grown complex and today no one would be able to draw an exhaustive functional map due to its size, complexity and ever changing structure.
As an illustration, over the first months of the US intervention in Afghanistan, the American Headquarters planned to carry out an attack against the Afghan phone networks (mobile phone mast) as the mobile phone networks were a key battleground in the war against the Talibans. As the damages on the infrastructures would have prevented American soldiers to make personal calls, the operation was cancelled for fear of lowering the soldiers’ morale (while abroad, military personnel, when not in duty, mostly use local infrastructure for their private communications).
From a human, ethical and philosophical point of view, the concept of cyber warfare, as it is seen today, ultimately aims at calling into question the traditional ethics of the war: as a first rule in a conventional war, all soldiers are equally vulnerable and equally innocent; soldiers play a fair game: as a principle, they kill enemies and accept to be killed. As a second rule, in a conventional war context, protagonists are military experts who strike military targets.
In contrast to conventional/classic war, cyber warfare is essentially asymmetric: attacks are perpetrated by the few upon the many and no differentiation is made between soldiers and civilians.
Attackers are also all powerful whereas civilians are vulnerable targets… (see Part.2)
Image par ThePixelman de Pixabay