Does a cyber-attack mean war?
THE FUTURIAN #6
In the Spring of 2022, Taipei experienced a power outage. As with most outages, initially, nobody really knew what was going on. Across the globe in Europe, Russia had recently invaded Ukraine and the fear in Taiwan was that the country was experiencing a cyber-attack of Chinese origin that was the prelude to some form of military intervention. As it turned out, the situation was nothing more sinister than the local power company experiencing a temporary loss of service. However, the event does highlight two things: (a) a general feeling of vulnerability to cyber-attack, and (b) the belief that a more kinetic form of warfare would see a cyber-attack as a prelude to prepare the ground. Are these beliefs reasonable?
The feeling of vulnerability to cyber-attack possibly stems from a widespread insecurity over something that is unknown and not understood. We might believe that computers control everything in our lives, but this belief doesn’t quite stand up to scrutiny. Our lives are controlled by the people who use the computer systems rather than the systems per se. In the absence of a self-aware AI, this situation is likely to continue for some time to come.
If we admit to the human aspect of control and operation, we then fall back upon whether or not we trust those humans. If one side believes that they may be attacked by another, they may try to undertake some form of pre-emptive strike on the other party if there is evidence of a gathering capacity to make that attack. In the physical realm, this can be gauged by the build up of forces. The physical evidence is there. In the cyber world, by way of contrast, that evidence may be lacking and consist solely of an assessment of hostile intent. This gave rise to the situation in Taipei. China has previously stated a hostile intent towards Taiwan, which suggested that a cyber-attack was not beyond the realms of possibility.
Of course, this raises the question of attribution. The cyber realm is one in which hostile actions could quite easily placed within a wrapper that could suggest (a) the attack originated from some actor from a different state, or (b) it had originated from a non-state actor entirely. The question of deception is a little more fraught in the cyber realm because we naturally gravitate towards physical evidence. We might say that, for example, a certain attack might display the characteristics of, say, a North Korean attack vector, but it is much harder to attribute that attack to a North Korean state actor beyond reasonable doubt. It is always possible that the attack originates from elsewhere and is made to appear to be of North Korean origin. This uncertainty causes us to pause for thought.
In recent years, we have seen the rise of a group of hostile actions that are potentially destructive, but fall below the threshold where we can consider a declaration of war has occurred. We like to think of these actions as ‘Hybrid Warfare’. The use of hybrid warfare techniques as a prelude to physical warfare is not entirely new. However, the advent of the cyber world has added another dimension to this. The capacity to obscure and confuse is far greater owing to the lack of physicality within the cyber realm to establish an evidence chain.
This leads on to the degree to which a cyber attack could be a prelude to an attack in the physical world. We use the cyber world to operate much of our lives and a well placed and well delivered cyber attack could compromise much of our ability to respond to a physical attack. For example, if a cyber attack were to freeze, say, the points in a railway network, or confound an air traffic control system, would that be sufficient for a military response? It could be indicative of an impending military attack or it could be a provocation to induce some form of pre-emptive action on our part. In a world in which nuclear weapons still exist and are ready for deployment, this has the potential for something very dangerous indeed.
An interesting question arises over exactly how far a cyber attack would have to go in order to precipitate a military response. If a cyber attack were to, say, interrupt the financial system of the target, would that warrant a military response? If it were to erase the financial records of the target, how about then? If it were to significantly corrupt the financial system of the target, what then? At what point does a cyber attack on a financial system warrant a military response? Equally applies for the critical infrastructure of a nation, or the healthcare system of a nation, or the political system of a nation. Where ought we to draw the line? This uncertainty of response helps to moderate the incidence and severity of cyber attacks. Because things are not clear cut, it is difficult to say how the target would respond.
Another factor to cause hesitation are the second and third order effects of a cyber attack. It is hard to know in advance that the impacts of a cyber attack would be limited to their original target. The attack could bleed into associated systems. An attack on a piece of critical infrastructure could have a knock on effect that is disproportionate to the intended target. This is the type of scenario in which an attack on a set of railway points leads to the derailment of a train carrying, say, nuclear waste that leaks into the surrounding area. That could well lead to a military response.
Equally, the cyber attack might have an impact beyond the target. This is the type of scenario in which, say, a cyber attack on the scientific community in one country leads to the compromise of the healthcare records in another. The first country might decide not to retaliate, but the second might decide to do so. In such ways do unforeseen consequences unfold, much as they did in 1914.
It is not unreasonable to believe that a cyber attack would be a prelude to a military attack. However, if we experience a cyber attack, it doesn’t mean to say that a military attack would be coming. This uncertainty adds to our feeling of vulnerability. To counter it, we need to lessen our reliance upon single source digital systems and to build up our resilience to cyber disruption. If we don’t, we could quite easily mistake a fumbling energy supplier with the big bad bogeyman we have been concerned about for some time.
© Stephen Aguilar-Millan 2022
