By Paolo von Schirach –
WASHINGTON – We are at war. Aggression which one day can take devastating dimensions is targeting America on a daily basis. I am talking about cyber warfare. Unfortunately, it is very hard to label cyber war as “war”, simply because it is vastly different from the “conventional war” we are used to study, discuss and prepare for.
Sadly, our ability to think intelligently and proactively about this potentially fatal form of aggression is seriously hampered by our old-fashioned categories. Much to our disadvantage, when it comes to warfare, we are still prisoners of largely obsolete concepts, scenarios, international law definitions, strategies and tactics that do not allow us to fully comprehend the extent of unconventional warfare, in particular cyber war.
The UN Charter allows self-defense
All students of international law know that Article 51 of the UN Charter clearly affirms the right of self-defense that can be exercised by any UN Member, irrespective of any action that may or may not be taken by the UN Security Council to deal with that specific breach to international peace. It sounds right. Self-defense is an inherent right of all sovereign nations. Except that Article 51 specifies that self-defense is justified “if an armed attack occurs”.
And here –in this narrow and quite frankly obsolete definition– is our problem. This classic definition indicates that an illegitimate war of aggression has occurred if and when there is an “armed attack”. And we know what that is. This is Pearl Harbour. This is Nazi Germany moving into Poland on September 1, 1939. We picture armies shooting their way across internationally recognized, sovereign boundaries. We know a war of aggression when we see one.
Deliberate obfuscation in semi-conventional conflicts
But today we are confronted with a vastly different universe when it comes to warfare. Even when we are dealing with quasi-conventional conflicts, in recent years the lines have been deliberately blurred by bad actors who do their best to muddy the waters, with the goal of denying responsibility for their actions.
Indeed, Crimea was taken over in 2014 not by the Russian Army but by “Green Men” whose uniforms did not have any insignia. Likewise, officially no Russian forces are taking part in the bloody conflict in the Donbas region in eastern Ukraine. The Iranians have proxy forces in Iraq and Syria, trained and armed by them. But they are not technically part of the Iranian Army. And we could go on and on.
When there is no armed attack
While it is not that complicated to see through these disguises in semi-conventional conflicts, when it comes to cyber operations, cyber attacks, and cyber terror, we are in uncharted waters. To start with, it is often hard to determine that there was an attack, let alone who the attacker is. Whatever they are, these actions are not “armed attacks” as defined by Article 51 of the UN Charter, and as most practitioners think about acts of aggression.
We do not recognize cyber war as war
And here is our main problem. Our weakness as a society, and I suspect this includes key policy-makers, is that we have a psychological resistance in recognizing that cyber attacks are pure “acts of war”, simply because they do not look like the conventional aggressive military operations we are used to.
Furthermore, since cyber war is relatively new, we still do not have the intellectual and technical tools to fully comprehend the extent of this threat, and how devastating large scale cyber attacks could be. Are we talking about a few cyber probes here and there? Are we talking about discreet actions of cyber theft or cyber espionage? We know about all of them. But is this really war? Yes, it is.
Prepare for the worst scenario
And it will get worse. Count on it. There will be new, stealthy and deadly tools. It would be foolish, if not criminally negligent, not to think about all this and try to prepare for the absolute worst. I mean well coordinated cyber attacks that could cripple our country, (for instance, attacks that would completely and permanently disable our national power grid), without a single shot being fired by enemy forces.
And here is our problem. Right now we are at the very beginning of a very dangerous new era in which cyber tools are used as weapons. To date, aggressive cyber capabilities are probably still relatively modest. But they will inevitably grow, along with the growth of cyber science and the numerous new applications that will be created. And the temptation to do bad things is very strong. Hostile forces can always hope to hide behind anonymity.
We sort of know all this. But in a rather nebulous way. Most of all, there is no real sense of urgency, most likely because these acts of aggression take place in this intangible cyber space, whose dimensions and relevance are generally unknown to most of us and that would include policy-makers who do not have the sophisticated technical background that would allow them to immediately grasp the dimensions of this ominous threat.
So, here is our challenge. How do we mobilize all relevant policy and scientific resources against a war we are already involved in that does not look at all like the wars we are used to? How do we mobilize and sustain national efforts aimed at countering invisible cyber attacks that may soon be replaced by much bigger, perhaps fatal attacks?