The UK is “at war every day”, the country’s chief of the defence staff, General Sir Nick Carter, recently declared. The reason for Carter’s rather bleak assessment is the proliferation of cyber attacks against Britain’s information networks, and other aggressive but non-violent actions (such as disinformation campaigns) from rival states. He further claimed that the distinction between war and peace has broken down, as competitors increasingly ignore established norms of acceptable behaviour.
Although Carter is right that cyber attacks are a threat to national security, to describe them as war is problematic. War is a distinct activity, with a particular nature. But most cyber attacks are a kind of non-military activity that falls under the broad banner of “grand strategy”.
To be sure, Carter is right that warfare is always evolving in line with technology. But our common definitions of the nature of war still largely exclude cyber attacks. War is best defined by the scholar of international relations Hedley Bull as “organised violence carried on by political units against one another”.
And as 19th-century Prussian general Carl von Clausewitz wrote, war “is a clash … resolved by bloodshed – that is the only way it differs from other conflicts”. States engage in various forms of competition, even conflict. But without violence, they do not constitute war.
By violence, we mean acts of force that result in physical harm to someone or physical damage to something. In contrast to violent acts, most cyber attacks merely manipulate, steal or destroy digital information, causing, at most, economic costs and inconvenience.
That being said, it is theoretically possible for cyber attacks to result in casualties. An attack on air traffic control could produce many casualties. Alternatively, shutting down a power grid (as with BlackEnergy, an attack on the Ukrainian grid in 2015) could indirectly result in the deaths of vulnerable citizens. But to date there have been no recorded deaths resulting from cyber attacks.
There is one notable case that gives pause for thought: the Stuxnet attack on the Iranian nuclear programme (2009-2010). This involved a computer virus that destroyed centrifuges at the uranium enrichment facility in Natanz, Iran. Although there were no fatalities, this incident demonstrates that physical destruction can result from cyber attacks.
We also need to consider the notion of “cyberharm”. In recent years, some legal experts have proposed that attacks against information networks should be regulated under the international laws of war. Key to this argument is the idea that information networks are so essential to modern life that to be without them causes harm – cyberharm. Should this principle be made part of the law, it would bring information networks into line with other essentials for life, such as water supplies, which are already protected by international humanitarian law.
And yet, despite Stuxnet and the rise of cyberharm, war still seems an inappropriate term to describe the vast majority of cyber attacks. Indeed, rather than identifying a new and ambiguous relationship between war and peace, Carter appears to be discussing different methods of grand strategy. Grand strategy has traditionally been based on four main tools available to states: diplomacy, intelligence, military and economic. Cyber power creates a fifth tool. Only the military operates in the realm of war, although the other tools can be used in support.
From a grand strategy perspective, many of the nefarious activities (including electoral interference) that use cyber means are best categorised as “covert operations”. These actions, which have a long history in international politics, are typically conducted by intelligence agencies. Indeed, cyber power has traditionally been under the control of intelligence agencies. In Britain, the National Cyber Security Centre (NCSC) exists within intelligence agency GCHQ, while in the US, Cyber Command is still closely associated with the National Security Agency.
Why does this all matter? What could be the consequences of expanding our understanding of war? First, there is the danger of escalation to physical forms of attack. If we define cyber attacks as acts of war, then we may feel justified in responding with physical violence. In this way, the threshold for resorting to violence is lowered. For example, in the 2018 Nuclear Posture Review, the Trump administration threatened a nuclear response to non-nuclear strategic attack against critical US infrastructure.
What’s more, war has consequences. In war, governments may feel justified in restricting certain freedoms, diverting resources and expecting certain sacrifices from the population (both in and out of uniform). There is also the danger of “alert fatigue”. If a society is constantly in a state of war, then people’s senses may become dulled to genuine existential threats when they appear. Cyber attacks are a threat, but not an existential threat to the nation.
Treating cyber attacks as a form of warfare means seeing too much novelty in the new cyber domain. Certainly, the technology and techniques of statecraft are changing, but states have always conducted different competitive activities across the entire range of grand strategy.
Cyber attacks can be used in support of military operations. The 2007 Israeli air attack on the Syrian nuclear facility at al-Kibar is suspected to have included cyber attacks on Syria’s radar system. But cyber attacks are more commonly used in non-violent covert operations, including espionage, sabotage, propaganda, etc. Certainly, cyber attack is a security threat that must be addressed. But, in the absence of violence, it does not constitute an act of war. And so cyberwar is a term we should reject.