The Russia-Ukraine conflict could trigger a massive cyberwar, New Scientist surmised. An unprecedented cyberwar is likely, Senator Marco Rubio warned. The hacker group Anonymous has allegedly launched a cyberwar against the Russian government.
Cyberwar sounds bad—and it is. Broadly, it names the global threat of combat mixed with computer stuff. But further explanations of its risks tend to devolve into disconcerting shopping lists of vulnerabilities: our power grids, water-treatment plants, communications networks, and banks, any of which could be subject to shadowy, invisible incursions from half a world away. This murky and expansive threat can even be expanded further, until it’s covering everything, including espionage, disinformation, and attacks on computer infrastructure. Cyberwar is coming! If you’re going to worry about it—and you should probably worry about it—then what, exactly, should you be worried about?
In all other matters, cyber-anything has long since fallen out of use; it’s now a shibboleth for those who have failed to stay abreast of online culture. (Remember how it sounded when Donald Trump went off about “the cyber” on TV?) Back in 1993, when the word cyberwar, as it’s used today, was coined, the prefix had more currency. That year, the Rand Corporation published a pamphlet called Cyberwar Is Coming!, by the international-politics analysts John Arquilla and David Ronfeldt. Their premise was simple: The information revolution would alter the nature of armed conflict, and new language would be needed to describe it.
To clarify the future risks, they laid out two scenarios, each of which would get its own moniker: There was cyberwar, and also netwar. The latter—with its dated reference to the “net”—feels even more anachronistic than “the cyber,” but the idea is surprisingly contemporary. For Arquilla and Ronfeldt, netwar is a social and commercial phenomenon. It involves conflicts waged via networked modes of communication, and is closest to what people call “disinformation” today. When one group attempts to disrupt the knowledge another group has about its own members and social context, by means of messages transmitted via networked communication technologies, that’s netwar.
At the time, Arquilla and Ronfeldt imagined netwar mostly as a state-based activity, and one that could unfold over any communications network. (It did not have to involve the internet.) The United States engaged in netwar with Cuba, for example, via Radio Televisión Marti, a Miami-based broadcaster funded by the U.S. federal government to transmit in Spanish to Cuba. State-run newspapers could also prosecute a netwar, along with surveillance systems that intercept or prohibit certain telephonic or electronic messages.
But Rand also imagined another kind of netwar, one fought between “rival non-state actors, with governments maneuvering on the sidelines to prevent collateral damage to national interests and perhaps to support one side or another.” Arquilla and Ronfeldt called this type of netwar “the most speculative,” but it’s one we can see quite clearly now. When social-media platforms such as Facebook and technology companies such as Google started storing and surfacing information at massive scales, those platforms became the levers that pulled ideological conflict. Governments such as Vladimir Putin’s Russia can, and do, deliberately manipulate those mechanisms in order to produce or worsen social rifts. Other state actors have struggled to stop or even detect those measures, especially when they can’t exert much control over wealthy, global businesses.
Today, netwar has been replaced by disinformation, but distinguishing between the two ideas is useful. Disinformation was a neologism of the Cold War, a loan word from the Russian dezinformatsiya, which refers to targeted propaganda—messages whose meaning is intended to deceive. Netwar refers to the manipulation of communications networks themselves. The ease of creating and disseminating messages has radically increased, mostly thanks to the global conquest by technology companies that promote information flow in order to monetize attention around it. Netwar strategists learn how to use those platforms effectively. Netwar tactics might deploy disinformation campaigns, but not necessarily. The content of the messages might seem innocuous, but their frequency, sources, delivery, and spread might not be.
But computers do much more than deliver human-readable information. They also use information to operate things, such as dams and payment systems. When an aggressor purposely disrupts those systems, that’s cyberwar.
Military operations have always deployed tactics to take out roads and bridges, airports and factories. Such action can disrupt military operations themselves, or it can destabilize the cultural and economic center of its targets. But nowadays, almost everything is operated by computers. Not just communications systems such as telephony and news media, but vehicles, power plants, and banking systems. Worse, many of those systems are connected to the internet, making them far more vulnerable to attack than they would have been a generation ago (or even more recently). Your car, which is run by computers, might be capable of downloading software updates, which means it could be disabled remotely. Your doorbell might be a computer now, and if so, it’s probably an insecure one, such that botnets could use it as an intermediary for distributing or activating malware to carry out attacks on more crucial targets.
As opposed to netwar, Arquilla and Ronfeldt saw cyberwar as a fundamentally state-based activity. That’s not because governments are the only entities that can carry out computerized attacks; rather, it’s because state-based conflicts might benefit from cyberwar strategies. One line in the Rand paper sums up the idea with both lucidity and terror: “As an innovation in warfare, we anticipate that cyberwar may be to the 21st century what blitzkrieg was to the 20th century.”
The precedents for cyberwar have been hard to catalog, in part because the agents that carried them out have been difficult to identify. A 2007 DDoS attack (which overwhelms a computer with traffic) on Estonian websites appeared to retaliate against the country’s removal of a Soviet statue. A similar attack preceded the Russian invasion of Georgia in 2008, a pretty clear example of cyberwarfare as an infotech blitzkrieg, but one that didn’t make a mark, because of the former Soviet republic’s relatively low internet adoption. In 2010, a U.S. and Israeli partnership deployed a computer worm known as Stuxnet, which took down Iranian facilities that were believed to be enriching nuclear weapons. There are others.
But the most legitimate, identifiable example of cyberwar remains largely singular: the Russian malware attack on Ukrainian energy utilities in 2015, following the seizure of Crimea the year before. The effort very briefly took out electricity to hundreds of thousands of people. Related efforts followed, targeting Ukrainian banks, transportation infrastructure, and ports. Those incursions were, and remained, mostly a warning: Cyberwar was now possible in earnest.
This week’s Russian invasion of Ukraine has not yet, as far as we know, involved a major cyberattack. But the Crimean precedent, combined with Putin’s threats against anyone who might intervene, has made cyberwar a global issue. Proximity doesn’t matter. At any time, at least in theory, your bank accounts, your power, your waterworks, and everything else might seize up. The result could be catastrophic.
In 1993, Arquilla and Ronfeldt’s prediction of a “transformation in the nature of war” might have seemed a step too far. The prior transformation in the nature of war had developed from the deliberate, planned accrual of nuclear weapons by a select few superpowers: an active buildup of strategic arsenals. The threat of cyberwar, by contrast, has more to do with a global stockpile of vulnerabilities, amassed by accident as a by-product of continued innovations in connectivity. In the end, the sensation is the same: a foreboding feeling of pervasive, imminent risk. Cyberwar is real.
Suggested countermeasures, both for netwar and for cyberwar, have lately made the rounds. We’ve been advised to slow our news sharing and consumption: Stop, investigate the source, find better coverage, and trace claims, the misinformation researcher Mike Caulfield suggests in a model he calls SIFT. At the same time, IT departments are issuing reminders to keep our systems up-to-date and watch out for phishing emails. But these individual and local efforts go only so far. A single, introspective social-media clicker can’t do much to slow the spread of lies, and even wised-up employees can’t plug the security holes created by connected gadgets.
The risks of netwar and cyberwar are consequences of convenience. Communications networks became widespread, delivering previously unthinkable quantities of bespoke content instantly. As they ballooned and megascaled, they offered more opportunities for exploitation that might affect larger populations much more rapidly. Meanwhile, business and government operations elected to take on new vulnerabilities in their computer infrastructure in order to win operational conveniences. Those conveniences once seemed worth it. Not anymore.