Nowadays, “cyber” is used mainly as a prefix for other words that converts anything to something to do with the internet, such as cybercrime, cyberbullying, Cyber Monday, and our topic, cyberwar. The etymology of “cyber” derives from a defunct area of research concerned with feedback mechanisms in animals and machines. The field was named “cybernetics,” an early forerunner to artificial intelligence. Cybernetics and the root word “cyber” became associated with robots in the public imagination in the years following its inception. “Cybermen” were a race of humanoid robots appearing in Doctor Who (1966). The “Sirius Cybernetics Corporation” was the primary manufacturer of androids, robots, and autonomic assistants in The Hitchhiker’s Guide to the Galaxy (1978). “Cyberdyne Systems Corporation” created Skynet, the antagonistic artificial intelligence in Terminator (1984).
The neologism, “cyberwar,” wasn’t introduced until 1987 in an article published by OMNI Magazine. The article described future battlefields littered with robot carcasses which leans heavily toward cybernetics. However, at this time, “cyber” and its association with robots had waned as artificial intelligence took prominence in academia and popular culture. A modern conception of “cyber” better aligns with the notion of “cyberspace,” which first appeared in the late 1960s and was popularized in fiction by the novel Neuromancer (1984). Neuromancer described cyberspace as a “consensual hallucination experienced daily by billions of legitimate operators.” The description of what would become the internet is not far off the mark, nor does it fail in describing aspects of cyberwar.
In 1993, RAND Corporation published a perceptive article titled Cyberwar is Coming!, which purged robots (and their carcasses) entirely from warfare and replaced them with a vision of war that included a modern conception of cyberspace. The authors (John Arquilla and David Ronfeldt) anticipated the challenges of future war in a connected world and laid out two scenarios: “cyberwar,” and “netwar.” According to Arquilla and Ronfeldt, cyberwar operates at a military level, “disrupting, if not destroying, information and communication systems” to subvert the ways an enemy knows and defends itself. Netwar operates at a societal level and combines propaganda and media manipulation for “low-intensity…. societal-level conflicts.” In other words, both are nonconsensual hallucinations that create a fog to effectively confuse an enemy and its population by destroying and undermining economic, social, governmental, political, and military activities.
Still, “cyberwar” is tough to intellectualize because it is meant to invoke a new word with a divergent meaning. We cannot merely sample from our experiences in “cyber” and “war” and expect to understand the new term “cyberwar.” Anyone who’s had fruitcake can appreciate how fraught the prosaic act of combining words can be. We must understand the difference between the old and the new to understand the paradigm shift. The misfortunate conflict in Ukraine may serve us in that pursuit by taking an otherwise theoretical discussion and providing tangible insight into what a cyberwar looks like and real-world examples of offensive cyber capabilities.
Years before the Russian invasion of Ukraine, a cyberwar started that is generally believed to be Russian in origin though Russia has denied involvement. In 2014, the Ukrainian elections were interfered with using a phony image of the election results to undermine public confidence in democratic processes. In 2015, a series of attacks on government agencies and media companies culminated in an attack on the Ukrainian power grid, the first time in history that a cyber-attack caused a blackout. The blackout only lasted six hours, but secondary attacks also destroyed hundreds of computers using data wipers. In 2016, a well-orchestrated attack targeted at least eight utilities, including a Kyiv powerplant, which caused another short power outage. This time the goal was to harm humans responsible for restoring power by disabling safety controls. Ukrainian state institutions (e.g., finance and defense ministries and the treasury) were also attacked about 6,500 times. In 2017, NotPetya was a widespread ransomware and data destruction attack impacting hundreds of Ukrainian companies. Adding insult to injury, the companies who paid the ransom did not gain access to their data. Like aspects of the 2015 attacks, NotPetya was designed to destroy, and estimates indicate that 10 percent of computers in Ukraine were wiped.
There are some vital observations we can make about this conflict. The first is that while cyber operations have access to almost any target, creating and deploying cyber weapons is slow and methodical. They require detailed information about a target, something a bomb does not need. Bombs don’t care about the peculiar details of a target. However, unlike a bomb, cyber weapons can spread. A single attack can spread to any computer with that vulnerability, and an attack can span hundreds of thousands of computers if the vulnerability is a zero-day. While this spread is swift, the preparation is not. We find this in Ukraine, where attacks generally occurred in the winter (NotPetya’s payload was delivered in the summer). The rest of the year was spent performing reconnaissance, infiltration, and exploitation. Second, operations in Ukraine played out over many years because cyber operations have few persistent victories, making them difficult to sustain. In other words, networks that go down come back up, and computers that are wiped are replaced, albeit at a significant cost. Progress in a cyberwar is unlike traditional military victories and more like a perpetual, low-intensity virtual counterinsurgency.
Ukraine is a microcosm for this modern warfare, which is a slightly warmer than cold, but not warm global war. Today, the world is in a continuous cycle of a largely uninterrupted cycle of destruction, espionage, sabotage, and surveillance, where cyberspace is in the foreground for geopolitical competition. Countries like Iran, North Korea, China, and Russia can achieve geopolitical goals and avoid provocation using cyber operations. The same is not true for deploying tanks to a foreign capital city. We can see elements of this in Ukraine, where seven years of provocation were not met with force, only sanctions. While other countries may not tolerate what Ukraine tolerated, all countries seem willing to accept some cyber warfare which is problematic for everyone with an internet connection.
The notion of collateral damage in cyberwar is strained beyond repair. Collateral damage has always been an affectless concept for discussing the death of civilians during war. It attempts to conceal the challenges of containment to make combat more palatable for the public. Yet, cyberwar would be difficult to contain even if global leaders weren’t complacent and even if cyber operations didn’t actively target civilian populations and commercial businesses since computer networks know nothing about administrative boundaries. Collateral damage will include companies that are willfully ignorant of cyber security, those who mistakenly think they are immune from an attack because they are too small, uninteresting, or even too virtuous to be a target, and completely innocent individuals who live on the other side of the world. The result of this cyberwar melee may not replicate a “world war.” Still, it reveals something strange––a war in a world where the negligent and oblivious are especially vulnerable to collateral damage.
Consider NotPetya, which caused considerable damage within the boundaries of Ukraine, but most of the $10 billion in damages occurred elsewhere, including the United States. International companies such as Maersk, Merck, FedEx, and Mondelez paid the price for cyberwar, and their global operations were all affected. Their sin was simply doing business with a sovereign nation. Interestingly, cyber insurance companies are determined not to pay damages, citing a policy exclusion for acts of war. Merck was negligent but sued its insurers, who had denied coverage and won. The insurers may be forced to cover the $1.4 billion in losses through the case in appeals. The verdict will force insurers to confront the fallout of cyberwar. Lloyd’s of London has already stated that insurers must make clear that they don’t cover any state-sponsored cyberattacks. Today, insurers are one of the few confronting this problem’s reality. Sadly, it is a topic that receives very little attention. We still have a lot to learn about cyberwar, the most important of which is the cost of ignoring it.