James Lewis is a senior fellow and program director at the Center for Strategic and International Studies.
Start with some definitions: Cyberwar is the use of attacks in cyberspace to erode an opponent's will and capabilities to resist. Cyberterrorism is the use of attacks in cyberspace to create fear and horror in the target population to achieve some political end. We have seen neither, though there have been many successful exploits by our opponents in cyberspace and much damage to our security and economic health.
We have at least two opponents with the ability to launch damaging cyberattacks against the United States—Russia and China. They have probably done the reconnaissance and planning necessary for these attacks, probing American networks for vulnerabilities. But they have not launched them. Why not?
The Russians and the Chinese also have missiles and airplanes they could launch against the United States. Cyberattacks have some similarities to missiles, with long range, the ability to strike an opponent in its homeland, and rapid speed. The Russians and the Chinese are no more likely to launch a cyberattack or start a cyberwar than they are to fire a random missile. We would react violently. No country will take this risk unless necessary. Now, were we to get into a shooting war over the Republic of Georgia or Taiwan, we should expect these opponents to use cyberweapons against our military forces and possibly against civilian targets in the United States. Our opponents in cyberspace have practiced these attacks and tested various kinds of weapons.
Terrorists would take the risk, but there have been no incidents because terrorists do not have the capabilities to launch cyberattacks. They may eventually acquire them, but the notion that they have them and are merely waiting to use them—Osama bin Laden's birthday, perhaps?—is silly.
All advanced militaries have cyberattack capabilities. The Chinese are open about intentions to use them, the Russians less so. An Israeli general recently said that cyberattack gives small countries the same capabilities as big countries. This is true if they are willing to invest in skilled personnel, but big countries have an advantage since they can recruit thousands of potential attackers.
Cyberattacks in war will try to create uncertainty by scrambling or erasing data. They will erode command and control and create uncertainty and political pressure. Cyberattacks will disrupt services that depend on computer networks. There is some potential that a cyberattack could even cause physical damage or destruction, as demonstrated by the Aurora tests at the Idaho National Laboratory in 2007. No one will win a war using only cyberattacks, but they will provide a real advantage to the attacker.
This is because the ways to get advantage in combat have changed. More than 20 years ago, the United States realized that having an advantage in "intangible factors"—more information, better communications, greater precision—was as important as having more tanks or airplanes. Some call it a "force multiplier." Cyber capabilities are a force multiplier. Having an "informational advantage" makes U.S. forces more effective. The people who plan to fight us are looking for ways to undo that advantage. Cyberattack is one.
These are not hypothetical capabilities. Other nations' intelligence services frequently penetrate our networks. So far, they have been more interested in stealing than disruption. But in December 2008, unknown foreign intruders were able to break into Central Command's classified networks and sit there. There are reports that when Israel attacked the alleged Syrian nuclear facility in 2007, it used cyberweapons to disrupt Syrian air defenses (and air defenses, much more powerful when networked, are a good target).
The United States also has advanced cyberattack capabilities, as does Britain. The United States is probably in the top three in terms of cyberwar capabilities. Cyber is just another weapons system, cheaper and faster than a missile, potentially more covert but also less damaging.
We could, of course, say we would never use cyberattack capabilities, or would not use them first, but that idea is inane. There are some weapons whose use we have renounced, such as biological weapons, because they are horrible and contrary to accepted laws of war. Nuclear weapons are so terrible that there is an implicit taboo against their use. But cyberattack is neither terrible nor horrific. Millions could die if bio or nuclear weapons were used. A cyberattack is likely to produce no casualties at all. Why would we give up this powerful tool in a world where we face many opponents who have few scruples and when our own strength is declining?
We may also get defensive benefit from offensive capabilities. An opponent might worry that we would retaliate with our own cyberattack. Other countries fear the new U.S. Cyber Command. They say the United States plans to dominate cyberspace. This is not true, but we can use our cyberwar capabilities to deter potential attackers.
We have not seen cyberwar or cyberterrorism, but that does not mean the threat isn't real. Our opponents are not waiting for a shooting war when it comes to espionage or crime. Russian and Chinese hackers, with the tolerance if not approval of their governments, do this every day. There have been giant losses. If Chinese or Russian hackers backed a truck up to the Departments of State, Energy, and Defense and NASA's headquarters, smashed the glass doors, and carted off dozens of file cabinets, Americans would have a fit. When they did this in cyberspace—and it happened in 2007—America did nothing, not even complain. Some say we lost terabytes of data—as much as you can find in the Library of Congress. And our companies are victims, too—Google, or the hundreds of victims of an unattributed 2009 attack called GhostNet that targeted computers in many nations and infiltrated the Dalai Lama's organization. China, though suspected, denied involvement.
It may not be war, but that doesn't mean we aren't losing.