Cyber war is real war

Of all the domains of defence today – sea, land, air, space and cyber – cyber is the most recent and the least understood.

What is important to grasp is that cyber attacks can cause physical damage, and on a large scale. And, in causing physical damage, they can kill people. 

This article was submitted to the UK Defence Journal by Rebecca Campbell. Rebecca is British and permanently resident in South Africa, where she works as a science and technology journalist, covering, among other things, the aerospace, defence and nuclear sectors.

She has a MA degree, with distinction, in International Relations from the University of the Witwatersrand in Johannesburg. Her thesis was entitled Armed Forces as Instruments of Foreign Policy: Some Case Studies. This paper is entirely her own opinions and does not reflect the views of her employers. Rebecca Campbell is not, and never has been, on Twitter or Facebook.

As early as September 2007, according to the US Centre for Strategic and International Studies, Israel used a cyber attack to disrupt Syrian air defence networks as part of an air strike against an alleged Syrian nuclear facility. The Stuxnet computer worm, discovered in 2010, inflicted physical damage on more than 900 uranium enrichment centrifuges in Iran. In late 2014, a cyber attack manipulated and disrupted the control systems of an unidentified German steel plant, resulting in massive damage to a blast furnace. In December 2015, a cyber attack on Ukraine’s power grid disconnected 30 electricity substations from the grid and cut the electricity supply to 200 000 people for several hours. Physical damage was inflicted on industrial control systems and the 30 affected substations had to be manually operated for several weeks.

Don’t forget that shutting down electrical networks also shuts down wide swathes of the economy and national infrastructure: electric trains cannot run, financial services cannot take place, civilian telecommunications are severely disrupted, hospitals are crippled – and can patients die – traffic control systems go down, and so on.

In all these actual cases, the level of damage inflicted was previously only achievable by the use of strategic bombing. 

But the potential is much wider. Chemical plants are also vulnerable. Cyber attacks which give hackers remote control of the industrial control systems in chemical plants would allow them to disrupt the entire process control system, exceed safety parameters and wreck equipment, accompanied by the spilling of dangerous chemicals and/or the release of poisonous gases, endangering the lives of many, perhaps thousands, of people. That the risk to people is real is shown by the consequences of one of the worst, if not the worst, industrial accident in history.

In December 1984 more than 40t of methyl isocyanate gas leaked from a pesticide plant in Bhopal, India, immediately killing at least 3 800 people, with up to 6 000 more dying in the following few days, and a further 15 000 to 20 000 people suffering premature death over the next 20 years.  And many people who survived, and still survive today, suffered permanent damage to their eyes, as well as their neurological, reproductive, and respiratory systems. Survivors also suffered from genetic damage, with increased levels of chromosomal abnormalities.

It should now be obvious that the military potential of cyber warfare is very real. State-organised and coordinated hacking could attack electricity grids at multiple points simultaneously, overwhelming repair crews, and, at the same time, attack multiple chemical plants and other essential systems. An entire country could be “taken down”, with recovery requiring (depending on the sector of the economy) anything from minutes to months. Now imagine such an attack combined with a simultaneous full-scale conventional assault against that country or a small, weak, ally of that country. The chaos resulting from the cyber attack would pretty much neutralise any military response to such an attack for crucial hours, maybe even days.

Both Russia and China could attack the UK through Cyber warfare, as could countries like Iran and North Korea. In fact, Cyber warfare is the ideal weapon for weaker countries against stronger ones. Because it has global range and can inflict potentially devastating physical damage and loss of life, it can substitute for strategic air power and conventionally-armed ballistic missiles, and at a fraction of the price. Cyber attacks must be guarded against.    

However, protection against Cyber attack is complicated because the sphere of cyber defence embraces the military, civilian government, and civilian commercial realms. Perhaps different terms should be used for each – “cyber defence” for the military realm, “cyber security” for the civilian governmental realm, and “cyber protection” for the commercial realm. Cyber defence would be the responsibility of service personnel (whether regular or reservist or both), cyber security would be handled by civilian government agencies, while cyber protection would involve the private sector with government support. Coordination and cooperation would be required across all three realms. 

As the threat is real, Britain must make serious investments in Cyber defence. The idea that the armed forces should protect national industrial infrastructure from air or submarine-launched conventional cruise missile attack but not from equally (perhaps even more) destructive Cyber attacks is completely irrational and, in fact, absurd. 

Of course, what is sauce for the goose is sauce for the gander. Britain can also use Cyber warfare to attack foes. I am no expert in the law of war, but I suspect that, to be legal, Cyber attacks would have to be carried out by uniformed personnel. Moreover, it would make no sense to take such a potentially powerful offensive capability away from the armed forces and give it to a civilian agency. 

But who should be responsible for strategic level Cyber defence in the UK, especially given the general perception that the types of people best suited for Cyber are not really amenable to military discipline and hierarchy?

The RN and RAF are probably better bets for hosting such people than the British Army. The RN in particular has a well-established record of successfully operating ‘quasi-piratical’ and quite informal organisations that relied on self-discipline much more than formal discipline, such as the early submarine service and coastal forces during the two World Wars.

But whichever service gets to form the framework for Cyber defence operations (which would obviously fall under the control of Strategic Command), each of the armed forces must have their own tactical and higher-level Cyber defence and offensive capabilities, just as, for example, they have their own EW capabilities. 

To reiterate and conclude: cyber war is not virtual war, it is not video game war; it is real warfare that produces kinetic results previously only attainable through the use of strategic bombing.

Cyber warfare has the potential to kill large numbers of civilians. It can wreck essential national infrastructure and key national industries.

In purely defence environments Cyber warfare can be used to “crash” defence command, control, communications and computer systems, sensor systems, integrated defence (such as air defence) systems, thereby blinding, confusing and disarming military forces and allowing an aggressor to inflict severe losses and seize key locations using its conventional forces.

Spending on Cyber defence does not and will not take money away from defence, for it is now an essential part of defence and investing in it strengthens defence overall.

Notes

1. This discussion of cyber warfare is based on: Centre for Strategic and International Studies “Significant Cyber Incidents Since 2006”   https://cisi-prod.s3.amazonaws.com/s3fs-public/200403_Significant_Cyber_Events_List.pdf?.tlmv65Bm5D0d5UVqRtac3qdYqd.BYtLj, accessed 26/04/2020; Gabrielle Desarnaud Cyber Attacks and Energy Infrastructures: Anticipating Risks, Ifri, Paris, January 2017, www.ifri.org/sites/default/files/atoms/files/desarnaud_cyber_attacks_energy_infrastructures_2017_2.pdf, accessed 14/06/2020; Kim Zetter “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever” in Wired 8/01/2015, www.wired.com/2015/01/german-steel-mill-hack-destruction/ accessed 16/06/2020; and Emma Stoye “Security Experts warn chemical plants are vulnerable to cyber-attack” in Chemistry World 10 June 2015, www.chemistryworld.com/news/security-experts-warn-chemical-plants-are-vulnerable-to-cyber-attack-/8632.article, accessed 16/06/2020.
2. Edward Broughton “The Bhopal disaster and its aftermath: a review”, US National Library of Medicine, National Institutes of Health, www.ncbi.nim.nih.gov/pmc/articles/PMC1142333/ accessed 15 November 2020.