‘Cyber’ represents one of the greatest security threats to the modern-day state. When a virus, known as WannaDecryptor, infected the NHS in May 2017, it brought the institution to its knees. The hackers successfully encrypted vital documents in UK hospitals and GP practices, effectively reducing all computer activity to nil, and demanded ransom in the form of Bitcoin, an untraceable currency. The development of cybertechnology and the internet has thus created a much more complex global society. Needless to say, the majority of this power has been used as a force for good. Social media has arguably succeeded where even liberal democracies have failed in giving a voice to the most vulnerable groups in society. Its far-reaching influence has allowed this platform to accommodate the rise of multiple influential social movements, including #blacklivesmatter.

However, as proven, the cyber domain does not only increase human agency to liberate, but also to enslave. The attack on the NHS is just one example citing the power of cybertechnology. In practice, nobody is safe.

Cyberwarfare marks an abrupt break from the past, and thus raises the following questions: how are the rules of cyberwar different from conventional war, and does this new form of warfare pose a real threat to states? This article will address both questions to prove that cyber is an important development not only in the ivory tower but also among decision makers acting in real time. Whilst the focus is primarily on the ability of cybertechnology to provoke interstate conflict, and therefore attention on the threat to the individual will be minimal, this is not to suggest that cyberattacks on individuals are any less frequent or important. However, global leaders must first recognise the threat of cyberwarfare to the functioning of their states. Only once cybersecurity is made a priority will the necessary laws and regulations needed to protect both the state and the individual be created.

The new rules of cyberwarfare

The dropping of the atomic bomb on Hiroshima by the US army in 1945 represented a breakthrough in the field of war strategy. Not only was this event the dress rehearsal for the deadliest weapon the world has ever seen, but it profoundly changed the way states approached the topic of war. Whilst fighting continued ruthlessly throughout the Third World, the great nuclear powers were forced to find other means to solve their political differences.

Cyberwarfare is in many ways a continuation of the norms set by the nuclear age: efforts to win conflict without the need for physical combat are nothing new. And yet the weaponization of the cyber domain represents a distinct break from the past.

War is costly. In order to justify the pursuit of war the expected gains must outweigh the potential resource costs. The ‘resource cost’ is not only referencing the loss of human lives or raw materials, but also political credibility. Statesmen are primarily concerned with retaining their political position: if a war is deemed illegitimate or too costly, that position will be jeopardised. For example, world leaders have always approached the use of nuclear weapons with caution as there are very few instances of conflict that would legitimise their use. Assuming they had a position (and country) to return to, any leader who risked global nuclear warfare and the destruction of the planet is likely to lose all political credibility.

The development of cybertechnology has minimised the potential costs of enacting war against another state. All that a state needs to enact cyberwarfare is access to a single computer. Without the need to risk the lives of their own citizens or a huge stock of resources, affordability and political accountability become afterthoughts for world leaders. Cybertechnology has thus overcome this ‘legitimacy safety net’ that was inadvertently put in place during the nuclear age. In other words, the largest global powers now have the means to fight each other once again.

Legitimacy is the first rule of warfare altered by cyber. The second rule of warfare under attack concerns the anticipated outcomes of conflict. Traditionally, the state with superior power, whether it be military, economic or cultural, will win the war. Of course, there are exceptions to this rule: often cited is the failure of the US, despite its clear military superiority, to defeat its communist enemies during the Vietnam War. But whilst there are flaws, this rule largely holds true in traditional warfare. What cybertechnology has achieved is to throw this rule out of the window.

How is cyber power measured, and more importantly how is it controlled? The potential implications of a cyberattack are limitless, and yet all that is needed is access to one computer. There is very little to measure. Counting the number of guns and aircraft may be a crude way of assessing military power. But whilst it is difficult to quantify many types of traditional power truly, cyber power is truly unquantifiable. Inevitably a state at the cutting edge of cyber development will have an advantage over the individual sat behind a laptop, but as the attack on the NHS proves, both have the power to inflict mass destruction. The beauty of the internet is that it indiscriminately gives power back to the individual, simultaneously allowing them to make global connections, or destroy them. Anyone can use it. Anyone can abuse it.

This element of cybertechnology will have other, far-reaching implications. If access to the digital sphere is all that is needed, new technologies will give an unprecedented power to Third World countries, but also non-state actors. If attacks against other states no longer need to be orchestrated, or even legitimised, by the state, the role of non-state actors in influencing global events will be markedly increased. The ease with which a cyberattack can be induced has thus destroyed the concept of a ‘balance of power’ and increased the number of actors with competing aims and interests in the international system.

Knowledge is power. And yet often cyberattacks can leave the identity of the aggressor unknown. The battlefield is always a source of confusion: what are the enemies tactics, what is the best next move? Cyberwarfare is no different, however it has given the enemy the power to disguise their identity. Wars are about actions and reactions: without knowing one’s own attacker, a credible countermove is rendered impossible. We are living in the age of information yet paradoxically whilst we have access to a limitless supply of knowledge, we have never before been clouded by such uncertainty and doubt.

This has severe implications for accountability. Terrorist organisations in particular have been known to use the internet to take responsibility for certain actions they may or may not have committed. During the invasion of Mosul in June 2014, ISIS fighters used the hashtag #AllEyesOnISIS to publicise their actions and promote a fan base across the globe.

Some use the cyber domain to publicise. Others use it as a wall to mask their accountability. This tactic has been used multiple times by the state at the forefront of cyber warfare: Russia. The 2016 Presidential Election remains today an event surrounded by controversy due to supposed Russian interference in the election process. Despite ruthless FBI, CIA and NSA investigation, the advanced levels of encryption and Vladimir Putin’s incessant denials of any involvement have prevented a decisive judgement from being made concerning the scale of Russian interference.

False accountability or the inability to determine responsibility destroys any prospect of retaliation for the victim state. The cyber domain may give the illusion of unlimited information but anyone who believes this illusion is hopelessly naïve. State leaders are lured in by the promise of omniscience and consequently must grapple with the paranoia of not-knowing. Knowledge IS power, but access to limited information yields only limited control.

Cyberwarfare is a break from the past. It defies the norms of traditional and nuclear conflict and yet world leaders continue to underestimate its significance. How much of a threat is cybertechnology to states and their institutions?

Is cyber a real threat?

In 2012, Leon Panetta (then US Secretary of Defense) warned of the possibility of a ‘cyber Pearl Harbour’ against the US. In his speech, he cited the increasing vulnerability of the US to cyberattacks that could disable financial networks, the transportation system and power grids. Six years later, the US is yet to experience this ‘cyber Pearl Harbour’ but the threats posed by cybertechnology are becoming increasingly complex and disastrous for any victim state. This phenomenon is due in part to the development of malicious and invasive technologies from states who engage in cyberwarfare. Their mission, however, has only been simplified by the increased global dependence on technology in nearly every aspect of human society.

An area that has witnessed increased independence is the agricultural industry. Over the past few decades, this sector has become increasingly reliant on technology, including cyber, to generate more efficient yields. Some new developments include satellite imagery and soil sensors. Whilst this technology is non-invasive – it does not directly tamper with the goods being produced – by interfering with the information available to a farmer, hackers can disrupt agricultural schedules with potentially disastrous results.

Furthermore, states have become increasingly reliant on GMO crops to feed a growing global population. Procedures that allow invasive genetic reconfiguration could invite the prospect of mass biological warfare from any organisation that can control the genetic composition of the food that we eat.

To suggest that cyberwarfare can have no impact outside of the digital environment is therefore false.  However, its impact can have far more devastating consequences.

Moises Naim has argued that there is a direct link between the vulnerability of a state to cyberattacks and its political system. In the field of cybersecurity, speed is paramount. Democracies, he argues, are impeded from acting or reacting quickly due to the legal, political and institutional constraints of a democratic system. Their authoritarian rivals do not suffer from these checks and balances.

The slow response mechanisms of democratic systems are the least of their worries. Cybertechnology now poses a threat to the legitimate functioning of democratic systems as a whole. Already mentioned for its impact on accountability, no attack has had such a devastating impact on democracy as the Russian involvement in the US elections.

This infamous cyberattack did not damage buildings, it did not kill people; what it threatened were the fundamental pillars of the US democratic system. In January 2017, the Office of the Director of National Intelligence of the United States released the report Assessing Russian Activities and Intentions in Recent US Elections which summarised the findings of the Central Intelligence Agency, Federal Bureau of Investigation, and National Security Agency. The report made the following claim:

“We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.”

The report further clarifies that the term ‘assess’ represents only an analytical judgement; it implies a lack of evidence to proclaim certainty. In the eyes of the US security services Russia was guilty, but there was not enough proof to pass a sentence. The uncertainty surrounded Russian involvement was only heightened by Putin’s plea of innocence:

“the Russian state has never interfered and is not going to interfere into internal American affairs, including election process.” – Putin at the Trump-Putin summit in July 2018.

Even if the source of hacking could be traced to Russia, there is no proof that this attack was coordinated by the state. The attack could have been initiated by an individual acting without state authorisation, although the complexity of this task would have undoubtedly required some degree of government involvement. Regardless, this level of uncertainty has had two important consequences: firstly, it prevented a decisive reaction against Russia but more importantly, it sowed animosity between Trump and his administration.

During the summit, Trump’s undivided support of Putin did everything to suggest that the FBI was wrong, thus creating a huge domestic backlash. Senator John McCain (Arizona) argued that the summit was “one of the most disgraceful performances by an American president in memory.” Russian use of cyberwarfare in this case may not have had a physical impact, but it proved successful in sowing discord within the US democratic system and reducing the efficiency of their institutions.

This revelation leaves the uncomfortable question: is there scope for Russian interference in other democratic processes outside of the US? The EU has long been a source of inconvenience for Putin: could he have directly influenced the Brexit referendum to achieve a favourable result? Could he indirectly provide support for nationalist politicians throughout Europe who seek to weaken the institution further? These are all questions that we do not have the answers for. One thing is clear: cyberwarfare is capable of unhinging and delegitimising the institutions upon which democratic system rely without the victim states ever being aware.

Cybertechnology poses a substantial threat to the functioning of a state. Whilst the danger of nuclear warfare will inevitably remain the greatest security threat to any country, cyberwarfare represents a covert and invasive danger that requires much more of a focus than it currently has, specifically from democratic states. This danger is developing at a quicker rate than many other security threats and yet states fail to make it a security priority: Trump’s removal of the position of cybersecurity coordinator from the NSC in May is testament to this fact. Cyberattacks are difficult enough to detect and track today; future developments will only be more complex and malicious.

Cybertechnology does not just transcend transnational borders; it transcends the fabric of reality. It is not bound by geographic, physical or economic factors. It is, in every essence, limitless. It is about time policy makers started to treat it this way.