Maintaining Control of the Cyberwarfare Revolution
In his 1925 essay Mass Effects in Modern Life, Winston Churchill contemplated the challenge facing future leaders of how to control and dictate events in a world of increasing technological sophistication and disruption. Highly attuned to the history and consequences of war, Churchill opined on the effects of the evolving scientific and technological revolution on the nature of leadership in a time of war:
‘The obliteration of the personal factor in war, the stripping from high commanders of all the drama of the battlefield, the reducing of their highest function to pure office work, will have profound effects upon sentiment and opinion.’
The implications of this statement have a profound relevance as today we contemplate the increasing resort by states and militaries to cyberwarfare and the consequences therein.
The vast array of weapon systems used today by conventional armed forces are essentially legacy systems that have evolved, modernized, miniaturized or been re-imagined. Missiles have become longer range and more accurate. Ships and submarines have taken on new and improved means of detection and attack. Aircraft are increasingly becoming invisible to detection. Nuclear weapons retain their inherent destructive power as increasingly sophisticated and assured means of delivery are developed.
Where the real change has occurred is in the opening of a new domain of warfare in the information space, or cyberwarfare. To clarify, cyberwarfare is herein defined as cyber-attacks carried out or sponsored by a state actor. On the face of it, cyberwarfare does not appear so revolutionary, as cyber-attacks are essentially non-lethal (with some exceptions), and their utility in a conventional battlespace is not clear. In time cyber capabilities may present options for greater destruction, but in their present form, they have more than enough dangerous potential for us to consider their role and purpose.
Today, wars on the scale of the conflicts Churchill experienced at close hand are less probable. Great powers are economically interlinked in a way that has never been seen, and the growing military parity between these powers certainly raises the cost of war. And it is at this nexus of fear and risk that the new technologies of war have gained appeal and utility.
Cyberwarfare has considerable asymmetric advantages. Governments, economies and militaries have all proven vulnerable to cyber intrusion and disruption. The capabilities required are cheap compared to conventional means of attack. They can more easily conceal their point of origin. With the additional distinction of being essentially a non-violent form of warfare, cyber-attacks, even when state-sponsored, are not yet treated as a major provocation. But just because this has been the case does not mean it always will be. Unwritten rules are only respected up until the moment they are not.
The ‘laws of war’ have more to say about conduct during the war than what is and isn’t a proper pretext for war. While most countries can agree on the wrongness of torturing POWs or using chemical weapons against civilians, there is as yet no consensus on the threshold for a military response to acts of cyberwarfare. In terms of reactions, states have not opted to treat acts of cyberwarfare as the equivalent of conventional military attacks. Responses so far have ranged from cautious condemnation (often not even naming the suspected actor) to the standard array of sanctions.
In 2019 the Israeli military destroyed a Hamas facility they claimed was being used for hacking activities in what might be the only military response of this type. There is an important distinction here in that Hamas is not quite a state actor and is designated as a terrorist organization, throwing into question whether its cyber activities qualify as cyberwarfare. It suggests a possible future where cyber-attacks that are sufficiently provocative lead to conventional military attacks in response.
Cyberwarfare has clearly mesmerized leaders and commanders across the globe, with all the effort going into enhancing and expanding their capabilities rather than considering their doctrines and the consequent effects. Returning to Churchill, the concern he was articulating was whether, in a world increasingly influenced by ‘mass effects’, be they cultural or technological, individuals, and especially leaders, could stay in control of events. There is a disturbing lack of evidence that individuals are in control of this technology, showing restraint rather than being swept along to an uncertain and dangerous future.
The problem at its core is that cyberwarfare has an unclear chain of consequences. We have seen multiple instances of cyber-attacks carried out by state actors, but we have not seen a consistent and effective response to these attacks. This is partly because no one really knows what a proportional response to a cyber-attack looks like and also because there has not been a real inclination to escalate matters on the part of those who have been attacked.
This is the insidious aspect of cyberwarfare that does not get nearly enough attention. The logic that is developing is that states can inflict damage or apply pressure through cyberwarfare without their opponent possessing a clear or justifiable casus belli. Perpetrators have seen their cyber-attacks go unchallenged in any way that deters them from future attacks, creating a disturbingly familiar environment. History is replete with examples of state actors that have acted provocatively and survived, breeding overconfidence about what they can get away with and leading to grave miscalculations.
The Argentinian military junta thought they could escape the consequences of their Falklands adventure and were surprised by the scale of the British response. Saddam Hussein’s invasion of Kuwait was based on the calculation that the United States would stand back and do nothing. In both these cases, there was sufficient foreknowledge of these invasions, but neither Buenos Aires nor Baghdad sensed the disaster they were launching themselves into.
The law of unintended consequences is being tested by the advent of cyberwarfare due to the very nature of the technology. By using a non-lethal capability, states do not readily expect that they might suffer a disproportionate response in turn, like say, a cyber-attack of greater magnitude or a conventional military attack to disrupt their cyber offensive capabilities. They may be right to think so based on the responses they have encountered so far, but if a state pushes too far in its cyberwarfare activities, the response they might provoke could spiral out of control.
The boundaries of what is and isn’t considered tolerable cyberwarfare are yet to be established, and it is an open question if you could ever do so. Cyber boundaries are not tangible boundaries like a border between two countries. Conventional warfare has a long and studied history from which to draw, and the rules are easier to understand if not always adhered to. For example, if a state traverses the border of another state, that is a clear act of aggression and dislodging them with force or the threat of force is justified.
Decisions to carry out conventional means of attack, be they from the air, sea or ground, are taken much more judiciously because they do put lives directly at risk and have the potential for rapid escalation. Factoring in the loss of life acts as a major restraint on states, especially in the modern era of war where conventional militaries are capable of an unprecedented degree of destruction. But cyberwarfare has no immediate victims. Firewalls may be breached, data may be stolen, and viruses implanted, but no blood is spilt. A casual decision-maker wouldn’t be wrong to think that the damage inflicted has no serious risks associated.
At this point, we should be cognizant of Churchill’s concern that the ‘mass effects’ of technological forces are detaching us from the consequences of our actions. Current and emerging military leaders in Australia will be confronted with the opportunities for enhanced cyberwarfare capabilities and have to apply serious thought to their role in securing Australia. Other states have moved ahead without considering the implications and consequences, and it will be critical that our leaders do not make the same mistakes others are making.
Writing in the aftermath of the Great War, Churchill, looking both backwards and forwards, could see that in ‘no field of man's activities is the tendency to mass effects and the suppression of the individual more evident than in modern war.’ Responsible states have gone to great lengths to make modern war as discriminating as possible and not repeat the scale of destruction seen in the two World Wars of the last century. There has undoubtedly been a mentality shift whereby the appetite for prolonged conventional conflict has been much diminished, and great powers are highly risk-averse to fighting against states with equal or similar capabilities. But it is a consequence of this mentality shift that cyberwarfare has arrived and found a place as a supposedly low-cost, low-risk tool.
The absence of the ‘personal factor’ in war, as Churchill phrased it, can lead to detachment from the consequences. Cyberwarfare is impersonal, and those that use it may not think they are carrying out acts of war in the traditional sense, but they might be surprised when the recipient treats it as such and responds in a traditional manner. The core premise of this new capability is that states can attack opponents and project power through cyber-attacks yet avoid deadly consequences. But to operate on the basis that this principle is a fact is to rely on your target tolerating provocations indefinitely. Limits exist in statecraft, and they should not be tested easily.
 Winston Churchill, Mass Effects in Modern Life, 1925, America’s National History Museum Westminster College, https://www.nationalchurchillmuseum.org/mass-effects-in-modern-life.html.
 Churchill, Mass Effects in Modern Life.