Clausewitz and Cyber War

Thomas Rid's paper for The Journal of Strategic Studies has the provocative title "Cyber War Will Not Take Place". Rid's argument is relatively straightforward. He uses Clausewitz to define the three characteristics of war: "Any act of war has to have the potential to be lethal; it has to be instrumental; and it has to be political." To be instrumental, according to Rid, there has to be a means and an end. "Physical violence or the threat of force is the means. The end is to force the enemy to accept the offender’s will." Then he uses published sources to list examples of cyber war (thankfully he avoids using the more common and in my opinion erroneous term "cyberwar") and shows how none of those examples meet each of the three criteria. In brief, Professor Rid concludes that there has never been an act of cyber war and that there probably will never be one (his final sentence leaves room for an "act of Cassandra").

Personally, I'm not a fan of the term "cyberwar" as evidenced by a recent article that I wrote for Slate, however it is apparent to me as someone who specializes in nation state activities in this area and as the CEO of a company who's clients are on the receiving end of some of those activities, that traditional thinking about warfare has been made obsolete by our dependence upon cyber-space-time. The environment within which war is conducted has been permanently altered since Clausewitz' time. Sun Tzu would have been a better choice because he at least considers the superior option of winning a war without fighting. But even within the parameters that Professor Rid has established, here are three examples that fit the Clausewitz test of being lethal, instrumental and political:

  1. Kyrgyz Intelligence assassinates Gennady Pavlyuk. Kyrgyz intelligence cracked Pavlyuk's email account and used the information they obtained to lure him out of the country under false pretenses resulting in his murder.
  2. Mossad assassinates Mahmoud Al-Mabhouh. Israel's Mossad mounts an operation to assassinate Hamas leader Mahmoud Al-Mabhouh which includes infecting Al-Mabhouh's computer with a trojan horse virus. 
  3. Iran's IRGC arrests 30 dissidents after cracking U.S. hosted webservers. 

None of these are isolated incidents. The government of Iran continues to mine social networks to identify and arrest dissidents. Israel is one of the few nation states that openly admits to conducting cyber operations; some of which have lethal consequences. Pavlyuk's murder preceded the latest revolution in Kyrgyzstan by just a few months. And these are just the operations that we know about. There are many more examples that we'll never hear about but need to bear the probability of their existence in mind when weighing arguments by cyber skeptics like Martin Libicki, Marcus Ranum, Gary McGraw and Thomas Rid. Instead, I refer you to the "Classic of Weiqi in 13 chapters" (.pdf):
Ever since ancient times, no player has ever happened to place the pieces on the board in exactly the same way as he did during a preceding game. Therefore, reasoning must go deep and analysis must be perfect, and an attempt must be made to understand the processes that lead to victory and defeat: only in this way is it possible to attain that which is still unattained.
OECD's Cyber Report Misses Key Facts


  1. Sun Tzu for cyber warfare is dealt in Ken Kenneth Geers's "Strategic Cyber Security". According to the author's treatment, it is not a good fit.

  2. Yes, I read Geer's work. In all fairness, he didn't do an analysis of Sun Tzu's writing and I doubt that Kenneth Geers would claim he did either. He attempted a superficial application of a few Art of War phrases to a few selected examples of modern day cyber warfare. His exact words were "useful but far from perfect".

  3. This comment has been removed by the author.

  4. As an army man, must tell next:
    except nuclear war, there are no other means of warfare which can be used on their own in interstate conflicts, independently between other means of warfare. Did anyone ever heard that any country wage only psychological, infantry or electromagnetic warfare in his history? Certainly there will be many cyber wars in future, but it is not a silver bullet for military, of course. More IT and digital data in our life cause more cyber warfare. There are to many fears and wishes in every war to prevent yourself to do everything you can in a struggle on life and death.
    PS. Mr Rid should tell Raytheon and General Dynamics that cyber war will not take place. He could save them a lot of money.

    1. The idea by the cyber hysterics is that a coordinated sophisticated cyber attacks could render the rest of the armed forces impotent by denying C4ISR capabilities needed to run ops. Obviously, these cyber assaults are disruptive yes, but it does negate or neuter an entire military force because those soldiers are still physically there. If we continue to transition to a force which is 1/3 or more armed drones however... then a cyber attack could be devastating.

      I agree with Mr. Rid that a 'purely' cyber war will not take place for all the reasons he outlined but offensive cyber actions will only increase as will their capacity to cause physical harm. But singular attacks do not constitute a war... they are interactive series of events which form campaigns.

  5. I do not understand where it is - "Kyrgyz intelligence cracked Pavlyuk's email". There is just "Kyrgyz intelligence maybe cracked Pavlyuk's email' (my level or Russian is equivalent to native)

  6. I don't have the references handy, however I believe that the brother of the former President of Kyrgyzstan who was the head of Kyrgyz intelligence was either implicated or charged with that crime.


Post a Comment