An annex to the paper on cyberstrategy
There are hardly any cultures which do not distinguish war from other types of violence, and which does give it its own sense of dignity. European tradition, for example, sets the public enemy opposite the private enemy (hostis against inimicus for the Romans, polemos against extros for the Greeks).
After the pioneers of European public law from the 16th Century, lawyers were distinguishing the “symmetrical” opponent, the sovereign over the territory, who could start a war for a just cause (“just” at least in its form, if not its cause or method), from the rebels of civil wars17 or revolts. This may have no less important historical consequences, but not able in a lawful sense to obtain the “dignity” of a real war. “The other is the enemy, the other is the rebel”, according to a legal maxim of people who confirm that war is a monopoly of the sovereign (main component of the famous “legitimate violence” which is reserved for the State)
The simple reminder of these concepts raises an initial question: who is, where is, the enemy is the cyber world? The doubt which looms over the status of the enemy is the first clue. The difficulty stems from the haunting “imputability” of the attack. A government cannot react in the same way when faced with another State which is attacking it, or when facing militant groups who are possibly tolerated or helped by a neighboring government, or even when confronted with private parties only seeking profit such as transnational mafias who have been reconverted into cybercrime. This gets complicated insofar as the suspicious State could very well “hire” a criminal organization, the way some might take on mercenaries or hired killers. Moreover, they may manipulate “ideologically” motivated groups, the way that certain States have funded terrorists in flesh and blood, helped by guerillas, or favored activists or protestors on the Other’s territory.
All the same, even if we were to assume that matter was resolved (equipped with an excellent information service, the victim State knows who the guilty parties are, for example), the political dimension of the decision made by the victim would still remain in the foreground. Recognizing the act of war (and offering an ally or assistance to a State which has been a victim of attack, within a treaty framework), deciding to continue with a plan for symmetrical retaliation, or another plan (economic punishments, diplomatical-political action or open violence), is not a choice which carries the same consequences. Deciding whether to act publicly, or secretly and anonymously (just like the enemy’s first blow) is also a politically serious choice.
Finally, and above all, this figure of the enemy emerging from the Net (like the Tatars who rose up out of the desert in Buzzati’s novel) reflects the issues in the modern Western world; above all the problem of identifying the enemy in the post Cold War world. If nobody, above all in Europe, no longer refers to the Justus hostis18 of our secular tradition (he who is both just an enemy, not an absolute criminal, but who has a fair right to carry the symmetrical status of the enemy in a public war, from his own territory, his own border, and with the assets of his sovereignty). In addition, the discourse of Western powers reflects a visible embarrassment with the concept of hostility. On the one hand it results in criminalizing the enemy who is considered as a delinquent (thus deserving a punishment administered by armies acting in the name of mankind) and as an immediate danger in terms of global vision and security.
Describing conflictuality in terms of low intensity asymmetrical wars, fourth generation, out of bounds, etc., reflects the regular armies faced with a range of insurrectionary situations, local disorders, “psychological” operations or influential on both sides, “civilian-military” relations with populations (whose “hearts and minds” need to be won over), destruction/reconstruction (Nation Building, State Building, Peace Building)…a wide spread range of intermediate situations between maintaining police order, political fights and battles.
The difficulty of pointing out the opponent or understanding the game rules is the same as the difficulty of locating the war. In the absence of an enemy who is likely to acknowledge his defeat over the land, the strong know the necessity of controlling a far away territory and having unlimited vulnerability. If the “West” is omnipresent as a principle of globalization, the “target” is also everywhere where we find its symbols and representations: in an airplane, a megalopolis, a bus, or a tourist destination. If its technique is the proof of its domination, then it is also considered as its main point of vulnerability.
This idea of disorientating the strong is not only the product of its fantasies for ultimate control; it also reflects the objective strategies of the weak, “unofficially”. In situations where the distinction between civil, military and political has been erased, fluid and changing conflicts intervene against a backdrop of “grey areas” and defeated States, multiple hostile parties, militia, warlords, half-mafia, half-terrorist irregular groups, guerillas, networks with international connections, etc. Therefore, military aggression tends to melt away into the dangers and emergencies of “risk” which our societies are obsessed with. The last White Paper of Defense is symptomatic of this, which establishes the function of the territory’s armed defense as a “global” concept, mixing together risks and threats likely to bring an attack on the life of the nation.
An attacker from the cyberworld currently remains both anonymous and unpredictable, with the confusion between economic, technical and military risks, the ambivalence of criminal guilt and political intention, the violence of the real chaos and the potential threat, and finally the difficulty of separating internal and external security. Without a doubt, this makes the “new enemies” the most emblematic, that our era likes to create and locate somewhere between the fatality of the accident and the perversion of moral intention. The distinctive feature of cyberwar is not limited here, and makes a much vaster use of what is called “classic” war. It is based on different conditions :
political: the willingness to constrain the other party (“enforcing our law on the Other” according to Clausewitz), to obtain a resolution for a dispute and the satisfaction of a “historical” demand;
lethality: the possibility of human loss;
techniques: the use of weapons, resorting to specific strategies;
symbolic and cultural: war assumes beliefs, symbols, and communities which are persuaded of the legitimity of a cause, and the need to crush the opponent’s cause.
In other words, war, even when led outside of a State framework (civil war, guerilla, etc.), has always presupposed three “canonic” components:
1) specific tools, i.e., weapons. They offer the possibility of administering collective death (a war where nobody risks their lives would be a tournament, a game, a threat, etc.) The concept of the enemy stems from organized death. He is led to fight, not for what he is personally or for what he has done, or for what he has in his possession, but for what he represents and to what he belongs (the other Nation, for example). The lethality of weapons (therefore the possibility of giving or receiving upon order, which is both morally approved and socially glorified) makes war the supreme form of conflict. However, there are never any cyberdeaths in cyberwar. There are obvious losses in finances, knowledge, capacities, potential spreading of disorder or panic, and above all, enormous losses of time. Sooner or later, except for exceptional cases, the damage caused by a cyberattack may be repaired, a question of computer DIY and undoubtedly a warning for the future, if we can spot the vulnerability that the attackers have used to their advantage. Even if the financial, psychological or social damage was huge, nobody will have died. Some scenarios contemplate crossing this border in a country where air traffic, emergency services (police, fire brigade and ambulances) energy or other supplies would undergo an exceptionally serious disruption. This is a simple assumption, from which doubts reduce, at least on the symbolic front, the dimension of this “war”;
2) war is a matter for organized communities: the fighter recognizes himself as a member of a community who uses his life and orders to take the life of the enemies without counting it as a crime. War is, then, a matter of transmission, in every meaning of the word. Firstly, this involves transmission of identity (us/them). This is manifested by signs, emblems, a discourse in an exaltant and sublime register, identifiers (paintings, clothing, uniforms), symbols, rituals, discipline, traditions: in short, everything which links the group together. It is also a matter of transmitting orders, instructions, in the technical meaning of circulating messages well, etc., as the exact term here is rather “communication”. War is part of the duration. It could not be summarized as a single rupture of violence, or a unique battle. There is a before and an after the confrontation, a strategy, maneuvers, provisions, moves, gathering resources and managing them. War, even in its primitive form, assumes a materialized organization and a system of legitimity or even a vision of history. More still, it is difficult to find all these components in cyberattacks as we know them, insofar as it is tricky to describe the parties involved, in terms of the attacker as much as the attackee. The victim: the State may be directly targeted when the aim of the attack is to decrease its defense capacities or to threaten it (diplomacy reinforced by the Internet): “we will continue to disorganize your information systems until you make a political decision”.
But the State may also be involved more indirectly, for example when some of its businesses are victims of computer piracy with damage affecting the national economy, and with regard to the order that the politician is supposed to guarantee those working in the economic sector. We may push the argument further: in a democratic system, the authorities ensure our security; if the private life of citizens, their intellectual property or their interests are threatened by computer pirates, then this is a matter for justice and police. This internal question may become a diplomatic or military problem if the attack comes from beyond the external boundaries. The White Paper on Defense, by categorizing computer attacks amongst the main dangers for the nation’s “global” security, reminds us that it is up to the State’s competence to decide when a prejudice is not simply a private matter. It is up to the politician to say whether the unrest to “public order” causes a problem on an international scale;
3) a specific aim: victory (another way of saying that war has a political aim, modifying a power relationship for a long time). Victory presupposes the possibility of peace (and everybody from Saint Augustine’s time that “we make war that we may live in peace”). Both include either the enemy’s physical disappearance, or his renounced demands and surrender. The latter is either through a compromise, a treaty, a form of half-victory (and therefore, he stops being an enemy). Victory changes (or comforts) power in a long-lasting way. For example, we often hear phrases such as “from now on, the Alsatians will be French”, or “from now on, the right to trade in a certain port will belong to a certain authority and no longer to a certain other”, etc. A power struggle is part of the duration. A political willingness has given in: leading a war consists of, in the end, convincing the other that he has lost. If the opponent is not reduced to silence and is not persuaded of his defeat, then there is not really a victory to be said. War is led and dedicated to a project which can be read, either in history books or on the front of a monument; a new power struggle sanctioned by the recognition of the conquered (and if possible, by the group of nations involved).
The preceding concepts come from the following categories:
A soldier who fights, a politician who commands, and a civilian who is subjected to it;
Belligerents and neutral parties;
From the front and behind;
War time, peace time.
But there is also a towering mass of philosophic categories which define just wars (by their objective or necessity) and unjust wars, either in terms of their principle, or in their methods.
The key to this metaphorical safety box of reasoning is the same for the opponent. This is particularly important for the notion of a just enemy. He is both simply an enemy (and not an absolute criminal), but also he who has the “right” to become an enemy, because he takes delight in the very status.
This entire mental construction is badly adapted to the ambiguous nature of cyber attacks. If the Other (also badly identified) attacks you, still, we have to know what he wants to do or what he expects (as it happens, this does not seem to be signing a treaty or surrendering in good and due form).
Faced with an aggression of this type, the victim is reduced to assumptions (by hoping to not have been a victim of a “false flag”, a deception raised by a skilled third party).
If the cybernet war mainly requires technological know-how, this knowledge may be acquired by any brain with enough perseverance and inventiveness. In theory, everybody can start an “immaterial” war based on knowledge.
The question of the attacker’s status completes the question of his intention. Firstly, it is important to know what he is looking for. Since attacks in the cyberworld hardly give way to repetition or experience, as innovating as they are, they may be way below the hopes of their creators, and it may be that the targeted systems had anticipated the attack. But, it might also be the case that a virus had spread over the aimed target and that the interconnection into the virtual world had spread disorder out of the target’s territory (seeing that he had hit the initiator with a counter strike). The struck land and targeted territory might differ, here, where everything is interconnected to everything.
What does the aggressor want, meaning, what is his criterion for victory? Insofar as cyber attacks have always been surrounded by secrets and deception, and as a regular army or State has never taken responsibility for it, there can be no clearly expressed “war aim” (this would be a vow). A demand from “private” groups claiming, for example, to “punish” a state, resorts to activism and to its known forms: symbolic humiliation, “we struck you because you represent a certain type of crime or injustice that we despise, and your punishment will be made public”. Or rather threats: “obey our orders or we will start over”. This idea could be applied perfectly to an anonymous statement after a bomb explosion, following the tradition of the 19th or 20th Century
If a cyberattack does not necessarily shatter the opponent’s political willingness, then it violates a guard’s small amount of will, or even that of a legitimate owner. It consists of knowing, disorganizing, or commanding (taking control over a machine), but it is always in spite of what the legitimate owner wants
If the aim is “pure” espionage, then the answer is in the question. The objective, like that for the information in “the real world”, is not to inflict damage in the immediate surroundings, but to gather up information to increase one’s own potential (economic, technical, military, etc.) or to decrease that of the opponent.
Contrary to sabotage whose effects are instant and invisible, espionage is an investment for the future.
For a “glitch attack”, the message behind the havoc is not necessarily unique. It may be a form of punishment or a demonstration of power. In each case, it is a question of making the targeted authorities understand something. The political question, then, is in the foreground.