There’s a memorable scene in season two of FX’s Cold War spy drama The Americans where one of the show’s main characters disguises himself as a journalist so he can meet with a computer science professor who’s developing the ARPANET, the real-world Defense Department antecedent of the internet. One of the best parts of the scene is just how great actor Matthew Rhys is at looking as befuddled as any of our 1980s selves would trying to comprehend an “interstate highway system for information.” What’s even more on point is that his Russian agent character, even without totally getting it, sees that this new thing can be weaponized.
UM-Dearborn cybersecurity expert Birhanu Eshete says that storyline isn’t completely out of step with history, at least in spirit. While cyberwar isn’t quite as old as the internet, there are indeed examples of small-scale experiments with cyberattacks by nation states as far back as the 1980s and 1990s, though nothing quite so dramatic as in the show. (Rhys’ character has to break into a building, physically plant a malicious “bug” into a room-sized computer, and reluctantly kill an innocent guy in the process.) It isn’t until 2010 that you see something with really big impact, says Eshete. The so-called Stuxnet attack, in which Israel and the United States allegedly targeted Iran’s nuclear program with a software worm, was a powerful demonstration of how cyberattacks can inflict serious damage on critical infrastructure. With Stuxnet, a hack was suddenly more or less as potent as a bomb.
We have to say “allegedly” because neither Israel nor the U.S. officially admitted involvement, which Eshete says has become a hallmark of most nation-state cyberattacks. Unlike in traditional warfare, where the parties’ actions are generally more transparent, attacks are rarely owned, even when forensic evidence emerges that’s hard to dispute. In fact, in recent years, Eshete says it’s become the “playbook” for countries to “contract out” their cyberattacks to independent, non-government hacking groups, in an effort to conceal their actions or at least add a layer of semi-plausible deniability. Eshete says as a result, there’s now a sizable underground economy for people pursuing this kind of work, almost like for-hire units of cybersoldiers.
Eshete says it’s important to note that not all nation state cyberattacks involve a Stuxnetlike scenario of one country attacking another with the intention of damaging government infrastructure. That may be the most analogous to actual warfare, but in many cases, the goal of an attack is simply to break into a network and exfiltrate sensitive information, like military secrets or intellectual property of big tech companies. Some of these operations, if well done, might remain totally unknown, never producing a headline-grabbing payoff event but still helping a country grow its economic or military power. Contrast that with Russia’s campaign to interfere in the 2016 U.S. election, where the motivations seemed as specific as electing Donald Trump and as general as nurturing political dysfunction in the American political system. Other times, a state-sponsored cyberattack might be strictly financially motivated, with a goal of stealing personal information which can be sold for a profit on the dark web.
Eshete says there are even recent cases of attacks that arguably occupy a moral gray area. “During the pandemic, for example, there’s evidence of countries probing the medical research infrastructure in the U.S. and U.K. around the COVID-19 vaccine,” he says. “And, of course, there is this debate about monopolization of the vaccine by rich countries, so you might say part of the reason for the attack is rooted in equity. On the other hand, that kind of intellectual property can be used to enhance a country’s economic power or geopolitical influence, especially if the intention is to sell that vaccine to less-developed countries.”
All of this begs the question, where do cyberattacks carried out or sponsored by nation states fit into the current vocabulary of warfare and international affairs? UM-Dearborn Political Science Professor Frank Wayman says it’s a tricky question to answer. Part of the reason is there is not a set definition of war. One of Wayman’s favorites comes from Thomas Hobbes’ Leviathan, in which the 17th-century philosopher says war consists “not in battle only,” but in a period of time when “the will to contend by battle is sufficiently known.” That definition would therefore include both “hot wars,” like World War II, and the Cold War between Russia and the United States. Other thinkers, like U-M political scientist and founder of the Correlates of War project David Singer, attempted to provide a more scientific, quantitative definition of war. Wayman says, for Singer, war had to include “sustained combat” and significant loss of life on the order of at least 1,000 battle-related deaths a year. Those criteria would exclude modern cyberattacks, though one could imagine scenarios where Hobbes’ 370-year-old definition might still hold up.
Wayman says one other way of further clarifying (or productively confusing) the issue may be to think about war-adjacent concepts like retaliation and deterrence. “If somebody hits you in a war — say, blows up Seattle or runs a plane into the World Trade Center — you can believe there’s going to be retaliation and a lot of bloodshed,” Wayman says. “But when somebody engages in a cyberattack, leaders often seem much more confused about how to respond because there wasn’t that obvious cause to go to war,” most notably, a large loss of life. Wayman says this is also part of what makes cyberattacks harder to deter. In the Cold War, the known retaliatory consequences of an attack by the other party were both well understood and sufficiently horrifying to avoid large-scale armed conflict. But in an environment where the retaliation environment is less well-defined, an attacker may feel emboldened to attack and take their chances with a reprisal. As such, the traditional deterrence calculus sort of breaks down.
Wayman notes the retaliation picture is further complicated by the fact that so many cyberattacks actually target private companies, not the state itself. “When a company gets attacked, often there is a financial incentive to hide it from the public. And it’s obviously very difficult for a government to develop a strategy for responding to cyberattacks they don't even know about.”
In other situations, the Cold War or terrorism may be more metamorphically instructive than the concept of war. Eshete points out that ideological groups that don’t necessarily have nation-state status can still carry out effective, politically motivated cyberattacks on powerful countries, which Wayman notes is analogous to the kind of military assymetry common to terrorism. And many cyberattacks almost seem designed to inflict damage that won’t provoke too large a response from the target. Wayman says that calls back to the Russia-U.S. dynamic that defined the Cold War, where both parties threw many smaller punches but preferred to avoid a mutually destructive knockout bout of nuclear war.
Thus, in the same way that a missile can be an instrument of war, terrorism or Cold War deterence, it may be that cyberattacks are more an evolution in weaponry than an easily definable (or new) kind of conflict. What helps us understand cyberattacks and how to deal with them is context, and Eshete notes this is something that’s still evolving. Countries are just beginning to draft their playbooks for playing both offense and defense, and there are no treaties or international rules governing cyberwar (though Eshete predicts that could happen). Yet there is no question cyberattacks, especially those supported by nation states, are becoming more frequent. He expects it’s very likely we’ll see something analogous to “armed conflicts being carried out in cyberspace” in the next 10 or 20 years.
It’s very likely, however, that cyberwars won’t be marked by the massive physical destruction and loss of life characteristic of traditional war. Instead, Eshete sees life during a cyberwar as defined by disruption and unpredictability. “In a prolonged future cyber conflict, I think you wouldn’t be able to predict whether a critical service that you rely on to get your work done, like your electricity or internet service, is going to function the next morning, because it could very well be the target of the next attack,” Eshete says. “Or you might have the equivalent of domestic terrorists, who attack not with bullets but with a cyberattack. Our reliance on digital infrastructure and services, of course, simplifies our lives and facilitates so many activities, but it could come back to shoot us in the foot.”
How this plays out could very much depend on the work of cybersecurity researchers like Eshete. In fact, he says the field is currently in the midst of a paradigm shift as a result of such pressures. The old cat-and-mouse model, where attackers exploit a particular vulnerability and security professionals hustle to write a patch, won’t be sufficient to ward off or win a cyberwar. Instead, he says we’ll need effective tools for detecting the nearly invisible initial infiltrations of our networks as they’re happening. Being able to thwart an adversary from ever opening a backdoor into a network would be the cyber equivalent of denying them a beachhead from which to launch future attacks. Whether such emerging tools can prevent cyberwar from becoming the background noise to everyday life is something we’re probably all about to find out.
Story by Lou Blouin. If you’re a member of the media and would like to interview Assistant Professor of Computer and Information Science Birhanu Eshete or Professor of Political Science Frank Wayman about this topic, drop us a line at UMDearborn-News@umich.edu and we’ll put you in touch.