It helps in thinking about the future of cyber war if we break it into two parts: the future of cyber and the future of war. Cyber means the collection of computers, software and connections that link people, economies and countries ever more closely together. In cyber space, Beijing is as close as the building across the street. Connected computers are powerful tools that we have embedded into our daily lives. We depend on them. That dependency will grow as we turn everything from refrigerators to jet engines into cyber devices. The future is a more connected, more computer-dependent world that provides both superior capabilities and greater vulnerabilities.
Superior capabilities and greater vulnerabilities will change warfare. Computers are at the core of how modern armies fight, and a military that doesn’t use them may as well ride horses into battle. War is the use of force or the threat to use force, “compelling opponents to our will” as Clausewitz put it. Cyber war is a new way to compel opponents or gain advantage.
Cyber war isn’t new. The U.S. used cyber attacks against Serbia almost twenty years ago (cyber spying began even earlier, when the Russians hacked into DOD computers in the 1980s). What’s new is the importance of cyber space. The intersection of greater dependence, increased vulnerability, and powerful new tools, give countries and groups a new way to fight.
The future of war, at least among big powers, is that they will try to avoid it. Wars between big, heavily armed states are expensive and too risky, particularly if they have nuclear weapons. Big countries will not renounce war – Russia, the U.S. and China use force or the threat of force all the time – but they will try to avoid war with each other. If big countries do stumble into war, cyber attacks will be a part of this, but these countries prefer using cyber for things other than warfare.
We worry about cyber attacks from groups like ISIS, but so far only countries can afford cyber attack capabilities. More than twenty militaries are developing them. Cyber capabilities will disrupt the software that runs modern weapons, confuse opposing commanders by scrambling data, and perhaps even attack critical infrastructure. How and when countries will use cyber capabilities depends on their national goals and their willingness to take risks, and so far countries have been cautious in using cyber. There have been very few real cyber attacks - perhaps only four or five.
An easy rule of thumb is that if a cyber attack produces physical damage or disruption, it counts as warfare, but there is a lot of ambiguity in the discussion of cyber war. Countries can’t or won’t agree on what is an attack. Disagreement over the definition of attack makes it hard to apply the rules developed for war among states to cyber war.
This ambiguity shapes how countries use cyber space in conflict. Spying, for example, is not considered warfare. There is always the risk of being caught; it’s embarrassing, but countries don’t go to war over spying. The Internet went public twenty years ago and, despite the noise over Snowden, this created a golden age for cyber spying. Rampant cyber espionage and ambiguous rules means there is a covert struggle in cyber space as countries see how much they can get away with. It’s not war, but it is definitely conflict.
This kind of conflict isn’t going to stop. The countries that are most aggressive in using cyber tools against the U.S. - China, Russia, Iran, North Korea – will not suddenly become our friends or decide to play nice in cyberspace. They would complain that the U.S. and UK aren’t going to stop either. It’s not yet the age of killer robots or Skynet, but conflict among states is here to stay and cyber war will be part of it.
James Lewis is a Senior Fellow and Program Director at the Center for Strategic and International Studies (CSIS). Before joining CSIS, he worked at the Departments of State and Commerce. He was the advisor for the 2010, 2013 and 2015 United Nations Group of Governmental Experts on Information Security and has led a long-running Track II dialogue on cybersecurity with the China Institute of Contemporary International Relations.