“The geeks cringed” at Ignatius and others like him, he said, because “the answer to whether the system was doing the right thing lay in understanding the technology” and that “The only way to know if government is screwing up is to know enough tech to know whether the bureaucrats know enough tech.” He ended his piece by quoting Forrester’s John Kindervag, who said, “too many people get a voice before they’ve earned the right to have a voice.” For Butterworth and Kindervag, earning the right to have a voice means that “reporters need to be more tech savvy,” a requirement that would presumably apply to policymakers and the public as well.

I completely agree with Butterworth that more “tech savvy” journalists, policymakers, and members of the public would be of great benefit to ongoing efforts to assess and respond to cybersecurity threats. However, though necessary and beneficial, the requisite knowledge of “the technology” is likely not achievable before important decisions must be made, and in any case, it is not in itself sufficient to result in clarity, consensus, and good decision making. Nor is it required to provide legitimate critique of contemporary cybersecurity discourse.

“The Technology”

First, there is no such thing as “the technology.” There are multiple technologies and associated practices involved in cybersecurity, from networking and programming to the design and operation of various types of critical infrastructure facilities, and much more in between. No one person or group knows all “the technology” and associated practices involved in cybersecurity. Which ones are more and less important to know? How much technical knowledge is enough technical knowledge? Jeffrey Carr, for example, though clearly knowledgeable about “the technology,” and though he has written an excellent overview of cyberwar, does not describe himself as a “tech guy” and has warned us away from relying too heavily on technical means of analyzing cyber-threats. Has he “earned the right to have a voice?”

Technical Knowledge is Insufficient

Second, even technical knowledge does not necessarily lead to clarity or consensus when it comes to assessing cyber-threats. Skepticism has not just been raised in “tech free quarters”; even technical experts can disagree in their interpretations of particular incidents and in their assessments of the overall threat of cyberwar. There are ongoing disagreements among experts about attribution, targeting, and intent of Stuxnet. Carr has been critical of Stuxnet hype and has not seen the smoking gun pointing to Israel that others have seen. Similarly, Ralph Lagner and Symantec [PDF] have publicly disagreed on various aspects of Stuxnet.

Third, when it comes to cyber-threats more generally, individuals with technical expertise such as Bruce Schneier, Marcus Ranum, Rob Rosenberger, George Smith, and others have been either skeptical or even downright dismissive. Maybe we could dismiss their claims by calling into question whether these individuals truly have the right technical expertise. But that would only support my point about “the technology.”

Fourth, many claims about cyber-threats do not contain and likely will not contain a lot in the way technical details as so much of the discussion is shrouded in secrecy. Even if we all had more technical knowledge, it is not entirely clear how useful it would be in evaluating the kinds of claims we so often hear from cyberwar proponents. You cannot assess information that you do not have, no matter what your level of technical literacy.

Fifth, technical knowledge is not needed to legitimately question many of the claims made by cyberwar proponents. Solid critical thinking skills are enough to do the trick. Those who make the case for cyber-threats and associated responses have a burden to provide evidence, especially when there are serious potential disadvantages to their proposals–e.g. loss of privacy, militarization of cyberspace, risk of conflict escalation, etc. Cyberwar proponents themselves recognize [PDF] that their claims often lack evidence and rely instead on hyperbole and fear. It takes no special technical knowledge to be understandably skeptical in this situation.

In addition to relying on appeals to emotion, cyberwar proponents often rely on appeals to authority. Usually, this involves appeals to ones technical credentials or access to secret information. Ironically, in this last case, the very inability to provide evidence is itself marshaled as evidence for supporting the claims being made about cyberwar. Again, it is fitting and proper that one would be skeptical in a situation like this.

A natural result of lack of evidence and reliance on appeals to authority is the tendency of the critical observer to take a closer look at the person making the claims. After all, if one is supposed to believe you based on your reputation or position because you will not or cannot provide evidence, then one should take a closer look at your reputation and position. When we do that in the case of cyberwar proponents, we find a lot of people with potential or actual conflicts of interest. Again, skepticism is warranted.

In addition to looking at an individual or organization’s position within the larger system as a means of determining credibility, one could also look at past statements by those individuals and organizations and compare those to what has actually happened. In the case of cybersecurity, we have seen claims about cyber-threats leading to infrastructural, societal, and even civilizational collapse for at least fifteen years. It hasn’t happened. Hence, skepticism.

Finally, scholars have noted that, historically, successful claims about new security threats have typically involved the identification of basic elements like threat subjects, referent objects, and impacts–i.e. who threatens what and with what consequences. It seems obvious that we would expect those making such claims to provide this basic information. But in the case of cybersecurity, most of these categories have remained ambiguous at best or have shifted over time with very little evidence provided in any case (e.g. see Bendrath’s essay here). Again, it makes sense that people would be skeptical, and rightly so.

Communication Failure

Again, I agree with Butterworth that in an ideal world, journalists, politicians, and the public would all be more technically literate and, therefore, more able to assess the technical claims being made in public policy debates related to technology, science, and medicine. But that is not the world in which we live.

Nonetheless, we need to have the best possible public discussion given the circumstances. The belief by technical experts and bureaucrats that it is either too difficult or too dangerous to talk about technical details in public is just as much a roadblock to fruitful public policy discourse as technical illiteracy on the part of journalists, policymakers, and the public. Such attitudes are indicative of communication failure on the part of experts and bureaucrats–i.e. if they cannot or will not speak in an open and effective manner, then that is a failure on their part.

So, maybe in addition to journalists and politicians becoming better versed in the technical details of cybersecurity, technical experts should work on improving their understanding international and domestic politics, institutional and organizational cultures and interests, the dynamics of public opinion, and much more. Most importantly, maybe the technical experts should work on learning better how to communicate effectively with a lay audience. If it really is the case that the technical experts are failing to convince their lay audience, then maybe it’s time to move beyond just blaming the audience.

To conclude, while one suspects that the views expressed by Butterworth and Kindervag are all too common among technical experts of various types–i.e. that “the geeks” are the ones who should decide who has “earned the right to have a voice”–one does not often hear such views expressed so overtly. While we should encourage technological literacy among journalists, policymakers, and the public, such arrogant, anti-democratic, technocratic views should be roundly rejected. No one type of knowledge or way of knowing will provide the silver bullet. No one person or group of people will have all the knowledge necessary to “know if government is screwing up.” Rather, multiple people with multiple skill sets and areas of expertise, all looking at the same problems from their various perspectives, will give us an idea about the wisdom of government decision making on cybersecurity (or any policy, for that matter). Policy decisions, even ones about highly technical matters, cannot be left to the technicians alone.

The most extensive comments thus far have come from Ed Beakley of Project White Horse.  Ed, who was lead test pilot and director of testing for Tomahawk, wrote to me to say that my post is “one of (if not the only thing) I’ve seen written that even gets close to NCW, transformation, and RMAs.”  Needless to say, I’m honored that someone like Ed, who has been intimately involved in the changes upon which my research has focused, thinks that I got something right.

In the process, Ed pointed me in the direction of a post by Adam Elkus over at Rethinking Security.  In it, he riffs on both my post and a recent book by Keith Shimko (which I will definitely be ordering) to contribute to the discussion of the history and legacy of RMA.  He concludes his post by arguing that

The core of the American RMA, circa 2003, was strategic paralysis and economy of force operations. These were directed to create a science of “breaking” states through strategic simultaneous targeting–an evolution of the operational ideas of simultaneity enabled by the AirLand Battle and later FM 100-5 Operations 1993 edition suite of technologies. The perceived ability to offer an operational fix for the strategic problem of rogue states in remote areas is behind their negative reception today. But I would suggest that the problem might not be the technologies per se–even though their actual performance in 2003 was not as good as hyped—but the Schlieffen-like manner in which an operational concept becomes a vehicle of geopolitics. Or, at the very minimum, criticizing it becomes a substitute for criticizing geopolitics.

I think that Adam’s conclusion is right on the money.  In fact, I made a very similar argument in the conclusion to my dissertation and in an a forthcoming article, “Surfing on the Edge of Chaos: Nonlinear Science and the Emergence of a Doctrine of Preventive War in the United States,” for the journal Social Studies of Science.  In that article, I argue that during the 1990s, military professionals and civilian defense intellectuals alike used concepts and metaphors from nonlinear science–e.g. chaos theory and complexity theory–to translate certain elements 1980s battlefield doctrine into theories of international politics and tenets of foreign policy that posited the necessity of speed and offense to confront a supposedly more chaotic and dangerous post-Cold War world, all of which served as a foundation for the Bush Administration’s case for acting quickly and preventively against “gathering threats” in the international system.

In the conclusion to my dissertation, I called Elkus’ identification of a tendency to “offer an operational fix for the strategic problem of rogue states” leading to “an operational concept becom[ing] a vehicle of geopolitics” the “tacticalization” of U.S. foreign policy.  I argued that the transformation of the nation’s military into a force that focuses, as Cebrowski and Barnett advocated, on combating “super-empowered individuals” and groups blurs the line between military and law enforcement. But it is also indicative of the blurring of boundaries between the traditional levels of war–i.e. tactical, operational, strategic, grand strategic/national strategy. This is reflective of Charles Moskos’ [1] identification of the blurring of distinctions between ranks that is often referred to as the “strategic corporal” effect–i.e. the idea that a soldier at the lowest level can take action that has impacts at the highest levels. The implications of the Abu Ghraib prisoner abuse scandal are an example, as is the capability of small groups of special-forces soldiers utilizing IT-enabled systems to overthrow the Taliban. Both are examples of Cebrowski and Barnett’s “super-empowered individuals” or small groups having effects disproportionate to effort expended or position within the traditional levels of war.

As the Abu Ghraib scandal indicates, there can be negative consequences to the blurring of these boundaries. However, the negative consequences of blurred boundaries could potentially be much worse. First, the idea that remaking the world system in our own image is analogous to altering the initial conditions of a complex system and getting inside a potential adversary’s OODA loop assumes (dubiously) that concepts and systems originally developed for use at the battlefield level are also appropriate at the level of national strategy and even peace-time foreign policy. Finally, the vision of the U.S. military playing the role of “global cop” that targets individuals directly, or a “global systems administrator” that “exports security” as part of a national strategy based on spreading economic globalization, represents the “tacticalization” of national strategy and foreign policy, increasing the likelihood that military force will increasingly be used as a day-to-day tool of foreign policy. What’s more, the increasing capabilities for “global precision engagement,” including for example the very real possibility of developing the capability to hit a target the size of a house on the other side of the world, within minutes, with conventional weapons launched from the continental United States, could increase the likelihood that such seemingly “small” doses of force would be seen as viable tools of foreign policy.

It is vitally important that we come to grips with our recent past, in particular the efforts at military reform, revolution, and transformation that have so profoundly shaped the U.S. military in the post-Vietnam period. In doing so, it is important to avoid accounts that distort through over simplification and/or present the results of reform, revolution, and transformation efforts as natural and inevitable. The results of these efforts could have turned out differently. It was neither natural nor inevitable that operational concepts associated with AriLand Battle in the 1980s or NCW in the late 1990s should become vehicles for geopolitics in the form of spreading globalization by way of the preventive use of force.  In short, things could have been different, and they might still be. But we can only work to head somewhere different if we understand where we’ve been.

NOTES

[1] Moskos, Charles C. (2000) ‘Toward a Postmodern Military: The United States as a Paradigm’, in Charles C. Moskos, John Allen Williams & David R. Segal (eds), The Postmodern Military: Armed Force After the Cold War (London: Oxford University Press): 14-31.

At a time when it seems impossible to avoid the seemingly growing hysteria over the threat of cyber war,[1] network security expert Marcus Ranum delivered a refreshing talk recently, “The Problem with Cyber War,” that took a critical look at a number of the assumptions underlying contemporary cybersecurity discourse in the United States.  He addressed one issue in partiuclar that I would like to riff on here, the issue of conflict escalation–i.e. the possibility that offensive use of cyber attacks could escalate to the use of physical force.  As I will show, his concerns are entirely legitimate as current U.S. military cyber doctrine assumes the possibility of what I call “cross-domain responses” to cyberattacks.

Backing Your Adversary (Mentally) into a Corner

Based on the premise that completely blinding a potential adversary is a good indicator to that adversary that an attack is iminent, Ranum has argued that

“The best thing that you could possibly do if you want to start World War III is launch a cyber attack. [...] When people talk about cyber war like it’s a practical thing, what they’re really doing is messing with the OK button for starting World War III.  We need to get them to sit the f-k down and shut the f-k up.” [2]

He is making a point similar to one that I have made in the past: Taking away an adversary’s ability to make rational decisions could backfire. [3]  For example, Gregory Witol cautions that

“attacking the decision maker’s ability to perform rational calculations may cause more problems than it hopes to resolve… Removing the capacity for rational action may result in completely unforeseen consequences, including longer and bloodier battles than may otherwise have been.” [4]

Cross-Domain Response

So, from a theoretical standpoint, I think his concerns are well founded.  But the current state of U.S. policy may be cause for even greater concern.  It’s not just worrisome that a hypothetical blinding attack via cyberspace could send a signal of imminent attack and therefore trigger an irrational response from the adversary.  What is also cause for concern is that current U.S. policy indicates that “kinetic attacks” (i.e. physical use of force) are seen as potentially legitimate responses to cyber attacks.  Most worrisome is that current U.S. policy implies that a nuclear response is possible, something that policy makers have not denied in recent press reports.

The reason, in part, is that the U.S. defense community has increasingly come to see cyberspace as a “domain of warfare” equivalent to air, land, sea, and space.  The definition of cyberspace as its own domain of warfare helps in its own right to blur the online/offline, physical-space/cyberspace boundary.  But thinking logically about the potential consequences of this framing leads to some disconcerting conclusions.

If cyberspace is a domain of warfare, then it becomes possible to define “cyber attacks” (whatever those may be said to entail) as acts of war.  But what happens if the U.S. is attacked in any of the other domains?  It retaliates.  But it usually does not respond only within the domain in which it was attacked.  Rather, responses are typically “cross-domain responses”–i.e. a massive bombing on U.S. soil or vital U.S. interests abroad (e.g. think 9/11 or Pearl Harbor) might lead to air strikes against the attacker.  Even more likely given a U.S. military “way of warfare” that emphasizes multidimensional, “joint” operations is a massive conventional (i.e. non-nuclear) response against the attacker in all domains (air, land, sea, space), simultaneously.

The possibility of “kinetic action” in response to cyber attack, or as part of offensive U.S. cyber operations, is part of the current (2006) National Military Strategy for Cyberspace Operations [5]:

Of course, the possibility that a cyber attack on the U.S. could lead to a U.S. nuclear reply constitutes possibly the ultimate in “cross-domain response.”  And while this may seem far fetched, it has not been ruled out by U.S. defense policy makers and is, in fact, implied in current U.S. defense policy documents.  From the National Military Strategy of the United States (2004):

“The term WMD/E relates to a broad range of adversary capabilities that pose potentially devastating impacts.  WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical ‘weapons’.   They may rely more on disruptive impact than destructive kinetic effects.  For example, cyber attacks on US commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.” [6]

The authors of a 2009 National Academies of Science report on cyberwarfare respond to this by saying,

“Coupled with the declaratory policy on nuclear weapons described earlier, this statement implies that the United States will regard certain kinds of cyberattacks against the United States as being in the same category as nuclear, biological, and chemical weapons, and thus that a nuclear response to certain kinds of cyberattacks (namely, cyberattacks with devastating impacts) may be possible.  It also sets a relevant scale–a cyberattack that has an impact larger than that associated with a relatively small release of a lethal agent is regarded with the same or greater seriousness.” [7]

Asked by the New York Times to comment on this, U.S. defense officials would not deny that nuclear retaliation remains an option for response to a massive cyberattack:

“Pentagon and military officials confirmed that the United States reserved the option to respond in any way it chooses to punish an adversary responsible for a catastrophic cyberattack. While the options could include the use of nuclear weapons, officials said, such an extreme counterattack was hardly the most likely response.” [8]

The rationale for this policy:

“Thus, the United States never declared that it would be bound to respond to a Soviet and Warsaw Pact conventional invasion with only American and NATO conventional forces. The fear of escalating to a nuclear conflict was viewed as a pillar of stability and is credited with helping deter the larger Soviet-led conventional force throughout the cold war.  Introducing the possibility of a nuclear response to a catastrophic cyberattack would be expected to serve the same purpose.” [9]

Non-unique, Dangerous, and In-credible?

There are a couple of interesting things to note in response.  First is the development of a new acronym, WMD/E (weapons of mass destruction or effect).  Again, this acronym indicates a weakening of the requirement of physical impacts.  In this new definition, mass effects that are not necessarily physical, nor necessarily destructive, but possibly only disruptive economically or even psychologically (think “shock and awe”) are seen as equivalent to WMD.  This new emphasis on effects, disruption, and psychology reflects both contemporary, but also long-held beliefs within the U.S. defense community.  It reflects current thinking in U.S. military theory, in which it is said that U.S. forces should be able to “mass fires” and “mass effects” without having to physically “mass forces.”  There is a sliding scale in which the physical (often referred to as
the “kinetic”) gradually retreats–i.e. massed forces are most physical; massed fire is less physical (for the U.S. anyway); and massed effects are the least physical, having as the ultimate goal Sun Tzu’s “pinnacle of excellence,” winning without fighting.

But the emphasis on disruption and psychology in WMD/E has also been a key component of much of 20th century military thought in the West.  Industrial theories of warfare in the early 20th century posited that industrial societies were increasingly interdependent and reliant upon mass production, transportation, and consumption of material goods.  Both industrial societies and the material links that held them together, as well as industrial people and their own internal linkages (i.e. nerves), were seen as increasingly fragile and prone to disruption via attack with the latest industrial weapons: airplanes and tanks.  Once interdependent and fragile industrial societies were hopelessly disrupted via attack by the very weapons they themselves created, the nerves of modern, industrial men and women would be shattered, leading to moral and mental defeat and a loss of will to fight.  Current thinking about the possible dangers of cyber attack upon the U.S. are based on the same basic premises: technologically dependent and therefore fragile societies populated by masses of people sensitive to any disruption in expected standards of living are easy targets.  Ultimately, however, a number of researchers have pointed out the pseudo-psychological, pseudo-sociological, and a-historical (not to mention non-unique) nature of these assumptions. [10]  Others have pointed out that these assumptions did not turn out to be true during WWII strategic bombing campaigns, that modern, industrial societies and populations were far more resilient than military theorists had assumed. [11]  Finally, even some military theorists have questioned the assumptions behind cyber war, especially when assumptions about our own technology dependence-induced societal fragility (dubious on their own) are applied to other societies, especially non-Western societies (even more dubious). [12]

Finally, where deterrence is concerned, it is important to remember that a deterrent has to be credible to be effective.  True, the U.S. retained nuclear weapons as a deterrent during the Cold War.  But, from the 1950s through the 1980s, there was increasing doubt among U.S. planners regarding the credibility of U.S. nuclear deterrence via the threat of “massive retaliation.”  As early as the 1950s it was becoming clear that the U.S. would be reluctant at best to actually follow through on its threat of massive retaliation.  Unfortunately, most money during that period had gone into building up the nuclear arsenal; conventional weapons had been marginalized.  Thus, the U.S. had built a force it was likely never to use.  So, the 1960s, 1970s, and 1980s saw the development of concepts like “flexible response” and more emphasis on building up conventional forces.  This was the big story of the 1980s and the “Reagan build-up” (not “Star Wars”).  Realizing that, after a decade of distraction in Vietnam, it was back in a position vis-a-viz the Soviets in Europe in which it would have to rely on nuclear weapons to offset its own weakness in conventional forces, a position that could lead only to blackmail or holocaust, the U.S. moved to create stronger conventional forces. [13]  Thus, the question where cyber war is concerned:

If it was in-credible that the U.S. would actually follow through with massive retaliation after a Soviet attack on the U.S. or Western Europe, is it really credible to say that the U.S. would respond with nuclear weapons to a cyber attack, no matter how disruptive or destructive?

Beyond credibility, deterrence makes many other assumptions that are problematic in the cyber war context.  It assumes an adversary capable of being deterred.  Can most of those who would perpetrate a cyber attack be deterred?  Will al-Qa’ida be deterred?  How about a band of nationalistic or even just thrill-seeker, bandwagon hackers for hire?  Second, it assumes clear lines of command and control.  Sure, some hacker groups might be funded and assisted to a great degree by states.  But ultimately, even cyber war theorists will admit that it is doubtful that states have complete control over their armies of hacker mercenaries.  How will deterrence play out in this kind of scenario?

Conclusion

Ultimately, there is much more that can, should, and will be said (I’m currently writing a paper about these issues for the next Association of Internet Researchers conference) about the underlying assumptions and shortcomings of contemporary cyber war discourse in the United States, assumptions and shortcomings that lead to the possibility of escalation via cross-domain response to cyber attacks, including in-credible threats of nuclear retaliation, as well as the dubious framing of cyber war in terms of Cold War nuclear deterrence between superpowers.  At this point, from what I can see, we do not need yet another cyber/network/computer/etc. security “expert” making fantastic claims about the imminent threat of a “cyber Pearl Harbor,” “cyber Katrina,” or “cyber 9/11,” but rather, more of these experts like Ranum who are willing to take a critical view, even though that might not net them as many dollars in government contracts for cybersecurity work.

References

[1] For example, see Gertz, Bill. “China Blocks U.S. From Cyber Warfare.” Washington Times, May 12, 2009, available from http://washingtontimes.com/news/2009/may/12/china-bolsters-for-cyber-arms-race-with-us/; Markoff, John, and Thom Shanker. “Panel Advises Clarifying U.S. Plans on Cyberwar.” New York Times, 30 April, 2009, available from http://www.nytimes.com/2009/04/30/science/30cyber.html?_r=1; and Sanger, David E., John Markoff, and Thom Shanker. “U.S. Steps Up Effort on Digital Defenses.” New York Times, April 28, 2009, available from http://www.nytimes.com/2009/04/28/us/28cyber.html.

[2] Marcus J. Ranum, CSO, Tenable Network Security, “The Problem with CyberWar,” presentation at DojoSec Monthly Briefings (March 2009), available from http://vimeo.com/3519680.

[3] Sean Lawson, “Virtual Mind Control: Nonviolence as the Pinnacle of Excellence for Information Age Conflict,” Technoscience (Fall 2004: Vol 20, Num 3), 9-13. Download

[4] Gregory Witol, “International Relations in a Digital World.” In Cyberwar 2.0: Myths, Mysteries, and Reality, edited by Alan D. Campen, and Douglas H. Dearth, 65-76. Fairfax, VA: AFCEA International Press, 1998.

[5] The National Military Strategy for Cyberspace Operations. Washington, D.C.: Chairman of the Joint Chiefs of Staff, 2006, p.15.

[6] The National Military Strategy of the United States of America: A Strategy for Today; a Vision for Tomorrow. Washington, D.C.: Chairman of the Joint Chiefs of Staff, 2004, p.1.

[7] Owens, William A., Kenneth W. Dam, and Herbert S. Lin. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Washington, D.C.: Nationa
l Academies Press, 2009, p.178.

[8] Markoff, John, and Thom Shanker. “Panel Advises Clarifying U.S. Plans on Cyberwar.” New York Times, April 30, 2009, available from http://www.nytimes.com/2009/04/30/science/30cyber.html?_r=1.

[9] Ibid.

[10] Freedman, Lawrence. “Strategic Terror and Amateur Psychology.” The Political Quarterly 2 (2005): 161-70.

[11] Biddle, Tami Davis. Rhetoric and Reality in Air Warfare: The Evolution of British and American Ideas About Strategic Bombing, 1914-1945. Princeton, N.J: Princeton University Press, 2002.

[12] Dunlap Jr, Charles J. “How We Lost the Hi-Tech War of 2007.” The Weekly Standard 1 (1996); Dunlap, Jr, Charles J. “Sometimes the Dragon Wins: A Perspective on Info-Age Warfare.” Phil Taylor’s Web Site (1996).

[13] Tomes, Robert R. U.S. Defense Strategy From Vietnam to Operation Iraqi Freedom: Military Innovation and the New American Way of War, 1973-2003. London: Routledge, 2007.

Technorati Tags: cyberwar, cyberwarfare, cyberattack, cybersecurity

Putting the “War” in “Cyberwar”: A Critical Examination of Cyberwar Discourse in the U.S. Defense Establishment

Abstract

As early as the 1990s, both military professionals and civilian “defense intellectuals” in the United States began to speculate about the possibilities for war to be waged or terrorism conducted in or through cyberspace.  While interest in these issues continued throughout the last decade, the recent spate of cyber-attacks accompanying the August 2008 war between Russia and Georgia, combined with ongoing and controversial attempts by the U.S. Air Force to set up a “Cyber Command,” have led to increased discussion of both what constitutes “cyberwar” and “cyberterrorism,” as well as appropriate responses to such acts.  As such, this paper will critically examine the development of cyberwar discourse within the U.S. defense establishment over the last ten years, paying special attention to articulations of the online/offline relationship in that discourse.

In particular, it will point to a recent and disturbing relaxation of standards in cyberwar discourse over what constitutes “war” or “terrorism.”  Early, speculative theories of cyberwar/terrorism, such as that offered by computer scientist Dorothy Denning, posited that to be considered acts of terrorism or warfare, malicious acts in cyberspace must lead to real-world, offline impacts such as physical damage or loss of life.  Otherwise, such acts were to be considered a form of online activism or “hacktivism” in cases such as defacement or denial of service attacks, or espionage in cases of stolen information.  But while recent cases such as the 2008 Russia-Georgia war indicate that defacement, denial of service, and information theft still constitute the main techniques for cyber attacks, this paper will describe how some theorists and policymakers have begun to drop the requirement for real-world, offline impacts before such acts are considered acts of war or terrorism, thus increasing the likelihood that in the future such acts could be met with the use of violence in the form of a traditional military response.  Thus, while it acknowledges that the maintenance of the online/offline separation is generally problematic for those engaged in critical Internet research, it also argues that in the case of cyberwar discourse, the blurring of the online/offline boundary constitutes a disturbing and dangerous development that should be resisted.