While there is recently a lot of confusion about cyber war, cyber attacks and malware, there are some experts who look at the topic less excited. Thomas Rid is one of them. Born in Germany, he is now a Reader in War Studies at King’s College in London. In his recent book “Cyber War Will Not Take Place”, Rid argues that what we’ve seen so far is espionage, sabotage or subversion – but not war.
Netwars met Thomas Rid and spoke with him about his thesis, the NSA revelations and possible solutions to deal with cyber conflict. Watch the interview here:
War as we know it is violent and causes not only damage but also death. Rid argues that So far we haven’t seen a single casualty caused by a cyber attack. In 1993, a famous article of the RAND Corporation claimed “Cyber War Is Coming”. The article can be read here.
The Economist, 2010
As an academic, Rid looks for evidence. Twenty years later, the most sophisticated attack we have seen so far was Stuxnet. Rid classifies the work of the worm as an act of sabotage, not war. And technically, he is right: Stuxnet didn’t blow up the Iranian nuclear facility, it only sabotaged the enrichment program and stopped Iran from building the bomb. For Rid, the vast majority of attacks serve the interest of espionage.
Rid discussed the topic with New York Times chief correspondent David E. Sanger during a debate at Körber Foundation in Hamburg. One of his points is that a nation cannot build just one cyber weapon and fire it against every nation as it wishes. In fact, cyber attacks have to be very sophisticated, well planned and malware has to be programmed exactly to fit the target. „Cyber weapons are not like conventional weapons“, Rid argues.
“You can’t do a military parade and show your cyber weapons”
Since they have to be tailor-made, a state can’t shoot them at targets as he pleases. This makes it kind of hard to repeat an attack. Rid thinks that politically motivated and sophisticated cyber attacks are likely to take place only in the context of actual political confrontations. And if that happens, there is no reason why the opponents should limit their response to computer attacks like switching off power grids or manipulating bank networks. In order to react as fast as possible, it would in fact be easier to use weapons.
Time Magazine, 1995
Besides, concerning to Rid there is only one nation that is able to build a sophisticated cyber tool so far: the United States. The ability of the NSA to spread malware into computer networks worldwide is outstanding and technically very sophisticated. The Snowden revelations that made these working methods official demonstrated a capability gap to China.
“Just because China has 600 million Internet users doesn’t mean they are a cyber super power”
When Rid visited the country in autumn 2013, he experienced that the Chinese look up to the US for their cyber capabilities.
Of course, the big amount of cyber attacks originating in China doesn’t mean they are acknowledged from the government. But it’s militant groups and terrorists that get security experts worried. Right now, Rid says those with the capabilities don’t have the intention to attack. And those with the intention don’t have the capabilities.
But once they find out how to break into a system, the situation changes. It’s already really easy to find industrial control systems (SCADA systems) that are connected to the Internet and therefore vulnerable.
Scientists at the Freie Universität Berlin showed in an alarming map how many SCADA systems are connected to the Internet. Some might be connected unbeknownst to the operator. A special search engine can locate industrial plants that are connected to the Internet. In the US, a hacker named pr0f used such a search engine and later broke into the system of a water plant in South Houston. He hacked the plant to protest against the lax security of these facilities. What if someone hacks a water plant for another reason?
Concerning politics Rid has a point: cyber war will not take place – or at least future wars won’t be limited to cyber attacks between two states. But when it comes to criminals, the situation might be different. Why take the risk of sending a conspirator to blow up a power plant when you’re able to take it out with just one click of a mouse?
About Thomas Rid:
Rid was born in 1975 in Aach, Germany. He studied social and political science and owned his PhD 2006 at the Humboldt University in Berlin. He conducted his research in war and media, terrorism, deterrence and cyber security at the Institut français des relations internationals (Ifri) in Paris, John Hopkins University and Woodrow Wilson International Center for Scholars in Washington, D.C. Since 2011 he is a Reader at King’s College in London.