The German philosopher of war, Carl von Clausewitz, described armed conflict as “a true chameleon” whose three base elements are “primordial violence . . . the play of chance,” and, ultimately, its “subordination as an instrument of policy.”¹ He had no way of knowing, some two centuries ago, how prescient his notion of the chameleon-like character of warfare would prove to be in its Information-Age incarnation. Echoing Clausewitz, strategist Martin Libicki has described cyber conflict as a “mosaic of forms” ranging across the various modes of military operations, and having significant psychological, social, political, and economic aspects as well. As to Clausewitz’s element of primordial violence, Libicki has contended that cyberwarfare slips the bonds of traditional thinking about armed conflict. Of its many manifestations, he has argued, “None of this requires mass, just guile.”² This poses some very major challenges to those who would defend against cyber attacks, given that the lack of requirement for mass means that small nations, networks of hackers, even super-empowered smart individuals unmoored from any Clausewitzian notion of a guiding policy, can wage a variety of forms of warfare – operating from virtually anywhere, striking at virtually any targets.

Cyber attackers, whoever and wherever they are, can opt to disrupt the information systems upon which armed forces’ operations increasingly depend – on land, at sea, in the air, even in orbit – or take aim at the control systems that run power, water, and other infrastructures in countries around the world. This mode of attack can also foster crime, enabling the theft of valuable data – including cutting-edge intellectual property – from commercial enterprises, the locking-up of information systems whose restoration can then be held for ransom, or simply the exploitation or sale of stolen identities. The democratic discourse can easily be targeted as well, allowing a whole new incarnation of political warfare to emerge in place of classical propaganda – as demonstrated in the 2016 presidential election in the United States,³ but which can be employed to disrupt free societies anywhere in the world. And for those attackers of a more purely nihilistic bent, controlled or stolen identities can be conscripted into huge “zombie” armies deployed to mount distributed denial-of-service (DDoS) attacks aimed at overwhelming the basic ability to operate of the targeted systems – institutional, commercial, or individual. When billions of household appliances, smartphones, and embedded systems (including implanted locator chips in pets) that constitute the Internet of Things (IoT) are added as potential “recruits” for cyber attackers’ robot networks (“botnets”), the offensive potential of cyberwarfare seems close to limitless.

And all this takes, as Libicki has sagely observed, is guile. Thus, it seems that, aside from providing a strong affirmation of Clausewitz’s general point about conflict having chameleon-like properties, the many faces of cyberwar undermine his three base elements. There is no need to commit acts of overarching violence, or even for a connection to higher-level policy, when, for example, millions of “smart refrigerators,” designed to send their owners an email when they need milk, can be hacked, controlled, and ordered to overwhelm their targets with millions of emails. As to chance, the vast range of targets available to cyber attackers – who often remain hidden behind a veil of anonymity, a “virtual sanctuary” – suggests that luck is a much less included factor. This undermining of Clausewitz’s base elements leads to a serious challenge to his firmly held belief that “defense is a stronger form of fighting than attack.”⁴ This was certainly the case in his time, when defense-in-depth defeated Napoleon in Russia, and later saw the Duke of Wellington’s “thin red line” decimate the Grande Armée at Waterloo. A century later, the costly failed offensives on the Western Front in World War I affirmed the wisdom of Clausewitz. And even the brief period of Blitzkrieg’s success in World War II gave way, from El Alamein to Stalingrad to the Battle of the Bulge, before stout defenses. But, two centuries since Clausewitz, the rise of cyberwar is now upending his unwavering belief in defense dominance. Instead, offense rules.

To date, the best-known manifestations of cyberwar have emerged in the personal and commercial realms. Hundreds of millions of people around the world have had their privacy compromised, either by direct hacks or by having their information stolen from insurance, financial, retail, social media, and government databases. With regard to ostensibly “secure” government databases, even these have proved porous. The most notorious incident was acknowledged by the US Office of Personnel Management in June 2015. Of this intrusion, in which hackers accessed sensitive personal information, the President of the American Federation of Government Employees, James Cox, asserted “all 2.1 million current federal employees and an additional 2 million federal retirees and former employees” were affected.⁵ (My own classified personnel file was among those hacked.) As the matter was investigated further, the estimated number of persons affected quintupled, to more than 20 million, according to Congressional testimony of the then-Director of the Federal Bureau of Investigation, James Comey, given just a month later.⁶ But even this staggering breach paled in comparison with the revelation in May 2019 that nearly 900 million sensitive financial records had been hacked from the database of the First American Title Company.⁷

As to the theft of intellectual property and other types of exploitative or disruptive cyber attacks aimed at commercial enterprises, these cause more than 1 trillion dollars ($US) in damages each year. University research centers are also targeted as, according to one tactful report, they “haven’t historically been as attentive to security as they should be.”⁸ While the ransoming of locked-up information currently accounts for less than 1% of annual losses, this mode of attack is growing at a steep rate.⁹ Often, such theft and extortion aim at serving causes beyond just enrichment of the malefactors. In the case of North Korea’s cyber crimes, the United Nations has reported that the roughly $2 billion gained as of mid-2019, by attacks on banks and crypto-currency (e.g., Bitcoin, Ethereum, Ripple) exchanges, has been used to support its nuclear weapons program.¹⁰ This illicit form of fundraising lies somewhere between theft and statecraft. Call it “strategic crime.” Much as, in the sixteenth century, Queen Elizabeth I tacitly encouraged her piratical “sea dogs” to prey upon maritime commerce to help fill Britain’s coffers. Strategic crime has long played a role in statecraft via this form of naval irregular warfare.¹¹

Clearly, when it comes to the abovementioned modes of cyber attack, offense is currently quite dominant. And, as George Quester’s seminal study of stability and instability of the international system notes, when the apparent risks and costs of taking the offensive are low, conflicts of all sorts are more likely to proliferate.¹² They may be small-scale, individually, but their cumulative effects are large – and growing – as opposed to the more purely military realm, in which the patterns of development and diffusion are less apparent. So much so that, to some analysts, the emergence of militarized cyberwar seems highly unlikely.¹³

Cyber attacks in armed conflicts have had a lower profile, but there are some troubling examples – most provided by Russia. In 2008, when Russian troops and Ossetian irregulars invaded Georgia, the defenders’ information systems and links to higher commands were compromised by cyber attacks on their communications. Panic-inducing mass messaging aimed at people’s phones and computers in areas where the Russians were advancing put large, disruptive refugee flows onto the roads, clogging them when Georgian military units were trying to move into blocking positions. All this helped Russia to win a lop-sided victory in five days.¹⁴

More recently, two other aspects of cyberwar have come to the fore in the conflict in Ukraine between government forces and separatists in Donetsk, with the latter supported not only by Russian irregulars – “little green men,” so named for the lack of identifying patches on their uniforms – but also by bits and bytes at the tactical and strategic levels. In the field, Ukrainian artillery units were for some time victimized by hacks into their soldiers’ cellphone apps that were being used to speed up the process of calling in supporting fire. Russian-friendly hackers helped to geo-locate artillery batteries by this means, and brought down counter-battery fire upon them. The result: diminution of Ukrainian artillery effectiveness, although the precise extent of losses incurred remains a matter of some debate.¹⁵

At a more strategic level, the Russo-Ukrainian conflict has also featured a number of troubling attacks. The first came on Ukraine’s electrical power grid infrastructure in December 2015, when 30 substations in the Ivano-Frankivsk oblast were shut down as hackers took over their highly automated system control and data acquisition (SCADA) equipment. Nearly a quarter of a million Ukrainians were affected by this hack, which has been attributed to “Sandworm,” a Russian army cyber-warrior unit. These same hackers are believed to have masterminded the extensive c...