The story gained legs when a security commentator, Joe Weiss, who works for a commercial organisation advising utility companies in the US on how to protect themselves from cyber security threats, mentioned in a blog article that the FBI and Department for Homeland Security (DHS) had been investigating the incident and viewed it as a suspicious cyber attack emanating from Russia.

This was enough for media outlets across the world to pick up the story and present it as one of the first verified examples of cyber techniques being used to attack and disable civilian utility networks. Some of the less circumspect news organisations were unequivocal in their analysis. This was clearly an attack by “Russian cyber criminals”, and represented a worrying precedent. When a DHS spokesman said there was no apparent threat to the integrity of public utilities or to public safety, an anonymous online hacker disagreed and claimed to have hacked into the SCADA network of a second public utility in South Houston, Texas.¹

The problem with the story, as was reported reasonably widely a few weeks later, albeit with slightly less attention, was that its whole premise turned out to be erroneous. A contractor at the Illinois plant in question, Jim Mimlitz, revealed that he had watched the hacking story unfold with incredulity. He explained that the origin of the original online traffic from Russia to the water plant’s network was himself. While holidaying in Russia, Mimlitz had been asked to check something at the plant and had done so over an internet connection, inadvertently causing the fault.²

The mystery was solved, but the incident, and more importantly the way in which it had been reported, said a great deal about the way in which potentially destructive cyber attacks are conceptualised and articulated in Western national security discourse.

A couple of years prior to the Illinois incident, the President of the United States, Barack Obama, had delivered an address at the White House on the question of “securing our nation’s infrastructure”. He painted a bleak picture about the cyber security threats that were emerging, and the need to establish a sound strategy to mitigate them. One of the particularly interesting assertions he made, on which the cyber security expert Kenneth Geers picked up, was that cyber attackers “have plunged entire cities into darkness”.³ This was a bold statement: not only did cyber attackers have the capability to probe and interfere with public utilities, but they had actually carried out attacks which had affected entire cities. This is important because it means the threat is not just theoretical or apocryphal, as many of the critics of the cyber security debate would argue, but is proven and present with us today, if the president is to be believed. If we were to adopt a constructivist security perspective on this situation, we could say that President Obama’s words were a classic securitizing “speech act”⁴ that elevated a particular threat to a higher plane and thus justified extraordinary national security expenditure and action.

Again, however, further analysis reveals that the claims are based on less-than-solid foundations. It appears that the specific episodes to which President Obama referred had occurred in Brazil in the state of Espirito Santo in 2007 and in Rio de Janeiro in 2005. Here, widespread urban electricity failures had been blamed by many media outlets on cyber attackers hacking into Brazilian utility networks. A few months after President Obama’s address, in November 2009, Brazil experienced a further wave of power blackouts in a number of urban centres, and these were also blamed on hackers. By coincidence, these latest problems had occurred just a few days after a CBS 60 Minutes television report had been aired in the US, which had made the connection between the Brazilian power outages and cyber attackers, citing unnamed sources.⁵ However, it is reported that the Brazilian energy ministry chief of staff, José Coimbra, had claimed that investigations had pinpointed the earlier outages as being due to short circuits on certain high-voltage lines in the Sao Paulo area. Meanwhile, the then director of Homeland Security Information and Security in Brazil, Mandarino, revealed that there had indeed been cyber intrusions into the energy company’s networks in 2005 from criminals making an attempt at extortion. The attack had caused a minor loss of data from an administrative computer and had been quickly resolved. There was widespread debate in the Brazilian government which had come to the conclusion that the two incidents were not connected, and that the power outages could not have been caused by cyber attacks.⁶

The Illinois story had broken about a year after the effects of the Stuxnet attacks in Iran had been revealed (which is discussed later). Stuxnet has been described by many analysts as the first real military-grade cyber weapon worthy of the name.⁷ These stories illustrate a number of important facets of the debates around cyber security and cyber warfare in the second decade of the twenty-first century. Firstly, there is clearly a high degree of anxiety and discomfort about the possibility of major cyber attacks on critical infrastructure and the level of effect they could have on civilian populations. Such attacks are considered to be the weapons and techniques that would be used in a full-scale cyber war, or substantial cyber terrorist attack. This anxiety appears to be causing a tendency to leap on incidents before full analysis has been made, and to herald them as examples of destructive cyber capability being put into action. The commentators making these connections and assertions vary from media outlets to cyber security industry “experts”, and sometimes all the way up to political leaders at the highest level of influence.

At the same time, it is clear that the veracity of the claims and the scoping of these threats are, at the time of writing, subject to a high degree of ambiguity and confusion. Incidents which are heralded as attacks are often found to be either not attacks at all or to have so much doubt and obscurity around them as to be highly dubious affairs about which very little can be said with any certainty.

These are the issues at the heart of the debate on cyber war which this book aims to explore. It does so by identifying and unravelling two spectra at the heart of the contemporary narrative on cyber war. First is the spectrum of cyber threats in which the potential of cyber war is found. This is important as “cyber” has become something of an all-pervasive term which can be applied to almost any human endeavour. Outside of the security-threat environment we might now talk about cyber bullying, cyber romance, cybernetics, and a mysterious realm called cyber space, to name but a few. The origins of the “cyber” label can be traced to ancient Greek. One of the first writers to use the term extensively was Norman Wiener, whose 1948 book Cybernetics explored the potential connection between animals and machines.⁸ In the security sphere, much as it is semantically possible to have a “war” on just about anything (obesity, drugs, cancer) so can all threats have a potentially cyber dimension to them, now that we live in an inexorably networked world. Thus, cyber security means security against a range of threats including crime, espionage, vandalism, activism, and terrorism, as well as actual war and warfare-related activities.

Cyber war is very much at the extreme end of the cyber security-threat environment, much as is the case with traditional war and conflict. One of the key questions about cyber security is how we prioritise the range of threats, in the traditional risk-assessment sense of calculating both likelihood and impact. It may be the case, for example, that an act of war using cyber mechanisms is unlikely, and would not be very damaging if it were to happen. (Indeed, as I will discuss, it could even be seen as strangely virtuous in some circumstances.) At the same time, cyber crime such as online fraud or credit card skimming is probably a much more immediate and serious threat at the present time. Perhaps we should not be worrying so much about cities going dark and planes falling out of the sky, and direct more of our attention at fairly low-level and routine online fraud. For these reasons, this book will consider the question of cyber war very much within the wider context of cyber threats and cyber security across the spectrum.

The second key spectrum in the cyber war debate is that covering the range of views about how much of a threat cyber war really is, and how damaging it could be. This book will aim to uncover and discuss the range of views being put forward, and the relevant merits of each. At one end of the spectrum are the Cassandrist doom-mongers, who will say that the threat of cyber war is not only very real but is happening today, whether it is in the shape of electricity or water plants being disrupted, or computer worms knocking out nuclear weapons facilities. In 1993, Arquilla and Ronfeldt warned us that cyber war was coming.⁹ Just over 15 years later, a former director of the National Security Agency (NSA), Mike McConnell, told us that it had arrived, and we were losing.¹⁰

At the other end of the spectrum there is a range of critical commentators who cast doubt over such assertions. These cover a breadth of views, from those who say that activities that could reasonably be called cyber war will never be seen (as Thomas Rid argues¹¹) to those who do not necessarily rule it out completely in the future but claim that it has not arrived yet (such as George Lucas Jr.¹²). The reasons for such analysts taking critical views will vary from those noting, as do the opening paragraphs of this book, that there is some degree of hyperbole over recent events that have been equated with cyber war and we need to be more careful about ascribing such a label to these events; to those who frame their critique in terms of a conspiracy theory, suggesting that the military–industrial complex has good reason to exaggerate the threat of cyber war since it will...