Amid the anxieties of others over cyber threats to national security, political scientist Thomas Rid, as his book’s title suggests, takes a contrarian stance. His argument is in part scholastic: cyber operations have so far failed to satisfy von Clausewitz’s classic definition of war as organized violence by a state to achieve a political end or, more commonly put, politics by other means. Even Stuxnet, the most destructive of cyber operations, fell short of war under this definition: It was intended as a direct, stealthy interference with Iran’s alleged development of nuclear weapons, rather than a means to compel Iran to halt.

The other part of Rid’s argument is practical: cyber weapons alone do not produce the destruction feared in sound bites like “a cyber Pearl Harbor.” Kinetic weapons, perhaps supported by cyber operations, will be more effective. Hence, the character of hostile cyber operations, when conducted by states and politically motivated groups or individuals, will more closely resemble cyber crime, but for purposes of traditional sabotage, espionage, and subversion. In making his case, Rid presents technically sophisticated accounts of the design, mechanics, and difficulties involved in some well-known and some more obscure cyber operations. For example, he terms the Gauss cyber espionage platform, analyzed by the Kaspersky Lab in 2012, as a “veritable virtual Swiss army knife” (p. 97), and details three outstanding features: the targeting of data, especially cookies, of Lebanese and other Middle Eastern financial institutions; a round-robin domain service, which limited the anticipated congestion of resting large data loads by handing out host addresses for routing the data according to a rotating list; and exceptionally strong encryption. With this appreciation of Gauss’ complexity and sophistication, Rid can then surmise that Gauss was state-sponsored.

Rid emphasizes that such operations in essence continue the traditional practices, but put them on steroids. Moreover, he contends that their use makes these practices less violent and, in some respects, self-limiting: by eliminating in many instances the need for human agents, they reduce the potential of physical confrontations among people. But the actor that can now bloodlessly steal intellectual property on unprecedented scales will lack the tacit knowledge to use it successfully. This optimism, however, might be misplaced. The “technology transfer” problem can be solved without the source’s help, and there are well-known cases of stolen intellectual property quickly being integrated in products of competitors much to the sources’ detriment, for example, Nortel and AMSC. Similarly, while Rid correctly observes that social media lowers the costs for organizing protests and other subversive actions, at the expense of organizational control–so the rally works but the campaign fails–he ignores that by rapidly mobilizing enormous numbers in the real world, social media increases the potential for the type of widespread violence recently seen in the Middle East.

This book most obviously responds to Cyber war [1], which expected cyber arms to approach chemical ones in their destructiveness and recommended their control by an international regime modeled on that for chemical weapons. Rid, however, notes that Cyber war’s point of departure--Israel’s reported use of cyber operations to neutralize adversary radar in its 2007 bombing of a Syrian nuclear reactor--amounted to a strike against a single, discreet target. On this view, sharpened by the US reluctance some years later (after the publication of Cyber war) to use cyber weapons against Libyan air defenses, Clarke and Knake might have overstated the threats. The same can be said of the NATO associated group of experts who deal with the legal status and constraints on cyber operations unrelated to kinetic actions [2]. Despite their military backgrounds, these legal scholars assumed that hypothetical cases, such as attacks on civilian infrastructures, could be realized as imagined, without considering their feasibilities, on one hand, and unintended consequences, on the other. Such thinking is not new and is prompted by the vagaries of cyber threats. John Mueller’s Overblown [3] documents a long tradition of “threat promotion” in American national security thinking–sometimes to arouse an apathetic public or defend defense budgets. Perhaps the difference here is that in most other promotions, the experts extrapolated from observables. Rid finds this particularly unfortunate. While we await an iconic, but highly unlikely catastrophe--the cyber equivalent of Hiroshima or the gas attacks of World War I--to validate the fears of cyber attacks, the defenses against real threats of cyber-enabled sabotage, espionage, and subversion remain weak.

More reviews about this item: Amazon, Goodreads