Stuxnet-fuelled talk of the dawn of cyber warfare is, alas, misguided. Sadly, keyboards will never replace guns.
These days, it seems the infosec world has been bitten by the cyber bug. I wrote some time ago that the UK establishment had managed to resist the terminology, talking instead of “electronic attack”. But now even us Brits have caved in and started applying the cyber prefix far too liberally.
We have cyber attack, cyber espionage, cyber warfare, cyber treaties, cyber defence and cyber ground zero. The military, in particular, have gone cyber mad, with plenty of encouragement from the infosec community.
Cyber warfare is possibly the topic most likely to start a shouting match among security people, with some suggesting it's the biggest military threat, and others that it's just hype. If, like me, you fall somewhere in the middle, believing it is a development worth studying, but not the omnipotent bogeyman some would have us believe, you tend to find yourself taking fire from all sides.
Stuxnet is perhaps the poster child for cyber warfare. It's been described as a devilishly sophisticated nation-state cyber weapon and, indeed, is arguably a milestone development. But if you look a bit closer, some of the claims start to crack. Stuxnet certainly did some harm, delaying Iran's uranium enrichment by a couple of years. In terms of precision, though, it failed dismally. We only know about it because it affected thousands of computers unrelated to its target – hardly a smart weapon by modern standards.
There was also much talk about how only a nation state could marshal the technical resources to produce something so sophisticated. Given the ingenious nature of financial malware, however, this seems somewhat unlikely. The genuine “smoking gun” of nation state involvement – the accurate and detailed intelligence on Iran's centrifuge controllers and how to disrupt them most effectively – went largely without comment. (We're now going through a similar news cycle with the Flame espionage malware.)
Then there's the recurring description of cyber weapons as “the new nukes”. Really? Show me a single cyber weapon that can vaporise a city centre anywhere on the planet, with zero intelligence other than a grid reference and a “from decision to destruction” time of about 30 minutes. Cyber weapons are by no means toothless, but comparing them to nuclear weapons is facile.
Also often forgotten is the changing nature of modern warfare. While I consider the “Cold War is over” mentality to be somewhat optimistic, it is also true to say that most current shooting conflicts involve enemies that are largely resistant to cyber warfare. It's difficult to see how a virus would have tipped the balance in al-Anbar as effectively as the ground-pounding provisional reconstruction teams and supporting troops. Likewise, I don't anticipate any network-based defences against improvised explosive devices, the leading cause of Allied injuries and fatalities in Iraq and Afghanistan.
Military types use the term ‘revolution in military affairs' (RMA) for major new developments such as cyber warfare. Whenever an RMA occurs, people (usually those with the most to gain from the technology) inevitably suggest it will make previous methods obsolete. While this is true in some cases, it is usually overstated. The machine gun, tank and air power did not make infantry redundant, and signals intelligence will never completely supplant people.
In reality, the evolution of warfare is much messier, with new concepts overlapping tried-and-tested methods and gradually integrating into general use. Cyber is no different. It is having an impact on standard military operations, but it won't make them redundant. In many cases, a simple change of thinking can be as effective as new technology.
I would love to see cyber warfare overtake its kinetic ancestors. I have friends who bear the scars of modern warfare, and would be far happier if they could do their job with a keyboard instead of a rifle. I just don't see it happening any time soon.