Defining Cyberwarfare and Cyberterrorism
An essay on the definition of cyberwarfare and cyberterrorism and how Australia’s terrorism laws differ from other western democracies.
Since time immemorial, humans have waged war. War against each other and possibly against our humanoid ancestors too. War is an intrinsic part of being human. It is little wonder that new technology drives motivation for advantage in warfare. Just as military dominance in the 19th-Century meant conquering the seas, and air superiority won wars in the 20th-Century, ruling cyberspace is strategic for the 21st-Century. Not surprisingly, applying age-old concepts of war and terrorism to new realms is controversial. This essay reviews various definitions of cyberwarfare and cyberterrorism, contrasting them with each other and comparing these definitions with uses by governments and the public. The words cyberwarfare (also written as ‘cyber warfare’ or cyber-warfare) and cyberterrorism (also ‘cyber terrorism’, cyber-terrorism), according to the Google Books Project, were first mentioned in the 1970s. The usage of the words did not become common till the late 1990s. Interestingly, the word ‘cyberterrorist’ has always been the most popular term among the variations, whilst ‘cyber warfare’ remains the most popular among its variations. For simplicity, this essay will use the compound word forms for both terms.
Among academics, the definition of when a cyberattack amounts to cyberwarfare is contentious. At one end of the spectrum, Rid (2012) argues that cyberwarfare has not occurred in the past and is unlikely to happen in the future. He defines war in precise terms, borrowing from Carl Von Clausewitz, a 19th-Century Prussian military theorist. There must be three elements for an action to be considered an act of war by a state. Firstly, there must be aggressive or defensive actions of a violent character, ‘an act of war is always potentially or actually lethal’. Second, an act of war must be instrumental, that is, a means to an end. The end meaning rendering the opponent defenceless or forcing the opponent to submit to the attacker. Thirdly, an act of war must be political in nature, with attributable actions.
Rid prefers to characterise cyberattacks as either sabotage, espionage or subversion. He opines that although cyberwarfare is possible, it is currently science fiction. In his opinion, calling cyberattacks cyberwarfare is at most metaphorical, the same way we use the term “the war on obesity” or the “war on cancer”.
Contrastingly, Rid’s colleague, Stone (2013), argues against war requiring lethal force and the need for attribution. Aggressive actions do not require lethal force but only “the application of force to produce violent effects”. Additionally, Stone introduces modern concepts of western liberal war, which aim to minimise the loss of human life by inhibiting an enemy’s means of waging war. This is illustrated with the example of the US Air Force raids on German ball-bearing factories in World War II, arguing that war is also waged on objects. In rejecting Rid’s view that destroying things can only amount to sabotage, Stone argues that war and sabotage are not mutually exclusive. Stone also argues that the new cyber domain could mean that future wars are fought without attribution.
In defining cyberwarfare in law, legal scholars seek to interpret the term ‘use of force’ in Article 2(4) of the UN Charter. The international legal community’s consensus is that the threshold for force only applies to cyberattacks where the result has the same effects as a kinetic force. That is, there is physical injury, death or destruction of property (Tully, 2012). This interpretation aligns more with Stone’s definition, meaning that cyberattacks such as:
- the Stuxnet virus in 2005 (attributed to Israel) which sabotaged Iran’s nuclear enrichment program by creating a virus that modified the SCADA systems to destroy centrifuges; and
- the Siberian pipeline explosion in 1982 (if it did happen) caused by faulty pump values which the US Intelligence rigged via the SCADA system (Rid, 2012); would qualify as cyberwarfare.
The news media use the term cyberwarfare and cyberattack almost interchangeably. A recent example is the hacking of Parliament House emails. Whilst academics would consider this cyberespionage, the Sydney Morning Herald categorises the story a cyberwarfare.
Whereas nation-states wage wars, cyberterrorism is waged by anyone with political or social objectives. Denning (2000) provides an often-quoted definition of cyberterrorism, being an:
“unlawful attacks and threats of attacks against computers, networks… to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear”.
This definition has similarities with cyberwarfare, with the threshold for ‘force’ being that the result is violence against people or property, but extended to include inciting fear of violence, as is the definition of traditional terrorism. Additionally, Denning’s definition explicitly excludes “attacks that disrupt nonessential services or that are mainly a costly nuisance” as not being cyberterrorism. The US Federal Bureau of Investigation defines cyberterrorism in similar terms as “politically motived attacks against computer systems… result[ing] in violence against non-combatant targets by sub-nation groups or clandestine agents” (Pollitt, 1998). Examples of cyberterrorism inclusive of the abovementioned definition are:
- the 1998 Tamil guerrillas email bombing Sri Lankan embassies to disrupt communications; and
- The 2007 DDoS attacks on Estonian and NATO websites by Russian ‘patriots’ protesting the relocation of a Soviet WWII statue from the centre of the Estonian capital.
International laws for cyberterrorism are addressed by existing laws covering terrorism (Tully, 2012). This includes Australia, but not without issue. The Criminal Code Act 1995 (Cth) defines ‘a terrorist act’ in such broad terms (and out of line with other western democracies) that hacktivism, which Denning would exclude as a costly nuisance, is inclusive of a ‘terrorist act’. Whilst other jurisdictions may exclude cyber-activism from anti-terrorism laws, Australia does not, which means that according to Australian law, the 2010 cyberattack on the Australian Parliament House website, co-ordinated by Anonymous titled ‘Operation Titstorm’ to protest the proposed “internet clean feed filter” was an act of cyberterrorism according to Hardy (2010).
Cyberwarfare are attacks by nation-states, whereas cyberterrorism could be attacks anyone with political or social objectives. Both require physical harm, injury or damage to property. That is, with the exception of Australian’s anti-terrorism laws that have a low harm requirement, meaning that most cyber-activism is classified as cyberterrorism in Australia.
Amendments to the Australia/New Zealand/United States (ANZUS) alliance mean that cyberattacks on member nations resulting in property damage or loss of life allow military responses, including kinetic warfare. It is, therefore, imperative that we understand the nuanced differences between the common usage and the technical usage of cyberwarfare and cyberterrorism not only as cybersecurity professionals but also as citizens.