Linguistic precision in cyberspace
Linguistic rigour matters. And not just because I studied philosophy and my tutors insisted on it to the point of obsession. Linguistic imprecision reflects muddled thinking. This is as true of cyberspace as physical space, as I discovered when writing my book on cyberdiplomacy. Unfortunately, linguistic precision in cyberspace is rare. The media in particular use terms like cyberwar and cyber attack so indiscriminately as to cause public confusion about cyberspace, and its dangers. But these terms have policy implications which should urge more caution in their use.
To begin: we are not in a cyberwar. Wars involve physical damage, to both humans and things. In other words, people get killed and things get blown up. Careless, and inaccurate, talk of cyberwar trivialises warfare and its enormous human cost. In cybersecurity this physical damage is referred to as kinetic effects. Kinetic effects as an intended consequence of cyber operations have so far been extremely rare. There is only one clear cut case: the attack, supposedly by the US and Israel on the Iranian nuclear processing plant at Natanz (the US may have also used cyber operations to cause kinetic damage to the N Korean medium range ballistic missiles, but it remains speculation). This is not to say that cyber operations will not escalate to kinetic attacks on critical civilian infrastructure, for example power generation or air traffic control systems. The Russians have carried out disruption operations against the power grid in Ukraine, although only temporary and possibly to signal capabilities to the US. When and if they do happen, the human casualties could be terrible. But we should await the occurrence of real kinetic attacks before talking about cyberwar.
The indiscriminate use of the word “cyberattack” by politicians, journalists and even academics (who should know better) conceals a multitude of sins. The word “attack” is a theory laden and emotionally charged word. It implies an unacceptable aggression, to which there should be some kind of response or counterattack. It is curious that we regularly use the word attack in cyberspace where we would not use it in physical space. For example, the use of cyberattack to refer to espionage operations. We would never talk about espionage attacks in the physical world, but rather espionage operations. The distinction is important. The use of the word “operations” for espionage in the physical world recognises that such operations, while not welcome, are part of international relations and constant, with their own rules of the game. These rules of the game include that espionage itself is no casus belli, and that intelligence officers, as opposed to the agents they recruit, are generally immune. Is it because we talk about cyberespionage attacks that the US government is indicting Russian and Chinese intelligence officers for their activities in cyberspace in a way that it has never done for their activities in physical space.
It would better if we referred to cyber operations. This would allow us to distinguish between the different kinds of operations and the motivations behind them. This would better enable us to devise strategies to deal with each kind of operation. Such a classification of operations would include degradation operations, designed to cause permanent damage either in cyberspace or physical space (kinetic damage); disruption operations, designed to temporarily disrupt systems; espionage operations, designed to steal data; criminal operations, designed to steal money; or information operations, designed to destabilise societies by spreading a mix of information and disinformation through online platforms. Distinguishing motivations also matters. Cyberespionage operations may be aimed at identifying the true intentions of a foreign government, stealing intellectual property to close a technology gap or stealing personal data as preparation for further espionage or criminal operations. Some of these activities may be acceptable (seeking to identify government intentions) or unacceptable (stealing intellectual property). These distinctions matter. In the Cold War espionage may have helped avoid nuclear war in both 1962 and 1983.
Cybersecurity is trendy. It helps sell newspapers (albeit online) and (I hope) books. Stories like the dangers of Huawei´s involvement in setting 5G industrial standards bring home the need to get diplomats more involved in internet governance. But so far kinetic damage from cyber operations is limited. There is no evidence of people being killed by cyber operations. It may come to pass. Indiscriminate use of terms like “cyberwar” and “cyberattack” will only make that more likely, while hiding the more interesting story of what is really going on. 5