Understanding Cyber Conflict

Conflict in cyber space is the stuff of box office thrillers and countless articles in the popular press. But how can specialists better understand the consequences and significance of cyber attacks in the real world? Have major cyber attacks scored strategic victories for the nations that have sponsored or launched them? Or are these fusillades of ones and zeros simply a nuisance to their targets?

Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, recently delivered a talk to assembled faculty, researchers, and students at NYU Abu Dhabi that addressed these questions.

The talk was given in conjunction with a conference sponsored jointly by the Center for Interdisciplinary Studies in Security and Privacy at NYUAD (CrISSP-AD) and the Atlantic Council.

Healey was careful to make a clear distinction between cyber conflict and cyber war, arguing that the world has yet to see a cyber war. He prefers the term cyber conflict, as "conflict is a general enough term that it can include many things, like espionage and high-end crime. While 'war,' or 'warfare' is such a loaded term" and a cyber war could potentially provoke a response with real bombs and missiles.

Healey noted that though the world's computer networks have not served as a theater of cyber war (even specialists fail to name a particular case in which a cyber attack led directly to a death), attacks have certainly damaged national security and businesses, at least temporarily.

During his talk, Healey asked the audience to name cases from the past that constituted cyber conflict; attendees mentioned the denial of service attack on Estonia in 2007, attacks on Georgia that coincided with the Russian invasion of that country in 2008, and the Stuxnet affair of 2009 to 2010, in which the US and Israel allegedly attacked centrifuges of the secret Iranian nuclear program.

Though intriguing and powerful as stories, Healey wonders: What are the long-term consequences of attacks like these? For example, the attack on Estonia led to the Estonian government's disconnecting the country's networks from the rest of the world for several weeks. But in the end, the attackers weren't able to dissuade the Estonian government from moving a statue that commemorated Soviet war dead. An operational victory but strategic defeat for the attackers.

Moreover, though cyber conflict constantly changes at the tactical and technical levels, "over the past 30 years, things have changed so little in the dynamics of cyber conflict," Healey said. "And the more significant the conflict, the more similar cyber conflict is to battles in air, land, and sea." With one major exception: the role of the private sector in the cyber realm.

A traditional campaign is fought on the ground, sky, or ocean, while the battlefield of cyber conflict has literally been built by — and is largely controlled by — private companies. "The Internet is dominated by the private sector in a way that other battlefields aren't," Healey said.

Jason Healey works to demystify the overlap of traditional national security and cyberspace by focusing on international cooperation, completion, and conflict in cyberspace. He has worked on cyber issues since the 1990s as a policy director at the White House, as executive director at Goldman Sachs Asia, and as a US Air Force intelligence officer. Widely published on cyber conflict and statecraft, he is a board member of Cyber Conflict Studies Association and lecturer in cyber policy at Georgetown University. He is editor of A Fierce Domain: Conflict in Cyberspace, 1986-2012, the first comprehensive cyber conflict history, published in 2013.