Cyberwarfare created a dangerous battlefield where nobody wins

COMMENTARY: Of all the forms of warfare humans have invented, there’s nothing stranger and more unsettling than modern cyberwarfare. We’re habituated to think of war as a state of conflict with a defined beginning (outbreak), middle (mutual struggle) and end (victory or defeat).

Several decades after the term was first used, we can now say with some certainty that cyberwarfare doesn’t work like this. So, what are cyberwarfare’s distinctive characteristics?

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Cyberwarfare in the 21st Century feels more epochal, something closer to a permanent state of conflict from which we might never emerge. Cyberwarfare must have started in the 1980s as computer networks expanded their influence but it's not clear that it will ever end in any conventional sense. For geo-politics and human society, this represents a profound change, the effects of which are still underestimated even as negative effects already have manifested.

A dynamic trend in recent kinetic wars is the way hacktivists now flock to digital wars almost as fast as the humans in the firing line are running in the other direction. The ongoing war between Ukraine and Russia offers a good illustration. Wars are traditionally fought with appointed combatants. Hacktivism shows us that anyone with the right skills can be involved in a cyberwar, which potentially creates dangerous instability. Armies take orders and have defined chains of command. Hacktivism lacks this discipline and can pick their targets with minimal accountability.

Contrary to popular opinion, Ukraine v. Russia didn’t start in 2022 – it dates to the early 2000s when Russia started investing in digital warfare capabilities to destabilize its geo-political opponents, including the nascent Ukrainian democracy movement. Analysts were aware of this new capability – a widely discussed example being the cyberattacks on Estonia in 2007 – but believed it was secondary to kinetic war. However, these Russian campaigns were harbingers of a deepening enmity. This pattern has repeated across other geo-political conflicts.

In Ukraine v. Russia and Israel v Iran we see the outlines of new and increasingly aggressive disinformation and influence campaigns. It’s often underplayed by traditional news reporting, which focuses on territory gained or lost, tanks destroyed, and soldiers killed. While this physical dimension is important it’s no longer the whole story. Out of sight and much harder to assess is the information warfare that has augmented the kinetic conflict and at times taken on a life of its own. We used to call this propaganda, a term that now seems tame as a description for the epic psychological influence campaigns of modern disinformation.

Cyberwarfare leveling increases risk

In traditional warfare, bigger is better. When larger armies also have the force multiplier of superior technology, there’s only one possible outcome. Cyberwarfare doesn't overturn this principle, but it’s a warning that in the digital realm it’s not strengths that count, but weaknesses. It’s this observation which caused many nations to invest in cyberwarfare in the first place. Digital vulnerabilities are easier to exploit than kinetic ones.

Cyberwarfare, then, acts as an asymmetric leveler. Building a superpower takes trillions of dollars of investment in people and technology over decades. Nations can build a cyber-superpower for a tiny fraction of that investment in a few years. In theory, any country or even a small, determined group could do this.

AI as a force multiplier

There’s understandable speculation about whether defenders of attackers will benefit more from AI in terms of cyber security. In truth, both will gain. However, cyberwarfare will function as the early testing ground.  

Today, despite the huge expansion in cyberwarfare over the last decade and a half, it scales rather badly. Expanding cyberwarfare still requires people, and that’s why a nation’s capabilities are judged on the number of people working on cyber-offense and defense in government agencies.

AI changes this calculation. For the first time, machines can carry the load. The same dynamic may change the number of workers needed by white collar businesses – why would cyberwarfare be any different?

People now worry about the unpredictability and instability of this new reality. Right now, countries are still transfixed by the exciting offensive potential of cyberwarfare, and that’s to say they are overestimating their ability to control it. But it's just as likely they will sit on the receiving end.

At some point, we’ll have to establish some new norms to govern cyber-capabilities using the same red lines applied to kinetic warfare. There have already been attempts to do this, notably the Budapest Convention of 2001. Unfortunately, some countries took the process seriously, while others paid lip service at best. The fact that we're still writing about the expansion and dangers of cyberwarfare almost 25 years later suggests that this process has not worked and the industry must come up with a new mechanism. More on that in a future column.

Pascal Geenens, director, threat intelligence, Radware

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.