The end of the “old wars”?

Part 2 of 7 of our journey into one of the most crucial challenges of our time: the information warfare

  1. The fifth element of war
  2. The end of the “old wars”?
  3. From square to war
  4. CIBs are the new APTs
  5. The race for Cyber Superiority
  6. Information warfare in a multipolar world: European Union
  7. A place for ethics in information warfare?

We talk about “information warfare” and “cyberwar” for decades, starting from sci-fi novels and moving through philosophical and military essays. However, the definition is continuously evolving and adapting to a domain that mirrors the “liquid” society we live in, the “age of uncertainty”. This concept, developed in the last decades even before the end of the Cold War, extended from culture to politics and to the military level, making clear that even the concept of “victory” needed an update, both on techniques and in the concept itself. This raises a very significant question for humanity, i.e., are we living in the age of durable disorder, where nobody can win?

The idea that to win a war, it was necessary to control the enemy’s information and communication targets is nothing new, but after World War II we started to move this concept from the idea of disabling such targets physically (i.e. bombing) to the idea of disabling them remotely (hacking). Disabling such networks electronically, instead of explosively, also allows them to be quickly re-enabled after the enemy territory is occupied. Similarly, counter-information warfare units are employed to deny such capability to the enemy. It is generally accepted that the first modern information war has been Operation Desert Storm, conducted by US Army in 1990-1991. According to Col. Alan D. Campen, the Gulf War «differed fundamentally from any previous conflict», because «the outcome turned as much on superior management of knowledge as it did upon performances of people or weapons». On one side, the first Iraqi targets attacked were air defense, leadership assets and electrical grids, all of which had the highest priority because of their impact on the Iraqis’ flow of information. On the other side, Dutch hackers allegedly «stole U.S. military secrets during the Persian Gulf War and offered them to Iraq». They gained access to information on personnel performance reports, weapons development, and descriptions of movement of equipment and personnel. The systems penetrated included the Naval Sea Systems Command, the Army’s readiness system at Ft. Belvoir, Virginia, and the Army missile research lab at Aberdeen, Maryland. At least one penetrated system directly supported U.S. military operations in Operation Desert Storm prior to the Gulf War. They copied or altered unclassified data and changed software to permit future access. The hackers were also looking for information about nuclear weapons. 

Between 1996 and 2003, US military, research, and university networks were hit by a coordinated attack – Moonlight Maze – part of which came from a Russian mainframe. 

Much of the official evidence was classified, but a Newsweek report in 1999 and further investigations conducted by various subjects, stated that sensitive information on a massive scale was stolen. Victims included the Pentagon, NASA, and the Department of Energy, and many more, on a scale that investigators didn’t hesitate to define “monumental”. . This could not be 100% confirmed as a Russian cyber attack, but it was clear that something massive had just happened.

In the spring of 2007 Estonia fell under a cyber attack campaign lasting a total of 22 days. The attacks, that were part of a wider political conflict between Estonia and Russia over the relocation of a Soviet-era monument in Tallinn, were well known, but unparalleled in size and variety compared to a country the size of Estonia. As stated by Rain Ottis, analyst for NATO Cooperative Cyber Defence Centre of Excellence, «Estonia is highly networked, so a wide scale attack on the availability of public digital services has a significant effect on the way of life of ordinary citizens and businesses alike. Therefore, these cyber attacks can not be disregarded as mere annoyances but should be considered a threat to national security».

In 2008, the war between Russia and Georgia was remarkable for its inclusion of a series of large-scale cyberspace attacks that were relatively well synchronized with conventional military operations. The cyber campaign consisted of DDoS attacks and website defacements that were similar in nature but different in method to what had occurred in Estonia the year prior. Thirty-five percent of Georgia’s Internet networks suffered decreased functionality during the attacks, with the highest levels of online activity coinciding with the Russian invasion of South Ossetia on August 8, 9, and 10. Even the National Bank of Georgia had to suspend all electronic services from August 8–19. «The cyber attacks – Sarah P. White wrote – had little effect on conventional forces and were not decisive to the outcome of the conflict, but they nevertheless offer significant lessons on the character of modern warfare for scholars of conflict and military studies». 

The most important cyber war episode until that day dates back to January 2010, when Stuxnet, a highly sophisticated computer virus targeted Iranian nuclear programme.

At the Natanz nuclear power plant in Iran, centrifuges dedicated to the enrichment of Uranium went out of control and exploded. This knocked out at least 1,000 of the 5,000 Iranian centrifuges and caused a few years’ delay for the Iranian nuclear program.

All these events reinforced the interpretation of cyberspace as a tool for holistic psychological manipulation and information warfare, and highlighted the role of third forces on the modern battlefield. From a strategic perspective, these attacks provided a demonstration of how the technical concepts of cyberspace can be understood through conventional operational concepts in order to more effectively integrate them with military operations. There’s not a direct cause-effect relationship, but it’s quite clear that the Russian strategy in the mid-2000s influenced the behaviour of Western countries some years later.

In 2015, US Air Force changed its own claim on its website, stating that its mission is «to fly, fight and win in air, space and cyberspace». The following year, NATO declared cyberspace as a “domain of operations”, and it has recently agreed to establish a Cyber Operations Center at SHAPE (Supreme Headquarters Allied Powers Europe). This confirms that cyberspace is “already militarized”, and that it is, in fact, a continuously contested domain where deterrence is impossible without persistent engagement. 

When this contemporary version of information warfare emerged, social media weren’t seen yet as a strategic battlefield, but the emersion of new technologies and challenges is continuous.