The arenas in which humans seek advantages are ever changing. From land and sea to air and space, humans have found a way to contest each other and the manmade arena of cyberspace will be no exception (Tabansky, 2011, p. 79). Different actors approach cyber in unique ways depending on their goals, motivation and resources. Nation states may do strategic battle in an information war while terrorist organisations spread their message of fear through isolated cyber incidents. To further complicate matters, incidents can even be misattributed to the above, when they are in fact the work of skilled individuals for recreational fun, such as the attacks on U.S. DOD computers systems in 1990 Z(Lewis, 2002, p.8). So what differentiates warfare from terrorism? First, we shall explore two major cyber warfare doctrines, then look at two incidents and determine if they would be considered warfare or terrorism. The picture may be murkier than we believe.
Contrasting U.S. and Russian approaches will be effective in defining cyber warfare. The U.S. is the sole world superpower, making it the benchmark for military competitiveness worldwide (Fritz, 2008, p.40). The U.S. views cyber capability, both offensively and defensively, within an effects-based approach. That is to say, it is interchangeable with a kinetic strike as the effect produced is of concern, not the means via which it is produced (Farrell & Glaser, 2017). U.S. doctrine expresses a defensive mindset thus, 'the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests’(Farrell & Glaser, 2017). What does this tell us? The U.S. (at least publicly) believe cyber warfare is an employable asset, like an aircraft, or naval fleet. A military instrument to be used at the correct time, to generate a desired result.
Russia in contrast does not even use the term cyber (kiber) or cyberwarfare (kiberrvoyna), except where referencing western doctrine, instead referring to this concept within the broader rubric of information warfare (informatsionnaya) (Connell & Vogler, 2017, p.3). Instead of an act to cause an effect, it is viewed as a strategic fulcrum in the exercise of state power, both in peacetime and in wartime, to create and sustain total information dominance (Connell & Vogler, 2017, p.6). This approach is a direct continuation of the Soviet-era Leninist doctrine of endless war (Connell & Vogler, 2017, p.5). Thus its willingness to use cyber capability is not confined to what the West would determine ‘acts of war/deterrence’ but rather as part of an endless doctrine of advancing Russian power.
The concept of cyber terrorism is young and not yet properly defined. Traditional terrorism typically has been defined as an act causing fear and harm indiscriminately (Janczewski & Colarik, 2009, p. xiv) to advance a goal. Where an act of terror ends and an act of war begins is murky at best, especially in the field of psychological warfare. Unlike its parent concept, which is constituted by serious acts of violence against people or property (Jarvis, Macdonald, Whiting, 2016, p.36), cyber terrorism is much harder to pin down. While western organisation such as ASIO consider hacktivist groups such as Anonymous to be cyber terrorists (Joyem, 2013), others have expressed concern that what is merely private protest or dissent in the cyber space is being reclassified as cyber terrorism when it runs against the status quo or state goals (Anonymous: Protestors or Terrorists?, 2012 ). Until a clear, collective perception of what constitutes an act of cyber terrorism settles in the public subconscious, each cyber incident will need to be considered on a case by case basis, looking at the perpetrator, the goal and the impact before it could be called cyber terrorism.
Given the above discourse, it is impossible to select a ‘cyber warfare’ and ‘cyber terrorism’ event objectively. Instead, let us look at two significant cyber incidents, and how we would classify them.
Cyber in practice
In late December 2015, three separate distribution centres in the Ukraine had their power grids brought offline via remote access controls, then had internal data wiped using a KillDisk malware (Connell & Vogler, 2017, p.20). Over 220,000 Ukrainians spent six fearful hours in the dark and repairs would take months to complete. Terrorists seek to make a political statements and to inflict psychological and physical damage on their targets (Lewis, 2002, p.8). The statement here is clear; we can take your power away when we want, with precision. Be fearful of opposing us. Is this cyber terrorism? Or do the links the pro-Russian instigators are rumoured to have, rebrand this incident as an act of cyber warfare?
The worm Win32/Stuxnet is one most technologically sophisticated malicious programs developed for a targeted attack to date (Matrosov, 2011). Security experts have suggested the worm was designed to specifically target Iranian Bushehr nuclear plant (Chen, 2010). Its level of sophistication and unprecedented use of four zero-day exploits suggests development by a highly competent team, almost certainly a state actor. While never proven, the use of a cyber weapon to produce a specific kinetic effect, is consistent with U.S effects based cyber war doctrine, and its origin has often been believed to be American. Stuxnet more clearly falls into the category of cyber war, as there is no message being sent; instead an effect - covertly disrupting Iranian nuclear research - was the goal.
Is there a difference?
The key takeaway is the question, do cyber acts require a recognised state actor to be considered cyber warfare instead of cyber terrorism? Or is it the intent of the act, ie. effects-based versus sending a message, that makes the difference? Acts that may be considered terrorism, such as spreading fear and uncertainty through Russia’s policy of informatsionnaya can be considered acts of cyber war from a certain point of view. By contrast, acts that would normally be considered war if conducted under the U.S. effects-based doctrine, become terrorism when perpetuated by an unrecognised state, such as ISIS or an independent hacker. This is further complicated by state actors who conduct covert actions against rivals and their assets using subsidiary organisations in order to achieve deniability. In the end, there may be no clear discernible difference, beyond a visceral gut reaction, between an act of cyber warfare and an act of cyber terrorism. There are only cyber incidents and the effects on society they create.