Long Live Cyber War

Thomas Rid on the pitfalls of using analogies to illustrate the reality of the threat posed by ‘Cyber War’.

“Analogies enhance didactics, discovery, and deception — especially self-deception. ‘Cyber war’, along with other martial comparisons like ‘cyber weapons’ and ‘new warfighting domains’, should be seen for what it is: a metaphor with some benefits and many limitations. Lest we forget.”

Similes, metaphors, and analogies have enabled and shaped the discussion of computers from the beginning. As engineers developed new technologies, they needed new words to describe what they and their technology were doing. Storage and packets and firewalls are all spatial analogies that refer to something humans could intuitively relate to. Hard disks were repositories for lots of data, so referring to them as storage devices must have seemed intuitive. Small pieces of information, bundled between a header and footer with an address on it, naturally could be called a packet. Calling software that kept malicious things from coming into your network a firewall just made sense.

Pointing out that cyberspace itself is a spatial metaphor may be obvious. Less obvious is that it was not an engineer that coined the term, but a novelist: William Gibson. Gibson first used the word in his 1982 science-fiction short story Burning Chrome. He later popularized it in the 1984 novel Neuromancer. It is worth quoting the paragraph that introduced the word to the book’s readers. The segment describes the fictional thoughts of Henry Dorsett Case, a low-level drug dealer in the dystopian underworld of Chiba City, Japan,

A year here and he [Case] still dreamed of cyberspace, hope fading nightly. All the speed he took, all the turns he’d taken and the corners he’d cut in Night City, and still he’d see the matrix in his sleep, bright lattices of logic unfolding across the colorless void … The Sprawl was a long strange way home of the Pacific now, and he was no console man, no cyberspace cowboy. Just another hustler, trying to make it through.

Cyberspace, for Gibson, was meant to evoke a Matrix-like virtual world of computer networks that users would be able to ‘jack’ into through consoles. Cyberspace, he later explained, was an ‘effective buzzword … evocative and essentially meaningless.’ The writer imagined the word as a suggestive term, one that had ‘no real semantic meaning.’ Even Gibson could not have imagined a more spectacular rise of his evocative yet meaningless expression. To this day, this creative lack of semantic clarity remains a potent source of agility that helped the analogy jump out from the pages of an obscure sci-fi novel and ‘jack’ cyberspace into the political reality of international geopolitics.

Yet analogies should be used with caution and skill, especially in the conceptual minefield that is cyber security. Analogies can be triply instructive. First, a metaphor can make it easier to understand a problem – analogies are didactic devices. Describing cyber security as a conceptual minefield, as in the opening sentence of this paragraph, underscores one thing: be careful, something could go wrong if you don’t pay attention to detail. Second, the comparisons that metaphors force upon us can highlight areas of importance and connections that might otherwise have been missed — analogies are inspirational and creative devices. If cyber security is a conceptual minefield, then perhaps we can come up with a way to better find the ‘mines’? Finally, and most importantly, at some point a metaphor will begin to fail, and at this point of conceptual failure we may learn the most important things about the subject at hand: how it differs from the familiar, how it is unique — analogies are also testing devices.

This triple approach to evaluating the utility of metaphors is simple in concept but difficult in practice. Perhaps especially in the context of cyber security — a field which encompasses the technological knowledge of various sub-disciplines of computer science as well as social science, political science, legal studies and even history — each step on this three-bar ladder of abstraction by analogy requires progressively more specialized expertise.

The first step is easy. Even laypersons may use analogies as didactic devices. The second step is not too difficult. Using analogies as creative devices requires some working knowledge of a field, but not special training. But using analogies as testing devices requires expertise and skill. Recognizing a complex analogy’s point of failure and taking advantage of the additional insights afforded by the conceptual limitations of a given metaphor takes expert knowledge, perhaps even knowledge from across unrelated disciplines. In practice, therefore, analogies often begin to fail without their users noticing the defect.

The shortsighted and flawed use of metaphors is especially prevalent in the cyber security debate. Talking about cyber war or cyber weapons, for instance, is didactically useful: the audience instantly has an idea of what cyber security could be about. It inspires creativity: perhaps it evokes thoughts of ‘flying’ or ‘manoeuvring’ in cyberspace, not unlike Henry Dorsett Case ‘jacking in’. But too often analogies are used without communicating their point of failure. If cyber security is a conceptual minefield, then stepping on one of the dangerous devices causes harm that cannot instantly be recognized. The line between using such comparisons as testing devices and self-deception devices, in other words, can be a subtle one.

A good example of this self-deception is the common comparison between the Cold War and cyber war, or between nuclear weapons and cyber weapons. On 9 April 2013, Reuters reported that the US Air Force had designated some of its network attack tools as ‘weapons.’ Indeed, an ideal illustration of this problem is the much-vaunted war in the so-called fifth domain. ‘Warfare has entered the fifth domain: cyberspace,’ The Economist intoned in July 2010. Referring to cyber conflict as warfare in the fifth domain has become a standard expression in the debate. This author was taken aback in a closed-door meeting in the Department of War Studies at King’s College London in early 2012 when a senior lawyer for the International Committee of the Red Cross referred to cyber war and wondered whether the organization needed to work toward adapting the Law of Armed Conflict to that new fifth domain.

Five points will help illustrate how difficult it is to draw the line between didactic benefit and the risk of self-deception. First: the expression ‘war in the fifth domain’ has its origin as an Air Force lobbying gimmick. The air force was already in charge of air and space, so cyberspace came naturally. In December 2005 the US Air Force expanded its mission accordingly. Henceforth, it would be ‘flying, fighting, and winning […] in cyberspace.’ This alone is not a strong argument against the term’s utility, but it is important to be clear about where the expression comes from, and what the original intention was: claiming a larger piece of the shrinking defence budget pie.

Second: ultimately, code-triggered violence will express itself in the other domains. Violence in cyberspace is always indirect. Computer code cannot directly affect human beings and human bodies, only indirectly by weaponizing a target system that is critical for some form of human interaction or security. By definition, violence that actually harms a human being cannot express itself in a ‘fifth domain.’ This is not a moot philosophical point, it is a fundamental limitation.

Third: if warfare in the ‘fifth domain,’ as consequently would be necessary, referred only to damaging, stealing, or deleting information stored in computer networks, not to affecting something that is not part of that domain in the first place, then the very notion of war would be openly degraded to a metaphor, as in the ‘war’ on obesity.

Fourth: cyberspace is not a separate domain of military activity. Instead, the use of computer networks permeates all other domains of military conflict: land, sea, air, and space. To an extent, that is the case for the other domains as well. But in the case of IT security, an institutional division of labour is far more difficult to implement, especially in a military context: the air force doesn’t have tanks, the army has no frigates, but everybody has computer-run command-and-control networks.

Fifth: cyberspace is not even space. Cyberspace is now a common metaphor used to describe the widening reaches of the Internet. ‘Firewall’ and ‘surfing’ the web are other well-established and widely accepted spatial metaphors. Saying the air force ‘flies’ in cyberspace is like the army training troops to ‘scale’ firewalls or the navy developing new ‘torpedoes’ to hit some of those surfing the web. The silliness of such comparisons reveals their limitations.

Metaphors and analogies, philosophers of language know, may die. They die through extensive, repetitive, and widespread use in a new context. Once a metaphor is dead, we no longer recognize it as such, as in ‘firewall’, ‘Trojan’, or indeed ‘pilot,’ an expression that has been used to mean guiding or steering a boat since the 1500s. Language becomes richer as metaphors wither. But once analogies are dead, recognizing their deceptive potential also becomes more difficult. It is, therefore, in our keen interest to keep some metaphors alive — long live ‘cyber war’.

Inspection Copy Request
Review Copy Request
Join our mailing list

Subscribers receive exclusive discounts and early access to new books from Hurst.