The John Markoff and Thom Shanker recently covered collateral damage in cyber conflict for the NY Times. Unfortunately, collateral damage in cyber conflict is extremely difficult to distinguish from (a) chance and (b) the intended effect of offensive operations. From their article featuring John Arquilla:
In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the United States invaded Iraq. He would have no money for war supplies. No money to pay troops….
But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the United States.
Fears of such collateral damage are at the heart of the debate as the Obama administration and its Pentagon leadership struggle to develop rules and tactics for carrying out attacks in cyberspace.
This account of collateral damage in cyber conflict doesn’t really explain what’s different about cyber conflict. Why would covert or military cyber actions that affect Saddam’s bank accounts be all that different from, say, financial sanctions on Iranian banks?
In cyber conflict, the range of targets is extremely broad. Critical infrastructure is a key lever of pressure on political adversaries, and cyber attacks are a huge set of tools for pulling on that lever. Creative cyber attacks give the attacker a degree of choice over which businesses, which cities, which industries, and which services to attack; but essentially nobody has a complete picture of the interrelationships in the global economy, and nobody can possibly predict the exact consequences of large events in international business. Future cyber attacks are unlikely to involve hacker commandos that insert malware into enemy aircraft sitting on the runway. More than likely, they will attack the same critical infrastructure systems that power the civilian economy.
Battle damage assessment in cyber operations is more difficult than, say, strategic air campaigns. Couple that with an incomplete picture of the economies and political adversaries that cyber attacks are designed to pressure, and then season liberally with the fog of war: meaning that it is largely impossible to gather timely information about the identity and motivation of your true adversary when defending against cyber attacks.
Conventional force-on-force conflicts have clearly drawn lines around the objectives of combat (controlling territory) and the application of lethal and destructive force (proportionality, prohibited means). Damage that falls outside of these narrow boundaries is either collateral or criminal. Cyber attacks do not (yet) have these bright boundaries.