“Now I am become Death, the destroyer of worlds” JR Oppenheimer, 1945
Those famous words resonate with us all, as does the dramatic mushroom cloud on the horizon. In fact, everything about nuclear weapons is worthy of a superlative; expense, explosive power, political clout to name a few. But are we going the same way with e-weapons? How do we measure the scale of a cyber-attack so that we can respond?
There is no doubt that an e-weapon could kill thousands of people in a few seconds: bursting a dam, crashing airliners, destroying health IT or overheating a nuclear power plant.
But just how exposed are we? According to Symantec, it blocked 229,000 web attacks a day in 2016 (83 million pa). According to Cisco, the annual fixed internet traffic in 2016 was 65,942 Petabytes (a single PB is 1,024 TB) as more and more things are getting connected.
Are there ground rules for the use of e-weapons? A group of experts has attempted to tackle this problem and have set out some basic rules of the game in the Tallinn Manual in an attempt to apply International Law to cyber warfare. Martin Libicki from the Rand Corporation has stated that:
“As a general rule if you do something in cyberspace that looks like the sort of thing you could do with kinetic weapons, it will be treated as though you have done it with kinetic weapons.”
But these Tallinn rules are voluntary and also assume that only nation states are players. The United Nations Office for Disarmament Affairs (UNODA) started the process of establishing some ground rules on the use of cyber weapons when Russia (yes, Russia!) initiated a draft resolution in 1998. However, it has suffered from many of the same problems as its work to disarm and prevent the proliferation of nuclear weapons.
Given that the cyber weapons can now (or shortly will be able to) dispense large scale disruption (and death), have they reached the MAD scenario? Whilst there are many similarities, such as deterrence, there are also significant variations. For instance, it is hard to measure opponents’ arsenals when they are lines of code. Nuclear weapons were the property of nation states and so limitations treaties were signed by governments (not by renegade or terrorist hackers) and it was much easier to define the payload.
If cyber weapons can have a devastating impact, if there are only a few (voluntary) ground rules and if nations / individuals can wreak havoc on each other – how do we measure the scale of a e-weapon?
Numbers of population impacted.
Cost of damage / repair
|1||>10||Low||Petty. Committed by isolated individuals for financial reward. Tiny numbers of people affected.|
|Weak. Criminal intent, impact is limited to a small number of people. No death or injury|
(>£ 100 thousands)
|Minor. Likely to be criminal and random in nature (no strategy or intent can be shown). No death or injury.|
(In excess of £100,000)
|Moderate. National Impact but does not target key infrastructure. Motivation is purely financial / major crime. No deliberate attempt to harm humans, although this may have taken place.|
(In excess of £100,000)
|Intermediate. International impact. Causes few deaths and some injuries. Infrastructure is impacted, resolved within 24 hours.|
|6||millions||High (£M)||Serious. International impact. Death and injuries can be measured accurately. Infrastructure is impacted, resolved within 48 hours.|
|7||millions||High (£M)||Very Serious. International impact. Targets infrastructure. Cost of repair is significant. Death / injury takes place.|
|8||millions||Billions.||Severe. International impact. Death and injury is a bi-product of the attack, but remains a major attack on a nation. Infrastructure and economy is severely impacted. Recovery is likely to be measured in weeks. Constitutes an Act of War.|
|9||millions +.||Billions.||Profound. International impact. Designed to inflict death and injury. Major damage to national security. Major impact to economy.|
|10||millions +.||Billions.||Catastrophic. International impact, likely to be used in conjunction with physical military attack. Long lasting impact to economy and infrastructure.|
A scale that allows both sender and recipient to understand the severity of the weapon they are using gives e-weapons their own Kiloton yield. War crimes trials or collateral damage estimates would benefit from a measurable scale that shows proportions. But most importantly a scale allows nation states to communicate with each other, to send signals to each other and offer a deterrence. A measurable scale allows decision makers to formulate an appropriate response without which, they can only estimate.
 2nd edition in Feb 2017.
 Mutually Assured Destruction (MAD)
The views expressed within individual posts and media are those of the author and do not reflect any official position or that of the author’s employees or employer. Concerns regarding content should be addressed to firstname.lastname@example.org
Contributor: Matthew Botsford has over 20 years of combat leadership and management experience. The Wavell Room are pleased to bring you an abridged version of his full article on Cyber Warfare, which was originally published on DefenceIQ.com