on September 16, 2013
The upshot: Save your money.
At the outset, this author seems to have at least two major problems in his reasoning.
1. He chooses a definition of war (it must involve violence, it must be political, and it must be instrumental) and then concludes that whatever does not fit onto that definition does not constitute war. It's like he never stops to consider that, in light of new technology the definition of war could (and should) be expanded.
2. He gives a lot of anecdotal examples from history and shows where they were ultimately of little consequence. And therefore he arrives at the conclusion (not too lightly) that future attacks will be equally benign (or will not be able to wreak the destruction that many people fear). But to follow that reasoning to its logical conclusion, one could conclude that because the last attack where people fired muskets (and didn't kill that many people) meant that guns would never get to the level of destruction of an AK-47.
The book is written such that any of the chapters can be read stand-alone. And so I'll go through the book and make some statements chapter by chapter.
Chapter 1 (Definitions). This is where Rid lays out the definition. Again, war must be political, instrumental, and violent. The author then goes on to make the case that since not many people have been killed by electronic warfare, that it is not the same thing as hand to hand warfare or nuclear devices. The problem is that words are not our masters. They are our servants. If we follow this author's line of reasoning to its logical conclusion we could say something like: "So and so said that a legal system should have impartial jurists and be predictable. A country/ territory that does not have predictability and impartial jurists does not have a legal system." Yet that would not explain the Chinese legal system (which is unpredictable and the concept of "impartial jurist" does not exist-- at least not in the Western sense) and that is not to say that there *is* no legal system in China. There's just one that does not fit onto So and So's definition of what is a legal system. The author then goes into a few anecdotal examples. But these are irrelevant. If you have had 100 electronic ("cyber") attacks and they caused limited damage, you can say absolutely nothing (!) about the 101st.
Chapter 2 (Violence). More semantics. More pressing of the Clausewitz definition. Based on the Clausewitz definition, wars must be violent (and violence must have an emotional impact). Electronic attacks are not violent, nor are they the same thing as a bullet or an explosive device. And so they therefore don't qualify as war. There is some interesting discussion about the instrumental role of violence in establishing the power of the state and maintenance of trust. (And so if violence is not directed toward establishing the role of the state and maintenance of trust relationships, then it is not instrumental.) It's a very long argument, but ultimately it's sophistry. One could say that erosion of trust (by repeated cyber attacks) destroys so much economic activity. And if you pick a certain value per life, then that is the same thing as killing actual civilians. And in that case, then it is instrumental (destroying the government of the enemy) and does count as "war."
Chapter 3 (Weapons). Here we get part of a helpful distinction between generic and low potential tools vs. specific and high potential weaponry. But before the chapter if finished, he gets into more casuistry. Weapons are meant to hurt people/ things. But DDoS attacks don't actually harm anyone. The damage that they cause is second-order, and so they don't fit onto the definition of "weapons" (which, are meant for direct use in this case).
Chapter 4 (Sabotage). There is some discussion of attacks on things like the attacks on Saudi Aramco. He says that they interrupted operations for less than a day. But it is fallacious to conclude that just because something happened one way one time that it might not be worse the second time. The author expands this foolish line of reasoning for *several* pages.
Chapter 5 (Espionage). Here the author makes the distinction between Human Intelligence and Signal Intelligence. Apparently economic espionage can be damaging, but it is not all that damaging for things that have process knowledge (just because you have recipe for bread doesn't mean that you know how to make it *well*.) As with all the other chapters, he builds his argument by anecdote-- and then assumes that absence of evidence is evidence of absence (so, if you can't prove beyond a shadow of a doubt that Chinese espionage didn't cause the collapse of a company then that is enough to rule out electronic espionage as anything significant).
Chapter 6 (Subversion). I am not sure what his point is here. And I didn't have the patience to fish for it (through the long discussion about what does subversion mean). Some part of it seems to be an argument that was repeated before by Evgeny Morozov in The Net Delusion: The Dark Side of Internet Freedom. Basically, he says that: 1. Movements that are not made by flesh and blood people might not have the same "stickiness" as movements that are based online, and; 2. As larger numbers of people get together the focus of the group becomes more vague. (This could account for why the Occupy Wall Street Movement had such a hard time articulating a message-- or even finding one for that matter.)
Chapter 7 (Attribution). Now the book gets really silly. He goes over some cases where attribution was difficult (as we suspect that it might be given the nature of the tools). And even though the author has mentioned that circumstantial evidence would not hold up in court (such as the fact that in one case all the attacks happened between 9am and 5pm Beijing time and were traceable to the Shanghai Pudong District)....how this is relevant, I'm totally unsure.
Chapter 8 (Conclusions). There is some interesting discussion about the use of metaphors (1. didactic devices; 2. creative devices; 3. testing devices). And he seems to conclude that the advantage is on the side of the defenders. Given how shakily reasoned this book has heretofore been, I am tempted to conclude the exact opposite of what he says. Finally, there is a bit of discussion on the *ethics* of cyber attacks. And this strange, because: 1. The author has just gotten finished telling us that electronic warfare is not the same as physical warfare; 2. Don't let your metaphors take you too far. But then he turns around and does *just that* by imagining that conventions can be made to which countries will agree to adhere-- even though patriot hackers are not government officials and hence not bound by war conventions. And even though attribution is difficult (gist of the last chapter)-- how can someone be called to account for something that no one can prove that they did? And even though some people don't have any ethical superstructure to appeal to (China). Rid suggests that more needs to be done on defense than offense (the US government concentrates on offense). But then, who knows what they are doing? (He admits that most of this work is stamped "secret.")
Verdict: This book is worth the time if you want to sit and pick apart the arguments (I *love* tearing things apart). But as an investigation into the subject, it's not all that great. The reasoning is just too strained and sloppy. In any case, anyone who wants to tear apart strange arguments can just pick up a copy of the New York Times for less than a couple of bucks. I can't see investing the $12 for this book if I had the chance to do it all over again. It doesn't really settle the case for me any better than when I started the book.
on September 13, 2013
The author uses a very restricted and dated definition of war, emphasizing again and again that cyber attacks do not constitute war because computers cannot directly make people bleed. he would have been right 200 years ago, but today, a view like that is naive. The author presents anecdotal information and questionable assumptions to validate his point-of-view and presents himself as an authority in this area.
I attended his presentation and ended up walking out because he failed to directly answer simple direct questions from the audience. His responses were evasive and did not address the specific questions members of the audience presented.
For a more comprehensive view of cyberattacks there are superior sources that have credibility. "Cyber War Will Not Take Place" is a simplistic, contrarian view of a very complex area.
on January 17, 2015
This book gives me hope. I will follow the example, do a lot of research on a topic with which I have no experience, publish it, and hopefully make enough money to pay off my wife’s Sears card. The interest rate is killing me!
Dr. Rid’s book provides many interesting stories about computer attacks and provides a slant on them that supports his thesis that a Cyber 9/11 will not happen. He also writes for pages and pages about topics unrelated to Cyber and though his command of the English language is impressive, more correctly, magniloquent, those pages still do not relate to Cyber.
Why does everybody have to pick on the U.S. Air Force? It’s because we mock what we don’t understand. A lack of understanding and misguided assertions are common themes for this book. Dr. Rid cites over 200 sources in this 174 page thesis making me wonder if he had any original thought based on his experience, so I did a little research. Dr. Rid is a Professor who teaches wartime studies though I could not find evidence of him ever serving his country. I could also find no information on his Cyber or even IT background (yes, there is a difference), making it clear that he lacks the credentials to write on this topic.
Dr. Rid asserts that Cyber is non-lethal, therefore Cyber war will not take place. His assertion can be discredited with three letters: UAV. Here we have a flying computer with weapons that is flown through the Internet. I would say that UAVs are most certainly lethal and they are flown from thousands of miles away through Cyberspace. Yes, the U.S. Air Force was right: Cyberspace is actually a fifth domain.
I retired from the U.S. Air Force and also the U.S. Civil Service, working in Cybersecurity for the past eleven years, and IT for sixteen years before that, so I found this book to be doubly offensive. This book is certainly not one that should be taught in schools even if only for Dr. Rid’s lack of credentials on the subject of Cyber. He did a lot of research and found books and articles freely available on the Internet, but only those that supported his assertion. In one case, he could not find a definition for “weapon” that supported his thesis so he made one up! How cheesy is that?
Dr. Rid is highly educated in wartime studies but he avoided any tie that would discredit his assertion. In his book he talks about how the Israeli’s used cyber to neutralize a Syrian radar site so they could safely fly past and bomb a nuclear reactor construction site. He states that this cyber intrusion helped the physical battle but because it was not lethal then it was not cyber warfare. The objective of war is not to kill people, it is to achieve a goal. In this case the goal was to bomb a construction site and the Israeli’s did it without the loss of life – bonus, and goal achieved! Dr. Rid should know this tenet of warfare.
My notes in the columns of the book say many times that Dr. Rid is stuck in the physical world and needs to open his mind. He cites people from centuries ago and falsely relates their thoughts to the cyber world. He even talked about Adam and Eve…really? To prepare for and win a Cyber war we need people who can think beyond the past and the physical and into the virtual, studying the “what if”. Dr. Rid is not one of those people. I will put the pages of this book to good use and level my uneven dining table – they are both equally annoying.
on March 6, 2015
Excellent book. Highly recommended. Some of the other reviews on this site criticise Thomas Rid for using the Clausewitz definition of war. If anyone has a better definition of war, I would like to see it. Clausewitz's definition is still taught in military command and staff college all around the world, including in non-Western countries such as China. If anyone here has a better definition, please go and publish a book so we can finally replace "On War".
Thomas Rid is a Professor at the War Studies Department, King's College London. This is probably the world's leading institution for strategic studies. I would discount the criticism here, and go read the book or at least the article of the same name in Journal of Strategic Studies, which preceded the book.
I have been studying Cybercrime for a postgraduate law degree and found Rid's analysis absolutely invaluable. It helped bring clarity to the issue of subversion, espionage and sabotage emanating from cyberspace. There is a lot of muddled thinking out there on the issue, unfortunately. Rid helps you cut through the chaff.
on October 8, 2013
Thomas Rid's book is summarized well in the last chapter, with "It is about time for the debate to leave the realm of myth and fairytale--to a degree, serious experts have already moved on, and the political debate in several countries is beginning to follow their lead." I myself have stopped attending some of the usual big cybersecurity conferences held annually, because it seems not much progress has been made for finding new ideas and approaches. Thomas Rid has taken the next steps, and in this book, has left behind much of the traditional thinking that has kept discussions of cybersecurity, cyberattack, and cyber warfare confined inside smaller boxes. His analysis of the characteristics of sabotage, espionage and subversion is thorough and exhaustive, and this has generally been missing from much other literature about cybersecurity.
At first, I found it hard to agree with some of the concepts Rid has stressed. If all real war is historically violent and lethal, then perhaps cyberwarfare offers the possibility of less violence, but along with increased frequency of attacks due to ethical benefit and convenience. He describes cyber violence as mainly parasitic, without its own force or energy. However, he leaves open the question about whether the destruction of computerized intellectual property (such as e-money, or 3D blueprints) can also be considered violence, even though it lacks effects of heat, blast, and fragmentation felt in the physical world. His analysis leads to curious statements, such as cyberattacks are attacks against violence in a conflict, and thus more ethical than use of conventional weapons.
However, I still recommend this book. It gives a different viewpoint about characteristics that should be discussed concerning cyberwarfare. For example, the book concludes with a discussion about misuse of the term "fifth domain", and misapplication of several other analogies often presented by the military when describing cyberspace and cyberwarfare, and points out problems when trying to compare limitations now being proposed for cyber weapons to those once placed on cold-war weapons.
Overall, the author gives a good analysis of familiar labels that we try to apply to events that occur in cyber space. His argument is that sometimes the analogies and labels we use cause the conversations to emphasize characteristics that can be misleading, and which may delay a much needed, clearer understanding of cyberattacks and cyberwarfare.
on January 11, 2015
Dr. Rid's book is a breath - nay, a desperate gasp - of fresh air in an overwhelming sea of blather from self-professed experts who all too often lack expertise in warfare and strategy, information security, or both.
I hold a master's degree in Strategy, and have worked in information ("cyber") security for a number of years. I first heard Dr. Rid interviewed for King's College London's War Studies Podcast, had been eager to read his book, and finally invested the time to do. I was not disappointed. His arguments are many and varied, but from my perspective they boiled down to two main concepts. First: the definitions of war and warfare defined by Carl von Clausewitz are still the best framework for understanding either concept, and because "cyberwar"/information security lacks a number of key commonalities with either, the resulting martial language used to discuss the security of information technology is imprecise and counter-productive. Second: "cyber security" is more productively considered through the conceptual frameworks of sabotage, espionage, and subversion than through the conceptual frameworks of war and warfare in which it is commonly discussed.
At no point does Dr. Rid argue against the dangers posed by vulnerabilities in international data networks - in fact, his case studies and observations make precisely the opposite case. However, he very adeptly disassembles the common martial rhetoric used to discuss the topic, and provides cogent arguments, observations, and case studies to wrap it all up. The book will be more accessible to those who are familiar with either military topics, information security, or both, but Dr. Rid does a reasonably good job of staying out of the realm of technobabble in order to make the book comprehensible to most readers.
If there's one flaw to Dr. Rid's argument, it may be a lack of imagination: it's dangerous to presume what technology will or won't be able to do in ten, fifteen, twenty, fifty years. However, even this criticism is muted by his careful discussion of what is or isn't likely to happen, rather than what will absolutely happen; and his skepticism is still more credible than many of the alarmist predictions from others. Given the continuing debate over the attribution of the recent Sony hack, Dr. Rid's book (and particularly its penultimate chapter) seem prescient.
For anyone interested in the future of warfare, or in information security, Dr. Rid's book is a must-read.
on September 16, 2013
I write reviews of books for several publications and blogs--mainly literary ones--but also have been involved in software design and information security issues. Therefore, I was very interested in this book when it came out and had to read it. I feel my background as both a reviewer and someone who knows about the nuances of computer security allows for me to write a pretty informed yet unbiased review. Professor Rid is simply wrong in his views overall and has a vested interest in making his case that cyber-war is not war at all: his book is based on that very thesis and he'd not have a book in hand had he not had this unique take on the matter. If he'd gone with the majority of his field, he'd just have another book (of quite many) saying that cyber-war is a valid concern as others have named it such. So it was in his interests to march in the other direction to stand out from the crowd. He wrote an editorial for Slate where he made, in a nutshell, the same claims he makes at length in his book, and I made these same comments in response to that article.
It is possible that some people--especially in the contractor circles--are ramping up the threat of cyber-war to the level of an unseen monster the likes of which we never will see, that much is true, but that doesn't mitigate the very real concern of cyber-war as a threat. Professor Rid's claim that cyber-war is spying by another name is false: it's much more than spying, and it's not limited in scope except to the arena that war is fought in, which is one that is in full or part based in computer information systems. The 1997 RAND publication "In Athena's Camp" lays out an encompassing picture of the many faces of possible cyber-war, and those situations have of course only expanded in type and form since 1997. I highly recommend that as the book to start with on the topic.
The following is illustrative of why cyber-war is real, and troublesome:
The real crux of it could be a combined attack with ground operatives and external attacks. In example, the enemy sends in commandos to damage essential switchgear and get into physical systems, meanwhile a coordinated attack is mounted from afar. I worked on an IT project for a research center on a rather small scale where we tried this: first, we tried a conventional "hacking" attack of black-hat guys trying to hack our systems and our white-hat guys protecting them. That was easy to stop. The white-hat team won. But when we added "crooks" breaking into the facility and messing with physical systems inside, it all became bedlam. Nothing was designed to prevent this. We lost power, then switched to back-up generators to find the (very good) "attack team" had disabled the generators. Everything done on the institutional level was done with cyber-security in mind as isolated from physical concerns.
Now, not all institutions are like that, no. Nor would an attack on vital national resources be so easy, but it is how this could happen. And if it was done by an enemy nation or terrorist group it would be war. Professor Rid cages his view in terms of "this is how cyber-war differs"". Ok, fine, but let's get real: the information and infrastructural systems of our nation are both the most enticing and easier of things to attack for an enemy and where real damage can be done. If terrorists crippled three power plants, took the regional grid offline, took out five telephony central offices all around a major US city you'd have utter chaos akin to a major hurricane or other disaster. We have designed robust systems at great cost since the onset of the Cold War to ensure our nation's command and control can be continued if an enemy attacks via nuclear or other means that would cripple our infrastructure. We are fighting that fight today in a digital domain, and despite 9/11 and the security frenzy that followed, some of our national command and control systems still are pretty much at the Cold War level. It's taken a very long time to make everything go digital and we're still unprepared in some areas. We saw, on a moderate scale, what happens when we lack critical infrastructure due to acute damage with Hurricane Katrina: hospitals with no power, communications that were unstable at best. Those same circumstances could be brought about via a cyber-centric attack and would indeed be real warfare. Bringing commercial activities to a halt for 24 hours in a major metro region alone could do horrible economic damage. Even an example such as that New Orleans hospital that lost power is illustrative: who on earth left the only generators in a hospital that was in a floor zone in the basement? Who failed to put some generators at a location in higher ground? Every error that has lead to any form of serious disaster at any nuclear power plant the world over has been due mainly to human error or the poor response of human operators to a situation. That's SL-1 to TMI to Windscale to TEPCO's misdeeds in Japan. Such errors could be pushed along by a combination of cyber and other terrorism. There are ample threats, and frankly, we're only now starting to really meet all those threats.
And that's why cyber-war professionals do call it "cyber-war"; that's why we have people like Rear Admiral Gretchen S. Herbert and why her title is Commander, Cyber Forces. If this book has any real value, it is in tempering the debate over cyber-war, and reducing the loud cry of doom that is also out there. There are, yes, people who make the cyber-threat seem larger than it may be, but Professor Rid goes wildly in the other direction here.
on December 27, 2014
A bunch of news clippings supporting a theory that doesn't mean anything. I strongly suggest you find a different book if you are interested in cyber.
on October 27, 2013
I began this book with several preconceived notions about the conceptions surrounding cyberwar. My interest focused mainly on the possibility of cyberterrorism, which I now know to be mainly myth propagated by government policy makers and Hollywood.
I found this book to be well structured and thorough in it's analysis of the subject matter.
on July 12, 2015
In spite of being promoted by certain cyber conferences, Mr Rid has neither the experience or knowledge to support his simplistic views. I found both his presentation and his book lacking in value.