Thomas Rid, Cyber War Will Not Take Place (, Hurst, 2017), pp. 232, ISBN 9781849047128

Reviewed by Myriam Dunn Cavelty Center for , ETH Zürich

It is a clear signal of how cybersecurity is still unusual as a field of research when a book first published in 2013 receives the label “conflict classic” in 2017. Yet, Thomas Rid’s “Cyber War Will Not Take Place” is undoubtedly that: a classic. Published at an opportune time when a considerable knowledge deficit needed to be filled, the book has helped to structure the cyber-conflict debate in meaningful ways and can be considered one of the must-reads for students, journalists and analysts entering the field. However, being a classic comes with a burden. In a field as strongly driven by the dynamics of events in the form of cyber-attacks, how solid are the underlying assumptions? How long until it will become outdated, a mere relic of how we once thought about this issue? In addition, how can we ensure that the rapidly growing academic cyber-conflict literature can continue to profit from its content in the future? Arguably, the book fares much better with regards to the first than the second: It makes a robust, time-enduring contribution to structure the debate, but its scientific value is declining as knowledge about cyber-attacks becomes consolidated in the expert community. The catchy title of this publication tempts two types of people to cite it. The first group consists of those sympathetic to the claim that cyber-war will not take place. They use the book to stress that the danger of cyber-threats is overhyped and that doom and gloom scenarios are unfounded. The other group has a fundamentally different opinion: They consider people who do not acknowledge the destructive potential of cyber-attacks to be naïve and quote the book as a bad example of such misguided optimism. Both, I argue, would benefit from a closer reading of the book. Its true value is not that it debunks the myth of cyber-war (though Rid claims this himself in the insert “The Argument”), but that it shows the manifold ways in which the cyber-dimension changes aspects of conflictual relationships between social groups. In Rid’s own words, the book is “an attempt to help consolidate the discussion” (p. ix). By giving us eight chapters on various facets of cyber-aggression, each of which can be read as “stand-alone essay” (p. x), the book delivers on that promise. The point in the first two chapters on “cyber war” and “violence” is to establish a definition of what “war” is – and, what it is not. Here, Rid follows Clausewitz in saying that war is violent, war is instrumental, and war is political. In what then follows, the book puts the most weight on cyber-attacks not being violent enough.

ERIS Vol. 5, Issue 1/2018, pp. 131–134 https://doi.org/10.3224/eris.v5i1.17 132 European Review of International Studies, Volume 5/2018

Rid writes “computer code can only directly affect computer-controlled machines, not humans” (p. 13) and therefore, “in cyberspace the language of force just isn’t as convincing” (p. 18). The human body, he claims, is the foundation of all violence and as long as no bodily harm comes to people, the use of cyber-tools cannot easily be considered war. Rid’s critics – one reply by John Stone is published in this new edition as an “Epilogue” – take issue with his (narrow) definition of war and claim that on the contrary, cyber-war could very well take place (or is already taking place). Of course, there are many possible, political theory inspired ways to define “war”. Depending on how we choose to define it, Rid’s claim “cyber war has never happened in the past, it does not occur in the present, and it is highly unlikely that it will disturb our future” (p. xiv) can be easily refuted by providing evidence to the contrary, in support of any individual definition. However, I argue that Rid’s book actually shows, though clearly more by accident than intent, how pointless this debate has become. In the policy realm, at least two different understandings of cyber-war have emerged over the years. On the one hand, there is the notion of “strategic cyber-war”, elegantly defined by Martin Libicki as “a campaign of cyberattacks launched by one entity against a state and its society, primarily but not exclusively for the purpose of affecting the target state’s behavior”1 (2009: 117). This, then, is a type of conflict during which cyber-tools are employed as primary, even stand-alone tools of force. The infamous notion of the “Electronic Pearl Harbor” fits into this category; it is a scenario of a massive, unexpected cyber- attack on a country’s critical infrastructure, which will immediately catapult two governments into a state of war. “Operational cyber-war” on the other hand is “the use of a computer network attack to support physical military operations” (ibid.). These operations are supportive as they happen in the context of conflicts that are decided by “traditional” kinetic military operations. There is ample evidence that operational cyber-war (as a more modern version of electronic warfare) has been a reality for many years, whereas strategic cyber-war is a mere thought construct. Indeed, no real expert takes stand-alone cyber-war scenarios seriously anymore – and it is even debatable whether they ever had as much of a mobilizing power as it is often claimed. In the context of strategic practices, whether a mythical notion of cyber-war will turn into reality, or not, is irrelevant. The true issue that has arisen for policy-makers and strategists is which politically motivated actions take place right now – and how they shape different types of conflicts and international relations more broadly. In sum, a constructivist, channeling Wendt, may say, “war is what people make of it”. More importantly though, it matters little what people say about the future danger of cyber-war (unless we want to study the political economy of cyber-threat inflation), but it matters a lot how state and non-state actors use cyber-tools to further their political goal in various settings in the present. In other words, it is not very fruitful to study what people say – but much more important to understand what they do. Indeed, Rid himself moves away from the rather stale “hype or not” debate and spends three chapters looking at the actual strategic use of cyberspace under the headings sabotage, , and subversion.

1 Martin C. Libicki (2009) Cyberdeterrence and Cyberwar, RAND Corporation Myriam Dunn Cavelty: Review of ‘Cyber War Will Not Take Place’ 133

These three types of activities are reality – Rid uses anecdotal evidence to flesh out all three phenomena – and they influence strategic thought and actions far more than any abstract notion of cyber-war does. The space is lacking here for a more detailed discussion of the content of these chapters, but a few quotes should help to illustrate how diverse these phenomena are. Rid writes cyber-attacks “have a significant utility in undermining social trust in established institutions” (p. 26), they are “ideal instruments of sabotage” (p. 56) and cyber-espionage “is entirely non- violent yet most dangerous” (p. 82) since it is a real threat to the world’s economies. The most substantial chapter of the three is the one on espionage, the least convincing the one on subversion. There, Rid fails to establish clearly enough what he means by this category and what aspects the cyber-domain adds to its strategic utility, which makes the chapter unfocused and the examples erratic. That is a shame because the (alleged) Russian meddling in the 2016 US election with the help of data exfiltration and the manipulation of the social media environment with fake news has emerged as a new focal point in the cyber-threat debate very recently. This “subversion” of trust and destabilization of democratic processes is particularly worrying because of its very wide societal impact and the difficulties for democracies to counter a threat that is not attacking infrastructure but the human mind. Other chapters in the book look at the importance of “attribution” (needed for political action following an attack) and the notion of “cyber weapons” (Rid finds the use of this term much more productive than the use of “cyber war”) and the book concludes with a chapter called “Beyond Cyber War”. There, it becomes obvious that however convenient the stand-alone essay character of the chapters may be for the author, the downside is that the book has no overarching argument and, ultimately, delivers an ambiguous message. The conclusion does not enlighten us enough: If cyber-war will not take place, what else will? Moreover, what does that mean for international politics? Yet, after one has read the book from cover to cover, it manages to impress with how much that was said in 2013 still has relevance today. In that sense, the book deserves the label “classic”. In terms of its scholarly contribution however, the book sadly lacks both theoretically and analytically. Granted, it may never have been the intent of the author to make such a contribution, yet it seems like a lost opportunity. The use of anecdotal evidence helps to make a general point, but it also reveals the lack of scholarly foundations. Though we find the words “hypothesis” in the subversion chapter, there is no systematic, methodologically sound data collection and analysis, and no substantiation of many claims that are made. For example, Rid states in the preface that cyber-attacks do not make the world a scarier place but actually make strategic interactions less violent, by creating new, non-violent opportunities for political action (p. viii). Sadly, this claim is not systematically substantiated in the book. In the year 2018, political cybersecurity research has come of age. In recent years, research focusing on the cyber-dimension of political conflict has started to appear more frequently in traditional strategic studies and international relations journals. Using empirical data, it focuses on the familiar aspects of strategic interaction in (dyadic) conflict settings, asking how and to what degree cyberspace as a domain of warfare influences (inter alia) coercion, offense-defense theory, and deterrence. Given the particular ontological and epistemological choices of this research, it uses reliable (often-quantitative) “data” about cyber-incidents. These data needs lead to 134 European Review of International Studies, Volume 5/2018 a bias for cyber-incidents that are known and create “visible” or measurable effect – most of the incidents in the datasets are DDOS-attacks. However, these types of attacks are only a small part of the whole cyber-threats picture and arguably, not the most important, as Rid would certainly agree with. What the cybersecurity research agenda needs, to move beyond publications that do not talk to scholarly debates on the one hand and overly biased publications on the other, is a combination of Rid’s solid understanding of actors, mechanisms and cases with an academic, theoretically informed research strategy that moves from the realm of anecdotes to robust data. Rid himself touches upon this aspect in the afterword of his book, when he stresses the role of the private sector as producer of the most detailed threat intelligence and the need for collaboration between scholars, government agencies (with privileged access), and private security companies (pp. 184–85). This highlights that cybersecurity as a field at the intersection between technological operations and national security policy is a formidable challenge for the scholars of tomorrow. If we want to tackle it, we must leave behind the banal question of whether cyber-war will or will not take place and start looking at how we can explain the strategic choices of today.