EPC Book Review: June 2019

Title:

Cyber War Will Not Take Place

Author(s):

Thomas Rid

This scholarly, but very accessible, book is a very welcome addition to the literature on the risk of cyber-attacks. This is so for a number of reasons, but most importantly because it addresses the overblown language and muddied concepts that seem to surround the debate, but without ever trivialising these phenomena or the risks they create for our security and well-being. For that reason if no other (the injection of a little rigour into the debate), it is recommended reading for civil protection and organisational resilience practitioners.

Thomas Rid is a scholar in War Studies at King’s College, London. So he is professionally interested in what can and cannot be legitimately called war or warfare. The book starts with a critical analysis of why cyber-attacks, no matter how concerted, damaging or malicious they are, cannot be considered warfare in their own right – according to any generally accepted concept or model of war. 

What we call war has to be directly violent, instrumental (in that violence is used to achieve a particular outcome) and politically motivated. It has to be all three – and cyber-attacks cannot be, despite the preference of many in the business for the trappings of military language and quasi-military neologisms. If cyber-attacks ever result in the sort of extreme violence, structural damage and human suffering we associate with war, then the effect will be indirect –through the cybernetic sabotage of critical systems leading to their failure or disruption.  So if it isn’t cyber “war”, what is it? Rid makes a very good case that cyber-attacks fit very well into the existing models of subversion, espionage and sabotage – all of which may of course be used as an adjunct to warfare or be employed on their own.

Is this just a purist’s delight in semantics? For us the answer is an emphatic no, for two reasons. 

First, it just makes more sense to see them in those frames, without the wrapping of an emotive metaphor. Secondly, it is important because the language of cyber security seems to be saddled with inappropriate terminology and not a little hyperbole.  Perhaps, like Cassandra, they will be proved right in the end. But in the meantime, overblown rhetoric and dubious metaphors weaken their case and dilute their argument. Of course, Rid does not challenge the prevalence or the importance of the cyber threat and the need to meet it, but he does make the case very clearly that there is little evidence yet of its capacity to cause serious harm to people or society’s critical infrastructure, of the sort readily trotted out as the shape of things to come.

In summary, Rid’s arguments are that: cyber-attacks will always lack war’s capacity for direct violence; they operate in the domains of subversion, espionage and sabotage; and they have limited political or symbolic utility – compared with other means available to states and non-state actors. 

This does not mean they are unimportant. But it does mean they can be understood better and more clearly in this way. He concludes with two important points. The first is that the cyber debate is overly “militarised” intellectually and linguistically, and the second is that this leads to the overstating of cyber’s offensive capacity (its potential utility in the hands of malicious others). Whereas, he argues, cyberspace actually favours the well-resourced and technically capable defence.

Rid’s argument needs to be considered and this book needs to be read – if we are to maintain objectivity and rigour when understanding and evaluating the cyber threat. At the moment this threat seems to be a “new black”, with its own priesthood, an esoteric language and a tendency to use a thin evidence base a little too selectively for comfort. What this reviewer was looking for – and found – in this book is the corrective lens that provides a balanced, informed and accurate (but non-technical) understanding of the phenomenon – of the sort that a generalist resilience manager can use. 

This is important because the civil protection and emergency management communities have no ready narrative to fall back on when cyber risk is debated. The field is too new and it has emerged relatively quickly, without obvious antecedents or much in the way of actual case history–at least at the levels of impact we are being led to expect. It is a bonus that the book is very well written and highly readable, using plain English throughout and a minimum of technical vocabulary.


Reviewed By:

 

Mark Leigh,  BA MSc MA MSc PGCE​

Capability Lead, Emergency Planning College

Date of Review: June 2019
Link to Purchase this Book: Buy from Amazon