Cyberwar isn't going to be about hacking power stations. It's going to be far more subtle, and more dangerous.
Wandering the pretty, medieval streets of Tallinn's old town, it is hard to believe that the tiny country of Estonia has anything at all to do with cyberwarfare. But first as victim of an attack and now as home to some of the leading thinkers on how the digital battlefield will develop, the country has played a key role in its emergence and evolution.
Estonia is a country of around 1.3 million people, facing the Baltic Sea and the Gulf of Finland, it borders Latvia to the south and Russia to the east. After decades as part of the Soviet Union, it regained independence in 1991.
Even today reminders of the Soviet times still abound in the capital Tallinn. There's a museum in one of the big downtown hotels showing how the KGB would bug the rooms of foreign guests.
But Estonia does not intend to be defined by its past, but is instead intent on creating the most advanced digital state on the planet. Since independence, Estonia has invested heavily in digital services. It leads the way with internet voting—in the 2011 election nearly a quarter of voters cast their ballots that way—and electronic tax filing, all underpinned by a nationwide digital signature infrastructure.
Today, you can even become an Estonian e-resident regardless of where you live in the world so you can use that same infrastructure to electronically sign contracts or set up your own company in the country.
But being so reliant on the internet carries a risk, as the country found out in 2007.
Plans by Estonian authorities to move a Soviet war memorial sparked a wave of website defacements and denial of service attacks in the country over a three week period, throwing Estonia's government services, newspapers, and businesses offline. The attacks temporarily disabled the websites of banks, ministries and political parties. Many pointed the finger at Russian hackers (Russia denied any involvement in the incident) but the events demonstrated how a purely digital attack on a state could have real-world consequences.
The Tallinn Manual
While the impact of the attacks can be overstated—"inconvenient, not cyberwar" is how one local described it—it accelerated plans, already in place, to set up a NATO cyber defence think-tank in the country.
The Cooperative Cyber Defence Centre of Excellence (CDCOE) was established the year after the attacks took place as an institution created to figure out how to improve the digital defences of NATO members and what cyberwarfare would actually look like.
As well as the cyber defence exercises it conducts annually, probably the centre's most important work so far appeared in 2013: the Tallinn Manual on the International Law Applicable to Cyber Warfare, known simply as the Tallinn Manual.
While there is no international law that directly refers to the ultra-modern concept of cyber warfare, there is plenty that applies. So CDCOE assembled a panel of international legal experts to go through this existing law and show how it applies to cyber warfare. This formed the basis of the Tallinn Manual and the 95 so-called 'black letter rules' it contains (so named because that's how they appear in the text).
Through these rules the manual attempts to define some of the basics of cyber warfare. At the most fundamental level, the rules state that an online attack on a state can, in certain circumstances, be the equivalent of an armed attack. It also lays out that such an attack is against international law, and that a state attacked in such a way has the right to hit back.
Other rules the manual spells out: don't target civilians or launch indiscriminate attacks that could cripple civilian infrastructure. While many of these sorts of rules are well understood when it comes to standard warfare, setting it out in the context of digital warfare was groundbreaking.
While the manual argues that a cyber attack can be considered to be the equivalent of an armed attack if it causes physical harm to people or property, other attacks can also be considered a use of force depending on their severity or impact. For example, breaking into a military system would be more likely to be seen as serious, as opposed to hacking into a small business. In contrast, cyber attacks that generate "mere inconvenience or irritation" would never be considered to be a use of force.
The manual also delves into some of the trickier questions of cyber war: would Country A be justified in launching a pre-emptive military strike against a Country B if it knew Country B planned to blow up Country A's main oil pipeline by hacking the microcontrollers managing its pipeline pressure? (Answer: probably yes.)
The manual even considers the legality of some scenarios verging on the science-fictional.
If an army hacked into and took control of enemy drones, would those drones have to be grounded and marked with the capturers insignia before being allowed to carry out reconnaissance flights? (Answer: maybe.)
But what's striking is that the Tallinn Manual sets the rules for a war that hasn't been fought yet.
No Digital Pearl Harbour
Although nearly every state around the globe has been developing a cyber warfare strategy, and some have been building up skills and perhaps even stockpiles of digital weapons, there haven't been any digital attacks that have crossed the thresholds of armed attack as defined by the Tallinn Manual. No massed bot armies, no hackers blowing up power stations from their bedrooms.
Perhaps the closest was the use of the Stuxnet worm (most likely by the US) as part of a bid to derail the Iranian nuclear programme. By contrast, the attacks on Estonia itself would, for all the excitement around them, be towards the inconvenience and irritation end of the spectrum.
The Tallinn Manual doesn't say much about the reality of the cut-and-thrust of the modern internet, where state-sponsored hackers, spies, and more are constantly probing the systems of other nations. This is a shadowy world where it is often unclear who the attackers are and what their intentions are (and just what the motivations of their backers are, too). It's a world filled with misleading evidence, ambiguity and deniability.
Throughout history, states have used third parties and proxies to get their dirty work done. The difference is that by hacking into systems in countries across the world, these groups can have an impact far from their home territories.
On the subject of such attacks—which can be extremely serious but never quite reach the level of an actual attack by force—the manual has little to say. However, these kinds of attacks are the ones that take place every single day. Cyberwar has become the continuation of politics by digital means.
"The scope of cyber attacks is very, very wide, so that's why with the first Tallinn Manual we took the most severe case of armed attack and the use of force," explains Colonel Artur Suzik, the director of CCDCOE until August 2015. "But the majority of cyber incidents nation states face occur outside of the conflict law, so there was a clear need to expand the legal analysis to this area."
That doesn't mean the manual is a failure, or irrelevant. Indeed, it may even be that by making clear that digital attacks are covered by an array of existing international law, the Tallinn Manual has forced countries to rethink their approaches to cyber warfare. That is, because the manual does a good job of defining just what kinds of attack might lead to a missile being lobbed in your direction, states launching hacking attacks have been careful to keep their operations (just) below that threshold, say experts.
An expanded Tallinn Manual 2.0 is due to be published next year looking at how international law addresses malicious cyber operations by state (and non-state) actors during peacetime.
The new manual will try to create the same 'black letter rules' around much trickier concepts, such as when countries are responsible for hostile cyber operations launched against other states from their territory, and when such operations violate the sovereignty of the state.
It will take the analysis into the much complicated and murky environment of the day-to-day cyber attacks that don't ever reach the level of physical attacks, but are no less dangerous for it.
Few, for example, could have imagined a couple of years ago that a hacking attack against a film studio could lead to an international incident, or that the theft of HR records from the obscure Office of Personnel Management could create such consternation.
Politicians and diplomats are still struggling to work out how to deal with the near-constant stream of other data leaks from all sorts of government agencies that are blamed on state-sponsored hackers. And there is little in the way of consensus on how to deal with it or often even how to label it. When does hacking become espionage and when does that evolve into something that could escalate into the use of armed force?
And while many industry watchers saw the attacks on Estonia and built out of that lurid 'Digital Pearl Harbour' style scenarios where a country could be toppled by a digital attack launched by a dedicated few, this has not taken place. The reality has turned out to be less far less dramatic, but much more complicated to tackle.
That's not to say that the apocalyptic scenario of state-backed hackers causing mayhem by breaking into industrial control systems (the technology that runs power stations or chemical plants) is utterly impossible - just extremely unlikely, and extremely hard and extremely expensive. Cyberwar, as it was envisaged, has not taken place.
But it's entirely possible that by watching and waiting for a explosive Hollywood-style catastrophe that we've missed the much more insidious and protracted cyberwar that has been going on for years already.
Hybrid information war
Earlier this year, the cyber think-tank held a conference to bring together some of the biggest thinkers on cyber warfare in Tallinn to discuss the most recent developments in cyber war theory ahead of the publication of the new Tallinn Manual at an event called CyCon.
For what was effectively a technology conference, there were a lot of people in uniform. In attendance was not only the head of the NSA, Admiral Mike Rogers, but also the Assistant Secretary General of NATO, Sorin Ducaru, reflecting the level of concern around cyber defence among the allies.
Despite the subject matter, it wasn't all serious. Speakers, including surveillance chief Admiral Rogers, were presented on-stage with a thank you present of a mug with an ear for a handle.
Both men reflected a cautious, slowly-developing approach when it comes to the use of the internet by the military. NATO itself, for example, only recently decided that a major digital attack on a member state could be covered by Article 5 of its collective defence clause (one of the most fundamental tenets of NATO, that an armed attack on one member should be considered an armed attack on them all). And, Ducaru insisted, "NATO doesn't have any interest [in militarising] cyberspace or to have an ungoverned space."
Rogers emphasised that the use of the internet by the US military is still evolving, with defence the priority. "Our view is that cyber is another operational domain, much as the seas are, much as the land is, much as space is, and increasingly, it is an environment in which we will conduct a series of very traditional military evolutions from the defensive things to the application of capabilities to generate specific kinds of effects," he said. "We think cyber will evolve over time, much as we've seen the other domains, in the more traditional arenas."
To put it another way: cyberwarfare models are maturing in the same way that other technologies mature. To take a more prosaic example, the evolution of cyberwarfare is a lot like the cycle e-commerce went through. There was a lot of initial excitement and investment from retailers in building separate e-commerce operations or businesses, but gradually these became not just a standard part of their operation but for many retailers the core of their business, just as cyberwarfare planning and strategy is gradually becoming a part of mainstream military planning.
However that doesn't mean that all countries are taking the same approach to strategy or that they even agree on what should be included in the term cyberwarfare. Some countries have a very narrow model of what cyberwarfare should look like - that is should focus on hacking and damaging systems. Others see it as just one part of a much wider information warfare spectrum which stretches from hacking to disinformation and propaganda. Indeed, much of the criticism of the Tallinn Manual has been around how it represents a NATO—and specifically Western—outlook on what cyberwarfare should look like.
Across the street from the hotel where the conference took place stands a building topped with a Soviet star, a reminder of Estonia's past and, unsurprisingly given the location and the ongoing conflict in Ukraine, understanding the cyberwarfare strategy of Estonia's big neighbour was a recurring theme.
And while NATO is thinking of cyberwarfare in terms of defending (and attacking) networks, others—particularly Russia, according to speakers at the conference—have developed a wider perspective that folds classic hacker tools into the broader concept of information warfare, which can stretch all the way from propaganda and disinformation through to the more expected denial of service attacks and more.
Speaking at a conference session, Keir Giles of the Conflict Studies Research Centre crystalised it thus: "There is now a developing realization that pure cybersecurity and cyberdefence is not sufficient to counter an enemy thinking in much broader terms."
Richard Bejtlich of the US Brookings Institution think-tank said that when it comes to cyberwar and cyberdefence, the NATO emphasis is still on software. "The Chinese and Russia have a broader concept," he said.
For example there was limited use of cyberwarfare—like hacking and denial of service—during the hostilities in Ukraine, even though many analysts were expecting more. Was it that cyberwar didn't happen, or that it simply didn't look quite how western observers were expecting it to?
"There are number of reasons why it doesn't look the way people were expecting when the Ukraine conflict first started. Cyber-armageddon was promised but hasn't happened," Bejtlich said. "All of the cyberactivity is purely a facilitator for broader information warfare ends."
All of this means that cyberwarfare isn't just—or perhaps even primarily—about breaking stuff anymore.
Indeed, protecting your networks will not protect you from cyberwar but may even leave you more open to it because those networks are exactly how your opponent will want to deliver its messages, its themes, its memes to their targets.
As Professor Francois Gere of the French Institute of Strategic Analysis pointed out: "That's some kind of paradox: if you want to dispatch propaganda and disinformation you cannot totally disrupt the communications devices of your adversary, so the internet must remain relatively safe and accessible."
Instead of a being characterised by the delivery of an elegantly crafted digital weapon like Stuxnet, it seems that for some countries, cyberwarfare is becoming just one part of a continuum which includes the much wider concept of hybrid information war. That includes subtle disinformation and overt propaganda along with more traditional options like denial of service or website defacement.
As such, rather than just worrying about denial of service we should start to worry more about denial of reality. The rise of 'troll armies' is well documented: bloggers paid to promote a pro-government agenda, making it harder for critics to be heard. This is well documented in Russia and China but also seems to be spreading further around the globe.
This much broader definition of 'information warfare' is much harder to tackle, especially as none of it would rise to the level of the use of force as defined by the Tallinn Manual. It's hard to stop a denial of service attack against a bank; it's much harder still to deal with a flood of rumours spread across social networks that the bank is running out of money.
In some respects this is harnessing the nature of the internet, a space where free speech, doubt, and scepticism can run wild. Fighting an army of online trolls sharing half-truths or outright lies in order to confuse the public and make it harder for politicians to make decisions is hard, and certainly not one that any existing army can deal with.
Few democratic nations will want to limit the free flow of information to the public but also aren't set up to—or are capable of—rebutting every crazy rumour which makes it a hard technique to combat. But if a nation can orchestrate a campaign of rumour and disinformation against another that changes public opinion in that country to the point that it alters the decisions made by its political leaders, then an army of trolls could be vastly more useful, and harder to fight, than a squadron of tanks.
Few democratic countries would want to wage war in such a way, but tackling it without undermining, for example, the freedom of speech which the public are used to is a challenge which they are currently ill-equipped to deal with. However, some are taking gradual steps in this direction. For example, the UK government recently started a Twitter account aimed at countering online propaganda from ISIL.
The next version of the the Tallinn Manual is due in 2016, and will make it clearer just how international law applies to cyber attacks which don't reach the level of physical attacks. It may be that providing a legal framework for this extremely murky environment will actually reduce some of the attacks we're currently seeing. But what is clear is that, overtly or covertly, the internet is now another battlefield, even if it often hard to discern it as such.
Or, as Margarita Jaitner of the Swedish Defence Academy told the conference: perhaps we have run an "information operation" on ourselves, tricking ourselves into thinking we would see some "breaking things armageddon" but completely missed the part about "what does it do to society, what does it do to our impression of what is going on, and how does it fog our picture of the events, and how does it stop us from acting or reacting?"
Perhaps the greatest success of cyberwarfare so far is to convince the world that it hasn't really started yet.