What the heck is a cyber-weapon, anyway?

This is not a cyberweapon (because nobody knows what a cyberweapon is)
Image: AP Photo/Steve Parsons

Reuters reports today that the US Air Force has decreed six “cyber tools” as weapons. From the report:

[Lieutenant General John] Hyten said the recent decision by Air Force Chief of Staff General Mark Welsh to designate certain cyber tools as weapons would help ensure funding.

“It’s very, very hard to compete for resources … You have to be able to make that case,” he said.

That’s great. So the US Air Force is renaming bits of code as weapons in an effort to wring a little cash out of an already squeezed budget. It’s a simple enough tactic (except for vendors of security software, who claim it’s the beginning of “a new arms race.”) But what does it really mean? When does malicious code stop being a virus and leave the world of biological metaphors to enter militaristic ones?

This is tricky. For one thing, the US Department of Defense Dictionary of Military and Associated Terms does not have an entry for “cyberweapon.” Indeed, it does not even have one for “weapon.” Nor does there seem to be a definition elsewhere, as the Pentagon complained in a 2011 policy report.

Fortunately, Thomas Rid and Peter McBurney of King’s College London made a stab at answering the question (pdf) in the RUSI Journal last year. They define it as “computer code that is used, or designed to be used, with aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings.” This is helpful, but take away the words “computer code” and you’re left with the definition of any old weapon.

This is not sloppiness on the part of Rid and McBurney. Their spectrum of cyber-weapons looks closely at what is meant by the use of the term. At one end are “generic but low-potential tools,” which they compare to a paintball gun—it resembles a weapon but isn’t particularly threatening. At the opposite end are “specific but high-potential tools,” which require major R&D investment, long lead times and are often highly targeted. Think Stuxnet, the computer virus used to attack industrial machinery used in Iran’s nuclear program. (The US and Israel are believed to be behind that.)

What does any of this have to do with the US Air Force classifying six bits of code as weapons? It makes no material difference to the nature, quality or efficacy of the tools being employed. But it helps with what Rid and McBurney call the “militarization of cyber-security.” Sean Lawson of the University of Utah writes that some from the American security establishment have compared malicious software to the atom bomb “by not only working to place cyber weapons and nuclear weapons semantically into the same category, but by arguing that cyber attack can have effects equivalent to nuclear attack.”

The reasons for this are obvious. There is only one language that armies across the world understand. It is not enough to use new technologies as instruments of war: they must be renamed accordingly as well.

In Rid and McBurney’s words, the Pentagon may not be militarizing cyberspace, but it is “unwittingly militarizing the ideas and concepts to analyze security in cyberspace.” What starts as a convenient metaphor for the defense department can seep into popular consciousness and take over the conversation. That can only scare, not help, the lay internet user—or indeed the coming billions of new users.

Oh, and while we’re at it: a “drone” is just a remote-controlled aircraft.