In German, the line „Stell dir vor, es ist Krieg und keiner geht hin.“ (literally: Imagine there’s a war and nobody goes there.) is quite often falsely attributed to Bertold Brecht and became a slogan of the German peace movement in the 1980s. Actually, it is a translation of a line from American poet Carl August Sandburg’s poem “The people, Yes”: Sometime they’ll give a war and nobody will come. What has been a both defiant and encouraging slogan in the 1980s, sadly lost a lot of its spirit in times of cyberwarfare and drone strikes.
Often, the term “cyberwarfare” is attributed to the 1993 RAND publication “Cyberwar is Coming!” by John Arquilla and David Ronfeldt. Since then, experts within and outside the field of security, politicians of all couleur, the media, and others are debating in reassuring periodicity the sense and nonsense of the term, whether it has arrived, and, if not, when we will see it. The latest spike in the debate about cyberwarfare has clearly been the alleged Russian interference in the 2016 US elections, now raising fears in other countries. Among them, Germany with the upcoming “super election year” (Superwahljahr) 2017. I would like to discuss here why I consider the term “cyberwarfare” to be unhelpful in academia, security, and the public debate, and how Germany is prepared for the “Superwahljahr 2017”.
An obvious point to start discussing a concept is clearly the term itself, a portmanteau from cyberspace and warfare. The concept of “cyberwarfare”, I would argue, is a catch-all term which already suffers from the two blurry concepts it is made of. In terms of cyber it encompasses everything from hard- and software to information and communication online, including their implications for the “real world”. When it comes to warfare, the old questions are raised again: Does a war need to be declared? Does it need a state-actor? How many casualties make a war? And so cyberwarfare gives away a lot of the dearly needed clarity. It is an important though sometimes very difficult distinction when trolling becomes a covert (false flag) action, where crime ends and warfare starts. Clear attribution of an online action to an actor is one of the main challenges in cyberspace and often not possible. And so the question remains who the perpetrator is – script kiddies, trolls, state sponsored groups, criminal organizations, intelligence services, or even the military – and likewise who is needed in response – vigilant end-users, admins and enterprises, the police, intelligence services, or even the military.
I would like to argue that, just like the political sciences slowly move away from the concept of war, it is time to bury the buzzword “cyberwar” and admit that the world has become more complex. It is necessary to discuss the individual facets of the problem and address the fact that every potential technical (e.g. strong encryption) and institutional (e.g. more rights and resources for intelligence agencies) approach is ultimately part of both the solution and the problem. So where are we in terms of cyber threats in respect to the upcoming elections in Germany? I would like to pick three areas that were often part of cyberwar debates: cyber attacks on critical infrastructure, stealing and leaking sensitive information, and “fake news”.
My argumentation here is threefold. Firstly, when it comes to cyber attacks on critical election infrastructure, I would argue, Germany is in a state of “security by backwardness” – and I mean that in the most positive way imaginable. It becomes more and more obvious that something like an un-hackable system simply does not exist. Even completely air gapped systems can fall victim to attacks. Unlike in some parts of the United States, the German electoral system does not allow electronic voting machines but relies solely on “pen and paper” – one of the few things that are still extremely difficult to hack. So, a nicer and probably more appropriate way to put “security by backwardness” would be “resilience through downgrading”.
Secondly, could the German elections be influenced by stealing and then leaking explosive information, as we have seen it in the US? Though the person behind the leaked documents from the parliamentary committee on the NSA (NSA-Untersuchungsausschuss) is still unknown, the case shows that also in Germany classified information well finds its way into the public. From both a moral and strategic point of view, one could argue that the responsibility here lies with the parties and ultimately with the candidates themselves. The moral (and very naive) take on it would be: someone with skeletons in the closet does not belong into office. The more strategic take on it is that from Nixon, via Guttenberg to Clinton and recently Fillon many examples have shown that “they won’t find out” often doesn’t fly. On the other hand, we have also seen that a scandal or five do not necessarily harm everyone the same way. Nevertheless, electronic infrastructure of politicians, parties, and other organization remains vulnerable. It is the responsibility of these institutions and definitely in their best interest to (re-)enforce security measures here to prevent defacement of websites, information theft and other incidents.
And lastly, fake news, a term that is prevalent in the public debate since early November 2016, is not an entirely new phenomenon. Information warfare in general is a concept that has been around at least since WW I. Not only the recent US elections have seen a sharp increase in obviously false information about the candidates, mainly spread on the internet with sharing via Facebook as a main way of distribution. Also Germany had several wake-up calls in the form of online rumors with real-life implications. One of the more recent cases is the “case Lisa” in which online rumors of a Russian-German girl having been abducted and raped by refugees led to spontaneous demonstrations in Berlin and even a statement from Russian foreign minister Sergei Lavrov. This incident clearly showed that a part of the population is susceptible to this kind of deception and might very well take it from online forums to the streets.
To put it in a nutshell: While I would argue that we are considerably safe from direct interference in the election process from whichever side, indirect interferences can strongly affect both the election outcomes in particular and, more broadly, trust in the democratic system. As attractive as offensive countermeasures against the actual perpetrators (once they are identified) may seem, they are necessary against cyber crime but probably even counterproductive in information warfare: With credible deniability assured, retaliation can be turned around and displayed as aggression or measures to cover up guilt. Such a fight will ultimately be decided by the side that is able to dominate the debate and to define the narrative. Very often, the goal is not even winning an argument anymore, but simply to create doubts and confusion. Censorship is definitely one of the measures that is both unworthy for a democracy and strategically little helpful. In how far “warning labels” on Facebook posts and “hoax maps” may help is currently discussed. The best strategy for political decision-makers and their campaign teams is a fast, clear, concise, and open communication on all channels. And finally, we need a little more faith in the German voters – the vast majority really deserves it.
Photo by: https://pixabay.com/en/users/bykst-86169/ (CC BY-SA 4.0 license)