天河一号

Yesterday a cyber tussle in Israel has again made news, and The New York Times promptly screamed “cyber war.”

So with perfect timing, the Department of War Studies is hosting a talk on “Cyber Arms Limitations.” As a bonus incentive, the speaker is Qichao Zhu, a Chinese guest at King’s College right now and otherwise the deputy director of the Center for National Security and Strategic Studies (CNSSS) at the National University of Defense Technology in Changsha, Hunan Province. That’s right — these are guys known for Tianhe-I, until June last year the world’s fastest computer. So when Qichao says cyber weapon, he means it.

Location Strand, War Studies Seminar Room, 6th floor, and that’s tomorrow, 18/01/2012 (16:00-18:00). First come first serve. Chair is John Gearson, director of our Centre for Defence Studies.

Abstract: With the development and proliferation of ICT in recent years, governments, international organizations and private sectors have invested a lot of strategic, tactical and technological concerns on cyber security issues world widely. How to define and differentiate cyber crime and cyber war? How to understand cyber war escalation and de-escalation? Why the western countries always criticize China on cyber espionage cases and look on China as a potential rival on future cyber conflicts? What are the obstacles and difficulties on international cyber arms limitation? Dr. Zhu tries to give some Chinese perspectives on these questions and deliver some recommendations to international cyber security cooperation.

So this evening, I was reading through the Intelligence and Security Committee’s Annual Report 2010–2011 (you know, just casually). As I delved inside, I became particularly intrigued by the sheer number of agencies who were tasked with protecting the UK from cyber attack, or at least some particular portion of it.

Now I’m no cyber guru, but it seemed to me baffling that we could have created such a uniquely complicated tangle of overlapping authorities spread across a whopping 18 (!) different agencies (nominally headed by the Cabinet Office):

It would seem that I am not alone either.

Of course, this is slightly old news, but the government’s response to the issue is definitely not. It appears now that government has begun to attempt to unravel this convoluted web (sorry for such a terrible pun!) of agencies through the establishment of a new, centralised (at least partially) cyber security hub (full report here), which it announced in November.

My knowledge of this topic area is very limited, but I was interested to know from some of the cyber aficionados (and others too) as to their thoughts on these issues:

- Is it right for multiple agencies be employed across the private and public sector to formally help protect the UK from cyber attacks? It seems that, done right, this could lead to an synergistic, mutually supportive system whereby the different agencies provide interlocking safety nets that stop threats more effectively than a single brittle barrier. But done wrong, it could be a chaotic shambles where no one really takes overall responsibility, coordination breaks down and massive gaping gaps are left open for cyber attackers to exploit.

- Is the government right to try to scoop it all up under the jurisdiction of one centralised centre? This seems like a good idea on the surface, but will having one central agency like this ultimately lead to bureaucratic inefficiency? In fact, is this even really viable as an idea, or will the other entities – particularly within the private sector - continue to flourish at such a rate that the centre will quickly become all but obsolescent?

Any thoughts?

I recently had the opportunity to ask this question to a group of serving UK military personnel. It cropped up in relation to an intriguing query raised by Ole Jørgen Maaø in his article: Leadership in Air Operations – In Search of Air Power Leadership:

Air power has often been used to attack societies and structures within societies, often to deter an enemy from pursuing their goal. This requires in-depth analysis of an enemy’s society. Is a fighter pilot best at doing such an analysis? It is hard to believe such a proposition. It could be that different analysts of society, such as political scientists, social anthropologists, sociologists or even psychologists at least ought to be consulted in such an analysis. Maybe a political scientist is better educated and trained to perform this task?

We know from history that commanders with exclusively military backgrounds have not always won the day: Mao Zedong – for example – was a librarian, while his defeated opponent – General Chiang Kai-Shek – was a seasoned military veteran. So in an age where warfare is increasingly fought in alternative theatres outside of the traditional battlefield, a pressing question has become:

Is it right for people with an exclusively military background to lead the armed forces and oversee military operations? (this refers only to leadership of the armed forces, not the state as a whole).

Would an Air Marshal be capable of handling cyber threats such as Stuxnet or would a computer programmer be more appropriate? Would a General be best positioned to ferret out terrorists from an unfriendly population or would a police constable be preferable? Would an Admiral be most suitable to tackle the tangled social, political and economic roots behind marine piracy or would a sociologist be better? At a broader level, Clausewitz asserted that War is the continuation of policy by other means, and many modern analysts believe that political successes are just as important in today’s wars as military ones.

Should we then hand over command of the armed forces to civilians?

‘Yes’ is a tempting answer. But that misses an important piece of the puzzle. The people most able to influence enemy assets and support friendly forces from land, sea and air are almost certainly the people with the most experience in these areas. The same Air Marshal who might struggle to understand the complexities of cyber warfare is still more likely to know about how to destroy an enemy radar post or intercept an enemy fighter squadron than a computer scientist. Removing military leadership from any and all command of the armed forces would be ridiculous.

However, in an age where some say that warfare is becoming ever more complicated, it does seem important to more effectively combine civilian, military and political expertises within our military command structure.

So what then would be the best way to carry this out?

Should wars be waged by committee, with delegates drawn from a sprawling pool of military and civilian specialisms, each one providing bespoke advice and guidance about their area of expertise? It sounds logical in theory, but would be a nightmare to implement. What level of decisions would the body make? How would decisions be made? Who would chair the group? How would arguments be resolved? How would the group respond quickly enough to rapidly moving events? Which specialisms would be included? We have seen before the difficulties of using committees in war, albeit on an international rather than interdisciplinary scale.

Or should we appoint a single leader with a background in politics, the military and civilian trades? Alexander the Great embodies this model. As combined military and political leader, he exploited the structural weaknesses of the Persian Empire by pursuing a path of political decapitation, militarily triumphed against vastly larger armies, and effectively channelled civilian efforts to achieve incredible technological feats (such as coordinating civilian engineers to build a massive causeway during the Siege of Tyre) and to accomplish political goals (such as infusing Greek culture into the rich tapestry of societies he conquered). But this has its problems too. Firstly, finding a person with all of the requisite modern skills would be a Herculean task. But perhaps more importantly, it would create a potentially abusive concentration of power that could lead to military dictatorship or worse.

Should we then try to share command between two or more partners? During the final civil war of the Roman Republic, the military commander Octavian used his political skills to outmanoeuvre his opponent – Mark Anthony – with propaganda, while his close aide Agrippa used his engineering genius to build a navy and his military expertise to defeat Anthony’s forces at Actium. Their partnership worked well, but others have failed. We cannot forget that prior to Actium, Anthony had himself been the military expert who was allied with Octavian, that is until their relationship fragmented and collapsed into civil war. This seems like an unappealing risk for today.

Or would we be better off dividing the two elements entirely, as once proposed by President Obama in his speech about developing a Civilian National Security Force? This once again is flawed – not only would it involve vast expense, but could easily lead to rivalries and gaps in communication and coordination between the two separate entities.

It seems then that there are no easy answers. But the importance of the question remains.

Sadly, no one in the group agreed that I should be the leader of our armed forces. But they did believe that academics should be more involved with the decision making progress. The considered and balanced nature of their response both reflects well upon the sophistication of the UK’s armed forces, and shows how seriously the military itself takes the issue.

Or perhaps they just didn’t want to hurt my feelings.

Editor’s note: A friend of the blog — who happens to be a poetic engineer —  would like to share the following poem on the world-famous, magnificent, glorious, dazzling worm known as Stuxnet. TR

Oh Stuxnet,
What in motion have you set?
They say, that you destroy Gas Centrifuges
And to propagate you use Network Abuses

That you are made up of,
A Dropper and a Payload
And that you do both,
Data upload and download.

That you jump the "air gap"
By infecting the USBs
And that you try to sabotage
By re-programming the PLCs.

Oh Stuxnet,
What in motion have you set?

The people whom you intrigue,
All belong to a different league
Computer Scientists to Nuclear Physicists,
Psychologists to Political Scientists
Believe me, all are intrigued.

People have written
In papers like New York Times
That Stuxnet was written
To put Iran through some difficult times
Whether Iran was delayed or not
Only time can tell, in short.
But, Oh Stuxnet,
What in motion have you set?

A thought that it is a new form of war,
A debate that you are changing the face of war,
A notion that launching you was an act of war,
Unfortunately termed as a Cyber War.

Oh Stuxnet,
What in motion have you set?

A few days ago, I attended an event about the new British cyber security strategy. Three members of the Office for Cyber Security and Information Assurance answered questions about the strategy.

The event’s key phrase was: ‘businesses need to operationalize the strategy’. Meaning that the government hopes the market rectifies what it has failed so far: to improve cyber security.

One of the arguments behind this logic is money. The government lacks the resources to tackle the problem. For example, it cannot invest in expensive awareness raising campaigns on cyber security issue. But Google can. But this can also be a problem.

Londoners have been able to admire large Google advertisement posters for two months now that gives users basic cyber security tips.

While the idea has to be praised for trying to educate the end user, the posters don’t show that cyber security is a topic to be debated, and not to be spoon-fed by a large US company.

It is regrettable that the British government lets the private sector (Google here) lead the debate on cyber security in the UK. The private sector can only show the side of the debate that is beneficial to them. A business-driven debate can even mean a completely biased debate. Some of Google’s posters are as a matter of fact almost ironic.

Let’s take two of their recent items as examples.

‘Making search more relevant’ involves using more personal data to filter down the answers of the search engine. Are you really willing to give such data to a company? Were you even aware of the amount of personal data that this single company possesses on you? The very same algorithm used to ‘make the search more relevant’ also creates what has been dubbed a ‘filter bubble’, or echo chambers in other words. A user receives information that only matches their interests and point of views.

Echo chambers lead to a polarization of views, including political views. People don’t feel challenged in their ideas, as they are comforted in their opinion by the information they receive. Eventually, they may not even see why there should be a debate. A bit like in this case with the advantages/drawbacks of ‘Making search more relevant’. And this cannot be beneficial to society and to politics more broadly.

Another example is ‘Me on the Web’. ‘Me on the Web makes it easier to monitor your identity online’. Very well, but it doesn’t help you remove data linked to your name that you would want to erase. The European Commission is currently reviewing a change in data protection law to introduce the ‘right to be forgotten online‘. This sort of law can be difficult to implement, especially on an international scale. But it is important to keep the public aware of the ongoing debate. And Google’s ad doesn’t show the problematic side of this debate.

Why did Google start a campaign in the first place? The European Commission has ‘accused [Google] of abusing its dominant position in the market’. Google being in a dominant position means that it doesn’t seem to need any extra advertisement to boost its business.

Moreover, why did the government not support Google’s campaign? The campaign is in partnership with the Citizens Advice Bureau. While being ‘largely funded through government grants’, the Citizens Advice Bureau is not a government run project. Therefore, the Citizens Advice Bureau cannot be deemed as implementing government’s policies.

The answer might come from the Get Safe Online project. Launched in 2005 and backed by at least 9 government agencies including the OCSIA, the project also aims at educating the public on cyber security. Have you ever heard of Get Safe Online before? Google’s campaign seems a priori to have gained more momentum in two months than Get Safe Online got in 6 years.

Hence, it is regrettable that the willingness of the government to coordinate and facilitate the exchange of information (with the new ‘hub’ for instance) didn’t extend to support Google’s initiative. Their support could have tried removing the bias of the campaign and would have benefited from reaching out to a large audience.

So, we are back to the original problem. Is the market self-correcting? In the past, it hasn’t done so. Why pin even more hopes for that to happen on the future? The private sector is the driver of innovation in cyberspace and the government thinks this is a good thing. It is most of the time. But it has also the power to create a one-sided debate.

A nice video on Stuxnet in Australian:

Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.

It may be a bit alarmist in tone at the end (and what 20 0-day vulnerabilities?). But one thing’s clear: nice job in terms of presentation on Patrick Clair’s part. I should use that software instead of slides in my next lecture …

(h/t to to our colleagues from KCL Informatics.)

Probably not £27 billion a year. That, however, is the claim of the Cabinet Office & Detica in a recent report evaluating the cost of cyber crime in the UK. That would be more than the cost of drugs, estimated in 2004 at £15.4 billion a year in the UK. So what are the real costs?

Before repeating the £27bn claim, note that it is an estimate of the cost of cyber crime. It does not provide a breakdown of known cyber crimes, which would be far more informative.

Law-enforcement authorities may actually assess the actual level of cost of cyber crime. Cyber criminals violate laws, and the police keep record of the cases they deal with. In Germany, for instance, the police reported that the actual cost of cyber crime was €61.5 million in 2010. The UK, unfortunately, does not publish such fine-grained statistics.

Cyber crime can be split into two categories: the crimes facilitated by the modern use of information technologies, and the crimes targeting information technology. The UK estimate includes intellectual property theft and fiscal fraud, and falls therefore squarely within the first category. But child pornography and cyber stalking are strangely left out. An approach that estimates the cost of cyber crime in its wider interpretation should therefore include the socio-economic cost of online child pornography and cyber stalking in order to be coherent. Such an estimate is as difficult to make as extrapolating the cost of intellectual property theft and espionage.

The evaluation of the costs of intellectual property theft and espionage is largely based on two factors: first the investment in R&D by sector, and secondly that sector’s turnover. Even if a criminal got his hands on a company’s most recent and most valuable proprietary information, that doesn’t mean that the company in question would lose its entire R&D investment. The thief needs to be able to re-sell the material first, and even in the case a competitor implementing the stolen R&D, the company would still have some return-on-investment. But admittedly the actual loss is hard to pin down.

A first question that can be answered is how many cases have been processed by law enforcement agencies that relate to the wider interpretation of cyber crime. The statistics of crime are available from the Criminal Justice Statistics in England and Wales. It is then possible to link each cyber crime category of the Cabinet Office & Detica report with a specific breach of law.

If you're interested in more detail ...

We cannot know how many of these cases really involved the use of computer and how much the court assessed the damage to be in each case. But law enforcement agencies can. In any case, it is interesting to note that blackmailing trumps intellectual property theft, or that customer data loss is almost irrelevant (2 cases).

Needless to say: having a better taxonomy for data gathering by law enforcement agencies would be desirable. From a legal standpoint, ‘espionage’ may be merged with ‘intellectual property theft’, and ‘online theft from businesses’ with ‘online fraud’.

Bearing in mind that cyber crime in its wider interpretation is incomplete and only extrapolations of figures can be provided, how much of the cost of cyber crime in its narrow interpretation can then be assessed?

Let’s focus for a moment on online fraud (and identity theft and online theft from businesses), scareware and customer data loss. According to Financial Fraud UK, and summing up online banking fraud (£46.6 million), phone banking fraud (£12.7 million) and e-commerce fraud (£135.1 million), this makes a total of £194.4 million. Scareware are fake program that trick the user into believing he has been infected by a virus and he needs as a consequence to buy an (fake) anti-virus solution. No legal complaints have concerned them and no other figures are available apart from those in the Cabinet Office & Detica report. The figure of £30 million damage is to be contrasted by the worldwide market of scareware estimated at £114 million. The UK would therefore represent 26% of the share of this market for an online population representing only less than 2% of the global online population. Why the discrepancy?

And regarding consumer data loss: all the 3 legal cases in 2010 where the Computer Misuse Act 1990 was invoked concerned a breach of confidentiality, and no data were deleted. Thus the cost of consumer data loss reported to the police would be zero.

Finally the report raises the issue of two other gaps that need to be explained. The first is straightforward: the Police e-Crime Unit’s annual budget is said to be £2.3 million (footnote 39). That seems to contradict Charlie McMurdie’s statement, the head of that unit, during the RUSI Cyber Security Conference 2011, saying the budget was £504 million over four years. Where’s the mistake?

The other gap concerns policy itself: if £27 billion is an accurate figure, none of these budgets would be adequate to deal with the threat. But if the magnitude of the damage is comparable to what’s happening in Germany — in the ballpark of £200 million — the Police e-Crime Unit’s budget, whatever the figure, suddenly seems a lot more appropriate.

So — if the £27 billion figure is right, then the government should perhaps put their money where their mouth is. But if our on-the-back-of-the-envelope calculations are up to something, then they better put their mouth where their money is.

The author is a MPhil/PhD student in the Department of War Studies at King’s College London.

In the grand tradition of post-post modern conflict, it started with a youtube video (in English here). Anonymous, the loose idea/group of hacktavists/irc channel threatened Los Zetas, a particularly brutal* Mexican cartel, with public identification of their loose conspirators. In the grander tradition of post-post-post modern (bear with me, the modern era started in the 16th Century) conflict, it’s a hoax. Or rather, no-one associated with a free association of pick-up-group hackers will take responsibility for seeding an idea that will get people killed. Wired has it as “Let’s you and him go fight,”. This sounds about right, but there’s a problem. Isn’t that what Anonymous is anyway? As a group that decides to pick fights via discussions on 4chan and IRC, every Anonymous Op everywhere has to start with someone saying “Hey, let’s mess with those guys”. Since Anonymous is defined as a group without definition, then anyone can pick up the Anonymous torch/brand and run with it. More on that in a bit.

What perhaps sets this apart from the rest of the cyberwar kerfuffle is that if someone goes through with it, people will die. No two ways about it, no “If hackers do this and then this happens as a result then this will constitute a threat that will likely harm the interests of national security and severely impinge upon the functioning of the state and therefore  be bad for its citizens.” No. If someone is identified as aiding a Mexican cartel, that cartel’s rivals are going to find them, and they are going to kill them. If someone publishes the identities of these people, even without the threatened addresses, then every single one of those identified are likely to wind up dead, or in permanent protective custody. In publishing this information, the person doing it is effectively signing their death warrant.

There’s a couple of interesting things at work here, outside the “Anonymous vs Zetas” blog re-post with zero information that is doing the rounds. For instance, there are questions as to whether the alleged kidnapping (or demonstration that started the kidnapping) even happened. If there are any new undergraduates are reading this who are still wondering why footnotes matter, this is a perfect reason: Just because Stratfor says it happened, it doesn’t make it true.

The interesting bit for me is the virtual/”real” interface, IE: where the transfer of information on the internet physically affects the world around us. This might seem facile, and perhaps outmoded, but for me, war is when people die and things get broken. Espionage is all well and good, but it is when bank accounts take hits, people lose their liberty/jobs/lives or paedophiles get jailed that I sit up and take notice.

What I think had people chomping at the bit about this story was the possibility of this happening, in a pretty spectacular way. Earlier this year there was the Guardian/Wikileaks/Assange spat about the publication of the un-redacted diplomatic cables. Everyone pointed out that this was likely to get named informants in trouble, but I’ve yet to read any decent follow up to this. Did any regimes disappear people? Did any non-state actors off pesky informants? Who knows. Even so, the cause-and-effect of this would be problematic, how could you categorically state that a person’s name appearing in the cables got them disappeared/killed? In Mexico, this would be relatively unproblematic: someone publishes a list of names, people on that list start dying, Anonymous and the cartels share the blame. I’m sure there would be a PhD thesis on the topic within five years.

The second thing that has me interested on the subject is the nagging idea of the re-democratisation of violence, or coercion. In a world where information can get you killed/imprisoned, the ability of the average citizen to access this matters. Part of the reason that I think people want to “see” a group in Anonymous is that it allows them to un-see the fact that anyone with a bit of technical nous and substantial quantities of caffeine can learn to hack. If they can’t be bothered with that, they can probably free-ride on the work of other hackers and take advantage of the fact that most people don’t know their arse from their elbow in terms of online security. We’re used to living in a world in which the state can protect us, but the state can’t really protect us against ourselves. It is quite striking that coercive methods of protest are in ascendancy. Without wanting to attract the wrath of Anonymous, hackers are the new thugs. That is, they are people who can use their strengths in order to attack other citizens that lack them. Just as we tend to look away when stared at by a 6′ 4″ steroid abuser, people would be wise to avoid staring down someone that can empty your email account of juicy information, take down your website/business and possibly donate the contents of your bank account to Greenpeace. What happens to society when a significant percentage of the population gain the technical skills to coerce the rest? Anonymous already demonstrated that a bunch of people can take down planet-wide infrastructure like Paypal for lulz/revenge/solidarity. It used to be that if you wanted to coerce a significant number of people, you would need an army, nowadays, this is no longer the case. To return to the free-form nature of Anonymous: all you need is a few like-minded people with sufficient skill.

Lastly, to return to the real/virtual interface, Alan Moore got it wrong: Even if you can’t kill an idea, people are identifiable, and prone to death and imprisonment. This is perhaps why everyone running around in V is for Vendetta masks makes me laugh. Moore’s vision of a rebellion against a totalitarian fascist dystopia was predicated on a simple duality: “Us” vs “Them”. The people vs the system and similar tropes. The problem is that an “us” doesn’t exist anymore. As much as anyone who appropriates the anonymous rebel idea wishes to believe they are in league with everyone versus the man/the system/whatever, they’re more likely to be in league with a startling minority of people who happen to believe in a given cause. A cause which is in any event one amongst many. There is a vast disparity in perception, usually in reference to the targets of such operations. Shutting down paedophile websites on the dark web is unlikely to draw protest from many people (apart from NAMBLA), but attacking Paypal will. While I doubt the FBI is actively trying to arrest and imprison those responsible for taking child-porn offline, all the other types of online coercion are likely going to draw their ire. But law enforcement tend to play by the rules, paedophile networks don’t have armed wings, messing with non-state actors that do is playing for keeps. As weird and wonderful as the Church of Scientology (an early Anonymous target) is, and as dodgy as some of their methods may be (I used to be a PA for a journalist who was kept “under tabs” for writing on/investigating them in the late 80s/early 90s), they haven’t yet (to the best of my knowledge) resorted to killing people that cross them. The long arm of the state has demonstrated that it can find out who’s hacking and arrest them. The interesting bit of the Stratfor report that kicked off the endless speculation is the valid point that Cartels will target and kill people for online speech, therefore they might do the same to Anonymous members if targeted.

What’s playing in my head is the idea of “identity wars”. A persistent online conflict in which the “game” is to identify other people and knock them out before they identify you. States are used to playing this with hackers: they try to identify them, arrest them and imprison them. Hackers play this game against each other/civilians (doxing, whereby they dump a person’s identifiable information on the internet), and recently, right back at the state. All these people are not, however, likely to kill each other directly. Targeting people that will makes it a whole other ball game, particularly in insecure regions that criminal networks can operate. At the core of the alleged Anonymous video was the idea of private citizens identifying criminal associates and goading the state into action, though this identification was likely to warrant their deaths at the hands of other criminals. But criminals have access to hackers as well, and that raises the problem of the persistent conflict becoming lethal. So we have a situation in which hackers identify criminals for the state to target, and the criminals seeking to identify said hackers in order to kill them. This is a spectre built upon some things that are already occurring, but it makes for an interesting way of looking at conflict. In my own research, I’ve been thinking about insurgency in this way, in that identity is the key to such conflicts. If a state can identify an insurgent, they can target them. Similarly in all forms of “networked warfare” such as counter-terrorism or counter-narcotics operations, identity is the key piece of knowledge that all actors require in order to operate (Do you know if the guy selling you the radiological material is a disgruntled scientist/criminal or a sting operation? On whose head do you drop the JDAM?). In this sense, the alleged operation is an extension of this form of warfare into the virtual environment. In all these forms of conflict, the ability to identify an opponent (or actor) is the key variable. Right now, for hackers, getting identified might get you arrested, but that’s only when they’re going up against companies, states and organisations that play nice. Capture/kill raids and predator strikes are what states do to people when they’re not “playing nice”, and I doubt that criminal networks are liable to play nice to anyone that might out them, or their assets. Maybe when the first OpCartel chap winds up gruesomely executed with a note pinned to their chest, Anonymous etc might realise that there are worse people out there than Visa and Paypal.

*NB: This description is attached to every cartel in pretty much every story written on Mexico. I’ve yet to see a Mexican cartel described as “not quite as brutal as the rest”

Coming to London next Thursday

Next week the Foreign Office is hosting the London Conference on Cyberspace. The event was originally set up with high ambitions, to agree on “norms of behavior” for cyberspace, although some of the high hopes may have been lowered. Still, the speaker list covers the whole gambit, from Yemeni political activists to German arms control officials. Somewhere in between you might spot Hillary Clinton or Jimmy Wales, co-founder of Wikipedia.

You’d think this event is hard to beat. Well, we did it. Certainly regarding the title. Next Thursday, November 3, at 5pm, the world-famous Ron Deibert will announce ”The Coming Perfect Storm in Cyberspace” at the Department of War Studies. That’s right.

Ron is the director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. His institute is well-known for investigative and highly innovative research projects, most notably the discovery of GhostNet. David Betz will chair the event; I will offer some short thoughts as a discussant. All that will be in the War Studies Meeting Room (K6.07) 6th Floor, King’s Building, Strand. Please RSVP.

There will be time after the event to rush to Tesco to stock yourself up with tinned food and duct tape. Not much though.

Oh no!

Yesterday, 5 October 2011, is likely to be remembered as a historic day of the information age: Steve Jobs died. Barack Obama put it well in a tweet: “There may be no greater tribute to Steve’s success than the fact that much of the world learned of his passing on a device he invented.” Indeed the man’s accomplishments are awe-inspiring. Even if you learned of Mr Jobs’s passing on an Android-powered device, that is only possible because Apple woke up the sleeping market of tablets. And smartphones before that. And portable audio devices before that. And personal computers before that. Jobs has indeed redefined the digital age, as the New York Times put it.

The more and more global ubiquity of all these iSomething devices and their many competitors also means something else: almost everybody intuitively understands the risk associated with gadgets hooked up to the cloud. Everybody intuitively understands the risk of having sensitive data stolen and one’s life or corporation disrupted — through cyber attack. What intuitively makes sense on an individual and corporate level must also apply on a state level: the advent of cyber war is just a matter of time, even experts say.

But is it?

In a forthcoming article now available online, “Cyber War Will Not Take Place,” I argue that the answer is actually not so easy. That title of course is a provocation, infused with a bit of Giraudouxian irony (Jean Giraudoux, a French playwright, also inspired Jean Baudrillard’s confused book, The Gulf War Did Not Take Place). Yet this provocation is meant literally here – as a statement about the past, the present, and the likely future. If we take the notion of war seriously, not as a metaphor, then cyber war has never happened in the past — it does not take place in the present — and it is highly unlikely that cyber war will occur in the future. Instead, all past and present political cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage. That is improbable to change in the years ahead.

We at War Studies at King’s are currently teaming up with the Department of Informatics, just down the hall on the sixth floor of our Strand campus. By bringing together computer scientist and political scientists, we hope to open some new perspectives on an extraordinarily complex subject that is also sizzling hot — sometimes so hot that a cool, sober, and nuanced debate may be impeded. This debate has to be informed by at least two disciplines that usually don’t talk to each other very much. That makes the task considerably more difficult. So read “Cyber War Will Not Take Place” as a first cut.

The text is also, if I’m not mistaken, the first-ever article that the Journal of Strategic Studies published under Taylor & Francis’s iFirst scheme — you may treat the program’s Apple-inspired name as another tribute to Mr Jobs.