Industrialised societies have gradually moved into the global village predicted by Marshall McLuhan in 1967, and today we all depend on the same free and open Internet for a growing part of our daily activities. But when military issues appear in cyberspace, civilian life is in the front line. France’s information systems defence and security strategy describes cyberspace as a new Tower of Babel and a new Thermopylae, simultaneously the place where we live and a battleground.

Conflicts in cyberspace are often called cyber wars, though no act of cyber violence has yet led to armed conflict. The name appeals because of its resonance with popular culture which, since the film WarGames (1983), has stimulated the collective imagination to the point of influencing government policy on digital belligerence.

Cyber war made the cover of Time in 1995, but the digital offensive and defensive capabilities of states only became apparent on a large scale after cyber attacks launched from Russia against Estonian state, bank and newspaper servers in 2007, and an attack on Georgia in 2008. These confirmed the strategists’ view that cyber attacks should be counted as instruments of international and bilateral conflict. They also illustrated the distinctive relationship between civil society and the military: The cooperation of Estonia’s informal ICT security community helped the country survive what its defence minister called a “national security situation.”

These events prompted the great powers to organise. In 2010 USCybercom, the US sub-unified command responsible for cyberspace operations, was officially established at Fort Meade, Maryland. General Keith Alexander, director of the US National Security Agency (NSA) since 2005, became head of the new organisation, whose mission, according to the Department of Defence (DoD), is to “ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” Today Admiral Mike Rogers is in charge of both USCybercom and the NSA, despite recommendations that the functions be separated, made to President Barack Obama after the Snowden affair.

In June 2010 a group of Belarusian researchers discovered Stuxnet, a computer worm designed to attack Siemens industrial control systems — notably in nuclear and hydroelectric power stations. This malware programme was the first cyber weapon discovered by chance “in the wild”, replicating and propagating on the Internet. The New York Times confirmed in 2012 that Stuxnet was a US-Israeli creation, initially deployed against Iran’s uranium enrichment centrifuges at Natanz, and was part of a cyber espionage programme known as Olympic Games. Cyber warfare has no rules or limits, but seems already to have accomplished its first feats of arms.

It also has armies. In 2015 the Wall Street Journal attempted to catalogue the world’s cyber armies, a difficult task owing to widespread opacity, and identified at least 29 countries with one or more military or intelligence units formally dedicated to offensive operations in the cyber domain — the biggest being in the United States, Russia, China, Iran, Israel and North Korea. Another 50 purchase software and ready-to-use hacking tools. Tools developed by Hacking Team, FinFisher and Zerodium attracted the reporters’ attention, but the industry strives for discretion. The wisdom in military circles is that all future conflicts will have a cyber dimension, a self-fulfilling prophecy given the escalation of facilities.

Though states began to organise and structure their cyber capabilities from 2008, the legal framework remains vague. Former NSA and CIA director Michael Hayden recognises this, quoting Estonia’s president Toomas Hendrik Ilves: “Lacking a Lockean social contract in the cyber domain, what we have is an almost purely Hobbesian universe, a universe where Hobbes’s description of ungoverned life as ‘poor, nasty, brutish, and short’ really applies. There is simply no rule of law there.”

In 2009, under the aegis of NATO, a small group of experts began an academic study of the international legal framework applicable to confrontations in cyberspace. The Tallinn Manual, published in 2013, attempts to answer the question of how international law on armed conflicts applies to cyberspace. Focusing on hypothetical rules applicable in time of armed conflict, rather than norms that would govern inter-state disputes in time of peace, this study reflects the state of the debate among the major powers.

The militarisation of cyberspace has advanced far faster than the construction of positive peace-building mechanisms. Only in 2012, after a joint initiative by Brazil, the United States, Nigeria, Sweden, Tunisia and Turkey, did the UN affirm that human rights should also apply online, whatever the medium, and regardless of national borders. And only in 2013 did a governmental expert group of the UN committee on disarmament and international security publish a report stating that international law, especially the UN charter, applied in cyberspace — though this declaration needs elaborating to say exactly how international law can be applied.

The cyber arms race is taking place in an unstable and changing context, where even the definition of a cyber conflict is debated. When, in 2016, the US Senate Armed Services Committee asked the Director of National Intelligence, James Clapper, to define what kind of attack or incident would trigger a military response, he replied that it was a matter of perception. Lieutenant General Vincent Stewart, director of the US Defence Intelligence Agency, explained that it was unwise to class all cyber events as attacks, regardless of the identity and motives of those responsible, and that it would be useful to distinguish between cyber incidents and acts of war. The debate is renewed after each incident. In 2014 the attack on Sony Pictures Entertainment caused an uproar: Some US politicians called it an act of cyber terrorism or cyber warfare, others a simple hack, or hacktivism which could be likened to cyber crime; Obama decided on “cyber vandalism”.

The practical consequences of this semantic debate are of fundamental concern to democracy: They will determine the legal framework applicable, the consequences and the players. In the real world (as opposed to online), you don’t mobilise the army over a broken window; in cyberspace, overreaction is much more likely. Indeed, the more societies depend on the Internet, the more they need to modify their laws and social mechanisms to ensure peace, justice and security, in a context where military-industrial complexes around the world are developing and imposing intrusive methods of control.

Yet the earliest architects of the Internet and cyber-libertarians dreamed of a cyberspace free from state interference and the sovereignty of the “giants of flesh and steel” described by the poet John Perry Barlow in “A Declaration of the Independence of Cyberspace.” Hayden mocks this vision, which contrasts with that of cyberspace as a fifth domain of warfare, after land, space, sea and air: “In retrospect, however, we didn’t appreciate that there was an entire generation growing up at that time believing that cyberspace was a global commons, a pristine playground, and not a potential zone of conflict among powerful nation-states. The debate over those competing archetypes continues today.” Cyberspace remains influenced by these archetypes: The conflicts there are creating a grey area.

The reason why this notion of a “grey area” characterises cyber warfare is that it is inherent to the concept itself. It appears in the earliest strategic studies on the deployment of state power in cyberspace. In the United States, one of the first definitions of “information war” and its strategic consequences dates from 1976. In a report to Boeing, Thomas Rona, science adviser to the DoD, described “tactical, operative and strategic level confrontations over the whole spectrum of peace, crisis, crisis escalation, conflict, war, ending of war, reconstruction, undertaken by the parties, adversaries or enemies, using informational means to attain their objectives.” Competition happens in peacetime as well as in time of war, among allies as well as enemies.

The ambiguity of the concept of cyber warfare contributes to its dangerousness and makes it difficult to place it in a clear legal framework. The concept should inspire mistrust: It prevents us from thinking about peace in cyberspace, where we will need it tomorrow.

- Camille François is a researcher at the Berkman Centre for Internet and Society, Harvard University. Translated by Charles Goulden.

Copyright ©2016 Le Monde diplomatique -- distributed by Agence Global