The concept of cyberwarfare has entered the collective consciousness. The hand of the cyberterrorist is seen behind any attack on computer-based systems. Battalions of hostile cyberspace operators are evoked whenever a website is ‘defaced’.⁽¹⁾ However, no one has ever seen a cyberterrorist. No country has yet experimented with cyberwarfare on a large scale. Are such operations therefore no more than a myth, both reassuring (a virtual and entirely dehumanised war) and perturbing (the ‘IT Pearl Harbor’)?

A Range of Activities

The term cyberwarfare is used to describe a wide range of activities: the lone hacker with a taste for a challenge, the professional phishing⁽²⁾ expert who exploits hundreds of compromised bank accounts, the activist who launches a denial of service⁽³⁾ operation for purely ideological reasons, or nation-states that develop defensive as well as offensive operational capabilities. Of course, the interfaces between these various worlds are not watertight: the amateur becomes the professional, the professional markets his services, the terrorist adopts methods used by criminal organisations; but motivations, resources used and above all risks taken differ widely. It is difficult to talk of an actual war, as such operations have no concrete consequences in terms of physical damage or loss of human life. After all, hacking into a bank has only a limited economic impact. Modifying an institution’s website merely provokes irritation or mockery, depending on which side one is on. As for terrorist groups, they use the Internet for communication, recruitment and the preparation, even funding, of operations. But attacks are still made using explosives and not kilobytes. This is cheaper and has more impact on public opinion.

Should we therefore play down the risk? Most certainly not. The computer attacks suffered by Estonia in April-May 2007 marked a first turning-point. Naturally, the type of attack (denial of distributed service) was relatively conventional and appeared from the outset to be the result of ‘hackivism’;⁽⁴⁾ this was the first time that political, media and economic elements within a country had been targeted simultaneously, leading to the country becoming temporarily paralysed (cash dispensers were also blocked). This was also the first time that a cyberconflict took on a political dimension: a few days after the attack, the Estonian Minister for Foreign Affairs accused the Russian authorities and demanded a public apology. This was therefore the first time that the sovereignty of a state had been directly threatened by a computer attack, which was also carried by an untouchable enemy using ‘botnets’.⁽⁵⁾