First Monday

Putting the war in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States by Sean Lawson

Public policy discourse about cyber security in the United States is dominated by a metaphor of war and analogies to the Cold War. This essay critically evaluates the contradictory tendency within U.S. cyber war discourse to see cyber conflict as simultaneously revolutionary and unprecedented, but also amenable to the tenets of Cold War nuclear deterrence. This contradiction points to an ongoing crisis of effectively identifying and understanding what is old and new, the same and different about cyber conflict. The first tendency overemphasizes the new/different aspects of cyber conflict while the second simultaneously overemphasizes the old/same aspects. This essay argues that current contradictory tendencies are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cyber security challenges, including the as-yet unrealized possibility of cyber war.


Metaphors, analogies, and knowledge
Revolutionary change and the law of war
Cyber cold war and deterrence
Alternative analogies and metaphors




Following a number of high–profile incidents of cyber attack, including those targeting Estonia in 2007 and Georgia in 2008 and the Stuxnet computer worm that targeted Iranian nuclear facilities in 2009 and 2010, policy–makers and news media in the United States have paid increased attention to cyber security. Although during the 1990s cyber security was primarily seen as an issue for civilian law enforcement (Bendrath, 2001, 2003; Dunn Cavelty, 2007), in the last four years, the metaphor of “war” has played a dominant role in U.S. public policy discourse about cyber security. Some influential voices in the national security community have claimed that the United States is already in a cyber war that it is losing. In response, some have argued that the U.S. should “re–engineer the Internet” (McConnell, 2010) or perhaps even create a new, separate Internet that “would require visitors to use certified credentials for entry and would do away with users’ Fourth Amendment rights to privacy” (Sternstein, 2011). In May 2009, the United States created a military Cyber Command (Gates, 2009). The July 2011 Department of Defense Strategy for Operating in Cyberspace made it clear that “the Defense Department sees cyberspace as an operational domain, like land, air, sea, and space” (Lynn, 2011; U.S. Department of Defense, 2011). In June 2012, a report in the New York Times confirmed what many already suspected, that Stuxnet had been a joint, U.S.–Israeli operation. It is unsurprising, therefore, that with a wide variety of “hostile or malicious action in cyberspace” [1] conflated under the term cyber war — including crime, espionage, protest, and activism — policy–makers and military leaders have looked primarily to war–related historical analogies and metaphors to aid their understanding of and responses to cyber security challenges. This has included attempts to understand cyber war in terms of the United States’ experience with Cold War–era nuclear deterrence, as well as efforts to apply the law of war to cyber conflict broadly conceived.

This essay critically evaluates a contradictory tendency within U.S. cyber war discourse. On one hand, many have seen cyber conflict as new and different to a degree that existing definitions of ‘war’ and the international laws, norms, and principles that govern it are no longer believed to be adequate. Simultaneously, however, cyber war proponents have deployed analogies to industrial era, Cold War nuclear deterrence, which implies a well–known template for successful response to cyber threats. This contradiction points to an ongoing crisis of effectively identifying and understanding what is old and new, the same and different, about cyber conflict. The first tendency overemphasizes the new/different aspects of cyber conflict while the second simultaneously overemphasizes the old/same aspects. Though this essay does not reject the use of analogies and metaphors, it does argue that current contradictory tendencies are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cyber security challenges, including the as yet unrealized possibility of cyber war.



Metaphors, analogies, and knowledge

Western thought in the Enlightenment tradition has seen metaphor as a frivolous, literary device, a poor substitute for clear, literal language, which was to be the gold standard for truly scientific understanding and description of the world. But over the course of the twentieth century, scholars came to understand that “language, perception, and knowledge are inextricably intertwined” [2] and that metaphor, therefore, is an essential part of the way that humans make sense of the world. But “metaphor is not just a matter of language, that is, of mere words ... . [H]uman thought processes are largely metaphorical ... the human conceptual system is metaphorically structured and defined” [3]. This means that “[t]he essence of metaphor is understanding and experiencing one kind of thing in terms of another” [4]. This is especially the case when it comes to understanding things that are new or novel. In addition to applying the biological metaphor of evolving systems to the world of human social relations, some have applied this metaphor to metaphors themselves, arguing that “[a]s evolving things, metaphors are open to novelty, surprise, inspiration and even mutation. They therefore can capture the underlying processes of other evolving entities surprisingly well” [5]. By allowing us “to see similarity in difference and difference in similarity” (Geary, 2011), at its best metaphor can and should help to provide a balanced view of the new and novel in relation to the old and familiar.

As Lakoff and Johnson [6] suggest, metaphorical language used to describe and communicate can serve as a window into conceptual systems that power human understanding and, ultimately, actions. In fact, many have come to see metaphors as not merely tools for understanding and describing the world, but as at least partially constitutive of that world [7]. Metaphors not only work as cognitive but also normative “structuring devices” [8]. They shape how we understand the way the world is, but also how it should be and the actions that we take based on these beliefs. Thus, while we cannot avoid or get beyond metaphor to absolutely literal and “objective” language, nonetheless we should be cautious and reflexive about our use of metaphors because they “carry with them, often covertly and insidiously, natural ‘solutions’” [9]. Not only can metaphors limit our vision and understanding of the world, but they can also constrain our possible avenues of action [10].

This is the case because metaphors do not just work individually or in isolation but collectively and systematically. First, they help to structure collective, human knowledge. This is where the use of metaphorical language helps to bridge the gap between individual human cognition and collective understanding and action. Scholars and practitioners alike of law (Lamond, 2006; Nerhot, 1991; Weinreb, 2005; Hibbitts, 1994), the natural sciences (Wyatt, 2004; Keller, 1995; Cowan, et al., 1999), foreign policy (Khong, 1992; Saperstein, 1997; Jervis, 1976) and military affairs (Lawson, 2011a; Bousquet, 2009; Paparone, 2008; Libicki, 1997) have all noted the central role of metaphors and analogies to the production of knowledge in these fields. Second, metaphors work together in systems and, therefore, come with “entailments” [11]. This means that a root metaphor can bring with it other, related metaphors. In the case of the cyber war metaphor, notions of “attack,” “offense,” “defense,” “battlefields,” and “domains of war” are all entailments of the war metaphor. The very idea that the law of war can and should apply to cyber conflict and other malicious cyber activities is an entailment of employing a war metaphor, as is the resort to war–related analogies like Cold War nuclear deterrence. These two entailments, law of war and Cold War nuclear deterrence, will be the focus of the next two sections.



Revolutionary change and the law of war

The law of war is codified in the United Nations Charter, international treaties, the body of international case law, and in customary principles of behavior during times of conflict. The law of war covers the issues of jus ad bellum and jus in bello, that is, what constitutes “armed attack,” “use of force,” and when a state can defend itself with military force, as well as how states should conduct themselves once armed conflict has begun. In the case of applying law of war to cyber war, the tendency to focus on a set of new technological instruments instead of the effects of those instruments has sparked a debate about the adequacy of the law of war and even the definition of “war.”

Based in the belief that cyber “weapons” represent an unprecedented development, it is common to hear the argument that technology has run ahead of current ways of thinking about, planning for, and regulating the conduct of warfare. Former NATO Supreme Allied Commander and one–time U.S. presidential candidate, General Wesley Clark, believes that cyber war exemplifies the tendency for technology to be “ahead of the law” (Adhikari, 2009). Most notably, during his April 2010 Congressional confirmation hearing to become the first commander of U.S. Cyber Command, Lt. Gen. Keith Alexander testified that there is a “mismatch between our technical capabilities to conduct operations and the governing laws and policies” [12]. Thus, several influential voices in the national security community, including former Director of National Intelligence, Adm. Dennis Blair, and former General Counsel for the National Security Agency, Stewart Baker, have claimed that the law of war is “inadequate” or “irrelevant” in the context of cyber conflict (Nakashima, 2010; Gjelten, 2010).

When the law of war is deemed inadequate, previously resolved questions are reopened for consideration. This includes not only the question of what constitutes “cyber war,” but also the more general question of what constitutes “war” in the Information Age. Daniel Ryan, a professor who teaches law of war at the National Defense University, stated the supposed problem most succinctly: “We don’t know when or if a cyber attack rises to the level of ‘armed attack’” (Gjelten, 2010). Even the leadership of the U.S. Strategic Command, which oversees both the U.S. nuclear arsenal and the newly formed U.S. Cyber Command, are openly wrestling with questions like

[D]o cyber attacks require a cyber response, or should the President order a live weapon reply? [...] Does it matter if it’s an attack on the economy, where there’s little physical damage, there’s just disruption? [...] Espionage generally is a crime punishable by jail — but in the cyber world couldn’t intensive spying be an enabler of physical combat? When do ‘normal’ cyber operations conducted in peace–time cross the line — and where is the line? (Perera, 2009)

Answers to these questions are important because they will determine “what constitutes a cyberattack worthy of a full–throated U.S. military response” including the use of physical force (Markoff and Shanker, 2009b).

In response, some have argued for reform of the law of war. But it is not because cyber war is so revolutionary or unprecedented that the law of war seems inadequate. Indeed, as I will argue below, current definitions of “war” as embodied in the law of war are more than adequate for allowing us to determine “where the lines are.” Rather, the seeming inadequacy of the law of war in the current discourse results from the fact that the move to frame cyber conflict and other malicious cyber acts as “war” involves the conflation of many acts that are clearly not war in the traditional sense (e.g., protest, crime, espionage) (Lewis, 2010, 2011). This conflation of non–war activities that is at the heart of the cyber war metaphor is, in part, a cause of the ongoing confusion and ambiguity about “where the lines are” (Carroll, 2011). Framing cyber conflict as “war” entails attempts to apply the law of war; but the conflation of activities that powers the “war” framing undermines the application of the law of war, creating a “double bind” situation in which it seems that we simultaneously must but cannot apply the law of war to cyber war [13].

The most disturbing response to this double bind has been efforts to reconcile cyber war and law of war that have resulted in serious calls to redefine “war” in general to include all of the activities lumped together under the term cyber war. After concluding that the cyber “attacks” against the nation of Georgia in 2008 did not constitute “armed attack” under current definitions of the term in the law of war, a report from the NATO Co–operative Cyber Defence Centre of Excellence (CCDCOE) concluded that “new approaches to traditional LOAC [law of armed conflict] principles need to be developed.” It advocated that the advent of “new bloodless types of warfare” mean that “the definition of an ‘attack’ should not be strictly connected with established meanings of death, injury, damage and destruction” [14].

There is evidence to suggest that U.S. policy–makers and military leaders are also beginning to adopt this view. As early as 2004, the National Military Strategy of the United States of America identified cyber attacks as a type of “asymmetric” threat that “may rely more on disruptive impact than destructive kinetic effects” [15]. The strategy document advocated the preventive use of force against adversaries believed to be undeterred from acquiring such capabilities [16]. In May 2009, when asked by members of Congress if the cyber attacks on Estonia in 2007 and Georgia in 2008 could be considered “cyber war,” Lt. Gen. Keith Alexander replied, “On those, you’re starting to get closer to what would be [considered war]” (Harris, 2009, brackets in original). Two months later, U.S. Representative Peter Hoekstra, the ranking Republican on the House Intelligence Committee, called for a military “show of force” against North Korea in response to a series of distributed denial of service (DDoS) attacks against U.S. and South Korean Web sites (Zetter, 2009). It later turned out that the attack had not in fact originated in North Korea (Dunn, 2010). Finally, as recently as June 2011, an unnamed Pentagon official involved with the development of the DoD cyberspace strategy released a month later said, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks” (Gorman and Barnes, 2011).

This expansion of what counts as war is seemingly necessary because, as the CCDCOE report indicated, even the most dramatic cases like the cyber attacks against Georgia in 2008 do not rise to the level of war as traditionally defined. Many observers agree with that assessment and also note that the cyber attacks against Estonia in 2007 were not war (Ottis, 2010; Schneier, 2009; Lewis, 2009a). In fact, some claim that we have yet to see anything close to “armed attack” in the cyber “domain” (Dunn Cavelty, 2011; Dunn Cavelty and Rolofs, 2011; Lewis, 2009a, 2010). As Evgeny Morzov has argued, “there is no evidence yet to link the current generation of cyber–attacks to warfare, at least not in the legal sense of the term. [...] [T]here is a line between causing inconvenience and causing human suffering, and cyber–attacks have not crossed it yet” (Morozov, 2009).

Thus, arguments in favor of expanding the definition of “war” to encompass “bloodless” cyber actions are less a consequence of the supposed inadequacies of the law of war and more the result of political and military leaders, news media, and others focusing first and foremost on the instruments of cyber conflict rather than their effects or intent of their use. Many different types of actions carried out in/through cyberspace for very different reasons are conflated because they tend to rely upon the same instruments, which are seen as new and unprecedented. Unfortunately, the term under which they have been conflated is “war.” Because the instruments of cyber conflict are seen as new and unprecedented, and because the law of war does not specifically mention them, it is assumed that the law of war is therefore inadequate. Instead of using the law of war to determine whether the use of the instruments of cyber conflict amount to armed attack, many have merely presumed that the use of cyber instruments is armed attack and that, therefore, it is the law of war that is inadequate.

But there are strong arguments in favor of the continuing adequacy of the law of war and its restrictive definition of “armed attack.” Maj. Gen. Charles Dunlap, Jr. (ret), a leading expert in information age conflict and the law of war, has stated unequivocally that the law of war is more than adequate for determining if a cyber attack rises to the level of armed attack. He writes, “The leading view, therefore, among legal experts focuses on the consequences and calls for an effects–based analysis of a particular cyber incident to determine whether or not it equates to an “armed attack’” and that “the consequences must extend to more than mere inconvenience; there must be at least temporary damage of some kind” [17]. As Michael Schmitt, the world’s preeminent expert on cyber conflict and the law of war has written, to count as “armed attack,” an action must have at least been “intended to directly cause physical destruction or injury” [18]. As such, James Lewis has argued, “[t]he thresholds for war or attack should not be very different in cyberspace than they are for physical space. [...] [V]iolence, or the threat of violence, is the defining element for the use of force, armed attack, or an act of war. [...] If there is no violence, it is not an attack or the use of force” (Lewis, 2011).

There exist a number of clear frameworks developed by international legal scholars and other critical researchers that provide a strong and compelling set of tools for identifying when “armed attack” has occurred in cyberspace (or anywhere, for that matter) and, thus, when a state can respond in self–defense with military force. Schmitt (1999) has provided a clear normative framework for determining if a cyber attack constitutes use of force or armed attack [19], as well as if self–defense is warranted [20]. Similarly, Myriam Dunn Cavelty has provided a “cyber–escalation ladder” as an aid to distinguishing between different types of hostile cyber actions (Dunn Cavelty, 2010). These frameworks are thoroughly effects–based to the degree that the instrument used is largely irrelevant to determining whether an armed attack has occurred.

The argument that an effects–based approach to jus ad bellum is adequate is all the more compelling when we consider some of the possible negative consequences of expanding the definition of “war” that results from the instrument–based approach. First and most obvious is that ”[a]llowing forcible reprisal to non–military coercion would broaden the grounds for use of force to an intolerable degree” [21]. Carelessly using the metaphor of war for acts that are clearly not war and, as a result, moving to formally alter definitions of armed attack “inevitably leads to aggressive behavior, the planning of escalating countermeasures and — eventually — to real war” (Dunn Cavelty, 2011). This is possible, in part, because of the speed, difficulty of controlling, and likely collateral damage that would result from the use of the kinds of offensive cyber attacks imagined by many policy–makers and military leaders. When militarist cyber rhetoric results in use of offensive cyber attack, it is likely that those attacks will escalate into physical, kinetic uses of force (Lewis, 2009a; Clarke, 2009).

Finally, overemphasis on cyber war could undermine our ability to focus on other forms of cyber threat, as well as undermine the military’s ability to address those aspects of the threat that should come under its purview. Though cyber crime and cyber espionage are real problems [22], conflating them under one term limits the possibility for taking the most specific and effective actions in response to each, leading simultaneously to the possibility of miscalculation and overreaction in some cases and a do–nothing, boy–who–cried–wolf response in others (Lewis, 2010). Similarly, Charles Dunlap, Jr. has warned that over–involvement of the military in cyber security matters that should rightly be the job of law enforcement or civilian regulatory bodies risks exacerbating an already–growing, “generalized distrust of government” that could “undermine the public support” for the military [23].

Ultimately, strict adherence to an effects–based approach can and should undermine the brave–new–world rhetoric of those who argue for the expansion of the definition of “war” as a result of their focus on cyber instruments rather than the effects of their use. When the focus shifts from instruments to effects, what had appeared revolutionary and unprecedented suddenly seems much more familiar. While the tools by which humans engage in conflict might change, the human suffering associated with war has not and should not be forgotten. The use of an effects–based approach helps to correct an imbalance in dominant views about the new and novel in relation to the old and familiar in the context of hostile or malicious actions in cyberspace.



Cyber cold war and deterrence

Attempts to understand cyber conflict through the use of war–related analogies and, in particular, analogies to Cold War–era nuclear deterrence, are another entailment of applying a war metaphor to hostile or malicious actions in cyberspace. As in the case of applying the law of war to cyber war, analogizing to Cold War nuclear deterrence is also motivated by the sense that so–called “cyber weapons” [24] present a revolutionary and unprecedented form of technologically mediated conflict, just as the advent of nuclear weapons did in the 1950s and 1960s (Clarke, 2009). But while in the case of the law of war the seemingly revolutionary and unprecedented nature of cyber war has caused some to call into question extant rules, norms, principles, and definitions of war, the nuclear deterrence analogy seems to hold out the promise of an effective response to the radically new via the application of a well–known and familiar template. This section explores some of the key ways in which cyber war has been compared to the Cold War and nuclear weapons. It argues that analogies to Cold War nuclear deterrence falsely imply that two very different examples of radical change in technology can be responded to in the same way.

Starting from the belief that “[w]e sit at a similar historical moment” to the advent of nuclear weapons, former White House cyber security advisor, Richard Clarke, has advocated that policy–makers look for guidance to the intense period of research and discussion during the 1960s that led to the strategy of nuclear deterrence (Clarke, 2009). Similarly, Mike McConnell has argued that development of cyber security strategy should be modeled on “the equivalent of President Dwight D. Eisenhower’s Project Solarium,” which “brought together teams of experts with opposing views to develop alternative strategies on how to wage the Cold War” (McConnell, 2010). But Clarke and Knake (2010) believe that the United States has thus far failed to approach the development and use of cyber weapons with the same kind of “learned discussion and rigorous analysis” [25] that resulted in the development of deterrence strategy.

His observation is largely correct. While he and McConnell have called for a process that is analogous to the one that led to the development of deterrence, many cyber security proponents, including Clarke and McConnell themselves, have instead attempted to import the results of the Cold War era process of strategy development into contemporary discussions of cyber war. This has included a tendency to see global cyber conflict in bi–polar terms, to compare the effects of cyber weapons to nuclear weapons, and to seek to apply deterrence in the context of cyber conflict.

Cyber security proponents in the United States have tended not only to see cyber conflict as global in scope, but also in terms of two main protagonists. For at least the last four years, media reports have proclaimed the existence of a “cyber Cold War,” with the two main adversaries being the United States and China (Griffiths, 2007; Goldman, 2011). Indeed, Richard Clarke is one of those cyber security proponents who have framed cyber conflict in these terms. Fifteen pages of his 2010 book, Cyber war: The next threat to national security and what to do about it, are devoted to detailing the Chinese cyber war program, which he claims has been purposefully developed to provide the Chinese with “asymmetrical” advantage over a high–tech U.S. military increasingly dependent upon networked information and communication technologies [26]. In a recent op–ed, Clarke went so far as to claim that “the government of China is systematically attacking the computer networks of the U.S. government and American corporations” (Clarke, 2011).

This rhetoric has resonated with U.S. policy–makers. In her January 2010 speech on “Internet freedom,” U.S. Secretary of State Hillary Clinton invoked the image of the Berlin Wall to claim, “even as networks spread to nations around the globe, virtual walls are cropping up in place of visible walls. Some countries have erected electronic barriers that prevent their people from accessing portions of the world’s networks. [...] [A] new information curtain is descending across much of the world” (Clinton, 2010). She identified China repeatedly as engaging in online censorship of political and religious speech, as one of those countries erecting “a new information curtain.” Pointing to Google’s accusations that China had hacked into its systems and stolen proprietary information, and reminiscent of the collective defense provision of the North Atlantic Treaty Organization (NATO), which sees an attack on one member as an attack on all, Clinton warned that “[i]n an internet–connected world, an attack on one nation’s networks can be an attack on all” (Clinton, 2010).

The Cold War nuclear analogy also invites comparison of cyber weapons to nuclear weapons. In making such comparisons, cyber security proponents have coined new terms and acronyms that place nuclear weapons and cyber weapons in the same category. The 2004 National Military Strategy of the United States of America combines “chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical ‘weapons’,” including “cyber weapons,” under the category of “weapons of mass destruction/effect” (WMD/E) [27]. Others have substituted “disruption” for “destruction” and have claimed that “cyber weapons can be Weapons of Mass Disruption/Mass Effect” [28]. Even President Barack Obama has used the term. In a speech introducing his Cyberspace Policy Review, he warned that “acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer — a weapon of mass disruption” (White House Press Office, 2009). John Arquilla, a RAND researcher who was one of the first to popularize the term cyber war in the 1990s, has argued that “our leaders are overly focused on nuclear weapons of mass destruction; more thought should be given to the looming threat of cyber ‘mass disruption’” (Arquilla, 2009).

Others have gone further by not only working to place cyber weapons and nuclear weapons semantically into the same category, but by arguing that cyber attack can have effects equivalent to nuclear attack. Mike McConnell has claimed that cyber attack not only “mirrors the nuclear challenge in terms of the potential economic and psychological effects” (McConnell, 2010), but that cyber attacks on critical infrastructure systems “could create damage as potentially great as a nuclear weapon over time” (quoted in Harris, 2009). The United States’ 2006 National Military Strategy for Cyberspace Operations echoed this position, explaining that “Well–planned attacks on key nodes of the cyberspace infrastructure” could result in “WMD–like effects” [29]. Finally, when reflecting upon the impact of the 2007 denial of service attacks that targeted the Baltic nation of Estonia, the speaker of the Estonian Parliament, Ene Ergma, said, “When I look at a nuclear explosion, and the explosion that happened in our country in May, I see the same thing” (quoted in Poulsen, 2007).

With hostile and malicious acts in/through cyberspace framed as a new “cold war” and cyber attack categorized as WMD/E, it only seems natural to argue that the primary goal of U.S. cyberspace strategy should be deterring cyber attacks. Noting that nuclear deterrence was based, in part, on the abilities to attribute and locate the origins of an attack, Mike McConnell has argued that “we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable” (McConnell, 2010).

Similarly, retired Air Force Lt. Gen. Harry Raduege, a co–chair of the CSIS Commission on Cyber security for the 44th Presidency, has argued that even though “low–level ‘tactical’ strikes” make up the bulk of cyber incidents affecting the United States, cyberspace strategy should instead be focused on deterring a catastrophic “strategic–level attack” that an adversary “could one day” launch against the United States (Raduege, 2011). In addition to agreeing with McConnell that attribution is essential, Raduege also stresses the importance of developing retaliatory capabilities that are not limited to in–kind, cyber responses but could include response with physical force: “If we can trace the source of a cyber attack to a cave in the Hindu Kush mountains, America’s response could come in the form of a hellfire missile” (Raduege, 2011). As mentioned above, some Pentagon officials have echoed this view, warning that cyber “attacks” could provoke a kinetic response from the United States. Administration officials have even refused to rule out the possibility of nuclear response to particularly destructive of disruptive cyber attacks (Markoff and Shanker, 2009a).

Although in the case of the law of war, cyber war proponents have too quickly abandoned definitions, rules, and norms of war that are and should still be relevant to cyber conflict, in the case of cyber deterrence, many of these same individuals have too quickly adopted a framework that is “deeply flawed and largely unworkable” (Lewis, 2009b). First and foremost, this is the case because, as Martin Libicki of RAND notes, “Cyberspace is its own medium with its own rules. [...] Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace” [30]. Not only does the nuclear deterrence analogy tend to lead its users to “exaggerate the destructive capacity of cyber weapons,” it also results in a tendency to focus on hypothetical worst cases while ignoring actual threats (Lewis, 2009b). For example, while Raduege admitted that “low–level” attacks are predominant, he nonetheless advocated that national policy should focus on “strategic attacks” that “could one day” occur (Raduege, 2011).

This tendency presents several problems. First, if cyber weapon capabilities have been exaggerated, then it is unlikely that strategic cyber attacks, if they did occur, could be decisive in the way that nuclear weapons could be [31]. Ironically, however, without the potential for decisiveness, the threat of cyber retaliation alone would likely have little deterrent value, meaning that one would have to rely upon threats of physical retaliation to deter cyber attacks. In turn, this could encourage an escalation to physical confrontation — that is, assuming the defender follows through on his threat of retaliation, without which any future threats would lose credibility.

Second, the threat of massive retaliation, either cyber or physical, has not and will not deter the actual and pervasive “low–level” cyber attacks experienced on a daily basis. It is important to remember that during the Cold War, the threat of massive retaliation did not deter all war. It only deterred all–out nuclear war. As Raduege (2011) notes, the Cold War ended up taking the form of numerous proxy wars fought around the globe, from Southeast Asia to Latin America. Similarly, not only will U.S. capabilities for and threats of massive retaliation in response to cyber attacks not deter the daily occurrence of low–level attacks, it will likely encourage potential adversaries to constantly seek to pose challenges that fall below the threshold that would trigger massive retaliation, either cyber or kinetic.

Finally, all of this points to another problem: a simplification of nuclear deterrence and Cold War history. Nuclear strategists confronted these same problems in the 1960s as it became increasingly clear that Eisenhower era threats of “massive retaliation” had lost their credibility and value. This resulted in a robust debate about “flexible response,” escalation, the role of conventional forces in promoting nuclear deterrence, and much more. In short, there was no one nuclear deterrence strategy during the Cold War. Nuclear strategy evolved over time (Freedman, 1989). Unfortunately, current notions of cyber deterrence are more akin to the 1950s strategy of massive retaliation that was ultimately deemed incredible and dangerous in comparison to the later, more nuanced variants of deterrence.

Finally, a number of other differences between nuclear weapons and cyber weapons render the quest for cyber deterrence inappropriate at best and even potentially counterproductive. Cyber attacks generally suffer from a crisis of cause and effect. In one variant, this is what cyber war experts call the “attribution problem” — i.e., it is difficult to know who the attacker is because of online anonymity. As Mike McConnell and others have noted, deterrence is impossible without the ability to credibly threaten the attacker. But deterrence is also difficult if one cannot reliably know in advance the effects of one’s response. In cyberspace, the “collateral damage” caused by cyber attacks can be unpredictable, which could reduce “the willingness of political leaders to incur the risk of a retaliatory response that goes awry, widening a conflict or creating unfavorable political consequences” (Lewis, 2009a). The unpredictable results of a cyber response could encourage the use of a more predictable but more deadly physical response. It is for all of these reasons that Myriam Dunn Cavelty warns against the use of the language of deterrence and aggression with respect to cyber threats. Such language is counterproductive because it results in a self–fulfilling prophecy: actions taken by one state to increase its security can make others feel less secure, resulting in their taking similar actions, which confirms to the first state that it is insecure, and so on (Dunn Cavelty, 2010).



Alternative analogies and metaphors

Although there are real cyber threats that need to be taken seriously, including the daily occurrences of cyber crime and cyber espionage conducted by both state and non–state actors (Dunn Cavelty, 2010), effective response requires disaggregating and distinguishing among the various threats that have been lumped under the term cyber war (Dunn Cavelty, 2010; Dunn Cavelty and Rolofs, 2011; Lewis, 2011). Each threat should be addressed first and foremost by the institutions and using the techniques most appropriate to it. As such, instead of one metaphor and set of analogies through which to think about cyber threats (e.g., war and deterrence), there may be multiple metaphors and analogies that are more or less appropriate depending on the type of cyber threat being addressed.

The remainder of this essay will consider several alternative metaphors and analogies in an effort to demonstrate that it is neither natural nor inevitable that we should think about cyber conflict in terms of war and nuclear deterrence. First, I will suggest that analogies to (counter)insurgency or biological warfare might be more appropriate than analogies to nuclear deterrence for the subset of cyber threats of a political–military nature. Second, I will argue that various types of biological metaphors and analogies might be more appropriate for thinking about the full spectrum of cyber threats, including cyber war. Finally, I will conclude the section by discussing the limits of these metaphors and analogies in particular, the limits of metaphors and analogies in general, and the limits of military and government responses to cyber threats.

In his book, Counterinsurgency, David Kilcullen (2010) notes that most of the wars in the Correlates of War database are actually insurgencies [32], what Western military professionals have tended to call “irregular” warfare. This suggests that it is actually insurgency that is “regular”; large–scale, state–on–state, high–intensity warfare between professional militaries is “irregular” in the history of warfare. Similarly, the drive to apply the law of war to cyber conflict and to look for guidance in analogies to Cold War nuclear deterrence overlooks the reality of the vast majority of cyber attacks. As mentioned above, numerous observers have noted that we have yet to see any cyber attacks that rise to the level of war or terrorism as traditionally defined. Nonetheless, two recent chronologies of cyber attack incidents indicate that there have been plenty of cyber incidents [33]. The “hacktivist” groups Anonymous and LulzSec alone have been responsible for a great number of these incidents just within the last year. This does not include the number of similar incidents perpetrated for criminal or espionage purposes that have not been publicized. These incidents are the “regular” face of cyber conflict, not large–scale cyber attacks analogous to strategic bombing or the use of nuclear weapons. Just as the Cold War between the United States and Soviet Union played out in a series of proxy wars often involving (counter)insurgency, the “cyber Cold War” (if it really exists) is playing out much the same way, with many acts carried out across cyberspace that never rise to a level that warrants “massive retaliation” (cyber or kinetic) but which pose a serious and chronic challenge nonetheless.

Even the most well–known cyber attack, Stuxnet, largely fits this pattern. The public discussion that followed the revelation that Stuxnet was a joint, U.S.–Israeli operation (Sanger, 2012a) illustrates that the tendency to think about cyber conflict in terms of nuclear weapons and deterrence is very strong. For example, David Sanger, the author of the piece revealing Stuxnet’s origins, wrote a follow–up piece in which he used an analogy to nuclear deterrence to analyze the implications of what he had reported (Sanger, 2012b). But the details found in his reporting should suggest that even state–level cyber conflict currently resembles the world of intense espionage, covert actions, sabotage, and proxy conflicts more than it does global nuclear war.

Just as acknowledgement that the war in Iraq had become an insurgency led to a substantial change in the way the U.S. military operated (Ricks, 2009), one should also expect that acknowledging the fact that most cyber threats do not match the dominant metaphor and analogy could also lead to quite different responses than what we have seen thus far. While a few scholars have begun to explore cyber conflict as a form of low–intensity conflict or even insurgency (Dartnell, 2006; Liles, 2010), the mismatch between the reality of most cyber attack incidents on one hand and the still–dominant war metaphor and nuclear deterrence analogy on the other indicates that more work is needed in this area.

The United States has expended a great deal of money and effort addressing threats that are in many ways strikingly similar to cyber threats: the threats of biological warfare and bioterrorism. But the lessons learned in the area of biosecurity have generally not made their way into the dominant American discourse of cyber security. The similarities between the two sets of challenges should suggest that biological warfare and bioterrorism are far more appropriate analogies than nuclear deterrence for describing and responding to cyber threats.

As early as 1969, the Nixon administration argued that biological weapons were “naturally resistant to the strategic aims of mutual deterrence and should be abandoned.” The reasons should seem quite familiar as they are almost identical to the problems that plague the use of cyber weapons today: “biological agents were unpredictable in their effects, responsive to uncertain climatic and environmental conditions, indifferent to national borders and prone to backfire on those who used them, making it difficult to defend the boundaries between the civilian and the military spheres, friend and enemy, over here and over there” [34]. What’s more, the United States worried about the proliferation of biological weapons technology to non–state actors, “which threatened to propagate ... not only a specific pathogen, but another mode of warfare altogether” via the “emergence of non–sovereign enemies” [35].

In the 1990s and early 2000s, in the wake of a number of high–profile terrorist attacks, such as the 1993 bombing of the World Trade Center, the 1995 Oklahoma City bombing, and the 1995 nerve gas attacks in the Tokyo subway system, U.S. policy–makers turned their attention to the unique challenge of “bioterrorism.” They worried that the ability of biological agents “to spread without detection, to incubate and produce delayed effects” [36] gave would–be attackers the ability to strike anonymously. Anonymity combined with the difficulties of effectively targeting a non–state entity with traditional military force and the extreme religious or political views of the kinds of groups that many believed would be most likely to carry out mass casualty attacks meant that a policy of deterrence based on threats of massive retaliation was largely impossible (Hoffman, 1998). The United States certainly did not threaten the development and use of offensive biological warfare capabilities of its own as a means of deterring biological attack from non–state actors. Instead, the primary policy response was focused on public health measures meant to provide early warning and mitigate the effects of a biological attack were it to occur. Most “first responders” would be civilian medical, emergency response, and law enforcement personnel, not the military. As in the case of a (counter)insurgency analogy, the striking similarities between biosecurity and cyber security suggest that the former not only can provide a better model for describing the latter, but if taken seriously might lead policy–makers to less militaristic and more appropriate responses to cyber threats.

Recent revelations about Stuxnet indicate that if they can be described as “weapons” at all, cyber weapons are more like biological than nuclear weapons. We know about Stuxnet because its American and Israeli developers were not able to limit its effects to the intended target. Like a biological weapon, Stuxnet was difficult to control and ultimately spread beyond its intended target. We also know from Sanger’s account (Sanger, 2012a) that the effects of Stuxnet’s use were both delayed and uncertain, not the instantaneous and unmistakable destruction one would see from the use of a nuclear weapon. Finally, as with biological weapons, the very use of the weapon can result in giving the weapon to the enemy. Samples of the “pathogen” (biological or digital) can be collected, analyzed, further weaponized, or used to make an antidote. When the weapon’s effects exceed the intended target, it cannot only become available to the target, but also to third parties. Thus, the Stuxnet code is now available for download on the Internet by both state and non–state groups. With Stuxnet, it seems that the United States has promoted what it sought to avoid in the case of biological warfare — i.e., the propagation of a new, difficult–to–control mode of warfare to both state and non–state actors.

Use of biological metaphors such as “viruses” and “infections” have been common for decades in the discourse of computer security (Helmreich, 2000). But while biological metaphors and analogies have been common at the technical and tactical levels of computer security, they have not played a leading role in recent efforts to develop national cyber security policy. But there has been some movement in this direction within the last few years as several influential voices in industry and government have called for the adoption of more appropriate metaphors and analogies drawn primarily from the biological sciences. A report from the JASON group [37] notes the importance of language, discourse, definition, and analogies in particular to the natural sciences. Pointing to imprecision in the current discourse of cyber security, the report identifies several sciences that could serve as analogies for thinking about cyber security, including economics, meteorology, medicine, astronomy, and agriculture. The authors focus especially on “the immune system analogy” [38]. While they admit that it is not perfect, they do see it as particularly appropriate and useful. Similarly, Scott Charney, Corporate Vice President of Microsoft’s Trustworthy Computing Group and member of the President’s National Security Telecommunications Advisory Committee, has called for “applying public health models to the Internet,” with the central policy prescription being the issuance of “digital health certificates” to consumer devices before they are allowed to connect to the Internet (Charney, 2010).

A March 2011 report from the U.S. Department of Homeland Security (DHS) indicates that at least some in government are listening and beginning to consider the policy implications of thinking about cyber security through a biological lens. The DHS report begins by describing cyberspace as an “ecosystem” composed of heterogeneous elements, including human and nonhuman participants that are constantly interacting. Keeping individuals, groups, and the entire ecosystem healthy is seen as analogous to the human immune system and its institutional extension in the form of public health systems meant to protect entire communities and societies [39]. The report suggests the creation of “the cyber equivalent of a CDC [Centers for Disease Control]” that would perform many of the same functions of the real CDC, including monitoring the environment for “outbreaks” of cyber threats, analyzing and disseminating information about threats, and recommending, coordinating, and analyzing the effectiveness of prevention and response measures [40]. The report offers principles to guide the system’s response to cyber threats that are based in contemporary military command and control theory, which has itself been highly influenced by the application of metaphors and analogies from the biological sciences [41]. For example, the report’s emphasis on agility, maneuverability, decision cycles, and the devolution and decentralization of decision and action resonate strongly with the Observation–Orientation–Decision–Action (OODA) Loop model of command and control, which has been extremely influential within the U.S. military since the 1980s and which is heavily influenced by cybernetic theory and evolutionary biology (Hammond, 2001; Osinga, 2007). While DHS has drawn from biological sciences and dominant thinking about information–age conflict to develop its vision of cyber security, most American military thinking about “cyber war,” the apotheosis of information–age conflict, has been dominated instead by analogies to industrial–era, Cold War nuclear deterrence.

It is important to clarify, however, that this essay neither advocates any one metaphor or analogy, nor the primacy of one government bureaucracy over another. Just as the war metaphor and nuclear deterrence analogy have serious limitations, the alternative metaphors and analogies highlighted above have their own limitations. The COIN analogy is still a militaristic one that implies the need for military response. Similarly, the bioterror/biological warfare analogy at minimum subjects hostile or malicious acts in/through cyberspace to a logic of security. As the concept of security has yet to cast off its traditional, military connotations, metaphors and analogies that encourage the application of a logic of security risk encouraging militarization as well [42].

Additionally, life science metaphors in general are also potentially problematic. Biological metaphors can have a tendency to naturalize social phenomenon and, thereby, encourage deterministic ways of thinking. We see this in various attempts to understand social realities in biological terms, including structural functionalism, sociobiology, and the “selfish gene.” Next, life science metaphors have already been co–opted for militaristic purposes. Industrial–era and information-age theories of warfare have draw variously from eugenics, evolutionary biology, crowd psychology, complexity theory, and more (Lawson, 2011b). Finally, the life sciences have themselves been inflected with militaristic metaphors. Donna Haraway (1991), for example, has documented the way the immune system has been described by scientists as a command and control system for defending the body against foreign invaders. In short, life science–based metaphors are no guaranteed solution to the problem of militarization.

There are limits to metaphor and analogy’s power to explain and bring about change. It is important to note that the U.S. defense community’s use of the war metaphor and deterrence analogy is as much a symptom as it is a cause. The use of Cold War, industrial–era metaphors is an indicator that the U.S. military still struggles to adapt its thought and culture to the realities of the Information Age. Since the 1980s, U.S. military discourse has been dominated by talk of networks, decentralization, and the Information Age (Cebrowski and Garstka, 1998). The thinking of some of the most influential U.S. military theorists has even been described as “postmodern” (Osinga, 2007). And yet the knee–jerk reaction to prospective cyber threats has been to apply industrial–era thinking. This indicates that the shift to an information–age fighting force has yet to be fully realized and raises deeper questions about whether such a shift is possible at the level of military thought and culture.

But even if use of the war metaphor and deterrence analogy is a symptom of larger organizational pathologies, they nonetheless narrow the range of possible responses and, if taken seriously, pose serious risks to the future of the Internet. For example, Mike McConnell’s call to “re–engineer the Internet” was motivated by a desire to make deterrence possible. This is an attempt to respond to prospective cyber threats not by changing the defense community’s frame of reference but by changing the material reality of the Internet to fit the dominant metaphor and analogy. As Zimmer (2004) notes, such changes, if realized, would have a profound effect on both the material reality of the Internet’s architecture, as well as the politics and values expressed via those architectural and artifactual decisions.

But just as metaphors can serve to constrain possible futures, so too can they serve as conditions of possibility that enable (if not cause) alternative futures. The discussion of COIN, bioterror, and life science metaphors above is therefore meant to demonstrate that it is neither natural nor inevitable that metaphors of war and analogies to nuclear deterrence should dominate our thinking about the myriad challenges that we face in and through cyberspace.

Finally, as mentioned above, disaggregation of cyber threats implies the need not only for multiple metaphors and analogies, but also multiple response actors. The defense community’s difficulty in thinking about cyber security beyond war and deterrence is one indicator that the military can have only a small role in responding to these challenges. Likewise, though the Department of Homeland Security’s conception of a more decentralized approach analogous to the public health system is a valuable step away from war and deterrence, nonetheless, ongoing instability in the cyber security leadership at DHS (O’Harrow and McCarthy, 2004), the fact that most cyber infrastructure is privately held, and the reluctance of Congress to give DHS the power to regulate critical infrastructure providers (Sasso, 2012), all point not just to the impossibility of centralizing the response to cyber threats within the DHS. It also points more generally to the limits of the state’s ability to respond to cyber threats.




This essay has critically examined the dominant discourse of cyber security in the United States, in particular the tendency to conflate the full range of hostile and malicious acts in/through cyberspace using the metaphor of “war.” The reliance upon the war metaphor has resulted in two contradictory entailments. The first has been a tendency to see cyber war as revolutionary and unprecedented such that existing rules and definitions of war as embodied in the law of war seemingly no longer apply. The second has been a tendency to see cyber war as analogous to Cold War nuclear deterrence of the 1950s and 1960s, implying that this supposedly unprecedented form of conflict can be addressed with a 50–year–old strategy. The first tendency overemphasizes the aspects of cyber conflict that are new and different and focuses too much on the instruments of cyber conflict and not enough on their real–world effects. Instead of using widely accepted and reasonable definitions of war that require effects such as injury or death to people and damage or destruction to property to determine when and if a hostile or malicious act in/through cyberspace counts as armed attack, cyber security proponents have instead sought a dangerous expansion of the definition of war to include a wide range of bloodless acts that traditionally would not (and should not) be considered armed attack. The second tendency overemphasizes the aspects of cyber conflict that are old and the same and has resulted in attempts to respond to cyber conflict with an inappropriate strategy of the pre–Internet era that was developed for weapons that are substantially different than the instruments of cyber conflict. Both tendencies are dangerous because they overlook the reality of cyber conflict, making effective responses to the threats that do exist more difficult, while at the same time increasing the chances that malicious but bloodless acts in cyberspace could needlessly escalate to physical conflict.

Finally, this essay has suggested that it is neither natural nor inevitable that cyber security should be framed in terms of war, and certainly not in terms of nuclear war. Taking the vast majority of hostile or malicious cyber incidents seriously instead of focusing on hypothetical cases of “strategic attack” in/through cyberspace suggests that contemporary cyber conflict is indeed like war in general and the Cold War in particular, but not as most have imagined. So–called “irregular” forms of conflict have dominated the history of war, including the Cold War. Thus far, conflict in cyberspace has also fit this pattern. As the difficulties that the United States faced in Iraq eventually forced it to recognize and respond to the realities of that conflict, so too should the daily occurrence of hostile or malicious acts in/through cyberspace that pose a real threat but which cannot be deterred or responded to with massive retaliation cause civilian policy–makers and military leaders to reevaluate their thinking about cyber security. Where analogies to other types of weapons are concerned, biological weapons are more similar to cyber weapons than are nuclear weapons. This notion suggests that the more decentralized and civilian–focused response to biosecurity threats may be a more appropriate model for cyber security policy than a centralized, military–led effort. In the end, a move away from the dominant war metaphor and nuclear deterrence analogy and towards other metaphors and analogies could allow for better thinking about and policy responses to the full spectrum of cyber threats. Ironically, taking the war out of cyber war could be the first step towards thinking more effectively about the possibility of cyber war. End of article


About the author

Sean Lawson is Assistant Professor in the Department of Communication at the University of Utah. His essays on science, technology, and security have appeared in the journals Social Studies of Science, Security Dialogue, Cold War History and Journal of Information Technology & Politics (forthcoming). He also writes about these issues for and
E–mail: Sean [dot] Lawson [at] utah [dot] edu



The author would like to thank his colleagues Anya Plutynski, Danielle Endres, Robert Gehl, and Michael Middleton for their valuable feedback and support in the preparation of this essay.



1. This phrase is borrowed from James Lewis of the Center for Strategic and International Studies and will be used throughout the remainder of this essay. See Lewis (2011).

2. Ortony, 1993, p. 2.

3. Lakoff and Johnson, 1980, p. 6.

4. Lakoff and Johnson, 1980, p. 5.

5. Beyerchen, 1997, p. 76.

6. Lakoff and Johnson, 1980, pp. 3 and 7.

7. Lakoff and Johnson, 1980, pp. 145–146; Schon, 1993.

8. Wyatt, 2004, p. 245.

9. Ortony, 1993, pp. 5–6.

10. Lakoff and Johnson, 1980, p. 10.

11. Lakoff and Johnson, 1980, p. 9.

12. U.S. Senate Armed Services Committee, 2010, p. 9.

13. Fortun and Bernstein, 1998, p. 37.

14. Tikk, et al., 2008, p. 30.

15. Chairman of the Joint Chiefs of Staff, 2004, p. 9.

16. Chairman of the Joint Chiefs of Staff, 2004, pp. 5, 9.

17. Dunlap, 2011, pp. 85–86.

18. Schmitt, 1999, p. 929.

19. Schmitt, 1999, pp. 914–915.

20. Schmitt, 1999, pp. 934–936.

21. Oscar Schachter quoted in Schmitt, 1999, p. 929.

22. Lewis, 2009a, 2010; Dunlap, 2011, p. 84.

23. Dunlap, 2011, pp. 84, 94.

24. Some have called into question the usefulness of cyber weapons and the degree to which they can even be called “weapons”; see Rid and McBurney, 2012.

25. Clarke and Knake, 2010, p. x.

26. Clarke and Knake, 2010, pp. 47–62.

27. Chairman of the Joint Chiefs of Staff, 2004, p. 1.

28. Kass, 2006, p. 7, emphasis added.

29. Chairman of the Joint Chiefs of Staff, 2006, p. C–1.

30. Libicki, 2009, p. iii.

31. Libicki, 2009, p. xv.

32. The Correlates of War data is available at, accessed 8 October 2011.

33. See “Cyber Events,” Center for Strategic and International Studies, at, accessed 8 October 2011, and “Keeping up with the hackers (chart),” CNET, at, accessed 8 October 2011.

34. Cooper, 2006, p. 122.

35. Ibid.

36. Cooper, 2006, p. 124.

37. Originally formed following World War II and coordinated by the MITRE Corporation, JASON is a group of prominent scientists who advise the United States government on science and technology, often with a focus on national security (Finkbeiner, 2006).

38. JASON, 2010, pp. 65–76.

39. U.S. Department of Homeland Security, 2011, p. 2.

40. U.S. Department of Homeland Security, 2011, pp. 10–11.

41. The report draws from publications of the Command and Control Research Program, accessed 9 October 2011.

42. Zedner, 2009, p. 47; Waever, 1995.



R. Adhikari 2009. “Civilization’ s high stakes cyber–struggle: Q&A with Gen. Wesley Clark (ret.),” TechNewsWorld (2 December), at, accessed 18 June 2012.

J. Arquilla, 2009. “Click, click ... counting down to cyber 9/11,” San Francisco Chronicle (26 July), p. E2.

R. Bendrath, 2003. “The American cyber–angst and the real world — Any link?” In: R. Latham (editor). Bombs and bandwidth: The emerging relationship between information technology and security. New York: Free Press, pp. 49–73.

R. Bendrath, 2001. “The cyberwar debate: Perception and politics in U.S. critical infrastructure protection,” Information & Security, volume 7, pp. 80–103.

A. Beyerchen, 1997. “Clausewitz, nonlinearity, and the importance of imagery,” In: D. Alberts and T. Czerwinski (editors). Complexity, global politics, and national security. Washington, D.C.: National Defense University, pp. 70–77.

A. Bousquet, 2009 The scientific way of warfare: Order and chaos on the battlefields of modernity. New York: Columbia University Press.

C. Carroll, 2011. “Congress demands cyber details while DOD aims for ambiguity,” Stars and Stripes (21 July), at, accessed 18 June 2012.

A. Cebrowski and J. Garstka, 1998. “Network–centric warfare: Its origin and future,” Proceedings of the U.S. Naval Institute, volume 124, number 1, pp. 28–35.

Chairman of the Joint Chiefs of Staff, 2006. The national military strategy for cyberspace operations. Washington, D.C.: Chairman of the Joint Chiefs of Staff.

Chairman of the Joint Chiefs of Staff, 2004. The national military strategy of the United States of America: A strategy for today; A vision for tomorrow. Washington, D.C.: Chairman of the Joint Chiefs of Staff.

S. Charney, 2010. Collective defense: Applying public health models to the Internet. Redmond, Wash.: Microsoft Corp.

R. Clarke, 2011. “China’s cyberassault on America,” Wall Street Journal (15 June), at, accessed 18 June 2012.

R. Clarke, 2009. “War From cyberspace,” National Interest (October/November), at, accessed 18 June 2012.

R. Clarke and R. Knake, 2010. Cyber war: The next threat to national security and what to do about it. New York: Ecco.

M. Cooper, 2006. “Pre–empting emergence: The biological turn in the war on terror,” Theory, Culture & Society, volume 23, number 4, pp. 113–135.

G. Cowan, D. Pines, and D. Metzer (editors), 1999. Complexity: Metaphors, models, and reality. Cambridge, Mass.: Perseus.

M. Dartnell, 2006. Insurgency online: Web activism and global conflict. Toronto: University of Toronto Press.

C. Dunlap Jr., 2011. “Perspectives for cyber strategists on law for cyber war,” Strategic Studies Quarterly volume 5, number 1, pp. 81–99.

J. Dunn, 2010. “North Korea ‘not responsible’ for 4 July cyberattacks,” Network World (6 July), at, accessed 18 June 2012.

M. Dunn Cavelty, 2011. “As likely as a visit from E.T.,” European (7 January), at, accessed 18 June 2012.

M. Dunn Cavelty, 2010. “The real cyberwar is about beating the crooks and the spooks,” Parliamentary Brief Online (29 October), at

M. Dunn Cavelty, 2007. Cyber–security and threat politics : U.S. efforts to secure the information age. New York: Routledge.

M. Dunn Cavelty and O. Rolofs, 2011. “From cyberwar to cybersecurity: Proportionality of fear and countermeasures,” Munich Security Conference (5 February), at, accessed 18 June 2012.

A. Finkbeiner, 2006. The Jasons: The secret history of science’s postwar elite. New York: Viking.

M. Fortun and H. Bernstein, 1998. Muddling through: Pursuing science and truths in the 21st century. Washington, D.C.: Counterpoint.

L. Freedman, 1989. The evolution of nuclear strategy. Second edition. New York: St. Martin’s Press.

R. Gates, 2009. “Memorandum for Secretaries of the Military Departments. Subject: Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations” (23 June), at[1].pdf, accessed 18 June 2012.

J. Geary, 2011. I is an other: The secret life of metaphor and how it shapes the way we see the world. New York: HarperCollins.

T. Gjelten, 2010. “Extending the law of war to cyberspace,” National Public Radio (22 September), at, accessed 18 June 2012.

D. Goldman, 2011. “China vs. U.S.: The cyber Cold War is raging,” CNN Money (28 July), at, accessed 18 June 2012.

S. Gorman and J. Barnes, 2011. “Cyber combat: Act of war,” Wall Street Journal (30 May), at, accessed 18 June 2012.

P. Griffiths, 2007. “World faces ‘cyber cold war’ threat,” Reuters (29 November), at, accessed 18 June 2012.

G. Hammond, 2001. The mind of war: John Boyd and American security. Washington, D.C.: Smithsonian Institution Press.

S. Harris, 2009. “The cyberwar plan,” National Journal (13 November), at, accessed 18 June 2012.

S. Helmreich, 2000. “Flexible infections: Computer viruses, human bodies, nation–states, evolutionary capitalism,” Science, Technology, & Human Values, volume 25, number 4, pp. 472–491.

B. Hibbitts, 1994. “Making sense of metaphors: Visuality, aurality and the reconfiguration of American legal discourse,” Cardozo Law Review, volume 16, pp. 229–356, and at, accessed 18 June 2012.

B. Hoffman, 1998. Inside terrorism. New York: Columbia University Press.

JASON, 2010. Science of cyber–security. McLean, Va.: MITRE Corp.

R. Jervis, 1976. Perception and misperception in international politics. Princeton, N.J.: Princeton University Press.

L. Kass, 2006. “Cyberspace: A warfighting domain,” presentation to Air Force Cyberspace Task Force (26 September), at, accessed 18 June 2012.

L. Kay, 2000. “How a genetic code became an information system,” In: A. Hughes and T. Hughes (editors). Systems, experts, and computers: The systems approach in management and engineering, World War II and and after. Cambridge, Mass.: MIT Press, pp. 463–492.

E. Keller, 1995. Refiguring life: Metaphors of twentieth–century biology. New York: Columbia University Press.

Y. Khong, 1992. Analogies at war: Korea, Munich, Dien Bien Phu, and the Vietnam decisions of 1965. Princeton, N.J.: Princeton University Press.

D. Kilcullen, 2010. Counterinsurgency. New York: Oxford University Press.

G. Lakoff and M. Johnson, 1980. Metaphors we live by. Chicago: University of Chicago Press.

G. Lamond, 2006. “Precedent and analogy in legal reasoning” (20 June) In: E. Zalta (editor). Stanford Encyclopedia of Philosophy, at, accessed 18 June 2012.

S. Lawson, 2011a. “Surfing on the edge of chaos: Nonlinear science and the emergence of a doctrine of preventive war in the U.S.,” Social Studies of Science, volume 41, number 4, pp. 563–584.

S. Lawson, 2011b. “Articulation, antagonism, and intercalation in Western military imaginaries,” Security Dialogue, volume 42, number 1, pp. 39–56.

J. Lewis, 2011. “Cyberwar thresholds and effects,” IEEE Security and Privacy volume 9, number 5, pp. 23–29.

J. Lewis, 2010. “The cyber war has not begun” (11 March), at, accessed 18 June 2012.

J. Lewis, 2009a. “The ‘Korean’ cyber attacks and their implications for cyber conflict” (23 October), at, accessed 18 June 2012.

J. Lewis, 2009b. “The fog of cyberwar,” International Relations and Security Network, at, accessed 18 June 2012.

M. Libicki, 2009. Cyberdeterrence and cyberwar. Santa Monica, Calif.: RAND.

M. Libicki, 1997. Defending cyberspace, and other metaphors. Washington, D.C.: National Defense University.

S. Liles, 2010. “Cyber warfare: As a form of low–intensity conflict and insurgency,” In: C. Czosseck and K. Podins (editors). Conference on Cyber Conflict Proceedings 2010. Tallinn, Estonia: CCD COE Publications, pp. 47–58.

W. Lynn, III, 2011. “Remarks on the Department of Defense cyber strategy,” presentation to National Defense University (14 July), at, accessed 18 June 2012.

J. Markoff and T. Shanker, 2009a. “Panel advises clarifying U.S. plans on cyberwar,„ New York Times (30 April), at, accessed 18 June 2012.

J. Markoff and T. Shanker, 2009b. “Halted ’03 Iraq plan illustrates U.S. fear of cyberwar risk,” New York Times (1 August), at, accessed 18 June 2012.

M. McConnell, 2010. “Mike McConnell on how to win the cyber–war we’re losing,” Washington Post (28 February), p. B01, and at, accessed 18 June 2012.

E. Morozov, 2009. “Cyber–scare: The exaggerated fears over digital warfare,” Boston Review (July/August), at, accessed 18 June 2012.

E. Nakashima, 2010. “Pentagon’s Cyber Command seeks authority to expand its battlefield,” Washington Post (6 November), at, accessed 18 June 2012.

P. Nerhot (editor), 1991. Legal knowledge and analogy: Fragments of legal epistemology, hermeneutics, and linguistics. Boston: Kluwer Academic.

R. O’Harrow, Jr. and E. McCarthy, 2004. “Top U.S. cyber–security official resigns,” Washington Post (2 October), p. A18, and at, accessed 18 June 2012.

A. Ortony (editor), 1993. Metaphor and thought. Second edition. New York: Cambridge University Press.

F. Osinga, 2007. Science, strategy and war: The strategic theory of John Boyd. New York: Routledge.

R. Ottis, 2010. “The vulnerability of the information society,” futureGOV Asia Pacific, volume 7, number 4, pp. 70–72.

C. Paparone, 2008. “On metaphors we are led by,” Military Review (November–December), pp. 55–64, and at, accessed 18 June 2012.

D. Perera, 2009. “Cyber deterrence dialog raises many questions,” Defense Systems (19 May), at, accessed 18 June 2012.

K. Poulsen, 2007. “‘Cyberwar’ and Estonia’s panic attack,” Wired: Threat Level (22 August), at, accessed 18 June 2012.

H. Raduege, 2011. “Deterring attackers in cyberspace,” The Hill (23 September), at, accessed 18 June 2012.

T. Ricks, 2009. The gamble: General David Petraeus and the American military adventure in Iraq, 2006–2008. New York: Penguin Press.

T. Rid and P. McBurney, 2012. “Cyber–Weapons,” RUSI Journal, volume 157, number 1, pp. 6–13.

D. Sanger, 2012a. “Obama order sped up war of cyberattacks against Iran,” New York Times (1 June), at, accessed 18 June 2012.

D. Sanger, 2012b. “Mutually assured cyberdestruction?” New York Times (2 June), at, accessed 18 June 2012.

A. Saperstein, 1997. “Complexity, chaos, and national security policy: Metaphors or tools?” In: D. Alberts and T. Czerwinski (editors). Complexity, global politics, and national security. Washington, D.C.: National Defense University, pp. 44–61.

B. Sasso, 2012. “House GOP leaders rebuff White House push on cybersecurity mandates,” The Hill (18 April), at, accessed 18 June 2012.

M. Schmitt, 1999. “Computer network attack and the use of force in international law: Thoughts on a normative framework,” Columbia Journal of Transnational Law, volume 37, pp. 885–937.

B. Schneier, 2009. “Keynote address. Presentation to Conference on Cyber Conflict,” NATO Co–operative Cyber Defence Centre of Excellence, Tallinn, Estonia (18 June).

D. Schon, 1993. “Generative metaphor: A perspective on problem–setting in social policy,” In: A. Ortony (editor). Metaphor and thought. Second edition. New York: Cambridge University Press, pp. 137–163.

A. Sternstein, 2011. “Former CIA director: Build a new Internet to improve cybersecurity,” Nextgov (8 July), at, accessed 18 June 2012.

E. Tikk, K. Kaska, K. Rünnimeri, M. Kert, A.-M. Talihärm, and L. Vihul, 2008. Cyber attacks against Georgia: Legal lessons identified. Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, at, accessed 18 June 2012.

U.S. Department of Defense, 2011. Department of Defense strategy for operating in cyberspace. Washington, D.C.: Department of Defense.

U.S. Department of Homeland Security, 2011. Enabling distributed security in cyberspace: Building a healthy and resilient cyber ecosystem With automated collective action. Washington, D.C.: Department of Homeland Security.

U.S. Senate Armed Services Committee, 2010. “Advance Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command,” United States Senate (15 April), at April/Alexander%2004-15-10.pdf, accessed 18 June 2012.

O. Waever, 1995. “Securitization and desecuritization,” In: R. Lipschutz (editor). On security. New York: Columbia University Press, pp. 46–86.

L. Weinreb, 2005. Legal reason: The use of analogy in legal argument. New York: Cambridge University Press.

White House Press Office, 2009. “Remarks by the President on securing our nation’s cyber infrastructure,” White House Press Office (29 May), at, accessed 18 June 2012.

S. Wyatt, 2004. “Danger! Metaphors at work in economics, geophysiology, and the Internet,” Science, Technology, & Human Values, volume 29, number 2, pp. 242–261.

L. Zedner, 2009. Security. New York: Routledge.

K. Zetter, 2009. “Lawmaker wants ‘show of force’ against North Korea for Website attacks,” Wired: Threat Level (10 July), at, accessed 18 June 2012.

M. Zimmer, 2004. “The tensions of securing cyberspace: The Internet, state power and The National Strategy to Secure Cyberspace,” First Monday, volume 9, number 3, at h, accessed 18 June 2012.


Editorial history

Received 31 October 2011; revised 27 April 2012; revised 6 June 2012; revised 17 June 2012; accepted 18 June 2012.

Creative Commons License
This paper is licensed under a Creative Commons Attribution–NonCommercial–ShareAlike 3.0 Unported License.

Putting the “war” in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States
by Sean Lawson
First Monday, Volume 17, Number 7 - 2 July 2012