Foreign Policy Watch

Geopolitical musings through a progressive lens …by Matt Eckel and Jeb Koogler

Cyberwarfare and Sir Francis Drake

Yesterday, the Times had a story about how the Stuxnet worm, a piece of malware designed to attack a particular kind of industrial control computer used at Iran’s nuclear facilities (in addition to those of a number of other countries) might contain a biblical reference to the book of Esther and the pre-emptive foiling of a Persian plot. Nobody said hackers/intelligence types have no sense of humor.

Putting aside questions of authorship for a moment, though, the article got me thinking about potential historical parallels to the emerging phenomenon of cyber attacks like this. There have been a number of instances in recent years in which international tensions have found expression – intentional or not – in campaigns of electronic disruption and harassment. It seems to me that an interesting parallel can be found in the era of New World piracy/privateering in the 16th and 17th centuries. Both phenomena – peacetime cyber attacks and piracy – give states the ability to, in a sense, poke each other with a stick. They can harass, annoy and disrupt a state’s operations and slow its attainment of political or economic goals without providing sufficient strategic imperative for a stronger, more direct response from the target state. As today’s article underlines, they also leave murky trails of responsibility, and the risk that a particular cyber attack will be definitively traced to a particular government is quite low, especially if intelligence agencies act through private proxies. As the article points out, murky lines of authority make cyber deterrence quite difficult (also like the ‘peacetime’ piracy/privateering of an earlier era), and I wouldn’t be surprised to see this kind of behavior, lying as it does on the borders of state policy, economic opportunism and criminality, increase sharply in the near future.

This is not to deny that this kind of behavior has drawbacks for its perpetrators. Also like early moder piracy, when privateers recruited during war came back to haunt their erstwhile paymasters in peace, I imagine the danger of “blowback” associated with this kind of activity will increase along with its frequency. Putting state resources into the hands of semi-affiliated actors with their own motives and goals is sure to have unintended consequences. It should also be remembered that piracy did on occasion lead to more serious escalations of hostilities (there was that whole Spanish Armada thing), and that an unstable deterrence regime may make state responses to particularly serious cyber threats unpredictable.

Something to keep a weather eye on.

Subscribe to Our Posts

Comments Closed


  1. Very interesting point.
    What I would like to add is, that this kind of cyberterrorism/-warfare can be done by any sufficiently big organisation. (Unlike training an army, for which you need to control some territory.)
    This fits nicely into your pirate analogy, where in the 17th century organisations like the east India company and the VOC did acquire semi-extraterritorial rights (at least in the colonies).

  2. Very good point. The converse is also of course true. Non-state actors can be (and frequently are) targets of such action, as with the East India company and its battle against piracy for much of the early modern period. Raises interesting questions about state/non-state boundaries. For example, to what extent does an attack on Google that may or may not come from state or semi-state actors implicate the American state in a response?

  3. There are really many interesting questions :) So let me sketch another two of them.
    First in reply to your example: The difference to an American farmer is quite strange. It would be an act of war, if Russia occupies the land of one American farmer. By contrast an attack on Google would likely be seen as a crime not as warfare. This raises the question, does Google have a right to retaliate against an attack from an foreign (state/ non-state) power?

    And second, what would Germany do in case of an attack on Google? My point here is, critical infrastructure can be located outside of an country.