A preliminary engagement with the spatiality of power in cyberwar

The growing prevalence of cyberwar highlights rapidly shifting conceptions of geopolitical space in global politics. However, critical geographical engagement with the topic remains limited, leaving the geopolitical spaces of cyberwar critically unexamined. To facilitate greater geographical engagement with cyberwar, this paper proposes a spatiality of power model to examine how political space and power might manifest in cyberwar. The model proposes four ways in which political space and power manifest offline and how the model can be applied towards cyberwar. The utility of the model is then applied as a framework for examining three well-known cyberwar case studies: the Estonia–Russia 2007 cyberwar, the Georgia–Russia cyber and kinetic war in 2008, and the U.S.-Iran cyberwar from 2010 to 2013 with a focus on the Stuxnet malware.

Thus, the purpose of this paper is to offer a preliminary geopolitical engagement between states, space, and power in cyberwar.It does so by taking a spatiality of power model developed by Durand et al. (1993), Lévy (2007), and expanded by Agnew (1999Agnew ( , 2003) ) and utilizing it as a conceptual lens through which to view cyberwar geographically through three famous cyberwar case studies.

Framing space and power on the internet
Early Internet scholarship focused on its emancipatory potential to create a separate distinct cyberspace (Graham, 2013).This vision was famously articulated by John Perry Barlow in his 'Declaration of the Independence of Cyberspace' which stated that cyberspace was independent and 'the new home of Mind' (Barlow, 1996).Nation-states, Barlow's 'weary giants of flesh and steel' were antiquated and the Internet would give people a new and democratic voice (Diamond, 2010).
This early cyber-utopianism would not last.As a result of the 1998 Moonlight Maze cyberattack where Russia exfiltrated classified data, the United States moved towards securitizing cyberspace (Haizler, 2017).This attack resulted in Presidential Decision Directive 63, which defined critical infrastructure to be protected in cyberspace and created the Joint Task Force Computer Network Defense to defend cyberspace (Haizler, 2017).Soon, other countries incorporated cyberwar into their armed services and passed laws to defend their domestic Internet (Flournoy & Sulmeyer, 2018).These efforts have continued, with the current U.S. cybersecurity budget exceeding $17 billion (Ratnam, 2019).But defending the 'cyber homeland' is not new: in the 1980s, the former Soviet Union pioneered the creation of 'national cyberspace', including cyberwar operations in official military doctrine (FitzGerald, 1997).
Efforts to territorialize cyberspace extend beyond cyberwar to the development of 'Internet borders' with online censorship and Internet shutdowns.This idea of Internet 'balkanization' along national borders first appeared in scholarship in the year 2000 (Kesan & Hayes, 2011).The trend continues with 2020 marking the ninth year of increases in global Internet censorship (Shahbaz & Funk, 2020).Currently, 2.1 billion people live under a censored Internet-more than at any period in the Internet's history (Shahbaz & Funk, 2020).Additionally, 2019 saw the highest number of national Internet shutdowns: 213 shutdowns in 33 different countries, up from 196 shutdowns in 25 countries in 2018 (Taye, 2020).These states argue that they have full sovereignty over their cyberspace (Mueller, 2019).
Beyond states, corporations and private users exercise powers to create and re-create spaces online.For Lambach (2019), corporations create private territories through sign-up requirements and the lack of interoperability between their platforms while users create 'virtual territories' through private encrypted chats and curated content.Other geographers have explored related avenues of digital creations of digiplace, geographies of information and information geographies, neogeographies, and private and public spatialities (Adams, 1998;Graham, 2015;Kitchin & Dodge, 2011;Zook & Graham, 2007;Zook et al., 2004).
The idea of Westphalian sovereignty in cyberspace has been contested, most notably by Milton Mueller who argues that states do not seek territory but 'alignment' of their Internet with national interests (Mueller, 2017).In security studies, however, scholars have reinforced the idea of territory in cyberspace, leading to contested engagement with the relationship between states, space, and power online (Hughes & Colarik, 2017;Libicki, 2007).Indeed, a multiplicity of perspectives exist on the future of space and power on the Internet -framing it as a choice between liberation and control (Deibert & Rohozinski, 2010), increasing democracy (Diamond, 2010), or surveillance and capitalism (Dobson & Fisher, 2007).
Geographers have also wrestled with the Internet, space, and power.Adams argued that 'the integration of society through computers facilitates control and territoriality' (Adams, 1997, 168) while Gregory (2011) articulated key spatialities in cyberwar, questioning where borders begin and end in cyberspace.Warf has examined cyberspace from multiple perspectives, including Arab and North Korean internets, Internet censorship, cyberterrorism, and arguing for cyberwar to be a focus of geographical work (Fekete & Warf, 2013;Warf & Fekete, 2016;Warf, 2007Warf, , 2011Warf, , 2015aWarf, , 2015b)).Geographers have also seen cyberspace as disguising a multiplicity of interactions in a spatial metaphor (Graham, 1998), as a distinct geographical domain (Holloway, 2018), multiscalar (Kellerman, 2016), inscribed with power (Sassen, 1997), as an interdependency between the physical and digital (Zook & Graham, 2007).Others, such as Kitchin andDodge (Kitchin &Dodge, 2005, 2011), have emphasized space and code, moving from cyberspace as disembodied metaphor and towards a space of continual becoming.

Understanding the spatiality of power
The relationship between state, space, and cyberwar remains largely unexamined in geographical literature.Indeed, the engagement has situated spatialities of power in cyberwar as operating in opposition to, or contrasted with, the territorial state.This has maintained the territorial state as the sole unit of spatial analysis on the Internet around which other forms of space and power revolve.
In his influential Terror and Territory, Elden (2009) argues that the U.S. War on Terror and terrorism call into question the relationship between states, sovereignty, and territory.Elden argues that the territorial trap of the 'sovereignty-territory bind' requires a re-thinking of the two concepts.He cites contingent sovereignty in the War on Terror or humanitarian intervention that belies the idea that states have a territorial monopoly on violence.Cyberwar, with its fuzzy battlefronts, uncertain distinction between combatant and non-combatant, ease of embedding resources in a country to attack that country, rapid dissemination of disinformation, attributional ambiguity challenge this territorial trap.
The most recent U.S. Department of Defense Cyber Strategy (United States Department of Defense, 2023) articulates this contingent sovereignty by stating that the United States will actively 'defend forward' by pre-emptively infiltrating the computer networks of foreign countries (Sanger, 2019).In the same report, the United States declares cyberspace a 'warfighting domain' with cyber-assets considered part of the homeland's critical national infrastructure.Sovereignty is stressed as inviolable for the U.S. and held as contingent for its opponents.This collapses what Elden calls 'the sovereign fiction that states have a monopoly of legitimate violence within their territory' (Elden, 2009, 177).This fiction rests on three geographical assumptions, known as the territorial trap: (1) that all states have exclusive power over their territory; (2) that the domestic and foreign are separate spaces governed by different rules; (3) that the boundary of the state is the boundary of society (Agnew, 2015, 43).However, the territorial trap as a state-centered conceptual framework cannot adequately frame the complexities of cyberwar.What is needed are theoretical interventions to go beyond it.
To accomplish this, the paper uses a spatiality of power model originally developed by Durand et al. (1993) and Lévy (2007) as a geographical lens to examine cyberwar.This model is a way to think about the globalizing world in four different spatialities, extended by Agnew (1999Agnew ( , 2003) ) as seeing 'beyond geopolitics'.
The model corresponds loosely with the spatiality of power in historical epochs of human political, social, and technological development.As originally presented, it emphasized how actors, space, and power relate when power is not tied to a territorial state.These four spatialities are: ensemble of worlds, field of forces, hierarchical network, and world society.

Ensemble of worlds
This model echoes early pre-Columbian world cultural regions.Here, cultures and societies are isolated except for sporadic trade interactions.In Fig. 1 this is represented by black dots of varying sizes separated by white space.Power is directed towards the maintenance and sustenance of the culture within its Fig. 1 Ensemble of worlds (Agnew, 1999, 505) 'natural' boundaries.Space is perceived as an obstacle to overcome or manage, and regions have a sense of significant difference beyond their boundaries with little idea of other regions.

Field of forces
This model maps existing states with rigidly defined territories in a geographical zero-sum game in which territorial gains come at the expense of others.The dominant approach to space is through states which contains the society's political, economic, and social actions with clearly articulated rights and responsibilities within demarcated boundaries.These boundaries are created, modified, and reified through technological interventions (Elden, 2007;Rose-Redwood, 2012).In Fig. 2 polities have expanded through geographical space and have encountered other polities, with this expansion represented by arrows.

Hierarchical network
The hierarchical network moves from rigid state spaces towards cores, peripheries, and semi-peripheries connected by flows.These nodes exist in a global network where the dominant connections are trade, information, labor, and finance.Figure 3 represents this through arrows representing flows and larger dots representing cores, smaller dots representing semi-peripheries, and the smallest dots being peripheries.This is a pattern consistent with contemporary globalization where power is based on relative location to global centers.This model's spatiality is networked, focused on nodes, areas, and a global flow hierarchy of people, information, capital, and trade goods (Agnew, 1999).

World society
The world society model is focused on globallyintegrated and structured communities, identity, and economics.Problems, such as climate change or inequality, become increasingly framed and discussed globally and transcend rigid state borders.Communications are unhierarchical amongst networks whose spread and growth is 'rhizomatic'.The centers of power revolve around social groups rather than bounded entities or location.Space and time are reciprocal, and time-based activities can be framed in terms of space, and vice-versa.Real and virtual spaces also operate reciprocally and are in many ways indistinguishable.Figure 4 represents this through polities of different sizes connected via lines representing multidirectional connections between the entities.(Agnew, 1999, 505) Fig. 3 Hierarchical network (Agnew, 1999, 505) Fig. 4 World society (Agnew, 1999, 505) The spatiality of power in action: case studies To illustrate how the spatiality of power model can be used as an analytical tool for cyberwar, this paper will examine three well-known case studies.
The first case, the 2007 cyberwar between Russia and Estonia, was the first international event to be broadly described as cyberwar.It precipitated a state of national emergency in Estonia with calls for a potential armed response by NATO.The second example, the Russian invasion of Georgia in 2008, was the first-time cyberwar was used in a direct coordination with kinetic ground conflict.The third case, a series of cyberconflict incidents between Iran and the United States, features the world's first and most sophisticated cyberweapon.

Russia and Estonia cyberwar: 2007
The Russia/Estonia cyberwar began in 2007 after a parliamentary proposal to relocate a statue (commonly known as the "Bronze Statue) commemorating Soviet soldiers who died liberating Estonia from Nazi Germany to a military cemetery.Ethnic Russians, comprising nearly a quarter of the population (Greene, 2010), viewed the monument as a symbol through which their minority rights were respected while many ethnic Estonians saw it as a symbol of totalitarianism (Ehala, 2009).
Tensions reached a critical point in April 2007 during a series of violent protests and riots called the 'Bronze Night' (Kaiser, 2015).Over a thousand ethnic Russians rioted for more than two days, burning cars and buildings, resulting in one death, hundreds of arrests, and over 100 injuries (BBC, 2007).At the same time, protesters in Moscow besieged the Estonian embassy, attacking anyone who attempted to leave or enter the building, including the Estonian ambassador.The siege prompted diplomatic intervention by the European Union (Finn, 2007).
On the first night of the protests, April 27, Russian discussion forums, chat rooms, blogs, and social media were filled with calls to action against Estonian Internet targets (Schmidt, 2013).These websites provided easy-to-use tools and a list of targets for Russians to attack.The posts and tools became popular, allowing non-technical citizens to participate.The initial list of targets included the Estonian parliament, presidency, and various government ministries (Traynor, 2007).This began a Distributed Denial of Service (DDoS) attack, flooding websites with traffic, rendering them inaccessible.The success of the attacks encouraged more users to participate, sending over 4 million data packets per second to the country in contrast to Estonia's usual traffic of 20,000 packets per second (Davis, 2007).
More advanced hackers defaced government websites and replaced images of elected officials with images of famous Nazis (Herzog, 2011).The sophistication of the attacks grew with the use of networks of hijacked computers ('botnets') to augment the cyberattacks.At the peak, Estonia was attacked by over 1 million computers-nearly matching the country's population (Thilek, 2009).There were over 125 separate DDoS attacks, and mass-emailing systems were used to overwhelm and shut down government email servers (Thilek, 2009).These attacks were severe enough to cause physical damage to routers and email servers (Thilek, 2009).
The initial target list of political websites expanded to include businesses, banks, Internet service providers, and email addresses of all members of the Estonian parliament and government agencies (Lesk, 2007).The attacks rendered inaccessible the websites of the Estonian presidency, parliament, most government ministries, many political parties, the three largest news agencies in the country, most of the country's banks, the national Internet service provider, and most private Internet service providers (Thilek, 2009).
Citizens were unable to withdraw money from cash machines, government systems were unable to be updated, and email communications between citizens, government, and business was shut down (Thilek, 2009).Despite the scale of the attacks, Estonia took steps to defend itself but was quickly overwhelmed.As a result, Estonian Internet service providers were forced to disconnect users from the Internet, and at the national level Estonia resorted to blocking all traffic originating from outside its borders, isolating itself from the rest of the world.Automated financial transactions, regulatory filings, and criminal justice proceedings, were also disrupted (Schmidt, 2013).
Through digital forensics, researchers determined that the initial attacks started on Russian language forums (Schmidt, 2013).The second wave, utilizing global botnets was more difficult to locate.Given the parallels between targets and attacks, security researchers assumed that the source behind the botnets was Russia.This was supported by discoveries implicating IP addresses used by Russian criminal organizations in previous attacks, admissions of guilt by the state-sponsored Russian Nashi youth movement, and the refusal of Russian authorities to cooperate with Estonian and EU investigations (Clarke & Knake, 2012;Schmidt, 2013).
The severity of the attacks prompted the Estonian Minister of Defense, Jaak Aaviksoo, to consider invoking NATO's Article 5 requirement that the alliance aid members under attack (Davis, 2007).He stated that: All major commercial banks, telcos, media outlets, and name servers-the phone books of the Internet-felt the impact, and this affected the majority of the Estonian population.This was the first time that a botnet threatened the national security of an entire nation.(Davis, 2007).
NATO declined to intervene, citing lack of precedent and believing that the attack was insufficiently dangerous (Kaiser, 2015;Wolff, 2014).Eventually, the attacks slowed, allowing Estonia to regain control over its cyberspace.As a result of these attacks being 'the birth of cyberwar', NATO established its Cooperative Cyber Defence Centre of Excellence (CCD-CoE) in the Estonian capital Tallinn in 2008 (Kaiser, 2015).

Russian invasion of Georgia: 2008
Russian and Georgian claims over the regions of Abkhazia and South Ossetia had caused conflict between the two states since the fall of the Soviet Union (Hollis, 2011).Under the Soviet Union, the region of South Ossetia was autonomous, and Russia had encouraged South Ossetian separatism since 1990 (Cohen & Hamilton, 2011).At the same time, Abkhazian separatists received military support from Russia while Georgia fought two wars to regain control of these breakaway regions in the years following Soviet collapse (Cohen & Hamilton, 2011).In both instances Georgian troops were defeated by a mixture of local secessionists and Russian irregular troops (King, 2008).As a result, the regions enjoyed de facto independence and were recipients of Russian foreign aid (Kolossov & O'Loughlin, 2011).
In 2008, Georgia accused Russia of shooting down an unmanned drone operating in or near Abkhazia (BBC, 2008).Days later, Russian troops moved into Abkhazia under the pretext of defending Abkhazia from Georgian aggression.Almost simultaneously in South Ossetia, separatists broke a cease-fire and began attacking Georgian troops.Georgian President Mikhail Saakashvili, who had promised to regain the breakaway regions, sent troops into South Ossetia (King, 2004).This intervention prompted thousands of Russian troops to advance into South Ossetia and Georgia, with Russian airstrikes hitting Georgian targets (Deibert et al., 2012).Ultimately, Russia and Georgia signed a cease-fire which saw Abkhazia and South Ossetia gain de facto independence.
In the weeks before the ground invasion, Georgian Internet infrastructure was attacked by external agents, assumed to be Russian (Hollis, 2011).In July 2008, Russian hacker forums, blogs, and online communities contained many posts about methods and tactics for attacking Georgian targets, emphasizing the DDoS and website defacements used against Estonia.Arbor Networks, a prominent global security firm, noticed a heightened amount of 'noise' in July 2008 coming from Russia's hacker and cybercriminal underground, indicating a high level of premeditation and strategic oversight behind the attacks (Markoff, 2008).
The first wave of attacks occurred hours after the ground invasion and consisted of DDoS against over 50 websites, government servers, and national communications infrastructure (Bumgarner & Borg, 2009;Hollis, 2011).The attacks came from botnets whose IP addresses were affiliated with Russian organized crime and the unofficially state-sanctioned 'Russian Business Network' which was connected to the attacks against Estonia in 2007 (Korns & Kastenberg, 2008;Markoff, 2008;Stapleton-Gray & Woodcock, 2011) (Fig. 5).
A second wave of attacks utilized participatory DDoS by providing an easy-to-use tool for Russian citizens to attack Georgian websites.This wave targeted financial institutions, business associations, and educational websites (Bumgarner & Borg, 2009).The attacks disrupted the ability of Georgia to make financial transactions as the Internet was essential for commerce and trade.The attacks were so successful that the National Bank of Georgia severed all Internet connections for ten days, leaving it unable to operate (Bumgarner & Borg, 2009).
Despite the low-level of Internet penetration in Georgia, Russian hackers modified their attack plans to deprive the Georgian government of the ability to communicate or disseminate information.These attacks rendered the majority of governmental websites inoperative, forcing the Georgian government to relocate its official business to Google's Blogspot service in the United States and to other U.S. based hosts (Kastenberg, 2009;Korns & Kastenberg, 2008).The Georgian IT community also reached out to Estonian officials who connected them to EU and NATO experts to bolster Georgia's defenses by altering the European Internet infrastructure upon which Georgia relied (Bumgarner & Borg, 2009) (Fig. 6).
What distinguishes these attacks is the linkage between online attacks and offline military action.Once Russian commanders had established a foothold in Georgian territory, cyberattacks were intensified and designed to sow confusion amongst the general populace, government functionaries, and financial and political elites (Bumgarner & Borg, 2009;Hollis, 2011).This was demonstrated by directing cyberattacks towards local news and government communications services in the city of Gori at the same time as the Russian ground and air offensive against the city.The attacks were specific enough that intelligence analysts were able to use DDoS attacks to anticipate where Russian ground attacks were focused or imminent (Hollis, 2011).

The United States and Iran: 2010-2016
The third case examines a series of attacks between the United States and Iran from 2010 through 2013, with emphasis on the well-known Stuxnet case.Although it is argued this cyberwar is still ongoing, this paper will focus on the most well-known and foundational attacks (Greenberg, 2019;Nakashima, 2019;Perlroth & Krauss, 2018).
The US/Iran cyberwar begins with Stuxnet, malicious software designed to destroy industrial components in Iran's nuclear enrichment facilities, erase evidence of its presence, and deceive computer administrators into believing that systems were Fig. 5 Defaced Georgian parliament website (Markoff, 2008) Vol:.( 1234567890) normal (Gross, 2011;Markoff, 2011).The discovery of Stuxnet sent ripples through cybersecurity communities because it was the first 'cyberweapon' designed to destroy physical infrastructure and was sophisticated enough to have accomplished its objective virtually undetected (Gross, 2011;Sanger, 2019).
Stuxnet was designed to alter speeds on nuclear centrifuges to cause them to malfunction and explode (Gross, 2011;Zetter, 2014).It did this by targeting software developed by the German company Siemens used to power centrifuges, specifically model S7-300 (Falliere et al., 2011;Gross, 2011;Zetter, 2014).If the Siemens software was not found, Stuxnet would delete itself from the computer.It would, however, spread to other computers and continue scanning for S7-300 (Falliere et al., 2011).
If the Siemens software was found, Stuxnet would scan the system for disk drives used on the S7-300 system from two vendors: Vacon from Finland and Fararo Paya from Iran.The existence of these drives would confirm to Stuxnet that this system was a valid target, and Stuxnet would examine the centrifuges for those spinning at certain frequencies (Falliere et al., 2011;Shakarian, 2011).If these elements were present, Stuxnet would cause the centrifuges to rapidly increase and decrease in rotational speed, stressing the centrifuge and forcing it into collision with its housing, destroying it (Stark, 2011).While these centrifuges were spinning, Stuxnet would feed information to centrifuge operators indicating that systems were normal (Gross, 2011;Markoff, 2011) (Fig. 7).
Stuxnet faced a significant problem reaching Natanz because the facility was air-gapped (disconnected from the Internet) as a security precaution.To address this, Stuxnet developers ensured that it could spread through infected USB drives.Stuxnet's developers also targeted the internal systems of five companies that intelligence sources believed were working with Iran's nuclear program (Zetter, 2014).The hope was that someone from these companies would unwittingly take an infected drive into Natanz and allow the malware to infect the facility (Sanger, 2019;Zetter, 2014Zetter, , 2015)).This was successful, as employees of those companies posted questions to anti-virus forums asking for help with unusual problems associated with Siemens software (Zetter, 2014).According to Zetter (2014): But by August that year, only 4,592 centrifuges were enriching at the plant, a decrease of 328 centrifuges since June.By November, that number had dropped even further to 3,936, a difference of 984 in five months.What's more, although new machines were still being installed, none of them were being fed gas.(Zetter, 2014) Stuxnet was discovered in July 2010 by Belarusian security firm VirusBlokAda (Gross, 2011).Security analysis pointed towards state sponsorship of its development by the United States and Israel (Sanger, 2012), as the sophistication of the code indicated access to resources beyond those available to nonstate actors.
The discovery and dissection of Stuxnet did not slow the cyberwar against Iran.Shortly after discovering Stuxnet, security researchers discovered another malware, codenamed Duqu in two countries: Sudan and Iran.Duqu exfiltrated information on industrial command and control systems by recording keystrokes and screenshots and sending them back to servers located in 'Vietnam, India, Germany, Singapore, Switzerland, the UK, the Netherlands, Belgium, South Korea' (Kamluk, 2011).The malicious intent of the software and geographic specificity led researchers to conclude that Duqu was a follow-up to Stuxnet designed to survey the post-Stuxnet landscape in preparation for future attacks (Symantec Security Response, 2011).Other attacks included 'Mahdi' designed to exfiltrate industrial control information out of Iran and 'Gauss' exfiltrating data from Iran's proxies in Lebanon (Gross, 2013).
The scale of U.S. activities against Iran, dubbed 'Operation Olympic Games' and the unambiguous source and targets did not go unnoticed by the Iranian government (Sanger, 2012).Iran declared  (Finin, 2010) that it would be increasing its cyberwar potential and expanding its cyber-army to identify threats and project power abroad (Gross, 2013).In March 2012 Iran's Supreme Leader Ayatollah Ali Khamenei established the High Council of Cyberspace with $1 billion in funding (Berman, 2012).
After Stuxnet, Iran counterattacked U.S. interests.The first attack, in July 2011, targeted DigiNotar, a Dutch firm which issues encryption certificates used to encrypt communications for banking, social media, or email (Galperin et al., 2011;Gross, 2013).Iran was able to issue compromised certificates and intercept the emails of over 300,000 Gmail users while the breach threatened global encrypted communications (Arnbak & Van Eijk, 2012;Galperin et al., 2011;Gross, 2013).
Iran's success with DigiNotar prompted the world's Internet browsers to immediately stop accepting their certificates, an unprecedented move which demonstrated Iran's technical sophistication in cyberwar (Zetter, 2011b).The security risk was significant enough for the Dutch government to take ownership of the firm, prompting a major restructuring of Dutch encryption certificate-issuing authorities (Arnbak & Van Eijk, 2012;van der Meulen, 2013;Zetter, 2011b).
Iran's next target was Saudi Aramco.At the time, it was the largest cyberattack against a corporation and the first whose purpose was destruction of data rather than exfiltration or surveillance (Gross, 2013).Codenamed Shamoon, it occurred on August 15, 2012, infecting and erasing data on over 30,000 computers and replacing screens with an image of a burning American flag (Gross, 2013).Saudi Aramco was forced to replace these compromised drives, temporarily driving up global prices on computer disk drives (Rashid, 2015).Digital forensics indicated that an insider with physical access to the machines used an infected USB drive to plant the virus.The malware then automatically replicated and spread through 75% of Saudi Aramco's communications network.It erased essential data related to refining and exploration, eventually infecting company computers around the world, including in the Netherlands and the United States (Bronk & Tikk-Ringas, 2013).
Iran's retaliation continued after Shamoon.In September 2012, U.S. banks and financial firms encountered the most sophisticated DDoS attacks ever detected.The attacks came from global datacenters and targeted 'Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC' (Perlroth & Hardy, 2013;Peterson, 2013).The attack's traffic was significantly larger than the total of traffic used in the Russian cyberwar against Estonia, with researchers claiming that the attacks were more than 10 times larger than any known DDoS attack (Gross, 2013;Perlroth & Hardy, 2013) (Fig. 8).
In the previous case studies, states leveraged globally dispersed networks of malware infections controlled by centralized 'command and control' servers.These Iranian DDoS attacks, dubbed Operation Ababil, eschewed that cyber-geographic orthodoxy and infected concentrated cloud storage servers in datacenters with a malware known as 'itsoknoproblembro'.This malware evaded detection and spread rapidly through thousands of servers.Security researchers stated that the attacks exceeded 70 gigabits (Perlroth & Hardy, 2013).By comparison, at that time, midsize businesses routinely had less than 1 gigabit of traffic and a large international bank would barely reach 40 gigabits of traffic during peak usage (Perlroth & Hardy, 2013).The banks incurred large costs, with some paying more than $10 million for emergency DDoS defense (Gross, 2013).

The spatiality of cyberwar: discussion of the case studies
The complexities of space and power in these case studies highlight the need for thinking beyond territory.The spatiality of power model offers one potential avenue of moving beyond territory in cyberwar.

Ensemble of worlds
In the ensemble of worlds, power is articulated through separation of human groupings, with limited connectivity, and power concentrated and directed internally rather than externally.The spatial focus is on separation.
While the idea of separation may be at odds with connectivity in a digital age, it remains relevant in the modern state's co-production of space and secrecy (Paglen, 2010).The secretive Dimona labs where Stuxnet was developed and Iran's Natanz facility are located in remote deserts, which are air-gapped with multiple levels of security and military defense (Broad et al., 2011;Zero Days, 2016;Zetter, 2011a).The disconnection of these secretive spaces made them more powerful-requiring substantial more effort and work to infiltrate and attack (Sanger, 2019).Indeed, efforts to infect Natanz relied upon crossing the air-gap, utilizing both undercover physical infiltration, targeted infections, and global malware spread to increase the odds of crossing the air-gap (Zero Days, 2016).
Beyond physical separation, firewalls and antivirus software create digital spaces of separation.Computers located behind secured networks are connected to the broader Internet but disconnected from the world of malware infection.However, 'zero days' which are exploits with no defense, were used by Stuxnet and can overcome these defenses to infiltrate separated spaces (Huskaj & Wilson, 2020).Due to this ability, zero day exploits are expensive and difficult to procure, with RAND estimating that one exploit costs an average of US $30,000, making them mostly used by states (Ablon & Bogart, 2017).The lack of separation through effective anti-virus software creates spaces of vulnerability from connectivity, forming the backbone of the global DDoS networks which utilize thousands of poorly-defended computers to orchestrate DDoS attacks.
Disconnection also becomes power with the ability to disconnect from the Internet forcibly or defensively.The DDoS attacks in the cases of Russia and Estonia/Georgia were efforts to separate these states from the global Internet.Given the disparity of available resources between Russia and Estonia/Georgia, a powerful state is one which can resist separation or can easily separate others.At the same time, Estonia disconnected itself from the Internet to retain domestic communicative power.Thus, space and power in cyberwar can manifest simultaneously with and in separation.

Field of forces
The field of forces model sees power within territorial states where the state has total control over its territory and where border expansion comes at the expense of others.The focus in this model is on power within boundaries.
The DDoS-focused case studies demonstrated how power can be distributed globally by infecting millions of computers and using them to attack a territorial state.In the face of overwhelming attacks directed towards its national cyberspace, Estonia leveraged territorialized power by disconnecting from the Internet.In this way Estonia maintained some domestic connectivity to allow critical national services to continue to operate and simultaneously stopped the attack.While Russian DDoS power was globally dispersed and not bound by its territory, Estonia's power manifested in its territorial power to disconnect.
Territorial boundaries in cyberwar also manifested in the case of Georgia.The Russian attacks focused on targets within Georgia's territory in coordination with a kinetic ground invasion.In response, rather than disconnect, Georgia relocated key government services to the territory of the United States.Georgia Vol:.( 1234567890) used TSHost and Google's US-based infrastructure which offered robust protections and were located in a neutral country (Kastenberg, 2009).
By determining the structure of Iran's Natanz facility through traditional intelligence work, Stuxnet's developers crafted a cyberweapon targeting a specific industrial control system.They did so by embedding the details of Iran's technical systems within the malware itself.This was to deliberately limit the potential for outside discovery, minimize damage or disruption to non-targeted systems, and to ensure that the correct targets were destroyed.Indeed, while much of the Internet operates on similar hardware and software worldwide, how these systems are used and deployed varies by geography and is influenced by the state's technical and social structures (Golumbia, 2009;Takhteyev, 2012).Here, territory in cyberwar manifests in the development and deployment of cyberweapons which embed territorial particularities in code.

Hierarchical network
The hierarchical network emphasizes cores, semiperipheries, peripheries as nodes in a global network of flows.The focus is on networks connecting global hierarchies of nodes.
Global computing power is arranged in a core/ periphery model centered around datacenters.These datacenters are host to tens of thousands of computers and power most of the Internet (Jaeger et al., 2009).Indeed, 1/3 of all websites are powered by Amazon's AWS datacenters (Desjardins, 2019).The centrality of datacenters to the Internet landscape continues apace, with Cisco Systems estimating datacenter Internet traffic will reach 19.4 zettabytes in 2021 (Cisco Systems, 2018).A zettabyte is one billion terabytes, with one terabyte being the common size for an entire PC hard drive.In contrast, the computers of individual users form a dispersed periphery of global computing power.
These spatial disparities are malleable in cyberwar.As demonstrated in both the Estonian and Georgian cases, by infecting tens of thousands of 'periphery' computers, a state can form them into a core of computing powerful enough to disconnect states from the Internet.The 'topography' of global computing power, therefore, is shaped by geographies of malware vulnerability.The distinction between core and periphery is less rigid and more flexible, with periphery becoming core through the scale of hijacked computers.This is the logic behind DDoS attacks which emphasize hierarchical networks by negating territorial boundaries and gathering computing power through infected nodes.
The fluidity in the hierarchical network does not only benefit the attacker.In the case of Georgia, the state's collapsing computing defenses demonstrated that it was on the periphery of global defensive resources.Recognizing this, Georgia relocated its online services to a core: Google's servers in the United States.The assumption was that Google's scale and resources could withstand the DDoS attacks (Kastenberg, 2009).While novel at the time, relocating key assets to DDoS-defensible nodes has become a norm, with industry leader Cloudflare defending 27 million websites from attack in 2020 (Cloudflare, 2020;Zuckerman et al., 2010).
The core/periphery model of datacenters was a critical factor in Iran's retaliatory DDoS attacks.Instead of hijacking computers on the global computing periphery, Iran infected computers at core datacenters, marking the start of a new era in datacenterfocused attacks.Due to their relative homogeneity, datacenters became nodes of heightened risk, filled with tens of thousands of identical computers with similar vulnerabilities which were easily infected by the 'itsoknoproblembro' malware (Gilder, 2006;Jaeger et al., 2009).Datacenters are growing as attractive, centralized target for states, with malware which exploits their vulnerabilities (Cimpanu, 2019;Korolov, 2017Korolov, , 2020)).
Power and space in hierarchical networks is fluid, aggregating and disaggregating peripheries and cores.With global DDoS attacks estimated to reach 15.4 million in 2023 and global malware detections exceeding 750 million, hierarchical networks will continue to play a prominent role in both cyber-attack and defense (Cisco MalwareBytes, 2019;Systems, 2020).

World society
The world society model postulates synchronous interconnectedness of real and virtual spaces, the emergence of a global public opinion and awareness, 'flat' unhierarchical networks, as well as reciprocal time and space in global human affairs (Agnew, 2003).
Early geographic literature about the Internet articulated a distinct 'online/offline' dichotomy (Brunn, 1998).While such a distinction may have existed with dialup modems and desktop computers, the contemporary reality of near-ubiquitous mobile computing and connectivity has made the dichotomy a false one.This interconnectedness of the real and the virtual has resulted in cyberwar becoming a security priority for states, as industrial control systems in national electricity grids, dams, water treatment plants, railroads, and other key infrastructure become connected to the global Internet (Baram & Lim, 2020;Clarke & Knake, 2012;Sanger, 2019;Zetter, 2016).World militaries have organized around this, notably the U.S. budgeting $610 million for Cyber Command to integrate cyberwar offense and defense into kinetic conflict (Williams, 2019).
The Estonian case study demonstrated the reciprocity between online and offline protest movements.The effort to relocate the Bronze Soldier resulted in riots and simultaneous online calls for digital action.The resulting online attacks interrupted bank transfers, telephone calls, and more (Thilek, 2009).The attacks themselves were launched from a globally infected DDoS network which ignored national boundaries and operated across multiple time zones simultaneously with the protests.
The Georgian case likewise demonstrates this confluence: globally controlled DDoS networks attacking specific targets in conjunction with kinetic ground assaults.While forensics research has concluded that Russia was responsible for the attacks, the global distribution of attack sources meant there was no single state responsible (Blank, 2008;Grant, 2007).Russia could claim that even if it shut down or restricted access within its own borders, it was powerless to stop attackers in other jurisdictions-which is precisely what it did (Clarke & Knake, 2012).
Of the case studies, the future of synchronous online and offline interconnectedness was most clearly demonstrated in Stuxnet.The malware was developed to exploit the reality that even air-gapped spaces cannot be disconnected.The Natanz facility, although disconnected from the Internet, required regular software patches provided by vendors whose computers would be connected to the Internet.This allowed Stuxnet to be updated and destroy additional centrifuges by unwitting vendors bringing Sutxnetinfected USB drives to (Zero Days, 2016).Even disconnected spaces can be connected in the world society model (Table 1).
The confluence of online and offline means that the spatiality of power in cyberspace is not restricted to cyberspace, but manifests in the interconnectedness between the digital and the physical.Power is spatialized globally to the extent the Internet is spatialized globally.This is evidenced in the dramatic increase of 'Internet of Things' devices like Internet-connected thermostats, copy machines, and webcameras.Their widespread usage, with over 34 billion devices, has resulted in an enormous new geography of cyber insecurity (Burhan et al., 2018).The result is further blurring of the cyber-battlefront and the boundaries between civilians and combatants.Indeed, one of the largest DDoS attacks occurred in 2016 from nearly 50,000 webcameras in 164 countries infected by the Mirai malware (Herzberg et al., 2016).

Conclusion
Despite nearly 8 million DDoS attacks annually, a U.S. budget of $17 billion for cyberwar, and broad public awareness, geographers have rarely engaged with the spatiality of cyberwar.The purpose of this paper was to address this gap by offering a preliminary theoretical geographical lens on space and power in cyberwar.
How does applying this theoretical framework advance cyberwar in geography?Given the case studies and discussion of the multiple spatialities in these conflicts, spatializing power in cyberspace through a strictly territorial lens is insufficient.The spatiality of power model offered is one lens through which the paper sought to demonstrate how space and power can exist in cyberwar apart from the Westphalian model.And although there is broad agreement that the Westphalian system is challenged by various supranational forces, without engagement by geographers, cyberwar scholarship is likely to remain in the territorial trap which recent research has demonstrated (Hughes & Colarik, 2017).
What the case studies and analysis also demonstrate is that there are multiple spatialities at play in cyberwar: disconnection, hierarchy, spatiotemporal connectedness, and more.And as this paper's analysis was not exhaustive, there are undoubtedly more layers of analysis which could be applied.However, given the dearth of geographical engagement, these valuable analyses are lacking.Geography has much to offer this field both theoretically and empirically, and it is hoped that this paper can contribute to the beginnings of that conversation on space and power in cyberwar.
Funding Open access funding provided by Central European University Private University.The author did not receive support from any organization for the submitted work.

Declarations
Conflict of interest The author has no relevant financial or non-financial interests to disclose.

Fig. 6
Fig. 6 Georgian Ministry of Foreign Affairs on Google Blogspot (Screenshot by author)

Table 1
Case studies and the spatiality of power Vol.: (0123456789) This research did not involve human participants or animals.Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material.If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.