Is America Really Ready for a Cyber War?
A defensive cyber strategy cannot rely on the ability to guarantee defense.
The United States faces new types of military threats that challenge traditional organization and strategy, including those emanating from the cyber domain. This challenge, however, can be made more solvable by using a well-known theory of warfare to provide a model upon which theorists of today can build an understanding of modern warfare. The most widespread framework with which cyber conflict is modeled is that of deterrence. As different as these two may seem, both are characterized by offense ascendancy and costly defense, providing the base for the borrowed theory. The theoretical and practical application of the deterrence model to cyberspace was included as a crucial component of the 2015 Department of Defense cyber manual, citing a key mission as contributing to “the development and implementation of a comprehensive cyber deterrence strategy to deter key state and non-state actors from conducting cyberattacks against U.S. interests.” While this way of thinking helps prepare for—and prevent—a large-scale cyber Pearl Harbor, it has significant limitations with regard to practical use. A better framework for this kind of activity is the irregular-conflict model.
Limits of the Deterrence Model
The fundamental element of deterrence theory is the existence of a credible threat. Kinetic weaponry, like bombs and missiles, causes obvious and devastating consequences through methods which the populations of the world can understand and fear. In the cyber domain, attacks have not proven to hold this same psychological power, especially in that the most powerful cyber weapons we have are those our enemies know nothing about.
One of the key points of the deterrence model is the ability to assure retaliation. Though the difficulty of cyberattack attribution is no longer as large a hurdle as it once was, it is difficult to accurately identify all attack parameters within the accelerated time frame that the deterrence model demands.
The tremendous cost and specific requirements of large-weapons programs limit the types of actors capable of developing and deploying weapons whose main function is to deter—not engage in—warfare. Though sophisticated cyber attacks, too, are more easily developed with the aid of the technological and fiscal superiority of developed states, anyone with access to the internet has access to basic, but effective, hacking tools. “The battlespace is open, accessible, nearly anonymous, and with an entry cost that appears affordable,” according to Daniel Hughes and Andrew Colarik of National Defense University Press. Access to higher-order cyber tools requires time, equipment and practice, but this learning curve is a gentle slope in comparison to the steep development curve of sophisticated kinetic weaponry.
Irregular Cyber Model
Cyber conflict, specifically those activities that take place below a level which could necessitate significant retaliation, strongly resembles the model of irregular conflict. On irregular battlescapes, conflict is characterized by a lack of fixed lines blurring the separation between friendly and enemy, combatant and noncombatant. In cyberspace, this lack of distinction is just as—if not more—pronounced. There are no political borders in cyberspace, no uniformed enemy and no certainty that the next day’s circumstances won’t radically alter.
As Sun Tzu wrote in The Art of War, “Numerical weakness comes from having to prepare against possible attacks; numerical strength from compelling our adversary to make these preparations against us.” This principle can explain offense ascendancy in cyberspace in that a defender must prepare and guard against large volumes of diverse attacks, of which only a few need to successfully penetrate the network. Therefore, a defensive cyber strategy cannot rely on the ability to guarantee defense. This allows a numerically or otherwise weaker force to disproportionately increase their power relative to the enemy.
The objective of a cyber attack can be a combination of deterrence, denial, disruption, degradation and deception. The last three of these necessitate an invasive strategy, requiring practitioners to operate within areas of enemy control without detection. During the Vietnam War, Võ Nguyên Giáp championed the use of small units capable of operating in pockets deep in enemy-claimed territory. It was essential to this strategy that his soldiers be able to conceal themselves and capitalize fully on the element of surprise. In the battlefields of both cyber and irregular conflict, combatants attempt not to reach complete spatial ownership, but to maximize their freedom of movement and deny that of their enemy.
The human element of the environment is an essential part of both irregular and cyber conflict. Civilians—whether friendly or passive—provide a significant base of support as a source of camouflage or materiel. In cyberspace, attackers can obscure their actions by taking advantage of the volume of civilian infrastructure and traffic, just as modern-day insurgents hide amongst civilian populations. Exploiting existing civilian infrastructure, combatants can use civilian devices to create a network of botnets. The role of civilians is also reflected in the role of private corporations in cyberspace as critical actors and sources of expertise.
Mao Zedong wrote that it is essential to identify an enemy’s vulnerabilities, a process requiring significant reconnaissance. In the cyber domain, this information gathering is even more critical in determining assailable targets. Weaknesses called zero-day exploits must be located in advance, taking advantage of unnoticed weaknesses in code. In irregular and cyber conflict these weaknesses are often lines of communication and logistics. During World War I, Arab tribes focused many of their attacks on Turkey’s infrastructure and logistics, rather than main Turkish forces. Thus, the Turks were unable to take full advantage of their numerical and technological superiority. In the cyber domain, this action is paralleled in the targeting of critical infrastructure networks that run the command-and-control systems, manage logistics, enable the staff planning and operations, and are the backbone of the intelligence capabilities.
Value for the United States
The model of irregular conflict does not undermine the importance of the deterrence model with regard to large-scale attacks. Rather, this model deals with the type of cyber conflict seen on a day-to-day basis, which does not amount to war, but does threaten the core interests of the United States. Having a model, like the deterrence model, that ignores daily cyber operations significantly limits the theoretical framework for our actions in cyberspace to the equivalent of missile stockpiling. But the United States is not merely sitting on a pile of zero-day exploits; it is actively taking advantage of them. The conception of cyber activity as a flexible tool of engagement allows the United States—and the international community—to create a consensus as to what measures are appropriate at each level of cyber conflict, and what exactly constitutes a deterrence-level threat. The benefit of using a model that allows for flexibility of response is that a more holistic understanding of the strategic uses of the cyber domain can be developed. With this framework in place, actors such as the United States can more reliably choose the most appropriate response from a range of escalatory steps.
With a better understanding of cyber-strategic theory, practical uses of cyber tools can develop as well. In a defensive capacity, the irregular-conflict model can be used to understand the methods and targets of our enemies, so that the United States can create more appropriate and effective responses. This will increase our resilience to cyber attacks and decrease the risks associated with their widespread use. Offensively, the model of irregular conflict offers a pathway to understanding how operational and tactical uses of cyber tools can be better used to forward strategic objectives, increasing the potency of our attacks. This would also aid in minimizing unnecessary actions that could result in secondary geopolitical complications.
Under the irregular model, cyber conflict can be understood as an asymmetric tool, preferred by forces at significant disadvantage to a stronger enemy, not a characterization comfortable for the United States. But General Dempsey, the former chairman of the Joint Chiefs of Staff, said in an interview that American dominance in the cyber domain is not guaranteed. “It’s a level playing field,” he said. “And that makes this chairman very uncomfortable.” Although the United States is more familiar with being at the advantage, the country does not—and cannot—ignore such a valuable force multiplier. As the United States does not have assured capability dominance, it needs to utilize every available technique to secure American defense and national security.
Emma Schroeder is a member of the Atlantic Council’s Transatlantic Security Initiative.
Image: Simulated test in the Central Control Facility at Eglin Air Force Base, Florida. Wikimedia Commons/Public domain