Responding to the proliferation of information-based weapons
High-end cyber weapons and espionage platforms such as
Stuxnet and Flame are to cyber power what the Navy SEALs are to the U.S.
military — exceptional yet singular. Just as a focus on special
operations direct action ignores the bombers, fleets and tanks that give
our military its devastating punch, cyber weapons and intelligence
collection platforms are only one part of a larger matrix of military
cyber power.
In order to create effective policy and
strategy, policymakers must first acknowledge that cyber power is part
of an ongoing strategic military competition between the United States
and nations such as Russia and China. Militarized malware is but one
part of a larger cyber power complex that other powers seek to imitate
and counter. Only by considering the whole of military cyber power will
the United States formulate responses to the expansion of military
competition in and over cyberspace.
Beginnings of a Strategic Competition
If we take professor Daniel Kuehl’s definition of cyberspace —
in short, a domain “framed by the use of electronics and the
electromagnetic spectrum to create, store, exchange and exploit
information” — then militaries have been conducting cyberwar since the
invention of the telegraph.
Large-scale land warfare in
the late 19th century was rooted in the strategic use of telegraph
communication to connect large military bureaucracies to operational
commanders, and was part of a matrix that enabled distributed campaigns
and integration of respective fronts into a common strategic whole. The
naval idea of network-centric warfare, as analyst Norman Friedman
argues, originated not in the Information Age but in early 20th-century
command-and-control technologies that allowed the British Navy to take a
common operating picture-based approach. In the late Cold War, the
United States, aiming to build military systems to “expand the
battlefield” and counter the Soviet quantitative conventional advantage,
invested in a set of military technologies that would make conventional
weapons approach the destructiveness of tactical nuclear weapons.
But cyberspace is not just a method of enabling military force. One can
also exert military power through cyberspace. Electronic
warfare and computer network operations both target, in different ways, a
military force’s ability to employ cyber power on the battlefield.
Countervalue targeting — taking aim at assets that are not strictly
military threats — through computer network operations is also possible
as a means of political coercion. Very little about these methods is
new. Electronic countermeasures have been routinely used in a host of
military missions and episodes of civilian hacking date back to the
1970s.
Though supposed information superiority did not do
away with the fog of war or make victory inevitable, American use of
cyberspace for military operations and information attacks on enemy
platforms helped the United States intervene in regional crises across
the globe with relatively small military forces. Trading mass for
information superiority is a peculiarly American tendency rooted in
elements of U.S. strategic culture, just as the umbrella term
“blitzkrieg” simply denotes technological and doctrinal enhancements to
existing Prusso-German ideas about war, strategy and command.
Network-centric warfare is a paramount example of how cyber-enabled
military operations merged with mainstream tenets of American strategic
culture. Adm. Arthur K. Cebrowski and his collaborators married
technology with an expansive geopolitical vision of American ability to
determine “rule sets” in an international system that he judged to be
imperiled by information-technology-enabled regional actors.
Network-enabled force and flexible logistics would help the United
States contain the damage from such actors, spread globalization’s
connectivity to disconnected regions and deter new conflicts. These
geopolitical ideas, while wrapped in metaphors from systems science and
economics, are at their core very much rooted in a traditionally
American brand of liberal internationalism. The United States does not
trust a balance-of-power system abroad to create national security, and
thus has historically sought the military capability to create favorable
regional, national-level and substate political outcomes.
American military hegemony, coupled with a penchant for cyber-enabled
regional intervention, is what is driving adversaries’ search for
countermeasures. A military competition is underway over military cyber
power.
Structure of Military Competition
Military competitions are an analytical tool developed by Andrew
Marshall and others associated with the Office of Net Assessment for
examining a long-run peacetime conflict between two states to master a
specific area of military importance. Military competitions have
occurred over nuclear forces, precision strikes, space, warships and
other important aspects of military operations. Crucial to understanding
the dynamics of military competition is a holistic analysis that
incorporates doctrine, socio-bureaucratic dynamics and other “soft”
factors, as well as technical considerations. Military competitions are
not necessarily won or lost, but states can gain an ability to compete
in a manner that is not only efficient but also achieves desired
strategic effects.
Military competitions are informed
by war plans but aim to achieve peacetime objectives. A military
competition can dissuade a state from certain regional defense
strategies if they are made tactically or operationally untenable.
Successfully competing in a military competition in one area can have
second- and third-order effects on others. For example, a recent
Center for Strategic and Budgetary Assessments paper has looked at the
American development of the B-1 bomber as a means of pushing
unsustainable costs on Soviet air defense networks.
In 1991, the rapidity and perceived ease with which the United States
demolished the Iraqi Army shocked Russia and China. To counter the
United States, other states are investing in information warfare
capabilities — electronic warfare and computer network operations — to
try to retard the American ability to use cyberspace for military
operations. These strategies mesh with existing usage of anti-access and
area denial weapons and counterspace capabilities, the employment of
special operations and airborne units, and other similar
low-cost/high-value tools. Unlike many in the U.S., Russia and China do
not see cyberwarfare tactics and operations as standalone strategic
methods.
China’s information warfare theory and
doctrine are well known, although disputes remain in military circles as
to the extent of Chinese preparations and doctrinal purity. Chinese
strategists contemplate attacks on military and civilian infrastructure
in concert with deception operations and conventional weapons. The
Russians have developed a similar set of ideas and doctrine rooted
in concepts of reflexive control, which employs integrated deception
and cyber operations. Both states maintain military and intelligence
structures for employing information warfare but also have a murky
relationship with patriotic hackers and cyber criminals who engage in
espionage and political subversion.
Espionage, rather
than cyberwarfare, is a more near-term concern for the Defense
Department. Foreign hackers routinely compromise civilian and defense
networks, although their connection to state organizations often is less
than perfectly clear. While one might be tempted to dismiss these
developments as unrelated to kinetic cyberwarfare activities, a closer
look reveals a more solid connection. Timothy L. Thomas and others have
pointed out that “long-range cyber reconnaissance” can be used to gain
crucial military information and possible target intelligence for
employment of cyber weapons either during geopolitical crises or the
initial period of war. Some cyber tools such as the Flame virus are also
dual-use, programmed to both degrade systems and collect intelligence
information.
Chinese and Russian exploitation of
cyberspace, however, is not solely limited to information warfare.
Rather, both states have also attempted to “informatize” their own armed
services. Informatization in Chinese and Russian military doctrine
should be understood as a structural integration of modern information
technology with existing and future military platforms. Chinese military
writings in particular portray “informatization” as the digital
equivalent of motorizing land armies in the interwar period.
Having witnessed U.S. military operations routed through sophisticated
command-and-control systems and U.S. weapons guided by space operations,
Russian and Chinese military forces have sought to mimic American
organizational, technological and doctrinal methods. Whether they will
achieve such innovations is another matter entirely. The Russians seek
defense reforms to enable a smaller and more agile military, but face
formidable institutional opposition. The Chinese have developed battle
networks for joint operations, although command-and-control problems
persist and many of their most fearsome weapons are either mostly
aspirational or have never been tested in wartime conditions.
Other states and nonstate actors pursue information warfare
capabilities and means of exploiting cyberspace for powerful
conventional weapons. North Korea and Iran are building up hacking and
electronic warfare capabilities to counter the West and target their
neighbors. North Korea has executed cyber attacks against South Korean
civilian targets and jammed air traffic communication, and Iran claims
to have used electronic warfare to down an American spy drone in
December. Nonstate actors are engaging in what former Israeli Defense
Forces commander Itai Brun judges “The Other Revolution in Military
Affairs,” using cyberspace as a medium for distributed operational
command-and-control, communications, sensor networks and propaganda. The
proliferation of precision-strike weapons predicted by many military
analysts may add a kind of primitive nonstate reconnaissance-strike
complex to this mixture of cyber-enabled tactics and operations.
Against the backdrop of adversarial efforts to exploit and attack
through cyberspace, the U.S. aims to lock in its existing advantages.
Despite periodic calls for cyber cooperation and norms, the U.S. has
elected to avoid placing significant restraints on itself and resists
attempts to limit its freedom of action.
But while the
U.S. currently exercises substantial cyber power, it also has extensive
weaknesses. American critical infrastructure, operated mostly by the
private sector, suffers from known flaws and, in all likelihood, unknown
zero-day exploits. While the government has created initiatives over
the last 15 years to secure its infrastructure, it has also strongly
indicated that it would reserve the right to respond both in and out of
cyberspace. The U.S. has always leveraged multiple operational domains,
and a cyber attack judged to be an “act of war” would be no exception.
What began in cyberspace certainly would not stay in cyberspace.
Cybersecurity, while overlapping with cyberwarfare, should not be
unnecessarily conflated with military efforts. As Samuel P. Liles has
argued, information hygiene issues are important but differ
substantially from military efforts, in the same way that the Navy SEALs
cannot really be compared to Wackenhut private security guards. But
should adversaries execute countervalue attacks, the first responders
will be civilians instead of the military. The private sector will be an
extensive — if not the dominant — civilian target, and the Stuxnet
malware that targeted Iran’s uranium enrichment facility has
demonstrated that infrastructure attacks will be a regular part of cyber
conflict. But the purpose of these attacks is not simply to watch
America burn. Rather, they will be part of integrated strategies to
achieve political goals. At a certain level of severity, attribution
could be overrated. Attackers may have an interest in letting the U.S.
know precisely who has hit them in order to coerce American
policymakers, and policymakers may regardless make decisions based on
imperfect information rather than agonizing over perfect attribution.
Dynamics of Competition
At first glance, U.S. investment in cyber weapons may be disruptive to
international order. Such opinions have been frequently voiced in the
aftermath of New York Times reporter David Sanger’s revelations about
alleged U.S. and Israeli authorship of Stuxnet. But this point of view
ignores the threat assessments of adversarial nation-states and substate
actors that see the whole of U.S. military cyber power as a threat.
American computer network operations have not killed anyone, but
American military cyber power enables destructive conventional weapons.
Schemes to create stability in cyberspace through treaties that focus
exclusively on computer network operations — presuming they would be
enforceable — would not remove the real factors driving military
competition.
From the American perspective, investment
in cyber weapons helps sustain an already powerful American lead in
military cyber power and deters other states with military forces
targetable either through cyberspace or by cyber-enabled force. In
addition to the military dimension, cyber power also provides new means
of covert action, espionage and statecraft. Finally, the history of U.S.
military operations in operational domains and American policy
surrounding international protection of commons — including cyberspace —
suggests that the U.S. will not readily allow other powers to restrict
its freedom of action.
The United States does not want
adversaries to achieve parity in the employment of military cyber power,
but it will have to create a strategy for efficient competition if it
seeks to continue its present course. A strategy for competition would
have several components: knowing what operational “markets” are
important to invest in, minimizing costs and understanding the
components of adversary power. The U.S. should begin any competition
with realistic expectations. No one is going to be able to achieve
“information superiority” in cyberspace. Barriers to entry, whether in
the form of computer network operations or “informatized” conventional
battle networks and precision-guided weapons, are falling. Rather, the
United States can use military power — and not just military power — to
influence how other states employ the operational domain of cyberspace
to create tactical, operational or strategic effects or attack through
cyberspace.
For example, the United States
substantially invested in network-enabled operations over the last few
decades. Other powers can use a variety of means — from computer network
operations to targeting orbital intelligence systems — to deny or
degrade the use of cyberspace to U.S. military forces. American critical
infrastructure can also be attacked through cyberspace. But complete
control over state use of cyberspace is impossible. Take spying, a
perennial concern of American cyber policymakers. Networks can be
hardened and counterintelligence can be used, but stopping cyber spies
is just as much of a lost cause as totally foiling more traditional
forms of espionage.
Cyber power strategy also must be
based on holistic comparison between U.S. and adversary capabilities for
cyber-enabled operations, computer network attacks, and general
potential for translating state and commercial information technology
into military power. Focusing on any one element of military cyber power
at the expense of the others will give a false picture of a state’s
strengths and weaknesses in cyberspace. The use of cyber attacks for
covert operations can provide a test bed for thinking about cyber
operations, but it is important not to draw the wrong lessons. Covert
operations and espionage are meant to be kept secret and occur over long
timeframes. Operational cyberwarfare will likely be much more
fast-paced and used to coerce adversaries, not steal from them or
covertly attack their infrastructure. Policymakers also may be tempted
to use computer network operations for brinksmanship and coercive
diplomacy, adding a digital component to the escalation ladder.
With Stuxnet and Flame now exposed to coders, we are likely to see a
process of reverse-engineering that mirrors the general process of
military adaptation and diffusion sparked by the global information
technology revolution in military affairs. But in order to create
effective policy and strategy, it is first necessary for policymakers to
acknowledge that a competition exists and goes far beyond militarized
malware. Only by considering the whole of military cyber power will the
United States formulate responses to the expansion of military
competition in and over cyberspace. AFJ