Introduction
At a time when it seems impossible to avoid the seemingly growing hysteria over the threat of cyber war,[1] network security expert Marcus Ranum delivered a refreshing talk recently, “The Problem with Cyber War,” that took a critical look at a number of the assumptions underlying contemporary cybersecurity discourse in the United States. He addressed one issue in partiuclar that I would like to riff on here, the issue of conflict escalation–i.e. the possibility that offensive use of cyber attacks could escalate to the use of physical force. As I will show, his concerns are entirely legitimate as current U.S. military cyber doctrine assumes the possibility of what I call “cross-domain responses” to cyberattacks.
Backing Your Adversary (Mentally) into a Corner
Based on the premise that completely blinding a potential adversary is a good indicator to that adversary that an attack is iminent, Ranum has argued that
“The best thing that you could possibly do if you want to start World War III is launch a cyber attack. […] When people talk about cyber war like it’s a practical thing, what they’re really doing is messing with the OK button for starting World War III. We need to get them to sit the f-k down and shut the f-k up.” [2]
He is making a point similar to one that I have made in the past: Taking away an adversary’s ability to make rational decisions could backfire. [3] For example, Gregory Witol cautions that
“attacking the decision maker’s ability to perform rational calculations may cause more problems than it hopes to resolve… Removing the capacity for rational action may result in completely unforeseen consequences, including longer and bloodier battles than may otherwise have been.” [4]
Cross-Domain Response
So, from a theoretical standpoint, I think his concerns are well founded. But the current state of U.S. policy may be cause for even greater concern. It’s not just worrisome that a hypothetical blinding attack via cyberspace could send a signal of imminent attack and therefore trigger an irrational response from the adversary. What is also cause for concern is that current U.S. policy indicates that “kinetic attacks” (i.e. physical use of force) are seen as potentially legitimate responses to cyber attacks. Most worrisome is that current U.S. policy implies that a nuclear response is possible, something that policy makers have not denied in recent press reports.
The reason, in part, is that the U.S. defense community has increasingly come to see cyberspace as a “domain of warfare” equivalent to air, land, sea, and space. The definition of cyberspace as its own domain of warfare helps in its own right to blur the online/offline, physical-space/cyberspace boundary. But thinking logically about the potential consequences of this framing leads to some disconcerting conclusions.
If cyberspace is a domain of warfare, then it becomes possible to define “cyber attacks” (whatever those may be said to entail) as acts of war. But what happens if the U.S. is attacked in any of the other domains? It retaliates. But it usually does not respond only within the domain in which it was attacked. Rather, responses are typically “cross-domain responses”–i.e. a massive bombing on U.S. soil or vital U.S. interests abroad (e.g. think 9/11 or Pearl Harbor) might lead to air strikes against the attacker. Even more likely given a U.S. military “way of warfare” that emphasizes multidimensional, “joint” operations is a massive conventional (i.e. non-nuclear) response against the attacker in all domains (air, land, sea, space), simultaneously.
The possibility of “kinetic action” in response to cyber attack, or as part of offensive U.S. cyber operations, is part of the current (2006) National Military Strategy for Cyberspace Operations [5]:
Of course, the possibility that a cyber attack on the U.S. could lead to a U.S. nuclear reply constitutes possibly the ultimate in “cross-domain response.” And while this may seem far fetched, it has not been ruled out by U.S. defense policy makers and is, in fact, implied in current U.S. defense policy documents. From the National Military Strategy of the United States (2004):
“The term WMD/E relates to a broad range of adversary capabilities that pose potentially devastating impacts. WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical ‘weapons’. They may rely more on disruptive impact than destructive kinetic effects. For example, cyber attacks on US commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.” [6]
The authors of a 2009 National Academies of Science report on cyberwarfare respond to this by saying,
“Coupled with the declaratory policy on nuclear weapons described earlier, this statement implies that the United States will regard certain kinds of cyberattacks against the United States as being in the same category as nuclear, biological, and chemical weapons, and thus that a nuclear response to certain kinds of cyberattacks (namely, cyberattacks with devastating impacts) may be possible. It also sets a relevant scale–a cyberattack that has an impact larger than that associated with a relatively small release of a lethal agent is regarded with the same or greater seriousness.” [7]
Asked by the New York Times to comment on this, U.S. defense officials would not deny that nuclear retaliation remains an option for response to a massive cyberattack:
“Pentagon and military officials confirmed that the United States reserved the option to respond in any way it chooses to punish an adversary responsible for a catastrophic cyberattack. While the options could include the use of nuclear weapons, officials said, such an extreme counterattack was hardly the most likely response.” [8]
The rationale for this policy:
“Thus, the United States never declared that it would be bound to respond to a Soviet and Warsaw Pact conventional invasion with only American and NATO conventional forces. The fear of escalating to a nuclear conflict was viewed as a pillar of stability and is credited with helping deter the larger Soviet-led conventional force throughout the cold war. Introducing the possibility of a nuclear response to a catastrophic cyberattack would be expected to serve the same purpose.” [9]
Non-unique, Dangerous, and In-credible?
There are a couple of interesting things to note in response. First is the development of a new acronym, WMD/E (weapons of mass destruction or effect). Again, this acronym indicates a weakening of the requirement of physical impacts. In this new definition, mass effects that are not necessarily physical, nor necessarily destructive, but possibly only disruptive economically or even psychologically (think “shock and awe”) are seen as equivalent to WMD. This new emphasis on effects, disruption, and psychology reflects both contemporary, but also long-held beliefs within the U.S. defense community. It reflects current thinking in U.S. military theory, in which it is said that U.S. forces should be able to “mass fires” and “mass effects” without having to physically “mass forces.” There is a sliding scale in which the physical (often referred to as
the “kinetic”) gradually retreats–i.e. massed forces are most physical; massed fire is less physical (for the U.S. anyway); and massed effects are the least physical, having as the ultimate goal Sun Tzu’s “pinnacle of excellence,” winning without fighting.
But the emphasis on disruption and psychology in WMD/E has also been a key component of much of 20th century military thought in the West. Industrial theories of warfare in the early 20th century posited that industrial societies were increasingly interdependent and reliant upon mass production, transportation, and consumption of material goods. Both industrial societies and the material links that held them together, as well as industrial people and their own internal linkages (i.e. nerves), were seen as increasingly fragile and prone to disruption via attack with the latest industrial weapons: airplanes and tanks. Once interdependent and fragile industrial societies were hopelessly disrupted via attack by the very weapons they themselves created, the nerves of modern, industrial men and women would be shattered, leading to moral and mental defeat and a loss of will to fight. Current thinking about the possible dangers of cyber attack upon the U.S. are based on the same basic premises: technologically dependent and therefore fragile societies populated by masses of people sensitive to any disruption in expected standards of living are easy targets. Ultimately, however, a number of researchers have pointed out the pseudo-psychological, pseudo-sociological, and a-historical (not to mention non-unique) nature of these assumptions. [10] Others have pointed out that these assumptions did not turn out to be true during WWII strategic bombing campaigns, that modern, industrial societies and populations were far more resilient than military theorists had assumed. [11] Finally, even some military theorists have questioned the assumptions behind cyber war, especially when assumptions about our own technology dependence-induced societal fragility (dubious on their own) are applied to other societies, especially non-Western societies (even more dubious). [12]
Finally, where deterrence is concerned, it is important to remember that a deterrent has to be credible to be effective. True, the U.S. retained nuclear weapons as a deterrent during the Cold War. But, from the 1950s through the 1980s, there was increasing doubt among U.S. planners regarding the credibility of U.S. nuclear deterrence via the threat of “massive retaliation.” As early as the 1950s it was becoming clear that the U.S. would be reluctant at best to actually follow through on its threat of massive retaliation. Unfortunately, most money during that period had gone into building up the nuclear arsenal; conventional weapons had been marginalized. Thus, the U.S. had built a force it was likely never to use. So, the 1960s, 1970s, and 1980s saw the development of concepts like “flexible response” and more emphasis on building up conventional forces. This was the big story of the 1980s and the “Reagan build-up” (not “Star Wars”). Realizing that, after a decade of distraction in Vietnam, it was back in a position vis-a-viz the Soviets in Europe in which it would have to rely on nuclear weapons to offset its own weakness in conventional forces, a position that could lead only to blackmail or holocaust, the U.S. moved to create stronger conventional forces. [13] Thus, the question where cyber war is concerned:
If it was in-credible that the U.S. would actually follow through with massive retaliation after a Soviet attack on the U.S. or Western Europe, is it really credible to say that the U.S. would respond with nuclear weapons to a cyber attack, no matter how disruptive or destructive?
Beyond credibility, deterrence makes many other assumptions that are problematic in the cyber war context. It assumes an adversary capable of being deterred. Can most of those who would perpetrate a cyber attack be deterred? Will al-Qa’ida be deterred? How about a band of nationalistic or even just thrill-seeker, bandwagon hackers for hire? Second, it assumes clear lines of command and control. Sure, some hacker groups might be funded and assisted to a great degree by states. But ultimately, even cyber war theorists will admit that it is doubtful that states have complete control over their armies of hacker mercenaries. How will deterrence play out in this kind of scenario?
Conclusion
Ultimately, there is much more that can, should, and will be said (I’m currently writing a paper about these issues for the next Association of Internet Researchers conference) about the underlying assumptions and shortcomings of contemporary cyber war discourse in the United States, assumptions and shortcomings that lead to the possibility of escalation via cross-domain response to cyber attacks, including in-credible threats of nuclear retaliation, as well as the dubious framing of cyber war in terms of Cold War nuclear deterrence between superpowers. At this point, from what I can see, we do not need yet another cyber/network/computer/etc. security “expert” making fantastic claims about the imminent threat of a “cyber Pearl Harbor,” “cyber Katrina,” or “cyber 9/11,” but rather, more of these experts like Ranum who are willing to take a critical view, even though that might not net them as many dollars in government contracts for cybersecurity work.
References
[1] For example, see Gertz, Bill. “China Blocks U.S. From Cyber Warfare.†Washington Times, May 12, 2009, available from http://washingtontimes.com/news/2009/may/12/china-bolsters-for-cyber-arms-race-with-us/; Markoff, John, and Thom Shanker. “Panel Advises Clarifying U.S. Plans on Cyberwar.†New York Times, 30 April, 2009, available from http://www.nytimes.com/2009/04/30/science/30cyber.html?_r=1; and Sanger, David E., John Markoff, and Thom Shanker. “U.S. Steps Up Effort on Digital Defenses.†New York Times, April 28, 2009, available from http://www.nytimes.com/2009/04/28/us/28cyber.html.
[2] Marcus J. Ranum, CSO, Tenable Network Security, “The Problem with CyberWar,” presentation at DojoSec Monthly Briefings (March 2009), available from http://vimeo.com/3519680.
[3] Sean Lawson, “Virtual Mind Control: Nonviolence as the Pinnacle of Excellence for Information Age Conflict,†Technoscience (Fall 2004: Vol 20, Num 3), 9-13. Download
[4] Gregory Witol, “International Relations in a Digital World.†In Cyberwar 2.0: Myths, Mysteries, and Reality, edited by Alan D. Campen, and Douglas H. Dearth, 65-76. Fairfax, VA: AFCEA International Press, 1998.
[5] The National Military Strategy for Cyberspace Operations. Washington, D.C.: Chairman of the Joint Chiefs of Staff, 2006, p.15.
[6] The National Military Strategy of the United States of America: A Strategy for Today; a Vision for Tomorrow. Washington, D.C.: Chairman of the Joint Chiefs of Staff, 2004, p.1.
[7] Owens, William A., Kenneth W. Dam, and Herbert S. Lin. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Washington, D.C.: Nationa
l Academies Press, 2009, p.178.
[8] Markoff, John, and Thom Shanker. “Panel Advises Clarifying U.S. Plans on Cyberwar.†New York Times, April 30, 2009, available from http://www.nytimes.com/2009/04/30/science/30cyber.html?_r=1.
[9] Ibid.
[10] Freedman, Lawrence. “Strategic Terror and Amateur Psychology.†The Political Quarterly 2 (2005): 161-70.
[11] Biddle, Tami Davis. Rhetoric and Reality in Air Warfare: The Evolution of British and American Ideas About Strategic Bombing, 1914-1945. Princeton, N.J: Princeton University Press, 2002.
[12] Dunlap Jr, Charles J. “How We Lost the Hi-Tech War of 2007.†The Weekly Standard 1 (1996); Dunlap, Jr, Charles J. “Sometimes the Dragon Wins: A Perspective on Info-Age Warfare.†Phil Taylor’s Web Site (1996).
[13] Tomes, Robert R. U.S. Defense Strategy From Vietnam to Operation Iraqi Freedom: Military Innovation and the New American Way of War, 1973-2003. London: Routledge, 2007.
Technorati Tags: cyberwar, cyberwarfare, cyberattack, cybersecurity
