Cyber War: The Next Threat to National Security and What to Do About It (20 page)

When you think about “defense” capability and “lack of dependence” together, many nations score far better than the U.S. Their ability to survive a cyber war, with lower costs, compared to what would happen to the U.S., creates a “cyber war gap.” They can use cyber war against us and do great damage, while at the same time they may be able to withstand a U.S. cyber war response. The existence of that “cyber war gap” may tempt some nation to attack the United States. Closing that gap should be the highest priority of U.S. cyber warriors. Improving our offensive capability does not close the gap. It is impossible to reduce our dependence on networked systems at this point. Hence, the only way we can close the gap, the only way we can improve our overall Cyber War Strength score, is to improve our defenses. Let’s take a look at how we might do that.

M
ilitary theorists and statesmen, from Sun Tzu to von Clausewitz to Herman Kahn, have for centuries defined and redefined military strategy in varying ways, but they tend to agree that it involves an articulation of goals, means (broadly defined), limits (perhaps), and possibly sequencing. In short, military strategy is an integrated theory about what we want do and how, in general, we plan to do it. In part because Congress has required it, successive U.S. administrations have periodically published a National Security Strategy and a National Military Strategy for all the world to read. Within the military, the U.S. has many substrategies, such as a naval strategy, a counterinsurgency strategy, and a strategic nuclear strategy. The U.S. government has also publicly published strategies for dealing with issues wherein the military plays only a limited role,
such as controlling illegal narcotics trafficking, countering terrorism, and stopping the proliferation of weapons of mass destruction. Oh yes, there is also that National Strategy to Secure Cyberspace dating back to 2003; but there is no publicly available cyber war strategy.

In the absence of a strategy for cyber war, we do not have an integrated theory about how to address key issues. To prove that, let’s play Twenty Questions and see if there are agreed-upon answers to some pretty obvious questions about how to conduct cyber war:

• What do we do if we wake up one day and find the western half of the U.S. without electrical power as the result of a cyber attack?
  
• Is the advent of cyber war a good thing, or does it place us at a disadvantage?
  
• Do we envision the use of cyber war weapons only in response to the use of cyber war weapons against us?
  
• Are cyber weapons something that we will employ routinely in both small and large conflicts? Will we use them early in a conflict because they give us a unique advantage in seeking our goals, such as maybe effecting a rapid end to the conflict?
  
• Do we think we want to have plans and capabilities to conduct “stand-alone” cyber war against another nation? And will we fight in cyberspace even when we’re not shooting at the other side in physical space?
  
• Do we see cyberspace as another domain (like the sea, airspace, or outer space) in which we must be militarily dominant and in which we will engage an opponent while simultaneously conducting operations in other domains?
  
• How surely do we have to identify who attacked us in cyberspace before we respond? What standards will we use for these identifications?
  
• Will we ever hide the fact that it was us who attacked with cyber weapons?
  
• Should we be hacking into other nations’ networks in peacetime? If so, should there be any constraints on what we would do in peacetime?
  
• What do we do if we find that other nations have hacked into our networks in peacetime? What if they left behind logic bombs in our infrastructure networks?
  
• Do we intend to use cyber weapons primarily or initially against military targets only? How do we define military targets?
  
• Or do we see the utility of cyber weapons being their ability to inflict disruption on the economic infrastructure or the society at large?
  
• What is the importance of avoiding collateral damage with our cyber weapons? How might avoiding it limit our use of the weapons?
  
• If we are attacked with cyber weapons, under what circumstances would, or should, we respond with kinetic weapons? How much of the answer to this question should be publicly known in advance?
  
• What kind of goals specific to the employment of cyber weapons would we want to achieve if we conducted cyber war, either in conjunction with kinetic war or as a stand-alone activity?
  
• Should the line between peace and cyber war be brightly delineated, or is there an advantage to us in blurring that distinction?
  
• Would we fight cyber war in a coalition with other nations, helping to defend their cyberspace and sharing our cyber weapons, tactics, and targets?
  
• What level of command authority should authorize the use of cyber weapons, select the weapons, and approve the targets?
  
• Are there types of targets that we believe should not be attacked using cyber weapons? Do we attack them anyway if similar U.S. facilities are hit first by cyber or other weapons?
  
• How do we signal our intentions with regard to cyber weapons in peacetime and in crisis? Are there ways that we can use our possession of cyber weapons to deter an opponent?
  
• If an opponent is successful in launching a widespread, disabling attack on our military or on our economic infrastructure, how does that affect our other military and political strategies?
  

Didn’t do too well finding the answers anywhere in U.S. government documents, congressional hearings, or officials’ speeches? I didn’t, either. To be fair, these are not easy questions to answer, which is, no doubt, part of the reason they have not yet been knitted together into a strategy. As with much else, how one answers these and other questions will depend upon one’s experience and responsibilities, as well as the perspective that both create. Any general would like to be able to flip a switch and turn off the opposing force, especially if the same cannot be done to his forces in return. Modern generals know, however, that militaries are one of many instruments of the state, and the ultimate success of a military is now judged not just by what it does to the opponent, but by how well it protects and supports the rest of the state, including its underpinning economy. Military leaders and diplomats have also learned from past experiences that there is a fine line between prudent preparation to defend oneself and provocative activities that may actually increase the probability of conflict. Thus, crafting a cyber war strategy is not as obvious as simply embracing our newly discovered weapons, as the U.S. military did with nuclear weapons following Hiroshima.

It took a decade and a half after nuclear weapons were first used before a complex strategy for employing them, and, better yet, for not using them, was articulated and implemented. During those first years of the nuclear weapons era, accidental war almost occurred several times. The nuclear weapons strategy that eventually emerged reduced that risk significantly. Nuclear war strategy will be referenced a lot in this and the next chapter. The big differences between cyber war and nuclear war are obvious, but some of the concepts developed in the creation of nuclear war strategy have applicability to this new field. Others do not. Nonetheless, we can learn something about how a complex strategy for using new weapons can be developed by reviewing what went on in the 1950s and 1960s. And, where appropriate, we can borrow and adapt some of those concepts as we try to piece together a cyber war strategy.

THE ROLE OF DEFENSE IN OUR CYBER WAR STRATEGY

I asked at the beginning of this book: Are we better off in a world with cyber weapons and cyber war than in a theoretical world in which they never existed? The discussion in the ensuing chapters demonstrated, at least to me, that as things stand today the United States has gaping new vulnerabilities because others have cyber war capabilities. Indeed, because of its greater dependence on cyber-controlled systems and its inability thus far to create national cyber defenses, the United States is currently far more vulnerable to cyber war than Russia or China. The U.S. is more at risk from cyber war than are minor states like North Korea. We may even be at risk some day from nations or nonstate actors lacking cyber war capabilities, but who can hire teams of highly capable hackers.

Put aside for the moment the question of how it would start and consider a U.S.-Chinese cyber war as an example. We might
have better offensive cyber weapons than others, but the fact that we might be able to turn off the Chinese air defense system will give most Americans limited comfort if in some future crisis the cyber warriors of the People’s Liberation Army have kept power off in most American cities for weeks, shut the financial markets by corrupting their data, and created food and parts shortages nationwide by scrambling the routing systems at major U.S. railroads. Although much of China is highly advanced, a lot of it is still far from dependent upon networks controlled in cyberspace. The Chinese government may also have to worry less about temporary inconveniences experienced by its citizens or the political acceptability of measures it might impose in an emergency.

Net/net, cyber war puts America at a disadvantage right now. Whatever we can do to “them,” chances are they can do more to us. We need to change that situation.

Unless we reduce our vulnerabilities to cyber attack, we will suffer from self-deterrence. Our knowing about what others could do to us may create a situation in which we are reluctant to use our superiority in other areas, like conventional weapons, in situations where it might be warranted for us to get involved. Other nations’ cyber weapons may deter us from acting, not just in cyberspace but in other ways as well. In future scenarios, like ones involving China and Taiwan, or China and the offshore oil dispute, will an American President really still have the option of sending carrier battle groups to prevent Chinese action? What President would order the Navy into the Taiwan Straits, as Clinton did in 1996, if he or she thought that a power blackout that had just hit Chicago was a signal and that blackouts could spread to every major American city if we got involved? Or maybe the data difficulties the Chicago Mercantile Exchange might have just experienced could happen to every major financial institution? Worse yet, what if the Chairman of the Joint Chiefs tells the President that he does not really know whether the
Chinese can launch a damaging cyber attack that would leave the carrier battle group sitting helpless in the water? Would the President run the risk of deploying our naval superiority if trying to do so might only demonstrate that an opponent can shut down, blind, or confuse our forces?

The fact that our vital systems are so vulnerable to cyber war also increases crisis instability. As long as our economic and military systems are so obviously vulnerable to cyber war, they will tempt opponents to attack in a period of tensions. Opponents may think that they have an opportunity to reshape the political, economic, and military balance by demonstrating to the world what they can do to America. They may believe that the threat of even greater damage will appear credible and will prevent a U.S. response. Once they do launch a cyber attack, however, the U.S. leadership may feel compelled to respond. That response might not be limited to cyberspace, and the conflict could quickly escalate and get out of control.

These current circumstances argue for rapidly taking steps to reduce the strategic imbalance in which the U.S. is disadvantaged by the advent of cyber war capabilities. The answer is not to just add to our cyber offensive superiority. More U.S. cyber attack capability is unlikely to improve the imbalance or end the potential crisis instability. Unlike in conventional war, a superior offense cannot be certain to find and destroy all of the opponent’s offensive capability. The tools needed to cripple the U.S. may already be in the U.S. They may not even have entered America through cyberspace, where they might be discovered, but rather on CDs in diplomatic pouches, or in USB thumb drives in businessmen’s briefcases.

What is needed to reduce the risk that a nation-state will threaten to use cyber weapons against us in a crisis is for the U.S. to have a credible defense. We must cast so much doubt in the mind of the potential attacker that an attack will work against our defenses that they are he would be deterred from trying it. We want potential
opponents to think that their cyber arrows might just bounce off our shields. Or at least they should think that enough of our key systems are sufficiently protected that the damage they can do to us will not be decisive. We are a long way from there today.

Defending the U.S. from cyber attacks should be the first goal of a cyber war strategy. After all, the primary purpose of any U.S. national security strategy is the defense of the United States. We do not develop weapons for the purpose of extending our hegemony over various domains (the seas, outer space, cyberspace), but as a way to safeguard the nation. While that seems simple enough, it gets complicated quickly because there are those who believe that the best way in which to defend is to attack and destroy the opponent before they can inflict damage on us.

When General Robert Elder was commander of the Air Force Cyberspace Command he told reporters that although his command has a defensive responsibility, it planned to disable an opponent’s computer networks. “We want to go in and knock them out in the first round,” he said. This is reminiscent of another Air Force general, Curtis LeMay, who in the 1950s, as commander of Strategic Air Command, explained to RAND Corporation analysts that his bombers would not be destroyed on the ground by a Soviet attack because “we’re going first.”

That kind of thinking is dangerous. If we do not have a credible defense strategy, we will be forced to escalate in a cyber conflict very quickly. We will need to be more aggressive in getting our adversary’s systems so that we can stop their attacks before they reach our undefended systems. That will be destabilizing, forcing us to treat potential adversaries as current ones. We will also need to take a stronger declaratory posture to try to deter attacks on our systems by threatening to “go kinetic” in response to a cyber attack, and it will be more likely that our adversaries will think they can call that bluff.

One reason that many U.S. cyber warriors think that the best
defense is a good offense is their perception of how difficult it would be to defend only by protecting. The military sees how extensive the important targets are in America’s cyberspace and throws up its hands at the task of defending them all. Besides, they note (conveniently) that the U.S. military does not have the legal authority to defend privately owned and operated targets in the United States such as banks, power companies, railroads, and airlines.

This argument is the same one the Bush Administration made about Homeland Security after 9/11: that it would be too expensive to defend the U.S. against terrorists at home, so we needed to go to “the source.” That thinking has had us knee deep in two wars for the last decade at a cost projected to reach $2.4 trillion, and has already cost over 5,000 American lives.