Read Cyber War: The Next Threat to National Security and What to Do About It Online

Authors: Richard A. Clarke,Robert K. Knake


In case the U.S. Air Force is ever given the order to do as one of its ads suggests (“A power blackout is just a blackout. But in the future, it could be a cyber attack.”), the mission will likely fall to the Fighting 67th. Their motto, from pre-cyber days as an aerial reconnaissance outfit, is Lux Ex Tenebris (Light from Darkness). Perhaps they will soon modify it to Tenebra Ex Luce. Despite the demotion of their command, the Air Force lost little of their zeal for cyber war. In the summer of 2009, the head of the U.S. Air Force, General Norton Schwartz, wrote to his officers that “cyberspace is vital to today’s fight and to the future U.S. military advantage [and] it is the intent of the United States Air Force to provide a full spectrum of cyberspace capabilities. Cyberspace is a contested domain, and the fight is on—today.”

Not to be outdone, the U.S. Navy also reorganized. The Chief of Naval Operations, Admiral Gary Roughead (really), gave himself a new Deputy for Information Dominance. It’s not just Roughead and his sailors who are into dominance; the U.S. military in general repeatedly characterizes cyberspace as something to be dominated. It is reminiscent of the Pentagon’s way of speaking of nuclear war in the 1960s. The historian of nuclear strategy Lawrence Freedman noted that William Kaufmann, Henry Kissinger, and other strategists realized that there was a need then “to calm the spirit of offense, potent in Air Force circles…[whose] rhetoric encouraged a view of war that was out-moded and dangerous.” That same sort of macho rhetoric is strong in Air Force cyber war circles today, and apparently in the Navy as well.

Admiral Roughead created not just a Dominance office on the Navy Staff, but a new “war-fighting” command. The 5th Fleet sails the Arab Gulf, the 6th Fleet the Mediterranean, and the 7th the China Sea. To fight cyber war, the U.S. Navy has reactivated its 10th Fleet. Originally, a small organization during World War II that coordinated antisubmarine warfare in the Atlantic, the 10th Fleet was disbanded shortly after victory over Germany in 1945. Then as now, the 10th Fleet was a “paper” or “phantom” fleet that had no ships. It was a land-based organization that filled a necessary coordinating role. Modest in scope and scale, the 10th Fleet in World War II served its limited purpose well with no more than fifty intelligence officers. This time, the Navy has much more ambitious plans for the 10th Fleet. The existing Naval Network Warfare Command, known as NETWARCOM, will continue its operational responsibilities subordinated to the 10th Fleet. Although the Navy has not done the sort of public self-promotion of its cyber warriors that the Air Force has, they insist that they have as much tech savvy as “the fly boys.” Perhaps to prove that point, one Naval officer told me, “You know, the 10th Fleet took a pretty bad licking from the Cardassians in 2374,” thus proving that the current U.S. Navy at least has Trekkies, if perhaps not as many geeks as the Air Force.

For its part, the Army’s cyber warriors are mostly contained in the Network Enterprise Technology Command, the 9th Signal Command at Fort Huachuca, Arizona. Members of this unit are assigned to the signal commands in each geographic region of the world. Network warfare units, what the Army calls NetWar units, under the Army’s Intelligence and Security Command, are also forward-deployed to support combat operations alongside traditional intelligence units. They work closely with NSA to deliver intelligence to war fighters on the ground in Iraq and Afghanistan. The Army Global Network Operations and Security Center, known by the awkward acronym A-GNOSC, manages LandWarNet, which is what the Army calls its portion of the Department of Defense’s networks. In July 2008, the Army stood up its first NetWar Battalion. If the Army sounds like the least organized of the services to fight cyber war, that is because it is. After the decision to create Cyber Command was made, the Secretary of Defense mandated the creation of an Army task force to review the Army’s cyber mission and organization to support that mission.

While most people who followed the fight over cyber war in the Pentagon thought NSA won it, former NSA Director Ken Minihan was not satisfied, and that gave me pause. Ken is a friend whom I have known since, as an Air Force three-star general, he took over NSA in 1996. He believes that NSA and the U.S. military’s approach to cyber operations needs to be rethought. The Navy, he thinks, is focused only on other navies. The Air Force is focused on air defense. The Army is hopelessly lost, and the NSA remains at heart an intelligence collection agency. “Not one of these entities is sufficiently focused on foreign counterintelligence in cyberspace, or on gaining hold of foreign critical infrastructure that the U.S. may want to take down without dropping a bomb in the next conflict.” He believes that cyber war planning today lacks a “requirements process,” a national-level planning system to get NSA and other organizations working on the same page. “Right now, they are all focused on doing what they want to do, not what a President may need them to be able to do.”

Minihan and McConnell are both concerned that U.S. Cyber Command cannot defend the United States. “All the offensive cyber capability the U.S. can muster won’t matter if no one is defending the nation from cyber attack,” said McConnell. Cyber Command’s mission is to defend DoD and maybe some other government agencies, but there are no plans or capabilities for it to defend the civilian infrastructure. Both former NSA Directors believe that mission should be handled by the Department of Homeland Security, as in the existing plans; but both men contend that Homeland has no current ability to defend the corporate cyberspace that makes most of the country work. Neither does the Pentagon. As Minihan put it, “Though it is called the ‘Defense’ Department, if called on to defend the U.S. homeland from a cyber attack carried out by a foreign power, your half-trillion-dollar-a-year Defense Department would be useless.”

THE SECRET ATTEMPT AT A STRATEGY

The perception that cyberspace is a “domain” where fighting takes place, a domain that the U.S. must “dominate,” pervades American military thinking on the subject of cyber war. The secret-level National Military Strategy for Cyber Operations (partially declassified as a result of a Freedom of Information Act request) reveals the military’s attitude toward cyber war, in part because it was written as a document that we, the citizens, were never supposed to see. It is how they talk about it behind the closed doors of the Pentagon. What is striking in the document is not only the acknowledgment that cyber war is real, but the almost reverential way in which it is discussed as the keystone holding up the edifice of modern war-fighting capability. Because there are so few opportunities to hear from the U.S. military on cyber war strategy, it is worth reading closely the secret-level attempt at a cyber war strategy.

The document, signed out under a cover letter from the Secretary of Defense, declares that the goal is “to ensure the US military [has] strategic superiority in cyberspace.” Such superiority is needed to guarantee “freedom of action” for the American military and to “deny the same to our adversaries.” To obtain superiority, the U.S. must attack, the strategy declares. “Offensive capabilities in cyberspace [are needed] to gain and maintain the initiative.” At first read, the strategy sounds like a mission statement with a bit of zealotry thrown in. On closer examination, however, the strategy reflects an understanding of some of the key problems created by cyber war. Speaking to the geography of cyberspace, the strategy implicitly acknowledges the sovereignty issue (“the lack of geopolitical boundaries…allows cyberspace operations to occur nearly anywhere”) as well as the presence of civilian targets (“cyberspace reaches across geopolitical boundaries…and is tightly integrated into the operations of critical infrastructure and the conduct of commerce”). It does not, however, suggest that such civilian targets should be off-limits from U.S. attacks. When it comes to defending U.S. civilian targets, the strategy passes the buck to the Department of Homeland Security.

The need to take the initiative, to go first, is dictated in part by the fact that actions taken in cyberspace move at a pace never before experienced in war (“cyberspace allows high rates of operational maneuver…at speeds that approach the speed of light…. [It] affords commanders opportunities to deliver effects at speeds that were previously incomprehensible”). Moreover, the strategy notes that if you do not act quickly, you may not be able to do so because “a previously vulnerable target may be replaced or provided with new defenses with no warning, rendering cyberspace operations less effective.” In short, if you wait for the other side to attack you in cyberspace, you may find that the opponent has, simultaneously with their attack, removed your logic bombs or disconnected the targets from the network paths you expected to use to access them. The strategy does not discuss the problems associated with going first or the pressure to do so.

The importance of cyberspace and cyber war to the U.S. military is revealed in the strategy’s declaration that “DOD will conduct kinetic missions to preserve freedom of action and strategic advantage in cyberspace.” Translated from Pentagonese, that statement means that rather than cyber attacks being just some support mechanism of a shooting war, the Defense Department envisions the need to bomb things in the physical world to defend against cyber attack, or to drive an enemy into networks that American cyber warriors control.

The strategic concept of deterrence is discussed in the strategy only insofar as it envisions a desired end state where “adversaries are deterred from establishing or employing offensive capabilities against US interests in cyberspace.” Since twenty or thirty nations have already established offensive cyber units, we apparently did not deter them from “establishing.” The way to stop those nations from using that capability against us, however, is discussed as “inducing adversary restraint based on demonstrated capabilities.” However, the secrecy surrounding U.S. offensive cyber war weapons means that we have no demonstrated capabilities. By the logic of the U.S. military’s strategy, we therefore cannot induce adversary restraint. The strategy does not suggest a way around this conundrum, let alone recognize it. Thus, what is called a military strategy for cyber operations raises some of the key issues that would need to be addressed in a strategy, but it does not provide answers. It is not really a strategy, but more of an appreciation. To the extent that it provides guidance, it seems to argue for initiating combat in cyberspace before the other side does, and for doing all that may be needed to dominate in cyberspace, because to do otherwise would put other kinds of American dominance at risk.

Buried in the document is, however, a realistic assessment of the problems facing the U.S. in cyber war: “threat actors can take advantage of [our] dependence” on cyberspace; and, “absent significant effort, the US will not continue to possess an advantage in cyberspace” and the U.S. will “risk parity with adversaries.” Put another way, the strategy does note the fact that other nations may be able to inflict cyber war damage on us equal to our ability to inflict it on them. It may actually be worse, because we have a greater dependence on cyberspace, which can play to the advantage of an attacker.

If the U.S. is so vulnerable, to whom is it vulnerable? Who are the other cyber warriors?

WAKE-UP CALL FROM KUWAIT

It may have been the first Gulf War that convinced the generals of China’s People’s Liberation Army (PLA) that they needed a special advantage, an asymmetrical technical capability against the United States.

It was the first real war the U.S. had fought since Vietnam. In the decades before the 1990–91 Gulf War, the U.S. military had been relatively constrained abroad, by the continued presence of the Soviet Union and its nuclear arsenal. The invasions of Grenada by President Reagan and Panama by the first President Bush had been small engagements in our own backyard, and yet they had not gone terribly well. In those conflicts, U.S. military operations still showed the kind of dysfunction and poor coordination that marked the failed Desert One Mission in Iran in 1979 and helped to end the presidency of Jimmy Carter. Then came Desert Storm. President George H. W. Bush and his cabinet assembled the largest coalition since World War II. More than thirty nations coalesced against Saddam Hussein, bringing together more than 4,000 aircraft, 12,000 tanks, and nearly 2 million military personnel, all paid for by donations from Japan, Germany, Kuwait, and Saudi Arabia. The war was to mark a new era in international relations, what General Brent Scowcroft, President Bush’s National Security Advisor, went so far as to call a “new world order.” In it, the sovereignty of all nations would be respected and the mission of the United Nations would finally be fulfilled, now that the Soviet Union was no longer in a position to check such actions. Desert Storm was also the dawn of a new kind of warfare, dominated by the computer and other high technology to manage logistics and provide near-realtime intelligence. The Armed Forces Communications and Electronics Association, an American industry group, publicly documented just how dramatically the use of computer networks changed that war in its 1992 book, The First Information War.

While General Norman Schwarzkopf and the other military brass may not have been ready to use cyber weapons to take down the Iraqi air defense network, they were ready to embrace computer networks to target the enemy. The war fighters also loved the new breed of “smart weapons” that information systems technology made possible. Designed to replace traditional bombs that required many missions and many tons of munitions dropped to destroy a target, “smart bombs” were designed to put one bomb, and one bomb only, precisely on each target every time. They would greatly reduce the number of missions that needed to be flown and promised to nearly eliminate civilian collateral-damage casualties.

Of course, the “smart weapons” of 1991 were not so smart, and there were not too many of them. In the 1996 movie Wag the Dog, a fictional political operative named Conrad “Connie” Brean, played by Robert De Niro, claims that the famous missile down a chimney was done in a studio in Hollywood. “What’s the thing people remember about the Gulf War?” Brean asks. “A bomb falling down a chimney. Let me tell you something: I was in the building where we filmed that with a ten-inch model made out of Legos.” What De Niro’s character claimed wasn’t true, but the smart bombs of 1991 were overhyped. While the video was real, the tightly controlled media did not seem to realize that most of the bombs dropped were not precision munitions guided by lasers and satellites but “dumb” bombs, dropped in the thousands by B-52s. The smart bombs then were unreliable and in short supply, but they showed the direction that warfare was moving in, and they showed the Chinese that they were decades behind.
