Thursday, September 5, 2013

Thinking Again about Cyber War

Several recent media articles suggest that any physical attack on Syria would be preceded by cyber attacks. That is, the initiation of a kinetic war would begin with acts of cyber war. 
I first began thinking about, and engaging experts on, cyber war issues in the mid-1990s, when the National Defense University created a small school to serve as a sort of "Cyber War College."  Main stream faculty (I don't mean that in a bad way -- the people best respected as voices of accepted strategic thought) rejected the approach out of hand.  They just did not see cyber as a big issue in current or future military operations.  Remember -- this is the period where we were having a bitter debate about replacing the 35mm projectors in every classroom with computers and PowerPoint slides. 
            I took a different approach.  I supported the guys running the cyber learning experiment and learned as much about it as I could . . . but was very skeptical of what I saw developing, for three reasons.  
            First, I sensed a traditional American belief that we were going to create and control this technology and dominate everybody else.   That's not the way defense technology has worked in the past.  Ask J. Robert Oppenheimer, “The Father of the Atomic Bomb,” and he will tell you that, “if you build it, they will build it too”.  In fact, while our Department of Defense has been developing world-class cyber capabilities for the military, our cyber defenses of industry, finance and critical infrastructure have been losing ground.  Any cyber counter-strike will come against the American economy, and impact the American people more than the American government. The result is not likely to be pretty on our end.
            Second, the concepts I saw emerging were primarily operational with very little strategic thought.  No one seemed to be asking “once we develop and use cyber weapons, what happens next?” What would be the consequences, and the unintended consequences?  General Eisenhower initially thought of nuclear weapons as just bigger bombs.  But  President Eisenhower, quickly realized that the use of a nuclear weapon requires thinking about much more than the size of the explosion. He had to think of the Soviet response . . . what would happen next?  Nations have spent centuries developing schools of strategy for the use of conventional weapons. Modern politicians, strategists, and citizens have spent six decades developing and publicly debating strategies for using (and deterring the use of) nuclear weapons.  But all discussion of using cyber weapons has been classified and confined to the relatively few operators involved. Almost none of our citizens, traditional defense experts (think tanks, academic researchers, congressional and military staffs, etc.) OR THE MEDIA have been involved in thinking about how to use these weapons, and what will happen next. This means that what happens after we use our cyber capabilities will come as a surprise to everyone . . . including us.
Third, what disturbs me most about this new approach to warfare is that we can never know ground truth about what weapons exist and what weapons are used. If you think sorting out who used chemicals in Syria is hard, try determining:
-- Who turned off the electricity to a hospital and killed patients?
-- Who open the gates of a hydroelectric dam and flooded villages downstream?
-- Who seized control of a nuclear reactor and caused the core to melt and explode?
Last spring an American general claimed that the US could enter an enemy command and control network and prevent the launch of a missile with a nuclear warhead. A rational listener might wonder if we could just as easily enter the system and launch that missile on our own. If Iran ever launches a nuclear weapon against Israel, I expect them to go to the UN immediately and claim that US cyber experts actually did the dirty deed.  Who do you think the world would believe? How would we prove our innocence?

I am not against developing or using cyber capabilities. Defensive cyber capabilities, in particular, are absolutely essential in today's world. And I am not against operational secrecy.  There is no need to telegraph our punch when we are preparing for war.
But an unpredictable, invisible, untraceable, and poorly understood weapon is a dangerous weapon. Before we turn enthusiastic operators loose to experiment with acts of war in the volatile Mid East, I would like to see a bit more discussion of the capabilities, rules and constraints of cyber war with the people who will ultimately pay the price for either the success or failure of this venture.
That would be the citizens of the United States.