Several recent media articles suggest
that any physical attack on Syria would be preceded by cyber attacks. That is,
the initiation of a kinetic war would begin with acts of cyber war.
I first began thinking about, and engaging experts on, cyber
war issues in the mid-1990s, when the National Defense University created a
small school to serve as a sort of "Cyber War College." Main
stream faculty (I don't mean that in a bad way -- the people best respected as
voices of accepted strategic thought) rejected the approach out of hand.
They just did not see cyber as a big issue in current or future military
operations. Remember -- this is the period where we were having a bitter
debate about replacing the 35mm projectors in every classroom with computers
and PowerPoint slides.
I took a different approach. I
supported the guys running the cyber learning experiment and learned as much about
it as I could . . . but was very skeptical of what I saw developing, for three
reasons.
First, I sensed a traditional
American belief that we were going to create and control this technology and
dominate everybody else. That's not the way defense technology has
worked in the past. Ask J. Robert Oppenheimer, “The Father of the Atomic
Bomb,” and he will tell you
that, “if you build it, they will build it too”. In fact, while our Department of
Defense has been developing world-class cyber capabilities for the military, our
cyber defenses of industry, finance and critical infrastructure have been losing ground. Any cyber counter-strike
will come against the American economy, and impact the American people more
than the American government. The result is not likely to be pretty on
our end.
Second, the concepts I saw emerging were primarily operational with very
little strategic thought. No one seemed to be asking “once we develop and
use cyber weapons, what happens next?” What would be the consequences, and the unintended
consequences? General Eisenhower initially thought of nuclear
weapons as just bigger bombs. But President
Eisenhower, quickly realized that the use of a nuclear weapon requires thinking
about much more than the size of the explosion. He had to think of the Soviet
response . . . what would happen next? Nations
have spent centuries developing schools of strategy for the use of
conventional weapons. Modern
politicians, strategists, and citizens have spent six decades developing
and publicly debating strategies for using (and deterring the use of) nuclear
weapons. But all discussion of using cyber weapons has been classified
and confined to the relatively few operators involved. Almost none of our citizens, traditional defense experts
(think tanks, academic researchers, congressional and military staffs, etc.) OR
THE MEDIA have been involved in thinking about how to use these weapons, and
what will happen next. This means that what happens after we use our cyber
capabilities will come as a surprise to everyone . . . including us.
Third, what disturbs me most
about this new approach to warfare is that we can never know ground
truth about what weapons exist and what weapons are used. If you think sorting
out who used chemicals in Syria is hard, try determining:
--
Who turned off the electricity to a hospital and killed patients?
--
Who open the gates of a hydroelectric dam and flooded villages downstream?
--
Who seized control of a nuclear reactor and caused the core to melt and
explode?
Last
spring an American general claimed that the US could enter an enemy command and
control network and prevent the launch of a missile with a nuclear warhead. A rational
listener might wonder if we could just as easily enter the system and launch
that missile on our own. If Iran ever launches a nuclear weapon against Israel,
I expect them to go to the UN immediately and claim that US cyber experts
actually did the dirty deed. Who do you think
the world would believe? How would we prove our innocence?
I
am not against developing or using cyber capabilities. Defensive cyber capabilities,
in particular, are absolutely essential in
today's world. And I am not against operational secrecy. There is no need
to telegraph our punch when we are preparing for war.
But an unpredictable, invisible, untraceable, and poorly
understood weapon is a dangerous weapon. Before we turn enthusiastic
operators loose to experiment with acts of war in the volatile Mid East, I
would like to see a bit more discussion of the capabilities, rules and
constraints of cyber war with the people who will ultimately pay the price for
either the success or failure of this venture.
That would be the citizens of the United
States.
