Some people can teach and also blog prolifically. I am not of them. I pour everything I have into preparing (perhaps over-preparing) for every graduate class I teach. And so this blog dries up during the academic year, only to be reborn during academic breaks. Such a break is now upon us, before I am consumed by summer conferences and preparation of readings and syllabi for next year. So here goes.
I teach that strategy is a concept -- the “why” of an issue -- the cause and effect relationship that links action to outcome. If we do X, then we get Y. Yes, yes – it can be much more complex. There can be lots of X’s and lots of Y’s, and we may have to prioritize and de-conflict. But basically (and this is at odds with others who have been teaching strategy and losing wars for the last two decades), strategy is a concept that proposes to get Y by doing X
Policy is the “what” of an issue -- what we are going to do to achieve the ends desired. Policy is the X in the construct, "X leads to Y."
Operations is the “how” of action -- how we are going to accomplish the policy that implements the strategy and achieves victory?
Bureaucracies craft policies and manage operations to ensure that X is implemented as efficiently and effectively as possible. For a bureaucracy, X is always the answer to a given policy issue. Not implementing X requires an “exception to policy” from someone “at a higher pay grade.”
It is sometimes hard to demonstrate for students a concept of strategic cause and effect in real time. Policies are easy to see. And history shows the cause and effect of some strategies clearly in retrospect. (See the differing concepts behind the British and American air campaigns against Nazi Germany for an example.) But identifying flashes of strategic insight in the daily business of government is hard, largely because so many government documents today are labeled “strategies” when they involve no cause-effect analysis at all. Fortunately, Congress has just provided a current example of an action (requiring the President to define a term) that may have significant strategic consequences (cause and effect).
"Senate Armed Services panel adopts cyber 'act of war' provision
“The Senate Armed Services Committee this week added a cybersecurity ‘act of war’ provision to its annual defense authorization measure, requiring the president to ‘develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States.’ The committee completed its closed-door markup of the National Defense Authorization Act on Thursday and will soon release the contents of the bill." (Inside Cybersecurity)
The goal of the committee (apparently) is to increase cybersecurity by forcing the Administration to draw a line informing both friend and foe of what cyber targets we will defend by use of force. Note that the committee does not direct what definition to use, or a resulting strategy, or how to enforce it -- just that the concept of cause and effect should be identified in public.
This strategic concept (IF we define cyber war and advise our opponents THEN we can deter those opponents, and prepare for conflict should we need to fight and defeat them), is grounded on a strategic theory -- that deterrence can and will work in the cyber world. And perhaps upon confidence that we can develop a 2d theory - how to fight and win a cyber war – if we can just define when the conflict starts.
This is a great example of strategic thought, because it addresses a great strategic concern. With our current approach to national cyber security, we are doing something rare in human history - we are allowing a small group of people to create a secret theory of deterrence and war in the cyber realm, without a broader political, military or academic discussion. By comparison, during the Cold War, the specifics of nuclear weapons and operations remained highly classified, but the general strategic concepts and policies were broadly identified and debated. Superiority or Mutually Assured Destruction? Missile Defense or Second Strike Capability? Heavy throw weight or lighter MIRVs? That robust debate, and the requirement for a public defense of public expenditures on the resulting solutions, is one of the things that kept us out of nuclear war.
History provides examples of the President’s current alternative approach which might be called “strategic ambiguity.” The idea is to deter the enemy by keeping your capabilities, intent and strategic concepts a secret, leaving your opponent unsure of exactly what will happen if he makes even a limited offensive move. The system of secret alliances prior to the First World War followed this strategic concept. The result was war on an unanticipated scale, because enemies could not anticipate the results of each others’ actions.
We are already engaged in cyber war. The Secretary of Defense said so last week at the change-of-command for the US Northern Command. He described how we are launching "cyber bombs" against ISIS (and maybe others). But under what rules? What laws? Whose control? With what strategy and policy?
Somebody apparently thinks they have a handle on the proper relationship of cyber strategy, policy and operations, because they are waging cyber war in our name. Letting us in on the concepts and getting our support – while retaining essential secrecy about capabilities and operations – is a wise approach. Thanks, Senate Armed Services Committee, for a great real time example of strategic thinking.