
Cyberwar, Anyone?

By Col. Alan D. Campen, USAF (Ret.)

“One if by land, and two if by sea,” but what if by cyberspace?

Having long relied upon military prowess and diplomatic skills to project and protect its interests on the seas, on land and in aerospace, the United States now is in conflict with stateless entities seeking hearts and minds, not land or treasure. It is a global contest of words and images, waged on a battlefield called cyberspace where rules of engagement that govern traditional conflict don’t apply and plans for a multiagency effort to protect the information infrastructure have not yet been adopted. 

Should we call this struggle a war? If so, what laws and rules govern conduct? How serious is the threat of malicious intrusions into—and manipulation of—information systems, and can the vulnerabilities, particularly in the Internet, be sufficiently reduced? Should we respond to these intrusions in kind, and if so, by which agencies and by what means? And what is the role of U.S. armed forces in a battle of words? Recent events have converged to bring the subject of network vulnerability, threats, risks and responses to the fore.

Assaults on Estonian, U.S., U.K., British and German government information systems have refueled alarm over security gaps in the Internet, calling into question the ability of wired nations to function under, respond to and recover from network disruptions. The May 9, 2007, attack on Estonia obliged that nation to sever external connectivity to its government Web sites temporarily, with resultant losses in the tens of millions of euros. Reports that e-mail service in the Office of the Secretary of Defense was interrupted for several days also suggest that nation-states could have been behind the disruption as well as behind electronic dumpster diving into information systems of U.S. defense contractors. Still, while important government functions were disrupted by these intrusions, no nation has been brought to its knees. Expensive? Yes. Damaging? Certainly. Manageable? Apparently. But, casus belli?

These probes demonstrate the potential for severe disruption to governance from attacks on the U.S. critical information infrastructure by any nation-state, terrorist group or even—apparently in the Estonian instance—a mob of motivated amateurs.

The U.S. military understandably is concerned about vulnerabilities in its information infrastructure. All of its functions depend on reliable sensing, analysis and exchange of information, and too much of that travels over vulnerable civil networks. But, as Lt. Gen. Douglas E. Lute, USA, then J-3, the Joint Chiefs of Staff, has allowed, “no one in the U.S. military has been tasked with the mission of attacking these intangibles [the Internet].”

U.S. military services are attentive to the risk of a charge of war crimes if their electronic warfare tools were to severely disrupt critical civilian computers or those of noncombatant nations. Nonetheless, while admitting in congressional testimony that military ventures in this new domain are likely to raise legal and policy questions, the armed forces are girding for offensive operations in cyberspace (SIGNAL Magazine, June 2007 and August 2007).

Vice Chairman of the Joint Chiefs of Staff Gen. James E. Cartwright, USMC, speaking in his previous role as commander of the U.S. Strategic Command, told a congressional committee, “History teaches us that a purely defensive posture poses significant risks … and the best defense against cyberattacks—be they against military, civil or commercial networks—is to go on the offensive.” Commenting on these remarks in an article titled “A Look at Offensive Cyberwarfare,” Strategic Forecasting Incorporated avers that military plans for offense in cyberspace may have reached the point where “congressional oversight and approval” might be required.

A cautious and conditioned approach by the armed forces is prudent because much of this struggle is being waged through information systems outside the classic battlefield, and the consequences of offensive electromagnetic attacks are unpredictable. The battle against improvised explosive devices (IEDs) is being fought in the radio frequency spectrum where civil and military uses are inextricable. Such conditions constrain the military from employing what in the past were legitimate military electromagnetic countermeasures—then and still called electronic warfare.

Cyberspace is best defined by terms other than “mission,” “infosphere” or “environment,” as these yield no useful metrics. Cyberspace consists of two measurable elements: connectivity and content. Connectivity encompasses the physical hardware, software and connecting electromagnetic or cable media that permit the generation, transfer, storage and sharing of data. These tangible elements are vulnerable to disruption by anyone, anywhere, with the motivation and means to do so. The measure of effectiveness (MOE) of information assurance is confidence in the ability to attain and maintain information superiority in stressed networks while denying that to opponents.

The second element of cyberspace is content. Here the human mind is the target, and the goal is to influence behavior. The MOE is the ability of a strategic communications campaign to persuade a billion plus Muslims to join or remain neutral in a struggle being waged over the Internet and other media. The Economist magazine evaluated U.S. public information strategies and concluded in its July 14, 2007, edition that the Internet is al-Qaida’s “best friend.”

We ought not be surprised to find U.S. armed forces preparing for nonkinetic offensive operations against the tangible elements of cyberspace. Disrupting an opponent’s “lines of communications,” be they physical or electromagnetic, is a lawful tactic under the rules of armed conflict. At issue now is the applicability in a conflict being waged outside the boundaries of the traditional battlefield and one where adversaries are not just insurgents or terrorists but criminals and, potentially, other nation-states.

The 2006 Summer Study by the Defense Science Board (DSB) on Information Management for Net-Centric Operations assessed the military role in such a conflict and concluded that because the U.S. military is “engaging in a fundamental trade of massed forces for massed electrons … a combat information capability has become a critical weapon system.” Its April 2007 report says that potential adversaries need to know that it [our military arsenal] contains a “powerful hard- and soft-kill (cyber-warfare) means for attacking adversary information and command support systems at all levels.” As 8th Air Force commander Lt. Gen. Robert J. Elder Jr., USAF, acknowledges in the August 2007 issue of Air Force Magazine, “the new [Air Force Cyberspace Command] will have the ability to attack the networks of other countries, but that will always be a lesser consideration.” The pertinent question is, Short of a declared war against a nation-state, what considerations would justify U.S. armed forces shutting down, say, the banking system of an opponent? Military commanders who might employ offensive information capabilities are attentive to the risks of actions not clearly governed by the rules of armed conflict. As a senior U.S. Air Force officer said, “there are no rules of engagement and no legal basis from [sic] what can be done through electronic means … Cyberwar is incredibly important, but I’m going to sit down with my lawyers and talk about it.”

It is an exasperating reality, but the Internet is a global commons, owned and occupied by millions of equities that are not subject to selective sanctions or penalties. Further, while the U.S. armed forces may be the best equipped to employ offensive network-warfare practices in a global counterinsurgency campaign, they are not the only government agency with functions held hostage by a vulnerable Internet, nor are they the one with principal authority and ability to respond.

Network warfare can and should target the information systems through which al-Qaida and other insurgents exercise command and control, and employ Web sites and chat rooms to reconstitute, recruit, train, plan attacks and propagandize their successes. The July 30, 2007, issue of Newsweek quotes a U.S. national intelligence officer reporting that “many jihadist [Internet] sites are now established in English … and are calling for attacks against the United States.” A report issued by the New York City Police Department warns that the most serious security threat to the United States is the growth of homegrown radical Islamists, whose interests and efforts are being fueled by the Internet.

That conflict has morphed into the information realm should not come as a surprise, says Texas Tech’s Southeast Asia expert Dr. Laura M. Calkins. In her case study of counterinsurgency tools in Indochina, she writes that “this Communist-led insurgency used radio broadcasts to organize, direct and monitor its members scattered through the area and to build an organization that fought the French Union Forces for nine years.” Calkins continues that “while the French, British and Americans monitored these broadcasts, many of which were in the clear, they did not recognize some of the critical information on Viet Minh activities that these broadcasts contained.” Evan Kohlmann argues in “The Real Online Terrorist Threat” (Foreign Affairs, September-October 2006) that the United States should “leave these Websites online but watch them carefully … [as] they also offer Western governments unprecedented insight into terrorists’ ideology and motivations.”

Bruce Schneier, a respected authority on uses and abuses in the information realm, writes that the careless and all-inclusive use of the term “war” includes “everything from acts by terrorists to script kiddies having fun.” Depending upon whose ox is being gored, mischief on the Internet could be labeled cyberterrorism, cybercrime or cybervandalism. While improving defenses against any of these intrusions is a sound reaction, some commentators caution that offensive responses may be not only illegal but also not predictably effective.

Those advocating offensive actions contend that defensive efforts to insulate the Internet against abuse have been, are and will continue to be ineffective. Indeed the DSB report cautions that the “network/COTS [commercial off the shelf] approach also has the potential to significantly increase vulnerabilities to internal and external threats.” That report finds the Internet to be a deliberately “flat” network where “every piece of subscriber equipment has an IP [Internet protocol] address and grants every communicant full access to that IP address and the ability to effect switching and signaling.” It goes on to urge that “DOD activities should also include a serious look at the risks, vulnerabilities and challenges introduced by using this [commercial] technology.”

How important is the external threat? In a New York Times article titled “Who Needs Hackers?” John Schwartz contends that “some of the most serious, even potentially devastating, problems with networks arise from sources with no malevolent component.” He quotes experts from industry and academia, remarking that “systems are falling apart by themselves. … The threat is complexity itself.”

Former defense department official Christopher Mellon is another who offers no encouragement for defending the Internet. He argues in the August 2007 issue of SIGNAL Magazine that the present Web-based system “is not and will never be secure,” contending that nothing short of a totally new architecture would provide the protection required.

Paul Strassmann, former U.S. Defense Department chief information officer and now distinguished professor of information sciences at George Mason University, suggests a more feasible remedy. He recommends that “we need to take about two million NIPRNET [nonsecure Internet protocol router network] and SIPRNET [secret Internet protocol router network] sources away from computers that have removable disk drives, have universal serial bus (USB) ports and operate under the control of a Microsoft operating system that can be easily penetrated.” He continues, “Instead of monitoring two million computer devices—an infeasible task because of human error—I would rather concentrate DOD NIPRNET and SIPRNET defenses into less than 500 heavily defended computers hidden behind elaborate Web firewalls. I would also mandate the archiving of all transactions for real-time analysis by intelligence to detect compromises from inside sources. With regard to denial-of-service attacks, I would architect the entire network to make it possible to instantly shed incoming traffic from attackers and to relocate applications to one of several back-up computers.”

The DSB report is in agreement that “some things should be out of the grasp of subscribers who have no legitimate need to touch them.” Now add an order of magnitude increase in network vulnerability that surely will accompany Internet protocol version 6 (IPv6), multifunctional cell phones, unsecured USB devices and telework from home, and defense against the “insider threat” will be beyond the reach of even the most diligent security official.

Finally, there are political limits to defensive measures. No nation can unilaterally defend networks owned by nation-states, commercial companies and individuals. Almost 200 nations connect to the Internet, and there is no agreement among them as to whether or how it should or could be policed. This political constraint will persist until, as suggested by a Washington, D.C., think tank, some international body, perhaps patterned after the International Civil Aviation Organization or the International Telecommunications Union, is chartered to define standards of Internet behavior and enforceable sanctions for miscreants.

J. Michael Waller favors going on the offensive in cyberspace, but with words not bombs. In his book Fighting the War of Ideas like a Real War, Waller, a professor of international communications at The Institute of World Politics, quotes from the U.S. Army Field Manual 3-24, that “some of the best weapons do not shoot,” but laments our inability to employ this weapon. Waller’s book provides detailed instructions on what the United States needs to do to wield “messages to defeat the terrorists.” He asserts that the U.S. possesses a potential “secret weapon”—one deeply feared by insurgents—if only it could manage to meld public diplomacy, public affairs, information operations, international broadcasting and military special operations. Waller concludes, “The U.S. must be ashamed of using strategic influence … of waging ideological warfare” in that gray area between traditional diplomacy and lethal force. His secret weapon is “ridicule … a strategy that includes undermining the political and psychological strengths of adversaries and enemies by employing ridicule and satire as standard operating tools.”

Waller further asserts that because this is a war of ideas, it must be fought like a real war and that “the war of ideas cannot be run out of the State Department.” He argues that diplomats are not and should not be expected to become warriors and that public diplomacy must become a fundamental part of a “counterinsurgency and counterterrorism strategy.” Waller contends that “the military services have the warfighting mentality that creative and effective message-making requires.”

Efforts to weigh the respective merits of defense and offense become moot when one affixes to each the baggage of unforeseen and unintended consequences; that neither miscreants nor their motives can be irrefutably established; that users remain indifferent to federal information security standards; and that even the most robust defenses inevitably might be overwhelmed by technology and human frailty. All of which invites the conclusion that survivors on the cyberfield will be those best able to manage the consequences of catastrophic system failures, irrespective of their cause.

Col. Alan D. Campen, USAF (Ret.), is a SIGNAL contributing editor and the contributing editor to four books on information warfare and cyberwar.