Cyberwar, Anyone?
“One if by land, and two if by sea,” but what if by cyberspace?
Having long relied upon military prowess and diplomatic skills to project and protect its interests on the seas, on land and in aerospace, the
Should we call this struggle a war? If so, what laws and rules govern conduct? How serious is the threat of malicious intrusions into—and manipulation of—information systems, and can the vulnerabilities, particularly in the Internet, be sufficiently reduced? Should we respond to these intrusions in kind, and if so, by which agencies and by what means? And what is the role of
Assaults on Estonian,
These probes demonstrate the potential for severe disruption to governance from attacks on the
The
Vice Chairman of the Joint Chiefs of Staff Gen. James E. Cartwright, USMC, speaking in his previous role as commander of the U.S. Strategic Command, told a congressional committee, “History teaches us that a purely defensive posture poses significant risks … and the best defense against cyberattacks—be they against military, civil or commercial networks—is to go on the offensive.” Commenting on these remarks in an article titled “A Look at Offensive Cyberwarfare,” Strategic Forecasting Incorporated avers that military plans for offense in cyberspace may have reached the point where “congressional oversight and approval” might be required.
A cautious and conditioned approach by the armed forces is prudent because much of this struggle is being waged through information systems outside the classic battlefield, and the consequences of offensive electromagnetic attacks are unpredictable. The battle against improvised explosive devices (IEDs) is being fought in the radio frequency spectrum where civil and military uses are inextricable. Such conditions constrain the military from employing what in the past were legitimate military electromagnetic countermeasures—then and still called electronic warfare.
Cyberspace is best defined by terms other than “mission,” “infosphere” or “environment,” as these yield no useful metrics. Cyberspace consists of two measurable elements: connectivity and content. Connectivity encompasses the physical hardware, software and connecting electromagnetic or cable media that permit the generation, transfer, storage and sharing of data. These tangible elements are vulnerable to disruption by anyone, anywhere, with the motivation and means to do so. The measure of effectiveness (MOE) of information assurance is confidence in the ability to attain and maintain information superiority in stressed networks while denying that to opponents.
The second element of cyberspace is content. Here the human mind is the target, and the goal is to influence behavior. The MOE is the ability of a strategic communications campaign to persuade a billion-plus Muslims to join or remain neutral in a struggle being waged over the Internet and other media. The Economist magazine evaluated
We ought not be surprised to find
The 2006 Summer Study by the Defense Science Board (DSB) on Information Management for Net-Centric Operations assessed the military role in such a conflict and concluded that because the
It is an exasperating reality, but the Internet is a global commons, owned and occupied by millions of equities that are not subject to selective sanctions or penalties. Further, while the U.S. armed forces may be the best equipped to employ offensive network-warfare practices in a global counterinsurgency campaign, they are not the only government agency with functions held hostage by a vulnerable Internet, nor are they the one with principal authority and ability to respond.
Network warfare can and should target the information systems through which al-Qaida and other insurgents exercise command and control, and employ Web sites and chat rooms to reconstitute, recruit, train, plan attacks and propagandize their successes. The July 30, 2007, issue of Newsweek quotes a
That conflict has morphed into the information realm should not come as a surprise, says Texas Tech’s
Bruce Schneier, a respected authority on uses and abuses in the information realm, writes that the careless and all-inclusive use of the term “war” includes “everything from acts by terrorists to script kiddies having fun.” Depending upon whose ox is being gored, mischief on the Internet could be labeled cyberterrorism, cybercrime or cybervandalism. While improving defenses against any of these intrusions is a sound reaction, some commentators caution that offensive responses may be not only illegal but also not predictably effective.
Those advocating offensive actions contend that defensive efforts to insulate the Internet against abuse have been, are and will continue to be ineffective. Indeed the DSB report cautions that the “network/COTS [commercial off the shelf] approach also has the potential to significantly increase vulnerabilities to internal and external threats.” That report finds the Internet to be a deliberately “flat” network where “every piece of subscriber equipment has an IP [Internet protocol] address and grants every communicant full access to that IP address and the ability to effect switching and signaling.” It goes on to urge that “DOD activities should also include a serious look at the risks, vulnerabilities and challenges introduced by using this [commercial] technology.”
How important is the external threat? In a New York Times article titled “Who Needs Hackers?” John Schwartz contends that “some of the most serious, even potentially devastating, problems with networks arise from sources with no malevolent component.” He quotes experts from industry and academia, remarking that “systems are falling apart by themselves. … The threat is complexity itself.”
Former Defense Department official Christopher Mellon is another who offers no encouragement for defending the Internet. He argues in the August 2007 issue of SIGNAL Magazine that the present Web-based system “is not and will never be secure,” contending that nothing short of a totally new architecture would provide the protection required.
Paul Strassmann, former U.S. Defense Department chief information officer and now distinguished professor of information sciences at
The DSB report is in agreement that “some things should be out of the grasp of subscribers who have no legitimate need to touch them.” Now add an order of magnitude increase in network vulnerability that surely will accompany Internet protocol version 6 (IPv6), multifunctional cell phones, unsecured USB devices and telework from home, and defense against the “insider threat” will be beyond the reach of even the most diligent security official.
Finally, there are political limits to defensive measures. No nation can unilaterally defend networks owned by nation-states, commercial companies and individuals. Almost 200 nations connect to the Internet, and there is no agreement among them as to whether or how it should or could be policed. This political constraint will persist until, as suggested by a
J. Michael Waller favors going on the offensive in cyberspace, but with words not bombs. In his book Fighting the War of Ideas like a Real War, Waller, a professor of international communications at The Institute of World Politics, quotes from the U.S. Army Field Manual 3-24, that “some of the best weapons do not shoot,” but laments our inability to employ this weapon. Waller’s book provides detailed instructions on what the
Waller further asserts that because this is a war of ideas, it must be fought like a real war and that “the war of ideas cannot be run out of the State Department.” He argues that diplomats are not and should not be expected to become warriors and that public diplomacy must become a fundamental part of a “counterinsurgency and counterterrorism strategy.” Waller contends that “the military services have the warfighting mentality that creative and effective message-making requires.”
Efforts to weigh the respective merits of defense and offense become moot when one affixes to each the baggage of unforeseen and unintended consequences; that neither miscreants nor their motives can be irrefutably established; that users remain indifferent to federal information security standards; and that even the most robust defenses inevitably might be overwhelmed by technology and human frailty. All of which invites the conclusion that survivors on the cyberfield will be those best able to manage the consequences of catastrophic system failures, irrespective of their cause.
Col. Alan D. Campen, USAF (Ret.), is a SIGNAL contributing editor and the contributing editor to four books on information warfare and cyberwar.