Preparing for cyber war is very complicated
Writing in yesterday’s Washington Post, Mike McConnell — a retired U.S. Navy vice admiral, former director of the National Security Agency, and former director of national intelligence — called on the United States to prepare for cyber warfare. McConnell calls for developing a capability to deter cyber attacks (presumably through the threat of retaliation) and to develop the capabilities and policies to apply preemption against cyber aggressors who aren’t persuaded by deterrence.
Nuclear deterrence kept the peace during the Cold War. Data mining and drone hits may be keeping al Qaeda at bay. But fixing America’s vulnerability to cyber attack will be much more complicated. And disruptive — it may require the “Balkanization” of the World Wide Web and a de facto government seizure of the country’s telecommunications infrastructure.
In his essay, McConnell reminds us of some features of the internet that currently make deterrence theory impractical. Anonymity is built into the current structure. It is difficult to retaliate (or bring legal action) if one cannot identify the perpetrator. A new, redesigned, and security-conscious World Wide Web could require user authentication. But many would be un—to use such a system. After a cyber “Pearl Harbor,” some governments may require the addition of security features that defenders of privacy and individual liberty have thus far resisted. The result could be the breakdown of the World Wide Web into a multitude of internets that, due to security features, will not link to each other.
The private sector telecommunication firms that provide the backbone of the internet have made enormous capital investments on which they expect a return. Further innovation in telecommunication will require further capital investments, which won’t occur unless these firms have a prospect of making reasonable returns on those investments. These firms want a mass, unified market, not Balkanization. Governments, responsible for national security, will have a different perspective. McConnell calls for the two sides to work together on the security problem. But if a cyber “Pearl Harbor” happens first, de facto nationalization might be the result.
Finally, McConnell mentions deterrence but doesn’t get explicit on how the U.S. would or should employ retaliation (assuming it could find an attacker in the first place). Assuming legal and diplomatic remedies in a certain case are meaningless, must the U.S. respond to a cyber attack only with cyber retaliation? Once again, the analogy to the Cold War breaks down. The U.S. built a nuclear arsenal as large as it needed and made it clear that it held at risk assets that adversaries valued. The U.S. did what it needed to do to achieve “escalation dominance.” In cyber warfare, the U.S. is on the losing side of escalation dominance. With a very high density of computers and telecom systems, the more a cyber war escalates, the more the U.S. will suffer.
However, the U.S. retains (at least for now) its dominance in purely military responses. Will U.S. cyber deterrence doctrine contemplate the use of Tomahawk cruise missiles or B-2 strikes in response to a large-scale cyber attack? If an attack doesn’t go “bang,” is it war?
McConnell’s essay urges action on cyber defense. But there are a lot of cyber players inside the U.S. and they have a long list of things to work out with each other. I’m not counting on progress any time soon — and that probably won’t be fast enough.
