This Week at War: Their Own Private Internet

To prevent attacks, will the Pentagon have to cut itself off from the online world?

Here is the latest edition of my column at Foreign Policy:

Topics include:

1) The Pentagon’s cyberdefenders get a hopeless mission,

2) Can deterrence work on al Qaeda?

The Pentagon’s cyberdefenders get a hopeless mission

In the current issue of Foreign Affairs, Deputy Defense Secretary William Lynn reveals Operation Buckshot Yankee, the Pentagon’s effort to counter what Lynn terms “the most significant breach of U.S. military computers ever.” In 2008, a foreign intelligence service, which Lynn doesn’t identify, slipped malicious software code onto a flash drive. This flash drive was subsequently inserted into a U.S. military laptop computer in the Middle East, spreading an infection across both classified and unclassified Defense Department networks. The infection was designed to extract information from these networks and deliver it back to the foreign intelligence service. Lynn describes the Pentagon’s response to this incident as “a turning point in U.S. cyberdefense strategy” and a catalyst for wide-ranging reforms.

According to Lynn, more than 100 foreign intelligence organizations are attempting to break into U.S. networks. Lynn believes that a dozen determined hackers, if they found a vulnerability to exploit, could steal the U.S. military’s plans, blind its intelligence systems, or disrupt its military operations. On the current cyber battlefield, offense is dominant, with U.S. cyberdefenders constantly lagging behind.

Lynn states, “[T]he United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun.” In this case, the threat of punishing retaliation doesn’t apply — cyber attackers hide their identities and mask the origins of their attacks.

The U.S. government’s first response has been to get organized. The military’s cyber operations have been collected into a Cyber Command, purposely co-located with the National Security Agency (NSA). Next, the Pentagon has extended its cyber expertise to its network of essential outside contractors and to critical civilian infrastructure that the Pentagon requires for its operations. Finally, the Pentagon is establishing cyber defense alliances with the Department of Homeland Security and selected foreign allies.

These are all logical steps that the government always takes when it faces a new persistent problem. Yet by Lynn’s description of the problem, the Pentagon faces an unending siege on terms very unfavorable for those responsible for its cyber defense. Lynn and his colleagues are placing their hopes on an improved model of “active defense.” In addition to standard computer “hygiene” (anti-virus software and firewalls), the Pentagon now works with the NSA’s signal intelligence capabilities to anticipate intrusions, classify them when detected, prevent them from making a penetration, and if all of else fails, chase down and quarantine threats after they make it inside.

Although Lynn disparages a defensive Maginot Line mentality, the “active defense” he describes sounds like soldiers forever on the ramparts. Lynn aims to deter hackers by denying them the benefits of an attack. But as long as there is no cost for attacking, there is no reason to stop trying. Lynn and his colleagues hope that better cooperation within the U.S. government, and with the technology industry, computer researchers, and foreign allies, will ensure that the United States maintains its technological edge and thus the success of its cyber defenses. Regrettably, in spite of these resources, the U.S. faces a whole world of intruders and should not count on any enduring qualitative advantage over its adversaries. And that world of intruders can keep attacking without cost or risk until they slip by the defenders.

What is the answer? Lynn describes it near the end of his article: “[The Defense Advanced Research Projects Agency (DARPA)] is also challenging the scientific community to rethink the basic design of the Pentagon’s network architecture so that the military could redesign or retrofit hardware, operating systems, and computer languages with cybersecurity in mind.” In other words, the Pentagon and its supporting infrastructure should leave the current cyber battlefield that so favors its adversaries. Instead of using commercial off-the-shelf computer hardware, software, and standard Internet protocols, the Pentagon would design and install customized and exclusive systems (at least for its classified and operational applications) that would deliberately be incompatible with the rest of the Internet.

The U.S. government has a perfectly horrible record at efficiently executing large computer projects. Such an effort to overhaul the Pentagon’s computer systems would be the largest, costliest, and most complicated yet. It is thus understandable that Lynn and his colleagues would prefer to give their less-costly active defense approach a try. But this decision also leaves in place the structure that gives enduring advantages to the Pentagon’s cyber adversaries. Active defense and truly isolating the Pentagon from the rest of cyberspace are not mutually exclusive efforts. While DARPA works on cutting off the Pentagon from the rest of the world, the Pentagon’s cyber warriors will get no sleep defending the fort.

Can deterrence work on al Qaeda?

Western academics and military analysts spent decades during the Cold War working out theories of deterrence to prevent a war with the Soviet Union. Now one of those theorists — Paul Davis, a researcher at the Rand Corp. — has published a study that attempts to fashion a theory of deterrence against al Qaeda. Davis’s study is based on his review of recent academic research, blended with his attempts to fashion models and organize the variables that bear on al Qaeda’s decision-making and its ability to sustain its operations. Many hope that deterrence theorists could make as large a contribution to countering al Qaeda as they did to preventing World War III. Alas, Davis’s summary appraisal — “deterrence and other influence efforts are desirable because of their upside potential rather than the certainty or expectation of good results” — is not hopeful.

Davis takes the now-standard view that al Qaeda is a network system rather than a singular entity. He then explores the possibility that counterterrorism actors like the U.S. government might exert behavior-modifying “influence” on various parts of the al Qaeda system. During the Cold War, deterrent influence was directed at the decision-making calculations of top Soviet leaders. With al Qaeda, Davis largely bypasses the top leadership and instead focuses on the decision-making calculations of lower-level individuals and the population in which al Qaeda attempts to find shelter.

After diagramming the various social factors — such as grievances, peer group persuasion, the search for social status, disruptive societal change, etc. — bearing on individual and population support for al Qaeda, Davis seems to conclude that the United States’ ability to have a direct and positive influence on these factors is limited, except perhaps in the very long run. By contrast, Davis seems to agree with those who believe that direct attempts by the United States to manipulate these social factors against al Qaeda are more likely to makes things worse.

Davis suggests that small successes at tactical deterrence may over time accumulate to larger strategic success. For example, physical hardening of probable terrorist targets (such as airports and iconic buildings) can deter successful attacks. If such attacks are deterred for many years, Davis suggests that terror groups could lose their credibility and thus support from demoralized leaders, financiers, recruits, and the population.

Much more controversially, Davis examines the role of collective punishment. He points to Israeli research, based on interviews of current and would-be terrorists, which concluded that individual terrorist members can sometimes be deterred or dissuaded by knowledge that participation would bring severe harm to their families. That a suicide bomber may care more about his family’s lives than his own provides leverage for the counterterrorist.

Collective punishment presumably remains well beyond the pale for U.S. policymakers. As long as the damage done to the U.S. homeland by terrorists remains minimal, these policymakers get a pass at having to contemplate such harsh moral dilemmas.