The Pentagon has standing rules of engagement for network defense, such as the right of self-defense. But the line between self-defense and offensive action can be difficult to discern.
"This is a big, big problem," said one former intelligence official who noted that it took years to develop nuclear deterrence doctrine. "We are just at the beginning of figuring this out."
But the Pentagon's problem of cyber defense more closely matches the paradigm of insurgency/counterinsurgency than the Cold War structure of deterrence through the threat of retaliation. Saturday's Washington Post article on cyber defense replayed all of the recent arguments of counterterrorism versus counterinsurgency, this time played on the World Wide Web.
The Washington Post article was an interesting follow-up to Deputy Defense Secretary William Lynn's essay on cyber defense in Foreign Affairs, which I covered in my last column at Foreign Policy. The anonymous Pentagon officials in Saturday's article discussed a much more aggressive offensive response to cyber threats compared to Lynn's description in Foreign Affairs. Unwittingly mimicking the 2002 debate over what the U.S. should do about Saddam Hussein's Iraq, these officials discussed the possibility of preemptive cyber strikes against threats lurking inside computer servers located in foreign countries. Other analysts responded with concerns over the legality of such preemptive attacks and speculation whether diplomacy with the countries hosting those servers might be a more effective course.
The parallels with terrorism and insurgency are plain. Cyber insurgents hide amongst "the people" and use the anonymity and the design of the internet to mask their location. According to the Washington Post article, many U.S. officials are unsatisfied with a purely defensive (can we call it pre-9/11?) approach. Similar to advocates of a pro-active "counterterrorism" approach, they favor preemptive raids on emerging cyber threats. In contrast, a "cyber counterinsurgency" approach may be sprouting. This group could be concerned that an aggressive "cyber counterterrorism" approach could have damaging unintended consequences on neutral computer systems, driving their operators away from U.S. interests. Just as with real counterinsurgency, the foreign-located servers are the "population" and "key terrain," which the U.S. must strive to get on its side. And in a guerilla war over computer servers, the U.S. presumably has more to lose than do the insurgents.
Deterrence and retaliation doesn't seem the right model for cyber war. Instead, the emerging debate over cyber defense seems to be a replay of this decade's debates over terrorism and insurgency. Is it a law enforcement problem or a military problem? Pure defense, regardless of how "active," doesn't seem enough; the anonymous attackers have too much of an advantage. Thus calls for preemptive cyber attacks, shutting down threats before they can do crippling damage to the U.S. But are such preemptive attacks legal and might they have unintended consequences, driving more servers to cease cooperating with the U.S.? After Iraq and Afghanistan, counterinsurgents may have another battle to fight, this time "war amongst the servers."
Comments
That's not what I was saying at all. They are great tools. But they can be integrated into combat operations without becoming necessary.
Take, for example, the new M777. The digital system that ties the gun into the FDC and the FDC into the observers makes mission processing easier and faster. However, if the digital system goes down, it can simply be unhooked and fire missions can be conducted the good old fashioned way.
That's an example of correctly utilizing cyber assets without them becoming a liability.
Once you cannot operate without a cyber system, you're in trouble.
I find it best to not look at Cyber as a type of mission, but rather as a new domain that we have to be able to operate within securely.
As an example, as man went to sea, he added a new domain and came up with capabilities to operate securely upon that domain. When man went into the air, and under the sea, he did the same for those domains. Same for into space, and now Cyber.
Do we need a "Cyber Service"? I don't know, I doubt it. We do, IMO, however need to recognize that it is a new domain in which we must be able to operate, and one in which traditional concepts of deterrence are not particularly effective, nor one in which one can simply patrol lanes to operate within. It is a domain that is shared by all, good and bad, and we have no special claim to any aspect of it. We need to look at it wholistically and develop a comprehensive approach of creative deterrence options, defense, offense, etc. We will need to attract the best and brightest who understand this domain and give them the latitude to do their job.
I am not a cyber expert and of course, I'm not counter-insurgency expert either. But I really think its a tremendous intellectual leap to say that cyberwarfare is like counterinsurgency. In fact, I think I can hear COL Gentile unscrewing himself from the ceiling as we speak. ("COINdinistas think population centric COIN is the solution to every problem!")
Yes, cyber threats are able to manipulate "non-threat" computers as a means of executing attacks. But this is not the same as an enemy hiding among the population. There are no "hearts and minds" to win or "trust" to influence. There are simply 1s and 0s that can be manipulated equally by any side. The argument for a "cyber-counterinsurgency" would have to make a much stronger case than is presented here.
At best, you have the argument between defensive and pre-emptive warfare and the arguments between the "precision strike" dreams of an Air Force enamored with Effects Based Operations and the counter-argument for a "key terrain" focused Army that believes wars are always won by "seizing and holding terrain" whatever that terrain may be. That is not the same as COIN.
Furthermore, Xenophon: the low power of the 5.56mm round, not to mention the simple fact that firearms jam and run out of ammo also makes them a weakness. Wars were waged for centuries without them...we most certainly need to re-equip all US military personnel with the trusty sword, shield, and spear.
Yes, computers are a vulnerability. Yes, we need to retain the ability to employ without computers (such as being able to read a hard copy map). But computers are essential for executing war in the manner in which we do now which is to say with a heavy eye on limited casualties and an emphasis on maneuver over mass (certain aspects of COIN doctrine exempted of course). Eliminating computers would require a complete redesign of the US military and how it integrates forces.
The key is not to get rid of the computer, its to better integrate the computer into doctrine so that its recognition as a CoG drives the appropriate defensive and offensive measures. Simply throwing up our hands and saying, "protecting the computers is too tough" is not an acceptable solution.
<i>The Pentagon has standing rules of engagement for network defense, such as the right of self-defense.</i>
The best defense against cyber attacks is not relying on computer systems for defense. They can be great tools, but any computer system that is considered mission essential is a weakness. War was waged for centuries without them.