Small Wars Journal

Preparing for cyber war is very complicated

Mon, 03/01/2010 - 3:17pm
Writing in yesterday's Washington Post, Mike McConnell -- a retired U.S. Navy vice admiral, former director of the National Security Agency, and former director of national intelligence -- called on the United States to prepare for cyber warfare. McConnell calls for developing a capability to deter cyber attacks (presumably through the threat of retaliation) and for developing the capabilities and policies to apply preemption against cyber aggressors who aren't persuaded by deterrence.

Nuclear deterrence kept the peace during the Cold War. Data mining and drone hits may be keeping al Qaeda at bay. But fixing America's vulnerability to cyber attack will be much more complicated. And disruptive -- it may require the "Balkanization" of the World Wide Web and a de facto government seizure of the country's telecommunications infrastructure.

In his essay, McConnell reminds us of some features of the internet that currently make deterrence theory impractical. Anonymity is built into the current structure. It is difficult to retaliate (or bring legal action) if one cannot identify the perpetrator. A new, redesigned, and security-conscious World Wide Web could require user authentication. But many would be unwilling to use such a system. After a cyber "Pearl Harbor," some governments may require the addition of security features that defenders of privacy and individual liberty have thus far resisted. The result could be the breakdown of the World Wide Web into a multitude of internets that, due to security features, will not link to each other.

The private sector telecommunication firms that provide the backbone of the internet have made enormous capital investments on which they expect a return. Further innovation in telecommunication will require further capital investments, which won't occur unless these firms have a prospect of making reasonable returns on those investments. These firms want a mass, unified market, not Balkanization. Governments, responsible for national security, will have a different perspective. McConnell calls for the two sides to work together on the security problem. But if a cyber "Pearl Harbor" happens first, de facto nationalization might be the result.

Finally, McConnell mentions deterrence but doesn't get explicit on how the U.S. would or should employ retaliation (assuming it could find an attacker in the first place). Assuming legal and diplomatic remedies in a certain case are meaningless, must the U.S. respond to a cyber attack only with cyber retaliation? Once again, the analogy to the Cold War breaks down. The U.S. built a nuclear arsenal as large as it needed and made it clear that it held at risk assets that adversaries valued. The U.S. did what it needed to do to achieve "escalation dominance." In cyber warfare, the U.S. is on the losing side of escalation dominance. With a very high density of computers and telecom systems, the more a cyber war escalates, the more the U.S. will suffer.

However, the U.S. retains (at least for now) its dominance in purely military responses. Will U.S. cyber deterrence doctrine contemplate the use of Tomahawk cruise missiles or B-2 strikes in response to a large-scale cyber attack? If an attack doesn't go "bang," is it war?

McConnell's essay urges action on cyber defense. But there are a lot of cyber players inside the U.S. and they have a long list of things to work out with each other. I'm not counting on progress any time soon -- and that probably won't be fast enough.

Comments

Chuck Chappell (not verified)

Wed, 03/03/2010 - 11:40am

Key networked infrastructure vulnerabilities, of the cyber and national power grid kinds, are similar in that the "key nodes" of national security value are fully linked into the haphazard mish-mash of non-key nodes in the rest of their respective (and interconnected) networks.

In both cases, a potential solution is conceptually simple, technologically difficult, and economically unlikely under current arrangements: Re-create the key sub-networks separate from the rest of the GIG, thus protecting your key networks from intrusion. This of course makes the cyber network potentially much more vulnerable to physical attack, no matter how well hardened, as there are fewer key targets to destroy be those targets fixed or mobile, but this solution does yield a viable ability to defend from electronic attacks of various kinds.

Mr. Haddock's argument about government's need to stay out of the internet is well taken, up to a point, and certainly applies for most of the internet's traffic, but let us not forget who paid for the foundational research and technology of the web in the first place: The US taxpayer through the US government. Private industry enjoys the fruits of that investment, much as it enjoys the fruits of the Eisenhower Interstate System, the TVA, and other key private enterprise enablers that private enterprise would never have established wholly on their own dime and in the absence of government participation.

Mark Pyruz

Mon, 03/01/2010 - 9:07pm

A somewhat usable model for sustained cyber warfare can be found studying the situation in the Islamic Republic of Iran today.

There are many actors present in a sustained campaign, with varying levels of different states' participation.

The peripheral effects of this cyber struggle have been felt not only in Iran, but also in the US, China and elsewhere.

Iranian governmental counter-measures are particularly worthy of study.

Winning cyber warfare is sort of like kissing your sister. Everything in cyber warfare looks like, has representations like, and even has the appearance like you might expect in any conflict spectrum. But, it just isn't the same.

Those who have been looking at cyber warfare conflict models have tried handily to apply models from the high conflict realm. Thermo-nuclear models of deterrence are currently in vogue. Within the Army discussion over what the maneuver in cyber warfare is, oh and how it is analogized. Several authors have examined strategic air war as a model for cyber conflict.

They are all wrong.

When pulling the pieces of theory and historical thought together threads of Carl vC and Sunny TZ get used without a lot of expertise in the operational field of cyber space. Let us consider the terrain in question. The realm of cyber space is inclusive of all operating telecommunications, radio, physical, vocal, mental, cognitive, instruments, and constructs and is not simply the Internet (or World Wide Web). The usual description of cyber space as man made is as simplistic and wrong headed as saying a city is a man made construct. Sure, the buildings and roads are man made but the ideas and histories of the people are simply cognition.

As such we can immediately discount those talking about cyber "Pearl Harbors" as simplistic in their Luddite and inarcane ways. Thank you for speaking now sit down. The Internet is a fragile physical construct carrying a vast wealth of information that far exceeds the physical infrastructure costs with the intangible worth. Some of that worth is the timid anonymity of users and lack of attribution. Some of that worth is the freedom of expression to foster democracy. Some of the worth or meta-value is the simple component of legitimacy in communication conduits.

We need to give up the idea of "winning" or "losing" a cyber war. Can we truly win an insurgency? The insurgent seeks to fight in an asymmetric conflict not to win, but to delegitimize the governmental authority. Terrorism as a tactic has no hope of winning the physical engagement but can cause social unrest and change. The Achilles heel of the current flaunted analogies is that they are failed as "shock and awe" failed in the invasion of Iraq. The cyber villains simply go home and wait you out. The costs of maintaining an Army in the field are prohibitively expensive. The battle will never be enjoined except when the cyber adversary feels they can have the desired impact. When the Army quits the field in a Clausewitz move the cyber adversaries return to peck at the weak heels of the unprepared nation state.

There is nothing new here. By making cyber new, arguing over models, and trying to explain it, we have lost the first rounds of battles already. I read recently that the government was reconsidering its hands off the Internet position. How is anything else legitimate? The government does not own the Internet, but it is owned by private industry. The government has no legitimate role in fighting wars on the Internet. It is the effective response of replacing corporate security guards with special operator forces in office buildings. The corporate entities own the space, operate the space, dictate the use of the space, and are regulated as utilities to protect that space, and government has no substantial legal recourse in the space.

Critical infrastructure is important to everybody, but other than monitoring and investigating after criminal events the pipe and oil industry does not have the Army or NSA running operations on its infrastructure. The fact the telcos let the NSA into their network has resulted in heaps of scorn. Only legislative cover in the form of Tort protections has kept companies intact. This is a further erosion of legitimacy for what reason or result? The medical industry, one of the most legislated and tightly controlled industries on the planet, does not have the Marine Corps trying to weaponize stitches and band-aids. If corporate personhood is considered then companies have rights to protection from government annexation. And, how do you annex the Internet as a trans-national utility? Even in China where much of the infrastructure is simply owned by the nation-state they have issues with control.

If you want to realistically talk about models of conflict in cyber space you'd do better to consider that conflict through a COIN model than anything else. The substantive discussion is stopping the billions of dollars in lost revenues a year, and consistent bleeding that is already happening. Achilles has tendonitis and cyber is the bite of a thousand ducks. Cyber space could be definitely destroyed by government intrusion but it will only be won by legitimacy of governance. That doesn't mean forcing more egregious laws written by unknowing tube-tastic legislators is a good idea. It means operating in the space as a partner though to be honest it is a very limited partnership for government as maybe a minority member.