This Week at War: Lesson from Cyberwar I

Here is the latest edition of my column at Foreign Policy:

Topics include:

1) What does cyberwar look like? In 2008, Georgia found out.

2) Stuart Levey, Treasury's sanctions supremo, didn't get results. What now?

What does cyberwar look like? In 2008, Georgia found out.

In most ways, the brief war between Russia and Georgia in August 2008 was a throwback to the mid-20th century. A border dispute, inflamed by propaganda and whipped-up ethnic tension, resulted in a murky case of who-shot-first, an armored blitzkrieg, airstrikes, a plea for peace by the defeated, signatures on a piece of paper, and the winner's annexation of some territory. So far, so 1939. But one aspect of this little war was very much in the 21st century, namely Russia's integration of offensive cyber operations into its overall political-military strategy. The August war was a preview of how military forces will use cyber operations in the future and what commanders and policymakers need to prepare for.

In a new piece for Small Wars Journal, David Hollis, a senior policy analyst with the Office of the Undersecretary of Defense for Intelligence and a reserve Army officer at U.S. Cyber Command, describes how the Russian government integrated cyber operations into its campaign plan against Georgia. Hollis notes that though the Russian offensive cyber operations in the Georgia war were obvious, they were masked through third parties and by routing the attacks through a wide variety of server connections, all standard practices of cyber operations. As a result, Georgian and other investigators cannot conclusively prove that the Russian government conducted these cyberattacks. Indeed, the Kremlin denies using cyberwarfare in the conflict, a somewhat odd thing to be embarrassed about while Russia's tanks roamed around the Georgian countryside and its aircraft bombed Georgian targets.

According to Hollis, Russian offensive cyber operations began several weeks before the outbreak of the more familiar kinetic operations. Russian cyberintelligence units conducted reconnaissance on important sites and infiltrated Georgian military and government networks in search of data useful for the upcoming campaign. During this period, the Russian government also began organizing the work of Russian cybermilitias, irregular hackers outside the government that would support the campaign and also provide cover for some of the government's operations. During this period the government and cybermilitias conducted rehearsals of attacks against Georgian targets.

When the kinetic battle broke out on Aug. 7, Russian government and irregular forces conducted distributed denial-of-service attacks on Georgian government and military sites. These attacks disrupted the transmission of information between military units and between offices in the Georgian government. Russian cyberforces attacked civilian sites near the action of kinetic operations with the goal of creating panic in the civilian population. Russian forces also attacked Georgian hacker forums in order to pre-empt a retaliatory response against Russian targets. Finally, the Russians demonstrated their ability to disrupt Georgian society with kinetic and cyber operations, yet refrained from attacking Georgia's most important asset, the Baku-Ceyhan oil pipeline and associated infrastructure. By holding this target in reserve, the Russians gave Georgian policymakers an incentive to quickly end the war.

Faced by overwhelming Russian air power, armored attacks on several fronts, and an amphibious assault on its Black Sea coastline, Georgia had little capability of kinetic resistance. Its best hope lay with strategic communications, with transmitting to the world a sympathetic message of rough treatment at the hands of Russian military aggression. According to Hollis, Russia effectively used cyber operations to disrupt the Georgian government's ability to assemble and transmit such a plea. Meanwhile, Russia's own information operations filled in a narrative favorable to its side of the case, removing Georgia's last hope for strategic advantage.

Hollis points out that the effectiveness of cyber operations, especially denial-of-service attacks, can be fleeting; in the recent duels between cyberattackers and defenders of WikiLeaks, both sides mostly fired blanks. But in August 2008, Russian planners tightly integrated cyber operations with their kinetic, diplomatic, and strategic communication operations and achieved cyber disruptions at the moments they needed those disruptions to occur. The Georgia episode provides a good case study for cyberwarriors preparing for the next such conflict.

Stuart Levey, Treasury's sanctions supremo, didn't get results. What now?

On Jan. 24, the Wall Street Journal reported that Stuart Levey, U.S. Treasury undersecretary for terrorism and financial intelligence, will leave his post in one month. David Cohen, Levey's deputy with long experience in the Treasury Department, will very likely succeed Levey. For nearly seven years, Levey has labored to isolate the North Korean and Iranian governments from the international financial system. Levey used diplomacy, moral suasion, and his deep connections with the global banking system and in the process revolutionized the employment of financial sanctions as a tool of statecraft. Unfortunately, he will leave office having failed to achieve his goals, namely to obtain leverage sufficient to change the behavior of the North Korean and Iranian governments. His bosses will now have to decide what to try next.

Last week's negotiation in Istanbul between Iran and the P5+1 group ended in quick failure, revealing that many years of increasingly restrictive sanctions against Iran have failed to produce effective negotiating leverage. And in spite of being the most commercially and financially isolated country in the world, it took North Korea only a year and half to build a large uranium enrichment facility, equipped with 2,000 centrifuges and advanced control systems.

Levey's disappointing results do not mean that sanctions should not have been tried or that the U.S. government and its partners should not continue to tighten them. Western policymakers surely hope that sanctions will eventually produce effective negotiating leverage without inflicting deep pain on civilian populations. It is worth questioning whether such fine-tuning -- effective leverage without civilian pain -- is realistic. The civilian population in North Korea suffers more than any (something for which Kim Jong Il is responsible), without the achievement of much negotiating leverage. And if things became really uncomfortable for a targeted regime, it could play the "victim card" to fight back against sanctions, as Saddam Hussein did with increasing success before 2003.

If sanctions aren't working, what then? Policymakers will inevitably look to their military and paramilitary assets to produce negotiating leverage. Military and intelligence staffs will be asked to prepare options involving the use of covert action, unconventional warfare, or the recruitment of proxy combatants. Political leaders generally first chose sanctions in order to avoid the privations of war. Next will be the hope that "small wars" will preclude a large one. In Iran, some entity has employed covert action -- the Stuxnet computer worm and the assassination of two nuclear scientists -- in an attempt to slow down Iran's nuclear program. How many other realistic "small war" options exist against Iran and North Korea remains a mystery.

When civilian masters have concluded that sanctions aren't working, they will put pressure on their military planners to come up with some practical "small war" options. If the Treasury's leverage isn't enough, the Pentagon's planners will likely be asked to produce more. These planners need to be careful that their plans produce more leverage instead of more trouble.