This Week at War: Waiting for the Cyberbarbarians

In my Foreign Policy column, I discuss why the Pentagon is having so much trouble coming up with a doctrine for cyber warfare. I also discuss why everyone, especially other dictators, is studying Qaddafi's downfall.

Cyberwarfare unleashes confusion on Washington

Last month, while reviewing his career a few days before retirement, former Joint Chiefs Chairman Adm. Mike Mullen discussed what he sees are the two "existential" threats facing the United States. After nuclear weapons, Mullen listed cyberattacks, which, he said, "actually can bring us to our knees." During the Cold War, the United States developed an elaborate deterrence doctrine, backed up by an enormous investment in strategic nuclear weapons. Asked about similar preparation for the cyber threat, Mullen said, "We're a long way from that right now." This week, Air Force Gen. C. Robert Kelher, commander of Strategic Command, the command responsible for the Pentagon's cyber operations, said there still needs to be "a full conversation" about doctrine, rules of engagement, and legal issues regarding the Pentagon's responses to cyberattacks.

While policymakers in Washington converse, a new computer worm called Duqu arrived in Europe. Duqu, apparently a derivative of the Stuxnet worm that briefly crippled Iran's uranium enrichment plant at Natanz, has been quietly gathering intelligence data and documentation on certain industrial control systems. Stuxnet set back Iran's nuclear program by delivering false instructions to the industrial control system at Natanz. Duqu, termed "extremely sophisticated" by the computer security firm Symantec, seems to be performing reconnaissance for a future attack on a discrete industrial control system.

If, as Mullen asserted, a sophisticated cyber attack "can bring us to our knees," why does the U.S. government seem to have such difficulty formulating a doctrine to adequately address the threat? The Pentagon's official cyberstrategy, a brief and vague document unveiled in July, called for better cooperation and training, but apparently failed to give Kelher and his command the guidance and authorities he needed to establish a retaliatory doctrine and cyberwar rules of engagement.

Why is the Pentagon struggling to make progress on an issue that Mullen, Kelher, and others view with such gravity? The simplest explanation may be that the obstacles to establishing deterrence and rules of engagement in cyberspace are formidable and continue to resist policymakers' attempts at a solution.

For example, this week the New York Times revealed that, last March, Obama administration officials considered, then rejected, a proposal to use cyberweapons to attack Libya's air defense system at the beginning of NATO's air campaign. One reason for rejecting this course of action was that the cyber-reconnaissance necessary to prepare the way for the attack would have taken too long while a government armored column was approaching Benghazi; U.S. Navy Tomahawk land-attack cruise missiles made much quicker work of Libya's air defense system.

But a more important argument against a cyberattack was the desire to avoid setting a precedent that other adversaries could later exploit against the United States. Similarly, the U.S. government considered hacking Osama bin Laden's bank accounts but refrained because officials feared that such an attack could cause investors to lose faith in the safeguards underpinning the global financial system. The common theme is that the United States, including its military forces, is among the heaviest users of computer networks and thus has the strongest incentive to avoid escalating combat in this domain.

Effective deterrence requires demonstrating a threatening capability that intimidates would-be adversaries. Nuclear weapons tests in the 1950s, not to mention the attacks on Hiroshima and Nagasaki, served this purpose for the United States and the Soviet Union during the Cold War. This week, Kelher hinted at his command's offensive cyberpower. But until demonstrated, it remains hypothetical and likely of little deterrent value, especially against anonymous non-state actors. And for the reasons stated above, such a demonstration seems unlikely.

The "full conversations" on doctrine and rules of engagement that Kelher is waiting for are not likely to occur any time soon. Wanting to avoid escalation in cyberspace, U.S. policymakers are forced into a reactive posture, war-gaming how they would respond to attacks and mitigate their consequences. The difficulty of the cyber issue is one more example of how irrelevant the lessons of the Cold War are to many current problems. Meanwhile Duqu is out there ... somewhere.

Rulers everywhere are studying Qaddafi's demise

Muammar al-Qaddafi's death marks the end of the first phase of Libya's revolution. The leaders of that revolution were united by the goal of toppling Qaddafi and his regime. With that task accomplished, it remains to be seen whether the task of bringing stable governance to Libya will also keep them united. Meanwhile, U.S. and European policymakers will make an assessment of what they learned from their intervention in Libya. But perhaps the most attentive students of Qaddafi's sudden demise will be other authoritarian rulers, who will want to avoid his bloody end.

U.S. Secretary of State Hillary Clinton made a surprise visit to Tripoli the day before Qaddafi was gunned down. Washington naturally wants to take advantage of the opportunity to establish positive relations with a country that was an international pariah during most of Qaddafi's time in power. Who and what the United States will ultimately be dealing with in Tripoli remains in flux; a senior U.S. government official traveling with Clinton noted that some of the militias that fought Qaddafi have not joined the transitional governing structure, such as it is.

Clinton was able to visit Libya's revolutionary leaders in a conquered Tripoli because of NATO's military assistance to the rebels. As I noted when Qaddafi's rule collapsed in August, the campaigns in Kosovo in 1999, Afghanistan in 2001, Iraq in 2003, and Libya in 2011 show that it takes surprisingly little military power to overthrow brittle authoritarian regimes. In three of those cases, air power plus special forces support to local rebels were eventually decisive. The effectiveness of this military model creates a tempting tool for U.S. policymakers.

But these cases also display the now well-known long-term costs that follow the overthrow of fragile dictatorships. For Libya, it is still too early to determine whether the United States and Europe even achieved their original objectives. NATO's intervention in March was sparked by an urgent need to prevent a humanitarian disaster as Qaddafi's armored column approached Benghazi. That particular incident was prevented and Brother Leader was eventually toppled. But Libya's revolutionary leaders now need to avoid an outbreak of tribal and factional fighting to prevent a different, but equally worrisome, humanitarian crisis.

NATO has yet to see whether its campaign in Libya has helped or hurt its security interests. Libya's vast warehouses of weapons, most notably those holding stocks of man-portable surface-to-air missiles which could threaten airliners, have been thoroughly looted. The U.S. government has hired contractors to attempt to repair these breaches, but likely much too late.

The policy alternative would have been to do nothing for the rebels and watch as Qaddafi crushed the rebellion, a course the West seems resigned to in Syria. The Obama administration and European leaders took a gamble that has produced short-term humanitarian benefits and the chance of a new start in Libya. That is something. But it is still early in the game.

Finally, what will other authoritarian leaders learn from Qaddafi's downfall? They will be well-advised to cultivate their relationships with China and Russia, countries which can protect them with vetos at the U.N. Security Council. It was surprising that China and Russia did not veto the Security Council resolution that authorized the Libyan intervention. By contrast, China and Russia quickly shot down in the Security Council a recent attempt to condemn the crackdown in Syria. China similarly protected Sri Lanka from any international interference when it crushed its Tamil rebellion, with awful consequences to the civilian Tamil population.

As the fighters closed in on him, Qaddafi may have lamented his decision in 2003 to turn over his nuclear weapons program to the United States. His chemical weapons stockpile was no deterrent to NATO intervention. But nuclear weapon states like North Korea seem to have achieved a protected status.

U.S. policymakers will have to live with the possibility that intervention in Libya may have enhanced the utility of nuclear weapons and the diplomatic positions of China and Russia. The other side of the ledger is the realization of how frail many authoritarian regimes really are. And how the United States may have a workable military model to use against these regimes if required.