Emerging cyber doctrine replays the CT/COIN debate
Last Saturday evening, the Washington Post published an article on the U.S. Defense Department’s still-evolving plans for how it intends to defend its computer networks from cyber attacks. Recalling the intellectual struggle over deterrence theory during the early days of the Cold War, the article ended on this note:
The Pentagon has standing rules of engagement for network defense, such as the right of self-defense. But the line between self-defense and offensive action can be difficult to discern.
“This is a big, big problem,” said one former intelligence official who noted that it took years to develop nuclear deterrence doctrine. “We are just at the beginning of figuring this out.”
But the Pentagon’s problem of cyber defense more closely matches the paradigm of insurgency/counterinsurgency than the Cold War structure of deterrence through the threat of retaliation. Saturday’s Washington Post article on cyber defense replayed all of the recent arguments of counterterrorism versus counterinsurgency, this time played on the World Wide Web.
The Washington Post article was an interesting follow-up to Deputy Defense Secretary William Lynn’s essay on cyber defense in Foreign Affairs, which I covered in my last column at Foreign Policy. The anonymous Pentagon officials in Saturday’s article discussed a much more aggressive offensive response to cyber threats compared to Lynn’s description in Foreign Affairs. Unwittingly mimicking the 2002 debate over what the U.S. should do about Saddam Hussein’s Iraq, these officials discussed the possibility of preemptive cyber strikes against threats lurking inside computer servers located in foreign countries. Other analysts responded with concerns over the legality of such preemptive attacks and speculation about whether diplomacy with the countries hosting those servers might be a more effective course.
The parallels with terrorism and insurgency are plain. Cyber insurgents hide amongst “the people” and use the anonymity and the design of the internet to mask their location. According to the Washington Post article, many U.S. officials are unsatisfied with a purely defensive (can we call it pre-9/11?) approach. Similar to advocates of a pro-active “counterterrorism” approach, they favor preemptive raids on emerging cyber threats. In contrast, a “cyber counterinsurgency” approach may be sprouting. This group could be concerned that an aggressive “cyber counterterrorism” approach could have damaging unintended consequences on neutral computer systems, driving their operators away from U.S. interests. Just as with real counterinsurgency, the foreign-located servers are the “population” and “key terrain,” which the U.S. must strive to get on its side. And in a guerilla war over computer servers, the U.S. presumably has more to lose than do the insurgents.
Deterrence and retaliation don’t seem the right model for cyber war. Instead, the emerging debate over cyber defense seems to be a replay of this decade’s debates over terrorism and insurgency. Is it a law enforcement problem or a military problem? Pure defense, regardless of how “active,” doesn’t seem enough; the anonymous attackers have too much of an advantage. Thus the calls for preemptive cyber attacks, shutting down threats before they can do crippling damage to the U.S. But are such preemptive attacks legal, and might they have unintended consequences, driving more servers to cease cooperating with the U.S.? After Iraq and Afghanistan, counterinsurgents may have another battle to fight, this time “war amongst the servers.”