Essay contest (1): Information control is the desired effect, so cyber will be key in limited warfare — especially non-kinetic
By Thomas E. Ricks. Thomas E. Ricks covered the U.S. military for the Washington Post from 2000 through 2008. He can be reached at firstname.lastname@example.org.
By Christopher Porter
Best Defense contest contestant
No single change will be more important — or more difficult — for the U.S. military to adopt for success in Information Age warfare than to stop conceiving of cyber threats, and developing U.S. capabilities, in terms of kinetic effects. Secretary Carter, in announcing this year’s defense budget, like almost all military and civilian leaders, justified a well-grounded worry about cyber threats in terms of the potential for advanced adversaries like China or Russia to leapfrog U.S. developments and wield computer network tools that disable critical infrastructure or deal catastrophic loss of life.
While these nightmare “Cyber Pearl Harbor” scenarios should be carefully considered, they need not be the basis for an all-encompassing security strategy where such incidents are likely to be rare. Washington embraced the United Nations Group of Government Experts report condemning cyber operations that target critical infrastructure in peacetime; only in wartime, when disabling cyber tools is useful but not the only option, will the United States be willing to use them. U.S. military spending, priorities, and defensive posture mostly operate from the assumption that adversaries will be similarly constrained.
Conversely, the use of cyber tools to influence political and public thinking outside full-scale war is already being proven. China — the putative future adversary around which we are “rebalancing” — felt comfortable unleashing its Great Cannon in peacetime against a U.S. technology company to keep the New York Times out of the mainland. The Russian government plans to spend $250 million developing cyber weapons so damaging that they provide a nuclear-like deterrent; such weapons, however, are unlikely to keep Moscow from conducting the “information confrontation” special operations lauded in Russia’s just-released 2016 national security strategy — including an instance when Russia probably posed as a hacking group aligned with Islamic State to take out a French television station opposed to Moscow’s interests in Syria.
Ironically, the United States, despite having Silicon Valley, DARPA, and decades of lead time over its rivals, still finds itself with the “second-mover advantage” of learning from our rivals’ successes. Moscow appears to be winning at least one, and maybe two, limited wars this way. Beijing probably noted the lack of U.S. willpower and capability to respond when choosing to launch disabling attacks of their own even in the midst of negotiations with the United States to place restrictions on the use of cyber operations — to say nothing of the gradual economic advantage they have earned their companies through economic espionage.
The key for these would-be cyber near-peers is that, like terrorism in the decades leading up to 9/11, conducting such attacks advances their foreign policy goals without leading to war. The very nonlethal nature of these techniques is their attraction, allowing for projection by great powers and asymmetric attacks alike. A cyber weapon that disables access to information, steals or encrypts data, or manipulates the content of decision-making systems is at least as likely to advance a nation’s foreign policy goals and affect its national security as one that causes physical destruction.
Although using cyber “weapons” as a reversible means of taking over infrastructure (Why rebuild after the war when you can just reboot?) is a noble, theoretical way for the United States to use these capabilities, it is likely not the primary motive shared by the threat actors degrading U.S. press and artistic freedoms, hounding ethnic and religious minorities advocating for recognition of their human rights, bankrupting major corporations through intellectual property theft, blackmailing and threatening the lives of private citizens, or spreading terrorist propaganda through website defacements and unremovable online propaganda.
Not since the Barbary Wars have American citizens and commercial interests been so routinely undefended from foreign threat. The most advanced threats operate with de facto immunity provided by their host governments. Yet, the cyber threats most Americans care most about are still treated as law enforcement issues, in an echo of the same hubris that left the fight against al Qaida to district attorneys for so long.
Solutions probably include the U.S. military preemptively disabling threat actor networks; getting involved in countering large-scale operations that affect many small U.S. businesses; and investing in real-time information sharing networks that include the private sector, which is often the first line of defense. But without a change to the military mindset that thinks of cyber tools in terms of their physical effects, we cannot even begin to have the discussions necessary to defend against the coming wave of not-quite-war-worthy cyber threats, much less defeat them. The military must start by asking the right questions based on the right premises before looking for the right answers.
Christopher Porter is a Senior Threat Analyst at FireEye, a cybersecurity company. He has a Master’s in Decision and Information Science from the University of Florida, where he studied health information technology and security. He now has over a decade of experience working with private and public partners to develop better cybersecurity policies. His current research interests include the use of geopolitical analysis to anticipate cyber attacks, the role of cyber operations in grand national strategy, and counterdeception and attribution of advanced persistent threat (APT) groups.