Don’t buy the overpromises of cyber, because it consistently under-delivers

By Conrad Crane
Best Defense guest columnist

Over the last few years, I have been involved in numerous military wargames where players envisioned extravagant results from cyber-operations. I have heard former Secretary of Defense Leon Panetta and former Chairman of the Joint Chiefs of Staff General Marty Dempsey both state that increasing cybercapabilities would compensate for reductions in conventional force structure.

I think it is time to do some expectation management about the cyberrealm. Exercising cyberpower will not be as easy as proponents claim. Offensive cyberattacks by states will always require rigorous centralized control, and will probably be far less prevalent than most scenarios project. I suspect we will spend much more effort responding to cyber barrages than inflicting them.

There are a number of reasons for this sobering truth. The first is that in the cyberrealm, the more capabilities you have, the more vulnerabilities you have. Hence, nation states are easier to attack, and easier to deter. Less sophisticated adversaries have much less to target, and often rely primarily on the mostly inviolate global commons. For example, during the Arab Spring, Egyptian government forces tried to neutralize the mobilization of opposition groups by shutting down the internet. To their chagrin, the government realized they needed it as much as their opponents, and had to turn it back on.

Recent news reports have highlighted the disappointing beginning to an unprecedented American cyber-offensive targeting the Islamic State. Conducted by U.S. Cyber Command, the campaign is designed to reduce the ability of the terror group to run operations, recruit fighters, and manage funds. However, so far CYBERCOM does not appear to have figured out how to effectively attack a non-state actor such as the Islamic State.

Nation states such as ours are much more open to attack, facilitated by the second reality of the cyber realm, there are unlimited electrons to fire at us, which leads to the third reality, that you cannot defend everything successfully all the time, especially when you have as many targets as we do, and no integrated defensive structure. There is no unifying control or standard security measures over the .mil, .org, .com, and .edu domains. There is not even any clearly defined domestic cyber-jurisdictions between the National Security Agency, Department of Homeland Security, and Federal Bureau of Investigation. Interagency dividing lines get even more complicated outside our own national borders.

In an unrestrained cyberwar, I can foresee a future resembling a Mad Max movie, where the Department of Defense stubbornly defends its own cyberdomain while the rest of the cyberworld disintegrates around it. Perhaps that isolation has already begun. Current computer security settings at the Army War College even block access to .gov websites. The cybersecurity dilemma is that restricted access makes the system more secure and less useful. The level of safety goes up as the degree of utility goes down.

Among the cybercapabilities we have, I am sure there are a number of potentially devastating software programs that we can use to degrade our enemies, which serves as a powerful deterrent, especially against states. But the fourth cyberreality restrains the use of such weapons, because once you have fired a cyberbullet, you have proliferated it to all kinds of possible foes. We have already seen the code from Stuxnet appear in malicious software targeting our own systems. One of the dilemmas faced by Cyber Command is to ensure that whatever is used to degrade the Islamic State cannot then be turned successfully on us. And we have a lot more vulnerabilities to target than they do.  

Conrad Crane is the Chief of Historical Services for the U.S. Army Heritage and Education Center at the U.S. Army War College. He was the lead author for the 2006 counterinsurgency field manual, and has just published a book about his experiences, Cassandra in Oz: Counterinsurgency and Future War. This article represents his views, and do not purport to reflect those of DoD, the Army, or the Army War College.

Photo credit: Wikimedia Commons