Modern Military Strategy
Page 26
Further reading
Cebrowski, Arthur K. and John J. Garstka. ‘Network-Centric Warfare: Its Origins and Future’, U.S. Naval Institute Proceedings 124:1 (January 1998).
Cohen, Eliot A. ‘A Revolution in Warfare’, Foreign Affairs 75:2 (March/April 1996).
Farrell, Theo and Terry Terriff, Eds, The Sources of Military Change (Boulder, CO: Lynne Rienner Publishers, 2002).
Farrell, Theo, Sten Rynning and Terry Terriff. Transforming Military Power since the Cold War: Britain, France, and the United States, 1991–2012 (Cambridge: Cambridge University Press, 2013).
Gray, Colin S. Strategy for Chaos: Revolutions in Military Affairs and the Evidence of History (London: Frank Cass, 2002).
Krepinevich, Andrew F. ‘Cavalry to Computer: The Pattern of Military Revolutions’, National Interest (Autumn 1994).
Krepinevich, Andrew F. The Military Technical Revolution: A Preliminary Assessment (Washington, DC: Center for Strategic and Budgetary Assessments, 2002).
Mazarr, Michael J. The Military Technical Revolution: A Structural Framework (Washington, DC: Center for Strategic and International Studies, March 1993).
Owens, William A. ‘The Emerging System of Systems’, Military Review (May/June 1995).
Owens, William A. Lifting the Fog of War (New York: Farrar, Straus and Giroux, 2000).
Rosen, Stephen Peter. Winning the Next War: Innovation and the Modern Military (Ithaca, NY: Cornell University Press, 1991).
Sloan, Elinor. The Revolution in Military Affairs (Montreal: McGill-Queen’s University Press, 2002).
Sloan, Elinor. Military Transformation and Modern Warfare (Westport, CT: Praeger Security International, 2008).
Toffler, Alvin and Heidi Toffler. War and Anti-War (New York: Warner Books, 1993).
8 Cyberwar
Strategic thought on cyberwar is in its infancy. Like airpower in the 1910s, today ideas, principles and doctrine on how best to use this potential weapon are at the early stages. And just as lingering questions about whether airpower could be usefully employed as an instrument of war were answered by the experience of World War One, so too did a real-life conflict point to a role for cyber attack in war, this time the Russia–Georgia conflict of 2008. Debates from the 1990s about whether offensive or only defensive information warfare was admissible were replaced in the 2000s and 2010s with explicit attempts to develop offensive capabilities and accompanying doctrine on cyberwar.
This chapter examines strategic thought on the conduct of war in the cyber dimension. One area where cyberwar breaks markedly from airpower, seapower and landpower is in having natural boundaries with regard to the subject matter. The rough contours of what may be considered part of airpower, seapower or landpower are readily identifiable, but what exactly do we mean by cyberwar? The confusion is implicitly alluded to above with the use of the term ‘information warfare’, only one component of which is, in actual fact, cyberwar. As a result, we begin by defining the parameters of cyberwar for the purposes of this volume, before examining the ideas of key strategic thinkers on cyberwar. They include, among others, Martin Libicki, John Arquilla and David Ronfeldt of the RAND Corporation, the Pentagon’s military leadership, and the PLA. Information is admittedly sparse, in part because strategic thought on cyberwar is relatively new, but also because the combination of military organizations as strategic thinkers, and the close link between cyberwar and intelligence assets, means that only limited information exists in the unclassified domain. What follows no doubt only scrapes the surface of the true depths of contemporary strategic thinking on cyberwar.
What is cyberwar?
Cyberwar, here, refers to hostile actions in cyberspace. Also called cyber attack or computer network attack (CNA), it can be defined as ‘the use of deliberate actions – perhaps over an extended period of time – to alter, disrupt, deceive, degrade or destroy adversary computer systems or networks and/or programs resident in or transiting these systems or networks’.1 Although the most straightforward means of executing a CNA is to physically destroy an adversary’s computers, our concern here is the use of digital weapons, not kinetic attack. Cyberwar is an offensive cyber operation, as is another cyber operation, computer network exploitation (CNE). But CNE is distinct from CNA in that those engaged in CNE do not want to disturb the normal functioning of a computer system; rather, the idea is to obtain information, likely over an extended period of time. CNE is an espionage or intelligence-gathering activity and is not included here as part of cyberwar. (In practice, of course, it can be difficult for a state to determine if it is the target of CNA or CNE, because the two are closely linked from a technical point of view.)
Defining cyberwar as comprising the limited parameters of CNA is itself an evolution in strategic thinking about cyberwar, which has had several meanings, titles, loose references and contexts in the decades since the end of the Cold War. One of the earliest attempts to define cyberwar was made by two RAND researchers, John Arquilla and David Ronfeldt. In an influential 1993 journal article titled ‘Cyberwar is Coming!’ they stated ‘cyberwar refers to knowledge related conflict at the military level … [It] refers to conducting military operations according to information related principles … It means disrupting and destroying information and communication systems … It means trying to know everything about an adversary while keeping the adversary from knowing much about oneself.’2
Two points emerge from this early discussion. First, Arquilla and Ronfeldt’s conception of cyberwar largely echoed ideas that subsequently became associated with what was referred to in the 1990s as the RMA. The term ‘cyberwar’, they note, was coined to discuss the military implications for warfare of the information revolution, including technological, doctrinal and organizational changes, as well as the move from mass to information dominance. These ideas are discussed in Chapter 7 as part of the RMA and thus are not examined here.
A second point is that Arquilla and Ronfeldt’s discussion of cyberwar as involving the destruction of information and communications systems alluded to the broader concept of ‘information warfare’. A catch-all phrase from the 1990s, the content of ‘information warfare’ was first methodically dissected by Martin Libicki. In ‘What is Information Warfare?’, a 1995 study for the National Defense University, Libicki identified seven forms of information warfare prevalent in the literature at the time which, taken together, would lead one to concur that there was little that could not be considered information warfare. The forms included command and control warfare against the enemy’s head and neck, whether through physical attack or CNA on military targets; intelligence-based warfare; electronic warfare; psychological operations (PSYOPS); hacker warfare – that is, CNA on civilian targets; economic information warfare; and cyber warfare, described at the time as ‘a grab-bag of futuristic scenarios’.3 All of these things were considered different modes of information warfare or operations and their common element was that they were forms of warfare that somehow affected an enemy’s information.
Some suggested modes or components of information warfare involved destroying information systems with weapons of pure information, such as computer viruses. But many components were not new and had nothing to do with the use of bytes as instruments of war. PSYOPS, for example, is a form of warfare dating back decades, even centuries, and might involve such non-technological things as distributing leaflets and wristbands. Electronic warfare, involving the electromagnetic spectrum, has a long history and is familiar from such activities as the suppression of enemy air defences. Command and control warfare includes the ‘anti-head’ action of the shipboard sniper that killed Admiral Nelson, and today more often than not refers to physical precision strikes against command centres, also described as ‘decapitation’ in our discussion of airpower.
In the second half of the 1990s the Pentagon dropped the term ‘information warfare’ in favour of ‘information operations’ to accommodate things such as propaganda that took place during peacetime. Today it is th
us more current to locate cyberwar within a broader conception of ‘information operations’, although the content of this term reads little different from the original information warfare. The US military’s joint publication Information Operations defines such operations as the integrated employment of electronic warfare, computer network operations and psychological operations to influence, disrupt and corrupt adversary information and information systems while defending one’s own.4 Parts of the US military also continue to include physical attack in the overall schema. The US Army’s TRADOC, for example, defines cyber attack to include CNA, electronic attack and physical attack.5
Despite the organizing principle of somehow affecting adversary information, the various components of information operations arguably have little business being considered as a single category of operations. Most of the diverse aspects can stand on their own as a separate discipline. Moreover, as Libicki notes, ‘it is a daunting theoretical challenge to cover, in one treatment, computer hackers, electromagnetic wizards, drivers of airborne radar, leaflet droppers, bombers and sharpshooters’.6 Our concern here is altering, disrupting, deceiving, degrading or destroying adversary computer systems or networks through the use of hostile digital attack. The parameters of what comprises cyberwar are necessarily limited to that of CNA so as to identify as coherent an area of inquiry as we do with respect to other warfare domains.
Permissibility
Although numerous types of operations have been included under the broader information warfare/information operations rubric, when debates were underway in the 1990s as to the permissibility of information warfare, they implicitly and invariably centred on one particular type of operation: computer strikes against computer systems. As late as 1998 ‘offensive information warfare’ – meaning CNA – was considered taboo for public discussion. Critics charged that the Pentagon was legally prohibited from striking back against those seeking to access its computers and that it should stick to strictly defensive means such as blocking or slowing down information requests. ‘The debate on defensive hacker warfare concerns the appropriate role for the DoD in safeguarding non-military computers’, Libicki noted in his 1995 National Defense University study, ‘The debate on offensive hacker warfare concerns whether it should take place at all’.7
Within a few short years the ongoing deliberation was resolved in favour and the Pentagon was actively studying the use of cyber attacks to cripple or control adversary computer networks. In 1998 the Pentagon established the Joint Task Force – Computer Network Defense with a mandate to protect the Pentagon’s computer networks, and in 2000 the Task Force was also assigned an offensive mission. A few years later the organization was split into two, separating the offensive and defensive areas of focus. A 2002 presidential national security directive reportedly ordered the US government to develop guidance on launching cyber attacks against enemy computer systems, but the 2003 National Strategy to Secure Cyberspace focused only on the less controversial computer network defence. A new version was not released by the Obama administration.
Toward the end of the 2000s the United States dropped the pretext of a solely or predominantly defensive orientation. No doubt prompted by the cyber attacks against Estonia in 2007 (see Box 8.1) and Georgia in 2008, in 2010 it created US Cyber Command as a subcommand under US Strategic Command. The Command reunites the offensive and defensive cyber missions and is explicitly charged with the authority not only to defend but also, should it be directed to do so by the President, attack adversaries. To this end it is developing offensive cyber weapons, in addition to defensive capabilities. The director of the National Security Agency is double-hatted as commander; his mandate is to conduct full-spectrum operations to defend American military networks and attack other countries’ systems. Along these lines, for example, the US Air Force has been advised to develop an ‘integrated attack’ capability, meaning the integration not only of air and space but also cyber capabilities into joint operations.8 Possible US offensive cyberwar options could range from a ‘low-intensity’ cyber intrusion such as listening in on the adversary’s communications, to a ‘high-intensity’ attack that cripples an enemy’s air defence system to clear the way for a bomber attack. Despite the official mandate change, US officials remain hesitant to talk about offensive cyberwar, preferring to emphasize the need to defend computer networks, albeit in an ever more offensive manner (see below).
Box 8.1 Cyber attack against Estonia
• The April 2007 decision by the government of Estonia to remove a Soviet war monument from the centre of the capital, Tallinn, to a military cemetery sparked rioting by several thousands of protestors from Estonia’s large ethnic Russian population and a condemnation from Russia.
• At roughly the same time websites across Estonia came under cyber attack. The rioting soon ended, but the internet attacks continued and intensified until mid-May, targeting and making inaccessible the websites of banks, political parties, major companies, news organizations and those of almost the entire government, parliament and presidency.
• Although Estonia recovered quickly, the event was notable because it was the first known incidence of such an assault on a state. Estonia suspected the Russian government as the perpetrator, yet the nature of cyberwar is such that this cannot be conclusively determined.
• This action against a NATO member raised questions within the Alliance about whether a cyber attack constitutes an armed attack under Article V of the North Atlantic Treaty. At the 2014 NATO Summit the answer was resolved in favour of ‘yes’, albeit on a case-by-case basis (see below).
Meanwhile NATO as an organization confines itself, at least officially, to a focus on computer network defence. The NATO strategic concept of 2010 states the cyber dimension of modern conflicts will figure in NATO doctrine but that it will do so in the form of improving capabilities to detect, assess, prevent and recover in the case of a cyber attack. There is no mention of offensive cyber activity as a tool of warfare. In 2011 NATO’s Allied Command Transformation leadership confirmed NATO’s defensive approach.9 Consistent with this, a NATO Centre of Excellence on Cooperative Cyber Defence, established in 2008 in the wake of the cyber attacks on Estonia, focuses explicitly on defence activities. Currently NATO has a ‘NATO Policy on Cyber Defence’ (but not offence), and cyber defence is explicitly stated to be part of NATO’s core task of collective defence.10
In contrast to America’s gradual shift in emphasis, and NATO’s guarded stance, China appears to have taken the decision in the late 1990s to develop an offensive information warfare capability. The 1991 Gulf War demonstrated that it was not possible for a state to confront the United States directly on the conventional battlefield, while the 1996 Taiwan Crisis indicated to China the potential need to confront the United States in the future. To square this circle, China turned to focus on ‘asymmetric’ approaches that would target US weaknesses and vulnerabilities – one of the first on the list being the dependence of America’s technologically advanced military on computer systems and networks. US cyberwar experts have documented the explicit discussion by Chinese information operations theorists, including high-ranking generals, about offensive actions in cyberspace since about 1999 onward.11 China’s relative openness in this area contrasts with that of Russia, which has practised cyberwar (notably in Georgia in 2008 and in Ukraine in 2014 and 2015) but not published unclassified strategic thought in this area.
Strategic thought
It is against this backdrop that strategic thought on cyberwar has developed. If a contemporary Sun Tzu were to write a treatise on the conduct of war in the cyber dimension, what would it look like? The conduct of cyberwar flows naturally from the unique character and resulting goals of cyberwar.
The character of cyberwar
Perhaps the most notable distinguishing characteristic between the cyber dimension of warfare and that of other domains – sea, land, air and space – is that there is not one definable expanse to be conquered. Cyberspac
e is a replicable construct and, being replicable, it exists in multiple locations at once. There is not a cyberspace that exists, with distinct parameters and perimeters within which conquest can take place. Rather, every system and every network can hold an unlimited number of spaces. Moreover, cyberspace is a vastly shifting landscape compared to the other domains. Portions of cyberspace continually change, evolving and expanding with technological innovation and the addition, removal, replacement or reconfiguration of networks.
If we conceptually look at just one cyberspace in time, however, we see that even this is unique in nature because it is characterized by a complete lack of boundaries. Unlike kinetic weapons, a CNA can reach across the world at the speed of light, invisibly transiting many international borders en route to its target. ‘The lack of geopolitical boundaries’, points out the US Joint Chiefs of Staff in the National Military Strategy for Cyberspace Operations, ‘allows cyberspace operations to occur rapidly nearly anywhere’.12 The instantaneous nature of cyberwar and the ability to attack the entire domain simultaneously are characteristics that make the cyber dimension of warfare particularly potentially dangerous.
The character of cyberwar is also distinguished by the fact that, unlike its kinetic brethren, an attack using cyber weapons has the potential to wreak widespread, massive damage. Although the immediate effects of cyber attack are unlikely to be comparable to WMDs, a large-scale cyber attack could significantly affect the functioning of society, leading to many indirect casualties. Some have gone so far as to argue cyberwar is potentially as destructive as nuclear war, a notion discounted by Libicki on the grounds that cyberwar is largely temporary and rapidly over.13 A better characterization is that ‘[l]ike chemical and biological weapons, cyber weapons can target large masses of people … Unlike biological and chemical weapons they affect humans indirectly rather than directly. Cyber weapons thus … occupy a completely new niche by their nature.’14