Modern Military Strategy

by Elinor C Sloan


  The goal of cyberwar

  The fact that cyberspace is a replicable construct means that the operational goal of cyberwar cannot be to destroy cyber capabilities, in the sense that a land force may seek to destroy an enemy’s land forces. ‘While something akin to conquest can be defined for cyberspace, cyberspace itself cannot be conquered in any conventional sense.’15 Permanently damaging a system through CNA is not an option. As systems are attacked, vulnerabilities are revealed, repaired and routed around. The systems themselves are hardened and are likely to become less, not more, vulnerable and less, not more, resistant to further coercion.

  With destruction not an option (except in relatively rare cases when a cyber attack leads to physical damage) the cyber warrior looks to other objectives. The immediate goal may be to blind the opponent by creating so much noise around the signal that the useful information carried by it is lost in a sea of fuzz; to disrupt access to data; to corrupt information by adding false bits to existing ones, thereby deceiving the opponent and, related to this, to confuse or disorient the opponent by undermining the credibility of information; to steal information; and to manipulate opponent systems by making them do what their designers did not want them to do (see Box 8.2). A prevailing theme in the US literature is the goal of denying the enemy freedom of action. The US Joint Chiefs of Staff speaks of ‘ensuring our freedom of action and denying the same to our adversaries’ in order to secure ‘information superiority’16, and US Cyber Command stresses that the principal effect of cyber warfare is to deny the enemy freedom of action in cyberspace.

  Box 8.2 The Stuxnet virus

  • A good example of the use of cyberwar to manipulate opponent systems is the Stuxnet virus.

  • In 2010 Iranian officials acknowledged that computers at one of its nuclear plants had been infected by a computer virus called Stuxnet.

  • The malware worm was designed to lie in wait, searching for and targeting specific equipment that exists at Iran’s uranium enrichment plant at Natanz.

  • The virus caused programmable logic computers made by the German electronics company Siemens, which are used at the plant to control gas centrifuges, to spin out of control and break. Gas centrifuges can be used to produce highly enriched uranium.

  • The virus also covered its tracks by fooling operators into believing the equipment was working as usual. As a result, it was not discovered for over a year.

  • It is unclear how many centrifuges were affected and how much damage was done, but it is thought that the Stuxnet virus set back Iran’s suspected nuclear programme by some years.

  • The Stuxnet virus marked a watershed in warfare because it demonstrated that cyber activity can have kinetic, physical effects.

  • The virus was so sophisticated that computer security experts suspected from the beginning it was launched by one or more state actors. In 2012 the White House confirmed the virus was a joint project between the American and Israeli governments, designed to set back Iran’s ability to create weapons-grade uranium.

  Ultimately, the strategic goal of offensive cyberwar may be to coerce the opponent, assert status or ‘teach other countries a lesson’, disable an enemy capability, or support other service elements in prevailing in ongoing hostilities. US think tanks have identified a possible end goal of ‘strategic cyberwar’, defined as state-on-state conflict carried out in cyberspace for the primary purpose of compelling the other side to accede.17 It is possible for states to wage cyberwar for an extended period of time while refraining from physical violence. But unlike airpower, where there is some question as to whether it can ‘win’ a war on its own, cyberwar is quintessentially a supporting form of warfare. ‘It is virtually impossible to take land by cyberwar’, Libicki points out, ‘which is fine: Land has mostly gone out of fashion as a motive for conflict’.18 US Cyber Command has similarly implied that cyber weapons would be used mainly as an adjunct to conventional military operations.

  The actors

  Implicit in this discussion of the character of cyberwar is that it is only useful as a form of warfare against entities with fairly extensive computer networks. For this reason cyberwar is particularly amenable to state-on-state warfare, and even here there are examples – Serbia during the 1999 Kosovo conflict and even Iraq in 2003 – of states possessing few high-value cyber targets during warfare. Cyberwar’s requirement that an enemy have similar capabilities or vulnerabilities differentiates it from other forms of conflict. US air and space capabilities are, if anything, more dominant against adversaries with no such capabilities. By contrast, in cyberwar adversaries must have a footprint – ‘no footprint, no impact’.19 Thus when we discuss the conduct of war in the cyber dimension the predominant focus of our analysis is the state actor.

  The conduct of war

  Martin Libicki. The character and possible goals of cyberwar form the backdrop against which there has been some strategic thinking on the conduct of war in this dimension. In his book Cyberdeterrence and Cyberwar, Martin Libicki draws out some principles in the conduct of cyberwar. He implies, for example, that cyberwar is non-incremental in nature. ‘At first glance cyberwar lends itself to an incremental approach because it presents such a broad range of options for contemplation … At second glance, an incremental approach may be wrong.’20 This is because the relationship between cyber activities and their effect is non-linear in nature. Tactical attacks can bring only mild annoyance for long periods of time and then suddenly cross a threshold into strategic effect. The notion, prevalent in other domains, of starting a conflict with a series of probes, and learning in the process one’s own and one’s adversary’s weaknesses, does not hold up in the fifth domain. Because learning takes place so quickly on the part of the adversary and because cyberwar is ultimately non-incremental in nature, a better approach in this domain is that of surprise. ‘Cyberattacks are about deception, and the essence of deception is the difference between what you expect and what you get: surprise … cyberwar is tailor made for surprise attack … for a one-time bolt from the blue.’21

  The PLA. As indicated above, strategic thought on cyberwar has also been underway for some time in the PLA. Historically China’s warfare approach has been ‘active defence’, meaning the country would not initiate an attack but would be ready to respond if attacked. In the information era this has changed to one of active offence in the conduct of war. The view is that the key to effective cyber operations is to take the initiative, launch cyber offensives and even act pre-emptively. The approach is closely linked to China’s overall perspective on ‘informationized’ warfare – the incorporation of advanced technologies into military operations – under which all activities now revolve around gaining information superiority on the battlefield.

  China’s military has developed a strategy called Integrated Network Electronic Warfare, designed to guide the combined employment of network warfare tools (bits) and electronic warfare weapons (electromagnetic waves) against an adversary’s information systems. The strategy points to several possible principles of cyberwar. Cyber attack, it is argued, should be used in the early or opening phases of a conflict. The idea is to exploit a temporary period of adversary blindness with a series of traditional firepower attacks, i.e. physical strikes, on platforms and personnel. The cyber approach is also targeted, in that its integrated warfare method specifically identifies enemy C4ISR (command, control, communications, computers, intelligence, surveillance and reconnaissance) and logistics systems networks as the highest priority for information warfare attacks. ‘Attacks on an adversary’s information systems are not meant to suppress all networks, transmissions, and sensors … [but] only those nodes which the PLA’s IW [information warfare] planners assess will most deeply affect enemy decision making, operations, and morale.’22

  The PLA’s approach is thus qualitative and effects-based in nature, organized around a determination of the operational centre of gravity as represented by those nodes. In line with the goal of denying an opponent his freedom of action in cyberspace, China seeks information dominance or superiority by attacking an adversary’s C4ISR infrastructure to prevent or disrupt the acquisition, processing or transmission of information in support of combat operations. Finally, the PLA identifies the requirement for coordinated or simultaneous attacks on enemy networks and systems, and highlights the value of silent or undetected operations either to steal or manipulate information.

  The US military community. The scholarly US literature on cyberwar indicates that at least 13 different doctrinal documents at the Office of the Secretary of Defense, DoD, Navy, Army, Air Force and STRATCOM levels outline how America will fight a cyberwar. Despite this, however, information on America’s conduct of war in the cyber domain is relatively limited – and for good reason. The quality of a CNA is derived from the ability to deceive, overcome or circumvent defences, while the quality of the defence is based on the ability to anticipate an enemy’s offensive approaches. Once offensive or defensive techniques are known, in relatively short order corresponding enemy defences and offensive approaches can be engineered.

  That said, it is possible to identify in US strategic thinking some notable aspects of the conduct of war in the cyber dimension. A key theme in US military literature is the requirement to take the offence. Unlike in the other domains, where questions have historically arisen as to whether the offence or defence dominates, in the cyber domain the query is definitively answered in favour of the offence. ‘The offensive form of cyberspace operations’, officials from US STRATCOM argue, ‘is far superior to the defensive form’.23 A former US Deputy Secretary of Defense, William Lynn, similarly stresses cyberwar’s amenability to an offensive approach. ‘In cyberspace’, he argued in 2010, ‘the offense has the upper hand’ because the Internet, designed to be rapidly expandable and without boundaries, creates an inherently ‘offense-dominant environment’.24 Similarly, US allies have argued cyberwar strongly favours the attacker over the defender.25

  Although the dominance of the offence is a predominant theme in the US literature, that is not to say that the defence does not figure in strategic thinking about this warfare domain. The notion of defence is prevalent but it is presented within an active rather than passive construct. A former commander of US Cyber Command has stated that the United States needs to develop dynamic rather than passive defences, meaning searching for adversaries on networks before they attack, rather than blocking attacks after they have been launched and detected.26 To do otherwise is akin to letting a burglar stand outside your door trying successive keys until one unlocks the door, rather than actively seeking to locate and apprehend the burglar before he walks up the step. The Pentagon refers to this concept as active defence – hunting within the military’s own networks. Along these lines, US defence analysts have stressed that computer network defence is more than building better firewalls and anti-virus software.27 It also involves seeing the threats before they come and perhaps allowing the US military to reach out into the adversary’s cyber systems using CNA for cyber response. This is much different from the original perspective presented in the mid-1990s that most of what US forces could usefully do in information warfare would be defensive, and that those defences would be passive. (It is also distinct from China’s former approach, noted above, which used the same term but was more passive in nature.)

  The US National Research Council concurs that passive defence is insufficient to ensure security and that it makes no sense to allow an adversary to pay no penalty for failed attacks until he succeeds or chooses to stop. They suggest taking measures to eliminate or degrade an adversary’s ability to successfully prosecute an attack. Under this rubric, a CNA might be used for defensive purposes, to neutralize a cyber threat before it arrives at one’s door. The Council, like China – and as practised by Russia (see below) – also points to the use of cyber attack in the early or opening phases of a crisis, before overt conflict begins.28

  US military leaders stress the requirement for speed in the conduct of cyberwar. ‘The speed at which information moves in cyberspace approaches the speed of light’, the Joint Chiefs of Staff has pointed out. ‘In war, operational speed is a source of combat power. When this speed is exploited, increased efficiency and productivity can result.’29 Part of this involves using the speed of information flow to gain and maintain the initiative and to operate within the enemy’s decision cycle. Beyond this, Lynn has stated that cyber warfare is like manoeuvre warfare in that speed and agility matter most, while US allies have drawn attention to speed, surprise and economy of force as characteristics of war relevant to cyberwar.30 Observers have cautioned that the speed with which electronic attacks can be conducted leaves ‘little time for cool headed reflection’ and favours pre-emptive attack.31 A prevailing theme is also a silent and surreptitious approach. One US cyber security firm has argued: ‘Hacking used to be about making noise. Now it’s about staying silent.’32 The best approach to cyberwar, some argue, is to infiltrate the enemy’s computers and networks, spy on them and surreptitiously change pieces of their communications without them knowing it.33

  Russia. One cannot point to a body of Russian strategic thought on cyberwar. Nonetheless, it is possible to draw out elements of its perspective on the conduct of war in the cyber dimension by looking at Russia’s brief war with Georgia in August 2008, during which it allegedly launched cyber attacks against Georgia (this has not been definitively determined). Analysts note the war was historic and unprecedented because it was the first time there had been cyberspace domain attack coordinated with conventional warfare. The case drew out several potential principles for the future conduct of cyberwar, including the notion of parallel or simultaneous attacks by kinetic and cyber forces. At the operational and tactical level of war alleged Russian cyberspace operations were closely synchronized with those in the land, sea and air domains to achieve the desired effect.

  Russia also undertook to identify the opponent’s cyber centre of gravity, in this case the Georgian government’s ability to communicate with the outside world and put out its message. Russian patriotic hackers worked against Georgian systems in the weeks leading up to the actual kinetic war, underscoring the value of preparatory operations – including reconnaissance activities and probing attacks – well in advance of any CNA conducted in actual support of a traditional military operation. The fact that Georgian hackers were targeted first reinforced as an important element in the conduct of cyberwar the idea of pre-emption to disrupt, degrade and even remove retaliatory capability. Based on the Russia–Georgia war example, analysts argue future patriotic hackers will be using the cyberspace equivalent of fire and manoeuvre operations directly in support of warfare in other domains.34

  War questions

  Thresholds

  The advent of war in the cyber domain has raised a number of interrelated war questions. The first and most basic is whether cyberwar can be considered war. The definition of war as a conflict carried on by force of arms between nations or between parties within a nation is problematic when it comes to cyberwar. And yet, as one NATO official put it: ‘If a member state’s communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber attack?’35 The query was posed in the context of questions raised over whether Russia’s presumed cyber attack on Estonia in 2007 constituted an act of war that required a response under Article 5 of the North Atlantic Treaty. In the wake of Russia’s action in Crimea in 2014, which included a highly coordinated cyber campaign aimed at civilian and military targets, NATO took steps to answer the question. Later that year NATO leaders agreed: ‘Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack … A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.’36 As for what sort of thresholds would actually trigger a response, this was left unstated. A NATO Centre of Excellence has explicitly tackled the idea of thresholds, but its findings have been inconclusive (see Box 8.3).

  Box 8.3 Cyber attack as a use of force or an armed attack

  • In 2009 the NATO Cooperative Cyber Defence Centre of Excellence invited an international group of experts to write a manual of law governing cyber warfare.

  • The ‘Tallinn Manual’, so-called because the Centre is in Tallinn, Estonia, defines a cyber attack as ‘a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects’ (p. 106).

  • The manual addresses the question of when a cyber attack would be considered a ‘use of force’ (Article 2(4) of the UN Charter). It argues states would characterize a cyber operation as a use of force based on the following criteria:

  (a) severity (scope of damage, duration and intensity);

  (b) immediacy (consequences that manifest quickly);

  (c) directness (the degree of causal link between the cyber operation and the consequences);

  (d) invasiveness (the degree to which it impairs the sovereignty of the state);

  (e) measurability of effects (are the consequences apparent?);

  (f) military character (is there a nexus between the cyber operation and an ongoing military operation?); and

  (g) state involvement (the degree of linkage between the operation and a state actor).

 
