SPECIAL SERIES: Cybersecurity: The Next Great Battlefield
In this series of articles running through July, RealClearPolitics and RealClearDefense take an in-depth look at the intersection of cybersecurity, technology, and warfare in the 21st century. Below is Part 11.
It seemed fitting, even at the time, that the vast carnage of World War II was finally ended by a weapon of such enormous destructive power that it altered mankind’s concept of the very nature of war.
Today, cyber weapons are as disruptive a technology as the atomic bomb, requiring a new round of innovative thinking. The task before us is to make sense of an entirely new order that blends the physical and non-physical worlds into a seamless and seemingly limitless battle space.
The implications of Hiroshima and Nagasaki – if this was to be the new way of battle – were terrifying. Within a year, the publication of Bernard Brodie’s “The Absolute Weapon” anticipated the doctrine of massive retaliation. The generation of strategists that first grappled with the awful power of nuclear weapons had to reconsider every aspect of war, “thinking about the unthinkable,” in futurist Herman Kahn’s most famous formulation.
Despite several close calls, Armageddon did not come. But with cyber weaponry, we now must manage to be lucky again. One way to help our chances is to not equate the two threats. This is a new technology, requiring new paradigms. David Sanger, author of “The Perfect Weapon,” expressed it to me this way in a recent interview: “All the questions that come up in nuclear deterrence are the same as the questions that come up in cyber -- and every one of the answers is different.”
Here are five ways in which cyber weapons differ from nuclear armaments – and, for that matter, why they may be unlike anything that military strategists have previously encountered.
1. Cyber is not a “domain” of war; it is a new reality. The term “domain” is important in military parlance, and of relatively recent vintage. It was first used in official U.S. doctrine in 2000, and it implies a separate and unique sphere of conflict. The first four “domains” are land, sea, air, and space – each with its own military branch that has (or may soon have) authority within that domain: Army, Navy, Air Force and now a proposed Space Force. In 2009, the U.S. declared cyber “the fifth domain,” and NATO followed suit in 2016.
This may be misguided. Cyber, by definition, transcends the physical world. If the primogenital strategic domain is land, there is a logical progression as technology advances and adds sea, air and then outer space, expanding the physical theater of war. But cyber doesn’t merely extend and expand the current battlespace, it thoroughly redefines it. While you can imagine land battles that don’t include sea power, or you can imagine air war without engaging space weaponry, it is now impossible to think about any form of conflict without including cyber strategy, if only because everything runs on networked computers. Cyber doesn’t exist in its own dimension; it affects every other one.
2. Arms control won’t work. Except for a few early strategists who considered the utility of nuclear weapons on the battlefield, the major debate over nuclear weapons quickly moved to how to deter an attack, and how to control the proliferation of nuclear weapons. Arms control in the nuclear age has – knock on wood – been surprisingly effective.
While the 1970 Nuclear Non-Proliferation Treaty didn’t freeze the number of nuclear powers entirely, it certainly slowed the growth of membership in the club. With a limited number of nuclear powers in the world, walking nations back from the nuclear brink via carefully constructed bilateral and multilateral agreements seems possible. But an arms control regime for cyber? Forget about it. There are already too many actors with access to cyber weaponry. And they’re not all nation-states. And nobody’s honest about it anyway, which makes treaties problematic. How would such pacts even be enforced?
3. Time is not on our side. The first atomic bombs were dropped in 1945. While nuclear strategists started scribbling their thoughts almost immediately, it wasn’t until 1962 – 17 years later – that the term “mutual assured destruction” was coined by Donald Brennan of the Hudson Institute. It took that long to settle on the doctrine that became the central organizing principle for strategic thinking and debate. Today, we don’t have the luxury of time. The development of cyber weapons is galloping along at, well, cyber speed. Herman Kahn lamented in the 1960s that civilian analysts couldn’t keep up with advancements in offensive missile technology, but that was nothing compared to the furious pace of today’s advances in cyber.
4. Deterrence is dead, but a first strike isn’t what it used to be. In nuclear strategy, the big fear is a massive preemptive strike, so the entire point is to keep your adversary from firing first. You do this by making sure that you have a survivable second-strike capability – nuclear weapons that are hardened or hidden to the point where the other guy could never be sure that if he struck first, he would truly disable you. As a result, it doesn’t make sense to unleash a holocaust on your enemy, because within minutes his surviving missiles would obliterate you and yours. In this way a delicate “balance of terror” is maintained between nuclear adversaries -- and it has worked surprisingly well.
In cyberspace, there is no advantage to a massive first strike – or at least none compared to the advantages obtained by keeping up a low-grade, constant level of harassment, espionage, and disinformation. A “Cyber Pearl Harbor” that some have warned about -- that is, a massive, out-of-the-blue cyberattack that would disrupt critical infrastructure -- makes little strategic sense. In fact, cyber weapons provide the ultimate “short-of-war” arsenal, and are deployed along a continuum that includes espionage, commercial theft, blackmail, harassment, disinformation and outright destruction. Countries – including the United States – are already constantly probing one another’s networks, gathering information, stealing secrets or planting bugs that are just lurking, ready to be turned into viruses at the opportune time.
And at any rate, attacks can’t be deterred, because the bad guys are already in the house. “You have to defend on the presumption of breach,” former NSA and CIA Director Michael Hayden told RealClearPolitics. “They're getting inside the wire. Get over it. Operate while under attack. It is almost as if rather than the moat, the castle wall, or the Maginot line, it's a constant engagement in which you are fighting within your own network.”
5. Cyber conflict is already here. Beyond the atomic bombs dropped on Hiroshima and Nagasaki, all nuclear strategy is based solely on theory. In contrast, we’re already in a cyber conflict on many levels. We bemoan the Russians’ interference in our election system. We are furious that the North Koreans hacked into Sony to fry its system and steal and publish its embarrassing emails. We call for tariffs and trade barriers when the Chinese steal intellectual property.
But the United States is not simply playing goalie in this new world, although you hear a lot more about the need for cyber defense than for cyber offense. The U.S. and Israel used a malicious cyber worm called Stuxnet to destroy Iran’s uranium centrifuges. While it isn’t yet talked about too much outside the defense community, the wonderfully alliterative term “left of launch” should soon be entering the public debate. It refers to infiltrating an adversary’s launch codes in order to blow up a missile before it leaves the ground. Many suspect that we’ve already done so in North Korea. At any rate, the idea of a preemptive strike on a country’s military assets during peacetime – or even during a time of heightened tensions – is pretty much the definition of an act of war. It is something we may want to think about before going too much farther down the path we’re on, lest someone else gets the idea that we’re okay with it.
In short, cyber weapons require an entirely new level of strategic thinking. The oldest (and perhaps truest) cliché in military strategy is the one about generals always preparing to fight the last war. Today, we can’t afford to have strategists using the last generation’s mental maps. The cyber war is already here; we’re already in it, and the sooner we come up with strategies, norms, and doctrines that reflect this new world, the better.
Andrew Walworth is a senior fellow at the Murrow Center for a Digital World at the Fletcher School of Law & Diplomacy and co-host of the podcast “RealClear Cyber Today.”