There is a desire by a constituency to promote solutions to problems that they are uniquely suited to solving. If asked about how to clean up air pollution a mechanic will likely tell you to tune up your car and make sure it is running as efficiently as possible. Ask an ethanol producer and they will tell you switching to their form of fuel will solve the air pollution problem. Neither is wrong, and unfortunately neither is right. This is where we find ourselves currently in considering the issues of cyber conflict. Each group (constituency) brings their own brand of solution to the entirety of a problem.
Cyber warfare is a concept that leads to a substantially misguided discussion for a form of conflict. First what is cyber, and then what is war? These terms themselves are horribly misaligned and left to political or philosophical interpretation. Cyber warfare artificially constrains the mind to particular visualizations of the realm of conflict. Proponents of this discussion have begun questioning the relative utility of the term and critics jump at any chance to erode the idea of conflict. Opponents of the principles of any conflict are harsh to judge the entirety of cyber conflict as unnecessary or entirely without merit.
The principle of secrecy-politics is eroding the credibility of the cyber warfare discussion. Media and government agencies report the appellation of cyber warfare as having near god-like powers of totality in destruction. What evidence can be provided to support such a statement that cyber warfare is all that and a snack? To answer this we have to be careful. We do need to beware the classified boogeyman. As an aside, I’m usually not offended by the “we could have a real talk if this was a classified environment” discussion-ending statement. There is zero evidence in saying something is classified and should be taken on face value as a given. I figure as long as government types were going to continue using that kind of reasoning I’d start charging for anything I had to say worth hearing. All government readers will be getting a bill for $100K (each). Overclassification is one way of eroding the merits of the discussion, and worse, it may hide evidence of contrarian points of view.
One consistent way of derailing the cyber warfare discussion is artificially trying to argue the middle case where things are fuzzy rather than hash out the details where we can agree first. If you think of the conflict spectrum as a box plot where peace is one edge, all-out end-of-the-world war is on the opposing edge, and most conflict fits in the norm center, we can facilitate a discussion. Acknowledge that the center cases in the norm of the curve are fuzzy, and talk about the skew towards war. That allows for the discussion to move forward.
We should be able to deduce that cyber as a terrain has a specialty form and hybrid form that informs the discussion. Warfare on land, sea or in the air has a specific set of patterns that make it both similar to and different than the other terrains. Naval warfare between ships has a specific set of tactics and stratagems that set it aside from mobile armor in the desert. Each of the specific terrains has the ability to hybridize and act upon the other terrains. Hybrid warfare in the era of joint operations has become the normal course of planning and implementing operations.
Warfare, though, is about mass casualty capability and eroding the will of the adversary. Whether one is a devotee of Clausewitz or Sun Tzu (sic), the political will of the nation state is tied to the populace. So, how are you going to create a mass casualty event through cyber means? This is a scary premise to many. Seventy years after the last major world war our society has escaped into a kind of fugue state believing it can never happen again. This is historically inaccurate, socially inaccurate, and likely much the same thoughts other societies have had before they became engaged in major conflict. The rejection by some on the simple merit of the discussion is a slap in the face of the previous example of secrecy politics. The argument that we can’t have the discussion about a major casualty event because it is politically incorrect, and that it therefore doesn’t exist as a policy or capability, is an ignorant and misguided deductive flaw. Regardless of the security implications, the discussion in both directions is valid. That’s the great thing about being me: I don’t have a security clearance, so I can discuss stuff without reprisal…
So let’s look at a few things:
1) Cyber doesn’t rot food in the fields, doesn’t dry up gasoline in gas tanks, and last time I looked requires a computer to release the genie inside. The real infrastructure systems all have a human in the loop just to protect against this attack strategy. In general human systems have resiliency that is never taken into account when generating catastrophic cascading failures. The number one mistake in information security and cyber warfare is ignoring the human as an actor and agent within the system.
2) Blue Cascades (talked about in Black Ice by Verton), and a variety of other investigations have “proven” that infrastructures are way more resilient to deplorable computer behavior than we have been led to believe. Engineers in general understand that infrastructure systems fail and doing so gracefully is important. Cascade failures are possible and don’t need cyber agents of destruction to create chaos. Engineering those failures, though, without hybrid attack strategies rarely occurs.
3) Threats against government entities ARE NOT threats against the people. Saying there are millions of attacks against the Pentagon because people are pinging firewalls proves we need some good metrics and leadership looking at problems. Because, whoever is reporting the current stats really needs to find an engineer with a clue.
4) Cyber warfare has become synonymous with computer security. This is the grievous mixing of tactics with strategy. Protecting an armored tank park is not the same as mobile high speed armored warfare. With computer security a failure at all levels of implementation, we’re supposed to believe the Pentagon suddenly has a handle on cyber warfare? Allowing the discussion to wander and not being specific in the terms used has created a vast hole in the relevant discussions.
6) Take down the stock exchange? A flash panic was wiped from the records within days returning billions of losses and gains as if it never happened. The MCIWorldcom outage due to a misapplied Y2K patch at the Chicago Board of Trade in 1999 is another good case-study for resiliency in the face of substantial impact.
7) Stuxnet and other SCADA device controllers have impacts on the real world through their interaction at the hardware level with the real world. SCADA senses the world, moves levers and arms, turns on switches, and moves things. Numerous researchers have discussed this vulnerability, but relatively few attacks have been attempted against this vector. This follows the Duggan threat matrix model that you need a vulnerability, a threat, and
It is easy to discuss the catastrophic and fear inducing cascading failure to gain support for the cybergeddon treatise. There are certain inherent fear responses that must be present for an argument of cybergeddon to be accepted as real thus requiring a response. Absent unreasoning fear and accepting evidence to the contrary a rational decision can only be met by decrying cybergeddon as a fairy tale. This does not suggest that cybergeddon could not happen any more than saying land warfare would be used as a single terrain to answer end-of-the-world war scenarios. Any substantial conflict is going to be a hybrid war but a blind eye to any domain could be the fulcrum that asymmetric warfare is balanced upon.
Regardless of the terrain of conflict, nation state and non-state actors rarely engage in symmetric conflict where the competitors are fully balanced. Pirates attack unarmed merchants, and the navy brings to bear overwhelming force to combat pirates. Each side in a conflict attempts to push against the weakness of a competitor and protect their weaknesses. Specific weaknesses can be utilized to erode strengths. Whether that erosion is through information dominance and signals intelligence or it is a social protest that can be utilized to erode adversaries’ will. From what I understand of the “classified” national military strategy we don’t even plan on using cyber to respond but have a shiny arsenal of missiles to use in case we are attacked by cyber means.
If we were to list out the specific elements of nation-state power in each of the domains the kinetic conflict element would likely lead the list. Bombs, bullets, missiles and other elements of bang would rush to our lips. Followed closely by statecraft and diplomacy conducted through trade and barriers to economics. The DIME model turning on a military pinwheel seems to generate from the discussion. Regardless of the actual tools applied to the DIME model cyber must be able to act in similar fashion as the other terrains.
Cyber most assuredly works on the intelligence element. Have we used cyber to spy on peer competitors and such? Undoubtedly, but a selective use of Metasploit and Google is the hacking equivalent of a Yugo at the Indianapolis 500. Statistical analysis and pattern recognition of adversaries are much more important if they lead to an enhanced understanding of the adversary. Why would we throw away the intelligence and analytic techniques we have always used just because we have cyber? When space became a venue for observation the talents and capabilities of aerial reconnaissance analysts informed the new space terrain’s techniques. Using the same tools/strategies that are used in other domains allows cyber as a terrain to enhance intelligence gathering. The direct use of the cyber domain by other state actors seems to suggest that intelligence is the special case for cyber. Heavy transport was a special case for naval activities, whereas high-speed transport was the case for air as a terrain/capability. Intelligence gathering by observation was the case for space as a terrain.
Expecting cyber to supplant the other terrains as the only terrain of conflict ignores the generations of human strife. Not all have this view, but enough of the broader community seems to think in a Billy Mitchell way of thinking: the only war you’ll get is the war they give you. Billy Mitchell was talking about air force upon air force conflict. He was right, but he was also wrong. Unfortunately air war was one kind of war, and Vietnam and subsequent conflicts showed that land war was still viable. Attempting to say that cyber on cyber is required ignores the later adaptions, and the speed of adaption may or may not be an issue.
Adapting new tools to the spectrum of conflict seems reasonable, but relatively ignoring the scores of evidentiary points that the other terrains remain as viable future fields of conflict does not. Artificially constructing arguments against hybrid warfare also ignores the nature of previous and modern conflicts. Cyber on cyber may be an issue we have to deal with, but history over the long run suggests that hybrid warfare models will predominate and that inclusion of a new terrain is best done considering the capabilities of all the actors in the other terrains.
Traditionally intercepting and destroying communication conduits has always been a conflict activity. Towards that end cyber has a special place and likely a longer history than many are willing to accept. The bane of short vision horizons towards future conflict has resulted in a minimal understanding of the history and lessons of the past.
When Gordon Moore announced the 24-month paradigm for transistor density doubling and later adapted it, few likely realized the broad implications to cognitive processes. Shortening a vision horizon to 24-month generations ignores the human in the system. This leads to cyclical repeats within the computer realm of research redundancy and discovery of “new” ideas that are actually only two or three (computer) generations old. This interestingly enough is further proof of the viability of cyber as a new terrain. The fighting of the last war (regardless of time paradox) strengthens the case of similarity between other terrains of conflict and cyber as a terrain.
Toward this current fugue state we see alternative points of view that have led to stymied discussion. The fugue state is a form of selective amnesia that forgets the history of conflict, the history of each terrain, the memory of the reality that is conflict and leaves the nation-state vulnerable. The alternative points of view draw toward continuation of discussion rather than selectively solving the problems. The conflation of cyber security (defense of information systems) with cyber warfare (political purposed conflict in cyber space) further erodes the debate leading to a dissociative state of confusion. The fact that large amounts of money haven’t been spent on the security space, but could be spent on the conflict realm, even weakens the credibility of the entities in discussion. Cyber fugue is a recursive amnesia state of sustained ideological conflict.