Rickover and Mitchell were visionary ambassadors and petty tyrants of their respective domains of war fighting. Each working in their own peculiar way eviscerated leadership on the way to promoting new ways of waging war. The history is pretty detailed but neither approach will work in the cyber domain. Neither leader had to do deal with an entrenched industry already operating within the domain, or had to deal with a population that might use the same tactics, techniques and procedures against the nation state.
In pundit land we can’t even define a common lexicon and the “rice bowl” mentality inside the Beltway, and the cult of personality are eroding the legitimacy of cyber before our eyes. You’re a high-powered government/industry big shot with a large staff and the ear of industry/government and world leaders? Welcome to the punditcy you have as little or as much influence as the latest blogger. I know some irony there right?
The big military, centralized control, large scale system deployment, bazillion people employed by large profitable firms is such an enticing way to build up the next big domain called cyber. It is of course, balderdash. Where else have we seen the power of the nation state eroded through irregular and unexpected avenues as the conflict was prosecuted? Darn if we haven’t talked about insurgency and low intensity conflict as a model for cyberspace already. We have the intellectual leaders who have looked at this model like Arquilla, Denning, Ronfeldt, Nagl, and others.
But, I can’t put together a program around that model you say. What would my funding model be? Why look over here and see the principles of counter insurgency are broken on the back of Colonel Gentile! The truth is out there. The offense doesn’t care that your defense was mangled at cross-purposes with the domestic agenda. Cyber offense it’s like a whole ‘nother animal. Instead of trying to figure out the funding model we should be trying to figure out the problem. Nero tune up your fiddle.
To put it mildly “Honey badger don’t care.”
Cyber offense isn’t just information operations, network, spectrum, <insert rice bowl here> strategies of attacking the other guy. But, thank you for brining all of your pretty little biases to the table. If’n we’re going to make things go boom we might not want to shoot or own assets off.
Look, Hyman and Billy were great guys looking to spend big budgets building tin cans that either sunk or crashed from time to time. Cyber conflict isn’t going to be that. It doesn’t fit in some neat program or office and none of the “back stabbing” blaming the Russians or Chinese or France is going to fix it. We’ve got enough people wallowing around crying big ol’ cyber tears.
Here is the thing. If you shoot, I get to respond, then you can respond, then I respond, and we call that war until we stop. None of this silly stuff people have been writing books about is war. We’re talking about good ol’ fashioned break stuff and kill people. If you don’t know what I’m talking about there is this guy called Clausewitz who can explain it. Cyber though isn’t a linear kind of thing where you line up troops and everybody whacks at each other until you’re all tired and want to go home. Cyber is different. That’s why it is a new domain…
Cyber is waged over time. It breaks the normal rules as I reach back into your supply chain two or three generations of equipment and wait for your refresh cycles to inject logic bombs. Heck I might even get you to subsidize my attack vector! Cyber is waged through complex cognitive efforts. Information and messaging of intent and political will are valid contextual elements to cyber. Cyber is how you pay to be attacked. Most of the infrastructure for attack isn’t created and built where you live it is built by your adversary for you to use. With a hat tip to Mao you’re using the adversaries own infrastructure do dissuade, disable, or disrupt their activities. Cyber isn’t just a network. You’ll find cyber in the system behaviors where the act of pulling one plug has unexpected behavioral consequences. Cyber is about being where you shouldn’t, long before you need to, so you can do things you’re not supposed to.
I see lots of young TCP/IP cowboys talking about crafting packets of pain to ruin the networks of adversaries. Then I see these cute little red team guys. They’re just so cute. They talk about penetration testing networks. They get their scope of work, their rules of engagement and they blow through the networks like a 3-day binge beer fart. Enumeration it’s so 2000. The adversary doesn’t have “rules of engagement” and blowing through a network is mildly interesting. It is a great practice for counter intelligence and anti-espionage. What’d you blow up and how much did you break? That network security stuff ain’t war!
Come talk to me about heart monitors blowing patients hearts up, the immediate deployment of 50K or 80K air bags in cars, the cessation of fly-by-wire commands in airliners, the interruption of electronic brakes in all North American elevators, ships ballast system flipping them (word!), Air Traffic Control systems suddenly redirecting flights to Area 51, and so on. Give me some kinetic impact. Breaking stuff is easy. The strategic investment is into what you want to break. The clay feet on this statue to the improbable is the target may be yourself. Billy and Hyman never had to consider that utilizing a nuclear naval or strategic air asset might mean blowing up Seattle. We vaporized the city but all ur bytes belong to us.
Remember cyber is different. The model of force-on-force is so last century. The strategic impacts of cyber are already in play. How much are we spending on it? What is the evidence to support that expense? Why are we spending on certain facets of the problem space and not others? And, always ask yourself, “If we’re not doing it right who is profiting by us doing it wrong?” Someday I’ll get a job with an op-tempo that lets me look at these questions until then I just get to throw rocks during my lunch hour.