Freedberg, writing in “Military Debates Who Should Pull The Trigger For A Cyber Attack,” quotes General Cartwright (Ret.) as saying:
“We’ve been thinking 90% defense, 10% offense. That’s bass-ackwards for us.”
Later in the article, Chairman of the Joint Chiefs of Staff General Dempsey says:
“We need cyber to be wired into the whole force. In the future, cyber will become both a standalone warfighting instrument with global reach and a ubiquitous enabler of the joint force. In other words, cyber forces should be capable both of operating on their own, like strategic bombers on long-range missions deep into enemy airspace, or in close conjunction with other combat arms, like those same bombers providing close air support to ground troops in Afghanistan. Right now, however, the military is at a stage with cyber more comparable to the early, awkward days of aviation in the 1920s, when everyone knew this new technology could have awesome effects but no one was quite sure how.”
Sage concerns by the Chairman, but perhaps he misunderstands the domain. Network-centric enhancement to make war is not the same as being able to make war in cyberspace. Similarly, the ability to manage and provision a network is not the same as waging war.
Though admittedly I read these comments with my own biases, I don’t see much to be really concerned with, and some things that I’ve been thinking about for a few years are starting to be stated by leadership, which is nice to see. The 90% defense and 10% offense comment, with follow-up concerns by many I’ve read, tells me that my thinking may be more on target than I originally thought. The Chairman’s comments are instructive if slightly misplaced. The concept of mission command has been primarily a principle of strategic weapons (submarines, atomic weapons, bombers), an expectation of units where things have gone extremely poorly (losing, cut off, decimated, etc.), and of the special operations forces working in clandestine or covert roles. One thing that is important to understand is that these concepts do not necessarily apply across the entirety of the domain.
I think that we’re diverging significantly from the old world of cyberspace into a newer set of taxonomical and ontological concepts. Perhaps we’re finally beginning to mature the thinking of the domain. The focus on offense is not yet nearly the focus we need. In my opinion we do focus too much on defense. The problem is we have continued to focus on information security as if that is a form of cyber war. The focus on computer security artificially limits what could be considered valid forms of attack and most obviously has nothing to do with nation-state attackers. In reverse, the language of war being applied to the management principles of information systems causes inappropriate risk calculations, increases costs outside the requirements, and inhibits innovation and efficiency at significant social costs.
Basically, information security is a form of management and cyber war is a form of conflict. That they happen in the same domain and have different goals is no different than the gate guards that protect your gated community from bad guys. The Wackenhut security guys carry guns, but their entire mission set is quite different from the rather impressive troops of, say, SEAL Team 6. As a community of interest we continue to conflate these two roles at extreme cost and significant increase in strategic-level risk.
So I think General Cartwright is likely correct that we focus too much on information hygiene and management of information systems as part of national power. It is kind of like resourcing run amok. All the rack rats and keyboard cowboys are now cyber ninjas at much better compensation. There is a significant toll on society, public trust, and civil liberties. Having the NSA be the center of that kind of process impacts trustworthiness and distracts from what should be their central mission. The historical reasons aside, the NSA shouldn’t be acting as the cyber equivalent of a plumber. That’s what DHS is for, and if DHS doesn’t have the skills, that is a resource priority issue, not an excuse to fail.
The projection of national power through cyberspace requires tools and techniques that are primarily offensive. The tank, rifle, F-15, and atomic bomb are forms of force whether they are putting steel on target or not. Mere ownership of them is a form of force. Though I like the farcical concept of soft power (an idea only the military could create), power requires the ability to apply force to make somebody do something, or make them stop doing something. We need to stop mixing the management of information systems with the projection of national power and start developing real tools, techniques, operational concepts, and doctrine that realize that goal.
Understand that the projection of national power is not a network-centric, hacking, cracking, schwacking problem. Most network intrusion techniques as currently developed are along the lines of national power by musket in a sharks-with-lasers world. The Title 10/50 dichotomy of US national policy and centralization of information security resources in a Title 50 organization are inherent impediments to nationally organized information systems security. Separation of the cyber as plumbing from the cyber as soldiering is increasingly important for the continued efficiencies and capabilities of the modern nation state to continue. The projection of national power should be an entire offensive set of weapons that do not rely on the enemy’s lack of cyber hygiene to allow them to work. Cyber weapons must deny, disrupt, degrade, and destroy the opposing forces or resistance without relying on their self-imposed vulnerabilities. Until we can do that and resource this concept, it is muskets in a world of sharks with lasers.