Conventional War Strategy Doesn't Work in Cyberspace

Credit EligibleAs a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Conflicts in cyberspace are so unlike clashes in the real world that the military must think differently about strategically cyberwarfare than they would conventional war.

"The primary purpose of fighting is to disarm the other side," Martin Libicki, senior management scientist at the think tank RAND Corp., said in an interview with GovInfoSecurity.com (transcript below) " Think about that analogy in cyberspace and it falls apart. It is very difficult to disarm another nations ability to use hackers in cyberspace and you almost certainly cannot do it with hackers themselves."

Libicki is speaking of strategy, because cyberattacks would be unlikely to cause significant damage to the enemy as does conventional warfare. "One of the differences between cyber and other forms of warfare is that cyber is largely untested. Sometimes it works, sometimes it doesn't," said Libicki, who recently authored a RAND report, Cyberdeterrence and Cyberwar, which argues that strategic cyberwarfare shouldn't be a priority for America's armed services..

Yet, he said, cyber should be considered as an ancillary weapon by the military during tactical military operations. For instance, the military could disable the enemy's computer systems used to launch missiles. "In many ways, it's not very expensive to generate an offensive cyberwar capability, and though the odds of success aren't guaranteed, there may be circumstances in which the odds are fairly high enough that it's worthwhile in taking the chance and carrying out a cyber attack in conjunction with physical warfare," Libicki said.

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

In the interview, with GovInfoSecurity.com managing editor Eric Chabrow, Libicki explains why:

• Cyberwarfare as an offensive strategy isn't advisable;
• Creating a separate service branch on par with the Army, Navy and Air Force that's dedicated to cyberwarfare is a bad idea; and
• Industry should take the lead in defending the nation's critical IT infrastructure, with help and possibly regulations from government.

Libicki joined RAND in 1998. His research focuses on the relationship of IT to national security and other public policy goals. He previously worked for the Navy on industrial preparedness and what is now the Government Accountability Office's energy and minerals division. Libicki received his Ph.D. in industrial economics and master degree in city planning from the University of California at Berkeley and bachelor degree in mathematics from the Massachusetts Institute of Technology.

ERIC CHABROW:: What is the main thesis behind Cyber Deterrence and Cyberwar?

MARTIN LIBICKI:: The main thesis of Cyber Deterrence and Cyberwar is that conflict in cyberspace is so dissimilar from conflict in the physical media, one should very cautiously take metaphors and understandings and precepts from the world of physical media and apply them to cyberspace.

Traditionally, in the Clausewitzian view of war, one of the purposes of fighting, probably the primary purpose of fighting, is to disarm the other side. Think about that analogy in cyberspace and it falls apart. It is very difficult to disarm another nations ability to use hackers in cyberspace and you almost certainly cannot do it with hackers themselves.

The wars that I have heard of, if this is still relevant, is the ability to zap somebody's laptop, but in the world in which laptops are $300 each, that doesn't really get you very far because you can always go out and get another one. You can't take down hackers with computer hacking, you can take down networks, but if the hackers are in fact on your network to begin with that isn't going to do any good.

But the bottom line here is that many of our notions of warfare are based on destroying the other side and that simply doesn't apply in the cyberwar. There are a lot of people who talk about cyber deterrence by looking at the nuclear realm. In the nuclear age, you had a problem of a weapon for which there was no basic defense and, therefore, we generated theories of deterrence, which said we can't keep you from exploding a nuclear weapon on our soil, but what we can do is threaten to do the same to you so that no rational person would think of starting a nuclear war.

People who look at cyberspace look at the costs and difficulty of defense and say, "Oh, it's impossible." The offense always has an edge and the bad guys are always going to get through, so the only way that we are going to keep our networks intact is to threaten to do likewise to our adversaries. The problem, is in the world of cyber, is that you have a large number of practical difficulties.