Conventional War Strategy Doesn't Work in Cyberspace
Strategists Mustn't Approach Virtual, Real Warfare the Same Way
"The primary purpose of fighting is to disarm the other side," Martin Libicki, senior management scientist at the think tank RAND Corp., said in an interview with GovInfoSecurity.com (transcript below). "Think about that analogy in cyberspace and it falls apart. It is very difficult to disarm another nation's ability to use hackers in cyberspace and you almost certainly cannot do it with hackers themselves."
Libicki is speaking of strategy, because cyberattacks would be unlikely to cause the significant damage to an enemy that conventional warfare does. "One of the differences between cyber and other forms of warfare is that cyber is largely untested. Sometimes it works, sometimes it doesn't," said Libicki, who recently authored a RAND report, Cyberdeterrence and Cyberwar, which argues that strategic cyberwarfare shouldn't be a priority for America's armed services.
Yet, he said, cyber should be considered as an ancillary weapon by the military during tactical military operations. For instance, the military could disable the enemy's computer systems used to launch missiles. "In many ways, it's not very expensive to generate an offensive cyberwar capability, and though the odds of success aren't guaranteed, there may be circumstances in which the odds are fairly high enough that it's worthwhile in taking the chance and carrying out a cyber attack in conjunction with physical warfare," Libicki said.
In the interview with GovInfoSecurity.com managing editor Eric Chabrow, Libicki explains why:
- Cyberwarfare as an offensive strategy isn't advisable;
- Creating a separate service branch on par with the Army, Navy and Air Force that's dedicated to cyberwarfare is a bad idea; and
- Industry should take the lead in defending the nation's critical IT infrastructure, with help and possibly regulations from government.
Libicki joined RAND in 1998. His research focuses on the relationship of IT to national security and other public policy goals. He previously worked for the Navy on industrial preparedness and what is now the Government Accountability Office's energy and minerals division. Libicki received his Ph.D. in industrial economics and master's degree in city planning from the University of California at Berkeley and bachelor's degree in mathematics from the Massachusetts Institute of Technology.
ERIC CHABROW: What is the main thesis behind Cyber Deterrence and Cyberwar?
MARTIN LIBICKI: The main thesis of Cyber Deterrence and Cyberwar is that conflict in cyberspace is so dissimilar from conflict in the physical media, one should very cautiously take metaphors and understandings and precepts from the world of physical media and apply them to cyberspace.
Traditionally, in the Clausewitzian view of war, one of the purposes of fighting, probably the primary purpose of fighting, is to disarm the other side. Think about that analogy in cyberspace and it falls apart. It is very difficult to disarm another nation's ability to use hackers in cyberspace and you almost certainly cannot do it with hackers themselves.
The wars that I have heard of, if this is still relevant, is the ability to zap somebody's laptop, but in the world in which laptops are $300 each, that doesn't really get you very far because you can always go out and get another one. You can't take down hackers with computer hacking, you can take down networks, but if the hackers are in fact on your network to begin with that isn't going to do any good.
But the bottom line here is that many of our notions of warfare are based on destroying the other side and that simply doesn't apply in the cyberwar. There are a lot of people who talk about cyber deterrence by looking at the nuclear realm. In the nuclear age, you had a problem of a weapon for which there was no basic defense and, therefore, we generated theories of deterrence, which said we can't keep you from exploding a nuclear weapon on our soil, but what we can do is threaten to do the same to you so that no rational person would think of starting a nuclear war.
People who look at cyberspace look at the costs and difficulty of defense and say, "Oh, it's impossible." The offense always has an edge and the bad guys are always going to get through, so the only way that we are going to keep our networks intact is to threaten to do likewise to our adversaries. The problem, in the world of cyber, is that you have a large number of practical difficulties.
Few Intuitive Clues in Cyberspace
The number one practical difficulty, and which many people will acknowledge, is trying to figure out who carried out the cyber attack on you. Cyberspace is a virtual construct. You don't have any of the intuitive clues that you have in the world of physical space. A person can attack you without being anywhere near you. A person can attack you without showing any activity that is anywhere associated with a country from which he comes.
It might be felt, for instance, that if you knew where the server was or where the computer was, or more generally the box was that the attack took place, you had a pretty good idea of who attacked you. But, in fact, in cyberspace that can be completely misleading against anything but a fairly idiotic adversary. Somebody could be coming in from a cyber café in any of several hundred different countries. Somebody could be hijacking a WiFi connection, again, in many different countries. It won't be too long, in fact to a certain extent it is true now, that you can conduct a cyber attack by using a cell phone, and in many of the world's countries cell phones are not associated with individuals; they are disposable. You can drop a virus into a third-party computer and control that computer and use that computer to launch an attack.
A lot of the physical cues that you use for attribution are simply not going to work, but there are many other reasons why the analogy between nuclear deterrence and cyber deterrence starts to fall short.
CHABROW: Is there a role for some type of cyber offense for the United States or other nations?
LIBICKI: Cyber offense comes in two categories. One is operational cyberwarfare and the other is strategic cyberwarfare. In operational cyberwarfare, what you are basically trying to do is use cyber means to help physical means do their job. If you want to bomb a particular target, the enemy has air defenses, you want to find some way to deal with the air defenses. You could use physical means, that is to say blow up the radars. You could use electronic warfare means, which is to say make sure the radar doesn't pick up your incoming aircraft. Or, you can use cyber means, which is a way of confusing the computers in such a way as to either prevent it from picking up the aircraft or picking up the aircraft too late to really do them any good.
One of the differences between cyber and the other forms of warfare is that cyber is largely untested. Sometimes it works and sometimes it doesn't. But in some sense, one could say the same about many other forms of warfare, although I think for cyber we know a good deal less about the percentage of effectiveness. That is operational cyberwarfare and I believe in any military that is of a mind to conduct real warfare against an adversary, they ought to be of a mind to conduct cyberwar against an adversary to the extent that cyberwar is a cost effective means of projecting military force. In many ways it is not very expensive to generate an offensive cyberwarfare capability. And, although the odds of success are not guaranteed, there may be circumstances in which the odds are fairly high enough that it is worthwhile in taking the chance and carrying out a cyber attack in conjunction with the physical warfare.
On the other hand you have strategic warfare. The notion that we can get other countries to surrender by disabling their power supply, banking, electricity, phones, etc., etc., the same things that we worry about having been done to us. Here I would say a little more caution is required, partially because of the many uncertainties of cyberspace, which is to say you don't always know what you have done, collateral damage can be very difficult to predict sometimes and it is often very easy to mask the effects. But I would also argue that it is inherent in conflict in cyberspace that there is a certain serious flaw in the matter.
Complexity Leads to Flaws
Let me step back and start with two items, one of them technical and one of them not. The technical item is, if you get into somebody else's system and muck around with it, it is because somebody else's system has a flaw. In theory, and to a large extent although not 100 percent in practice, computer systems do what their owners and operators want them to do. That is how they are designed. But computer systems are complex and because they are complex they have flaws, and a certain percentage of these flaws will allow bad guys to take over your computers, or bad guys to do something to your computers you don't want them to do.
It is in the nature of flaws, however, if you realize that you have a particular flaw, you have a great incentive to try to correct it and if you figure that in fact correcting it is not going to be all that easy, there are various other methods you can have, which can either eliminate or mitigate the damage. That is to say that you can reduce access between the relevant network and the outside world. You can also reduce to a certain extent your dependence on that network. In other words, you have a great deal of discretion about how vulnerable you want to be.
Now let me put that aside for a moment and get to the next point. When you are in the coercion/deterrence/compellence game, you are always dealing with some sort of mix between anger and fear. That is to say, if you attack somebody as a way of demonstrating your cyber capabilities, there is a certain likelihood that the other side is going to get angry and being angry will want to hit back. But there is also a certain likelihood that the other side will become more fearful of you and becoming more fearful would not want to hit you back. Or, more generally, would want to do other things that would not make you quite so likely to carry out a cyber attack.
Anytime that you engage in strategic warfare, that is anytime you engage in warfare not for the purposes of disarming the other side, but for the purpose of changing its calculus, you always have to ask yourself: Where on the fear-versus-anger spectrum are you going to end up?
I would suggest that if you are using a weapon that only gets worse over time, your fear component tends to be more dominant. That is to say if you take a look at our air campaign against the Serbs in 1999 over Kosovo, we gradually convinced the Serbs over a three-month period that things were only going to get worse for them; that NATO planes could fly in more or less unmolested and that our choice of targets, which had been previously relatively precise and military oriented, might at some future point become imprecise, or more generally, more civilian oriented. They were looking at their hand and it was only going to get worse.
More Attacks, Fewer Fears
In cyberspace, because of the inherent capability of fixing errors, you have the prospect that people will take a hit, maybe one, maybe two, maybe a few, and calculate that in fact they are going to be getting safer rather than less safe over time. Which is to say at the cost of reducing their assets of their network or at the costs of putting resources in to fixes, they have less and less a fear of a cyber attack over the course of your campaign, in which case your fear component is lower and your anger component is unabated.
If you try to wage strategic war using cyberwar in whole or in large part, you have the risk in fact of triggering anger, without necessarily triggering fear. Let me give you just one other example.
Imagine the scenario under which a large country with an island off its coast wishes to essentially acquire the island. It knows that we might intervene and it wants to ward us from intervening, so it goes and reaches into the United States and turns out our lights. Now what happens at this point? Well, they have proven that they can turn out our lights at least the first time, but what they have also done is they have turned the conflict with their offshore island from a local matter into a global matter. Which is to say prior to the cyber attack we could say, well it is an internal matter and it is taking place far away and we don't have a formal alliance with that island and the island was not behaving in a 100 percent correct manner so we will let these two guys hash it out.
Afterward, the nature of the conflict changes and it ceases to become a tactical/operational conflict in a far away ocean and becomes a strategic conflict because if we do not respond to such an obvious attack, then we broadcast to the world that we are capable of having our foreign policy altered, we are capable of backing down from a crisis if somebody goes after our networks; and that is not a message we want to send.
To a certain extent, we have a limited say over how vulnerable we are, but we have a great deal of say over how we react to our vulnerability. Deterrence after all is in the mind of those being deterred and if you refuse to be deterred, you are not deterred.
CHABROW: Is that why the study suggests the use of negotiations and diplomacy as a means to defend our cyber assets?
LIBICKI: Diplomacy and negotiations are always a means of defending any of our interests, but I would suggest it is the alternative of the relatively weak as it worked not by exceptions. By contrast, negotiations and diplomacy are relatively stronger. There are other sorts of pressure that we can take going back.
For instance, the notion that every nation is connected to a network, in essence into the same network, is basically a notion that we trust nations that are connected to the network to act correctly. If there is a particular nation whose access to the network is causing problems for others in such a way that the problems start becoming a net minus rather than a net positive, then the rest of the world has the scope, one could say they have the right to get together and say, well extending network privileges to this country is in fact a privilege and this privilege has to be earned by good behavior and if the behavior is not good, why are we extending this privilege?
I don't want to suggest that all of our responses to cyberwarfare are necessarily going to be in the talking stage. There are other actions that can be taken, but you have to weigh, as it were, your way of actions against what they can and cannot do.
CHABROW: Two Army colonels earlier this year proposed that a fourth branch of the military on equal footing with the Army, Navy and Air Force be created to address cyber offense and defense. What do you think of that idea?
LIBICKI: It is probably not a good idea because there are essentially three things that you can do in cyberspace. You can do defense, you can do offense and you can do espionage. I think the espionage angle is fairly well taken care of and I don't have anything to add over here. We seem to be doing an adequate within our institutional capabilities.
In terms of defense, first of all, you don't have to have a uniform on in order to do defense. In fact, most of our defense is not done by uniformed personnel. And second of all, most of what you do for defense is going to be a subset of what you do for general computer administration. In other words, the same guys who make sure that your Microsoft Office is running, are also generally the same people who make sure that you don't have a virus on your machine. So most of the activity in defense is going to be bottoms up and a great deal of it is in practice going to be civilian.
That leaves offense and I am sure these gentlemen are thinking about offense when they do that. I would argue that if you are looking at offense, separate and apart from exploitation, you are actually looking at a very small number of folks. Because it is in the nature of offense that (a) to be good at it you have to be really, really sharp, and (b) you are dealing with a handful of tricks that you want in the hands of the right people.
In other words, if you are going after a sophisticated defense, you are going to be relying on finding vulnerabilities that these guys didn't know they had, which is another way of saying there was a zero day of vulnerabilities. The number of zero day vulnerabilities is limited. They are actually very precious commodities and you don't put them in the hands of a mass organization.
When you count up the number of people who would be really good at offense, separated from espionage for which certain sort of mass effects are possible, it turns out to be fairly small. And being very small, I wouldn't put it on the same standing as the other four services.
More generally, there is something to be said for not touting your cyberwar capabilities too much. Part of what you use cyberwar for is to instill uncertainty and doubt in the minds of the adversaries, about whether the information that they are getting is correct. And, it seems to be, and this may be challenged, that a high profile in this matter is probably not a good thing; that in fact, you want to surround your offensive cyberwarfare capabilities with as much uncertainty and doubt as you want to induce in the adversary yourself.
CHABROW: We see several of the branches developing these cyber commands to address or defend our cyber interests--
CHABROW: --Is the military the best organization to defend America's critical cyber assets?
LIBICKI: Oh no, not at all. But that is not why this service is organizing it. I mean their first job is to protect their own cyber assets and that is a serious piece of work. Let me take it from this short no answer and sort of do you an elaboration.
A few minutes ago I said almost all cyber defense is a local and that is during the civilian business. If, for instance, you are going to keep hackers from a power grid, you are going to have to understand the architecture in fairly fine detail of the power grid, the software they use, the trust relationships they put together, how people access the network and all the minutia, which you are going to have to find out from none other than the power industry.
Now the power industry is not only going to start off knowing its system better than the military can, but they are also going to be able to hire whoever they need to hire to make sure that their system is doing what they want it to do. The military can only come in as an outsider. It can only come in as somebody who doesn't understand power generation, because very few military officers actually generate power as part of their job, and comes in as an outside entity that is part of the government when a lot of private enterprise in this country is very nervous about letting the government see anything that they do, and they only do so under the force of law, so to speak.
So the question then becomes, if you have to say is one highly trained individual working for the military going to be more effective at defending the electric power industry than a similar individual hired by the electric power industry, the answer is clearly, not at all.
What is useful is if the various institutions have a strong incentive to defend themselves, which is to say understand that they will bear all of the costs if there is a cyber attack if their systems go down and customers are deprived of value from their systems. As long as those incentives are correct, and as long as the various institutions are kept informed of the threat and the various technologies and standards, in other words ancillary roles for government, I don't think that there is a particularly powerful role for the federal government to play in defending the country's cyberspace.
CHABROW: Obviously though, there are a lot of people who may distrust the motives of the private sector who they feel would be motivated mostly by profit to protect these assets.
CHABROW: I guess you are suggesting that profit is a big motivator for them and any penalties that they would have to absorb would get them to do what is proper?
LIBICKI: That's right. At that micro cost benefit analysis level, the profit motive actually works pretty well. As we both suggested however, that requires that the incentives be correct. There are a lot of people thinking about incentives in the security business, but I don't think it is an unsolvable problem.
CHABROW: Do incentives include some form of regulation?
LIBICKI: It could. For instance, you have your banks, right? Now what happens if a bank fails? Well the taxpayer picks up the money and that is why we have a Federal Deposit Insurance Corp. For that reason, it would not strike me as inappropriate for the FDIC to have somebody on its staff, more than one person on staff, to say First Bank of Omaha, we want to make sure that you folks are not subject to catastrophic failure, which we the taxpayers will have to pay for, because your cyber security is weak and I think it is incumbent upon you to at least give some indication to us that the chances that your bank will go under because of a cyber attack are minuscule or as they say in technical terms, an epsilon of zero. A similar capability within the Federal Electric Regulatory Commission probably would not be inappropriate, also.
One of the things that people said proved helpful during the Y2K run-up was a requirement that the SEC had levied on publicly traded corporations that their statements to the SEC discussed their risks from the possibility that they would not mitigate Y2K, and that seemed to me a real legitimate role of government. And, so that when you have sectors that are already being regulated, and many of the critical sectors are in fact being regulated, I don't think it would be a terrible stretch of the government's authority to actually require some demonstration from the folks you are regulating that they have made prudent preparations against that.