T H E

S T R A T E G I C

E L E M E N T S

O F

C Y B E R

W A R F A R E

Yo u k n o w t h a t t h e b e s t y o u c a n e x p e c t i s t o a v o i d t h e w o r s t .1 C Y B E RWA R F O L L I E S : M I S U N D E R S TA N D I N G S & H U B R I S

Cyber warfare is presently sometimes misunderstood and misinterpreted by conventional military defense planners.2 The first error is to believe that cyber war is analogous to industrial war where the utility of force at scale is sacrosanct.3 That is, Clausewitz’s principles of strategy apply.4 Instead, two of the fundamental questions that the cyber defense strategic planner must ask is: “Has the paradigm changed? Is the application and utility of force even relevant to address the landscape of cyber threats this nation presently faces?” 5
U N D E R S TA N D I N G T H E C Y B E R S Y S T E M T H R E AT E N V I R O N M E N T

What follows are a series of propositions that measurably describe the substance of what we presently understand concerning the reality of cyber warfare. Hopefully, with a better understanding of what constitutes cyber warfare, this framework can provide defense planners increased leverage for developing cyber ecosystem threat deterrence measures: All cyber warfare is ultimately asymmetric warfare. If the U.S. spends $10,000,000 to build and deploy a cyber weapon, the opposition will be able to reverse engineer this weapon and use it against us for less than $100,000. Budget and force profile provide little competitive advantage. In this environment only time is the true competitive advantage;6 What is different about cyber warfare is that the technologies underlying weapons of mass destruction (WMD) i.e. chemical, biological, radiological, and nuclear weapons (CBRN) require access to hard-to-acquire and often large scale, sophisticated weapons programs. However, cyber warfare weapons, along with other networked technologies such as genetics, nanotechnology, and robotics are widely within the reach of individuals or small groups; Cyber weapons are potentially so powerful that accidents, abuses, and deliberate malicious attacks are capable of producing circumstances whereby, for example, instead of global GDP going from $60 to $240 trillion (in $2005 purchasing power parity) by 2050, it declines to $6 trillion;7

LYLE A. BRECHT --- DRAFT 1.17---- CAPITAL MARKETS RESEARCH ---- Saturday, September 24, 2011

PAGE 1 OF 7

T H E

S T R A T E G I C

E L E M E N T S

O F

C Y B E R W A R F A R E

Thus, we now have the possibility of threats not just of weapons of mass destruction, but of knowledge-enabled mass destruction (KMD) weapons; KMD weapons will most likely use the power of self-replication to amplify their destructiveness by many orders of magnitude. Knowledge alone will enable the use of and destructiveness of these weapons; 8 The cyber ecosystem will shortly become the favored environment for novel strategic warfare initiatives and weapons development.9 Both cyber security 10 and cyber warfare,11 although interlinked and enmeshed, are proceeding apace rapidly and, for the most part, independently; Threats to the cyber ecosystem follow a power distribution in number and severity of system related threats over time (i.e. only a few threats will be severe and large scale, but potentially catastrophic); Sources of threats to the national cyber ecosystem are local, national, regional and global and constitute a national security threat in their severity and cost to the national economy only when they occur at scale;12 Practically speaking, the cyber ecosystem’s vulnerability is often determined by the lowest common denominator of present technical capabilities. It is unlikely from a game theory perspective that the cyber ecosystem can ever achieve 100% security. That is, there will always be some level of probabilistic risk in the system that is not able to be adequately managed; With cyber weapons, there presently is no countervailing strategic game doctrine for cyberspace, like MAD (mutual assured destruction), that has the potential to actually deter First Use.13 The notion that the doctrine of nuclear deterrence can be retrofitted and used to deter cyber attacks is not reasonable.14 Because cyberspace threats can be initiated easily by privatized transnational groups, without the knowledge of national governments by rogue elements within the state, and the originating location of the attack readily masked and even transposed to a predetermined DNS, the threat of nuclear armageddon in response to a cyberattack appears both unwarranted and unproductive; The notion of attacks and counter attack measures in the digital environment are not directly transferable from the experience with the analogue environment of conventional war fighting. For example, the development

LYLE A. BRECHT --- DRAFT 1.17 -- CAPITAL MARKETS RESEARCH --- Saturday, September 24, 2011

PAGE 2 OF 7

T H E

S T R A T E G I C

E L E M E N T S

O F

C Y B E R W A R F A R E

and deployment of offensive weapons in cyberspace have a higher probability of mimicking HIV i.e. the release into the environment a wild-strain retrovirus that cannot be effectively inoculated against than of deterring attacks or ‘punishing’ supposed attackers; The use of cyberspace for intelligence gathering and war fighting should be limited by thoughtful multi-lateral non-proliferation agreements. For example, with offensive cyber weaponry, the potential for a serious problem is the capture of a digital agent by a hostile force and the alteration of the code to infect domestic data stores. With the potential for selfreplication, and modification of basic code sets, once these sophisticated agents are released in the wild, it may not either be affordable or feasible to turn them off easily. Friends and foes will suffer.
STRATEGIC IMPLICATIONS

The first duty of the state is to contain chaos15 A Fabian strategic posture that buys time and builds domain understanding will be most productive and economically justified.16 Strategic initiatives whose intent is to impose complete control over cyber ecosystem threats are unlikely to ultimately be productive even if short-term results are achieved. That is, policies must be primarily based not on an a hegemonic ideology of security at all costs, messianic projects to thwart threats and militarism but on geopolitical, economic, and environmental interests; The accumulation of collaborative strength, coercion, and balance of power among nations will become more important than the ideology of ultimate national cyber security and projection of power through supposed advantageous novel cyber weaponry. Competent, economically-based strategic geopolitical interests must take priority over military interests;17 A global arms race in cyberspace is presently beyond the capabilities of any nation, including the U.S.18 Instead, a military doctrine of strategic sufficiency is warranted. The defense of the cyber ecosystem demands novoe myshlemie (new thinking). The present lack of realistic and new thinking-based strategic goals for the defense of the cyber ecosystem, a result of militarism and great power chauvinism, is likely to end badly.

LYLE A. BRECHT --- DRAFT 1.17 -- CAPITAL MARKETS RESEARCH --- Saturday, September 24, 2011

PAGE 3 OF 7

T H E

S T R A T E G I C

E L E M E N T S

O F

C Y B E R W A R F A R E

The defense of the cyber ecosystem opens the opportunity for the demilitarization and humanization of our thinking, away from placing power, prestige, status quo maintenance, and state interests ahead of survival of the human species on earth. The opportunity for the ultimate defense of the cyber ecosystem is the construction of a new world order on the basis of cooperation and nonviolence through strategic sufficiency.19 From a tactical perspective, if strategic sufficiency is adopted a statesponsored cyber attack may be best left to a cyber-SPEC OPS, rather than conventional forces. The objective would be to learn the sources and means of attack and understand countermeasures rather to destroy primary sources of data. This is a very different vision of what constitutes acceptable “conflict” and what to do about it in that it always begins with the three elements of special operations. The three elements being: limiting the number of objectives, good intelligence, and innovation. These special operations strategic elements are all designed to provide an advantage of time and nimbleness versus force strength by keeping things as simple as possible. 20 Prussian chief of staff Helmunt von Molke’s dictum that “No plan survives first contact with the enemy” is even more applicable to cyber warfare.21
ENDNOTE 1 Italio Calvino, If on a Winter’s Night a Traveler (1979) in William Poundstone, Prisoner’s Dilemma (New York: Doubleday, 1992), 53.
2

Even the term cyberwarfare is a misnomer in that it implies an affinity with conventional war where territory can be won or lost and ultimately the war can also be won or lost through the application of force. Richard A. Clarke in his book Cyber War (May 2010), defined cyberwarfare as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption." Yet, what will become clear as the future unfolds is that malicious intrusions and disruptions of a national cyber ecosystem may have little to do with the intensions of a nation state, that defense against these intrusions will have little to do with the application of force, and that this is a struggle that cannot be won or lost in any conventional understanding of these terms. “Knowing when to end a war relates to war aims and measures of success. A war’s aims should be definitive enough so that success can be measured in some clear way. This is easiest to do where the aims concern discrete things such as the destruction of material targets. Measuring success becomes harder as aims become more political and psychological, such as weakening or toppling a regime, encouraging opposition or deterring further action.” See Jeffrey White, “What Would War with Iran Look Like?” at http://www.the-american-interest.com /article-bd.cfm?piece=982.

LYLE A. BRECHT --- DRAFT 1.17 -- CAPITAL MARKETS RESEARCH --- Saturday, September 24, 2011

PAGE 4 OF 7

T H E

S T R A T E G I C

E L E M E N T S

O F

C Y B E R W A R F A R E

3

If it is true that industrial “Military force when applied has only two immediate effects: it kills people and destroys things [and]... “That is the true measure of its utility”, a reasonable question is if threats to the cyber environment are even appropriate for the military domain. For example, if industrial warfare is characterized by the strategy of nuclear deterrence as the underlying conceptual framework, if the “test of a good strategy is that it achieves its object without the necessity for battle” - where does this strategy fit for protecting the information economy? The argument for addressing this threat landscape, “it is no longer practical for the politicians and diplomats to expect the military to solve the problem by force, nor it it practical for the military to plan and execute a purely military campaign, or in many cases take tactical action, without placing it in a political context, with both politicians and the military adjusting context and plan accordingly throughout operation as the situation evolves.” See General Rupert Smith, The Utility of Force: The Art of War in the Modern World (New York: Alfred A. Knopf, 2007), 8, 15, 375.
4

See Carl von Clausewitz, On War, edited and translated by Michael Howard and Peter Paret (Princeton, NJ: Princeton University Press, 1976).
5 6

General Rupert Smith, 6.

See: http://www.whitehouse.gov/files/documents/cyber/Brecht%20Lyle%20-%20NATIONA L%20CYBER%20SYSTEMS%20INFRASTRUCTURE%20SECURITY%20REVIEW %20CONCEPT%20PAPER.pdf.
7

Army General Keith Alexander, commander of the new U.S. Cyber Command and Director of the U.S. National Security Agency says that destruction by cyber-attacks was outranked only by nuclear bombs or other weapons of mass destruction. See: http://p.washingtontimes.com/news/2011/sep/13/computer-based-attacks-emerge-asthreat-of-future-/?page=all. Global GDP estimate is from U.S. Central Intelligence Agency.
8

Bill Joy, “Why the future doesn't need us,” Wired (June 2008) at http://www.wired.com/wired/archive/8.04/joy.html.
9

“Last year, Symantec discovered 286 million new and unique threats from malicious software, or about nine per second, up from 240 million in 2009. The company said that the amount of harmful software in the world passed the amount of beneficial software in 2007, and as many as one of every 10 downloads from the Web includes harmful programs.” See http://www.nytimes.com/2011/06/18/technology/ 18security.html?src=recg.

LYLE A. BRECHT --- DRAFT 1.17 -- CAPITAL MARKETS RESEARCH --- Saturday, September 24, 2011

PAGE 5 OF 7

T H E

S T R A T E G I C

E L E M E N T S

O F

C Y B E R W A R F A R E

10

“In January 2008, President George Bush signed National Security Presidential Directive 54/ Homeland Security Presidential Directive 23 — more commonly known as the Comprehensive National Cybersecurity Initiative (CNCI). The CNCI recognizes that cyber security must be elevated to a level of importance on par with an organization’s core functions and missions. It emphasizes that cyber security is a leadership responsibility, not just a function of the Chief Information Officer and information technology staff. And it acknowledges that effective cyber security is multidimensional, multifaceted, and actively involves the entire organization.” See update at http://www.fas.org/irp/eprint/cnci.pdf.
11

Either force or counter-force measures applied with the frame that cyberspace is just another ‘war-fighting environment.’ The subtext typically assumes that ‘National Defense’ means force projection and is based on Deterrence Doctrine, which today relies on fundamentally on U.S. Nuclear Posture. See http://www.scribd.com/doc/16490356/Rethinking-Nuclear-Deterrence.
12

One cyber security expert estimates that “at least 6 percent of the more than 4 billion IP addresses in the world are zombie machines” controlled by botnets run by criminal syndicates. The largest recently discovered criminal botnet links millions of computers in 172 countries. See http://www.csmonitor.com/USA/2011/0629/ Biggest-ever-criminal-botnet-links-computers-in-more-than-172-countries/(page)/2.
13

Gen. Kevin Chilton, the head of U.S. Strategic Command, said “I think you don’t take any response options off the table from an attack on the United States of America,” Chilton said. “Why would we constrain ourselves on how we respond?.... “I think that’s been our policy on any attack on the United States of America.... “And I don’t see any reason to treat cyber any differently.” (“U.S. General Reserves Right to Use Force, Even Nuclear, in Response to Cyber Attack,” Global Security Newswire May 12, 2009).
14

At stake here, although it is not yet often realized, is nothing less than “our understanding of the social imaginary by which we frame our world.” The political theological question is if the “world-destroying power American nuclear arsenal” should be, much less can productively be, put to use to punish “potential enemies and thus one in which politics can turn into life threatening violence” in response to ‘attacks”’ on the nation’s cyber ecosystem? That is, does the faith in the principles of sovereignty still apply to the highly interconnected and interdependent infrastructure of the nation’s networks and all that encompasses the national cyber ecosystem? See Paul W. Kahn, Political Theology: Four New Chapters on the Concept of Sovereignty (New York: Columbia University Press, 2011), 10, 11, 26.
15

Perestroika desiat let sputsia in Grigory Pomerants, Zapiski gadkogo utenka (Moscow: Moskovski rabochili, 1998), 29-30, 60 in Vladislav M. Zubok, A Failed Empire: The Soviet Union in the Cold War from Stalin to Gorbachev (Chapel Hill: The University of North Carolina Press, 2007), 318.

LYLE A. BRECHT --- DRAFT 1.17 -- CAPITAL MARKETS RESEARCH --- Saturday, September 24, 2011

PAGE 6 OF 7

T H E

S T R A T E G I C

E L E M E N T S

O F

C Y B E R W A R F A R E

16

Quintus Fabius Maximus Verrucosus Cunctator (ca. 280 BC – 203 BC) was a Roman politician and general, born in Rome around 280 BC and died in Rome in 203 BC.... Fabius was well aware of the military superiority of the Carthaginians, and so when Hannibal invaded Italy. Fabius refused to meet him in a pitched battle. Instead he kept his troops close to Hannibal, hoping to exhaust him in a long war of attrition. Fabius was able to harass the Carthaginian foraging parties, limiting Hannibal's ability to wreak destruction while conserving his own military force. The delaying tactics involved a pincer of not directly engaging Hannibal while also exercising a "scorced earth policy" practice to prevent Hannibal's forces from obtaining grain and other resources.... According to Ennius, unus homo nobis cunctando restituit rem – "one man, by delaying, restored the state to us." Virgil, in the Aeneid, has Aeneas’' father Anchises mention Fabius Maximus while in Hades as the greatest of the many great Fabii, quoting the same line. While Hannibal is mentioned in the company of history's greatest generals, military professionals have bestowed Fabius' name on an entire strategic doctrine known as "Fabian strategy", and George Washington has been called "the American Fabius” (Wikipedia).
17

See: http://www.atlantic-community.org/index/articles/view/An_Emerging_Cyber_Cold_War
18

One assessment of the Cold War and the resulting arms race between the U.S. and the U.S.S.R. is that it might be characterized as a “zero-sum battle between two messianic centers of power.... a competition between very distant cousins, who fought over the best way to modernize and globalize the world, not between friends or foes of modernization and globalization” (Zubok, 343-4).
19

During 2008, the nations of the world spent nearly $1,500 billion (U.S.) on their military forces for the purported purpose of national defense. In the past 64-years, since the end of WWII, the total spent on national defense globally is around $40,000 billion. One consequence of this massive, ongoing diversion of global resources (human, economic, scientific and technological capital) from meeting basic human needs is the continued immiseration of many billions of the earth’s human population and the the neglect of pressing critical global environmental, social, and economic issues. As President Dwight Eisenhower stated in 1953: Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The most obvious weakness to allocating so much of the world’s capital to national military preparedness is that it often fails to protect nations from the war and destruction it is supposed to prevent. See http://www.scribd.com/doc/20228926/Economic-Games-Behind-Nuclear-Deterrence.
20

William H. McRaven, SPEC OPS: Case Studies in Special Operations Warfare: Theory and Practice (New York: Ballentine Books, 1995), 11.
21

McRaven, 158.

LYLE A. BRECHT --- DRAFT 1.17 -- CAPITAL MARKETS RESEARCH --- Saturday, September 24, 2011

PAGE 7 OF 7

Sign up to vote on this title
UsefulNot useful