Cyberwar May Be Coming To A Computer Near You

The Pentagon is about to publish its long awaited strategy for cyber warfare, the unclassified portions of which are likely to be made public sometime next month. In so doing, the Department of Defense (DoD) is acknowledging what all observers of the IT revolution have known for years: cyberwar is already a reality. During Russia’s 2008 assault on Georgia a cyber interdiction campaign was waged on that country’s computer and communications infrastructure. Although the Russian government was never officially identified as the source of the attack, the timing and character of the cyber offensive make it likely that it was sponsored and directed, even if not actually conducted, by Moscow. There have been published stories alleging Chinese efforts to place viruses in the computer networks that control the U.S. power grid. There is also the widely reported Stuxnet virus used to attack Iran’s nuclear material processing capability. Cyber attacks are commonplace; can a full fledged cyber war be far behind?

What is more important is that the strategy defines the basic rules of engagement for cyber warfare and lays out guidance for the Services as they develop doctrine, operational art and tactics. Cyber warfare needs to be thought of holistically, as part of an overall campaign involving not just intelligence collection, defensive measures and offensive actions but also the use of all means available to the nation and the military. The new strategy apparently will permit the use of so-called kinetic means (bombs and bullets) in response to a cyber attack. It also recognizes that cyber war is in many ways a subset of the larger arena of electronic warfare.

Cyber warfare is occupying an increasing place in the business planning of U.S. defense companies large and small. Many already have extensive cyber operations supporting the Intelligence Community, DoD and the Department of Homeland Security. One of the challenges for these companies in capitalizing on their capabilities is the tendency for cyber warfare activities to be so highly classified and compartmented that it is difficult to create critical mass or to migrate skills in one area into adjacent markets.

Cyber war is a particularly challenging area for the military for two reasons. The first is the problem of attribution. Unlike conventional or nuclear attacks which can generally be traced back to their source, most cyber attacks to date have been done anonymously or through the use of host computers. The second problem is that most of the world’s IT infrastructure and potential targets for cyber attacks are in civilian hands. An increasing amount of cyber activity is taking place in the “cloud” supported by server farms that can be located anywhere in the world. So a cyber attack on a server farm in Moldova could directly affect the operation of U.S. companies. Similarly, a cyber attack by the U.S. military on foreign computers or networks could impact those same companies. Unfortunately, to the extent that military and government networks become increasingly hardened against cyber attack aggressors will be tempted to go after softer, civilian and commercial networks. The result may be the cyber equivalent of the urban bombardment that destroyed dozens of major cities in Europe and the Far East during World War Two.

The publication of the cyberwar strategy may also help jump start a long postponed public debate over the nature of such a war and how it should be deterred, if possible, or fought if necessary. The last technology to revolutionize warfare to the same extent as IT is doing was that which led to the creation of nuclear weapons. The nuclear revolution in military affairs sparked an arms race. But it also generated a wide-ranging and very spirited debate about how such weapons fit into the conduct of military operations, including whether or not they were legitimate weapons of war, how they might be used to deter conflict and was a nuclear warfare winnable. This kind of debate has not yet occurred with respect to cyber war. Part of the reason is that so much information remains classified. But it also has not been encouraged by those directly involved in formulating cyber warfare policy and strategy. Where are the Bernard Brodies, Herman Kahns, Thomas Schellings, Henry Kissingers and Colin Grays of the cyber age?