Cyber Strategy – Different From A Shooting War

Big hack of pretty much everything in Ukraine this morning: internet, power plants, government. I wrote this post before that happened, but it applies.

The Obama administration was in an extremely difficult position after learning about Russian hacking of last year’s election. Several factors came into play: the difficulty of dealing with international cyber attacks, intransigent Republican partisanship, and the decaying relationship with Russia. I’m going to break down those factors into at least two posts.

Cyber attacks present a national security problem different from any encountered before. Lumping them into a designation of “cyberwar” projects assumptions of conventional war onto them and distorts the difficulties and possibilities. I haven’t seen much analysis of these differences and how they affect strategy. Please point me to them, if they exist. Most punditry assumes that cyber attacks can be equated to war, and numerous opinion articles have referred to the Russian hacks as a form of war. In this post, I will consider only that part of last fall’s situation. A later post will consider the political ramifications.

The weapons of war have been physical and obvious. Troops and tanks lining up along a neighbor’s border have a number of characteristics that cyberweapons turn on their heads.

• The capability and purpose of the military deployment can be inferred within a range. Numbers of tanks and troops can be estimated from readily available satellite photos, leading to estimates of plans and goals. Timing can be kept secret.
• The military deployment is attributable. There is no doubt which nation put it in place.
• A military response must be considered. Diplomatic and other responses are also possible.
• An extensive history can be drawn on for the tactics most likely to be successful.

Now consider hacking another country’s election process. I’m going to keep close to the scenario from last fall’s election, but I will be making general points.

• Capability and purpose may not be immediately obvious. Depending on the levels of defense, an attack may not even be noticeable.
• Attribution is difficult and depends on the skill of the attacker and the tools of the defender.
• Cyber attacks are new enough that conventions on responses have not been developed. Does a theft of data justify a physical response? Diplomatic warnings may reveal to the attacker which systems are vulnerable, and by how much. A cyber response, particularly a damaging one, must be sure of attribution. What is the equivalency of cyber damage and physical damage?
• Capabilities for attacks and defenses change constantly. The attacker must expect that they won’t be able to use the same attack against the same target twice because using it gives up information that can be used to block it the next time. Preliminary probes to determine what kind of weapon to use may give away the intention of an attack so that the defender can harden defenses.

The differences are so profound that calling cyberattacks “war” damages our ability to think through a strategy to deal with them.

Are cyber attacks a national security concern? Yes.

Do we need to defend against them? Yes.

Should we retaliate? Yes. Retaliation should be timely, but it may take time to attribute a cyber attack. It should be proportional, but we have not figured out the proportionality of cyber damage to real-world damage. The theft of voter information? Damaging voter rolls? Slowing down electrical service without damaging equipment? A DDOS attack on government websites? When does a shooting war begin? All of which is complicated by the possibility that the damage is not fully understood.

One method of retaliation is to expose the activity and what is known about the attacker. This can undermine an operation that requires secrecy and bring down a variety of penalties on the attacker, ranging upt to sanctions. But exposure of the activity can also give credit and credibility to the attacker while exposing the methods used to identify the attacker and perhaps which systems were vulnerable.

Similarly, there have been calls to deter further Russian cyber attacks. Deterrence is the threat that if you do X, we will do Y. Again, proportionality is desirable. Threatening a particular outcome can reveal a cyber capability that would be more effective if kept secret. And if you don’t know the opposition’s defenses, you may not be able to credibly threaten.

This is a quick overview of what I see as major differences associated with the characteristics of cyber attacks. All of this likely went into the Obama administration’s thinking on how to respond to last fall’s Russian cyber campaign against the American election. The decisions they made can’t be evaluated without taking these characteristics into account. The politics of dealing with the situation shortly before a presidential election further complicated those decisions. I’ll examine the politics in the next post.

 

I just found an article that addresses, in a more academic way, the points I’ve made above. I have access only to the abstract, but there seem to be parallels with what I’ve said.

 

Cross-posted at Balloon Juice.