Sanity on Cyber War
There's Nothing New Under the Sun
By Michael Tanji
Much has been made about the electronic fight that occurred alongside the physical one between Russia and Georgia. Predictably, talk of “cyber war” and the dawn of a new age of conflict abounds. Never mind that we have seen this before: China vs. Taiwan over Taiwanese independence; China vs. the US over various issues; Islamist Groups vs. the US during operations IRAQI and ENDURING FREEDOM; Serbia vs. the US and NATO during ALLIED FORCE, and numerous other conflicts. Then, as now, we see that conflict in cyber space falls far short of apocalyptic.
To be sure, there are serious threats in cyber space. Chinese intrusions into government, military and commercial networks are legion, but this has been going on more or less unabated for years. Few remember that it was Russian intelligence that used German proxies to break into the networks at a national lab … in the 80s. Whether we are talking about state-sponsored activities or criminal practice, there is a common thread: the need to have the ‘Net up in order to make things happen. This is why cyber war, as many envision it, is a fantasy.
For the sake of argument though, let’s assume there was a threat actor that did want to destroy or degrade the ‘Net – or at least our portion of it – for military gain. A quick search online for an Internet traffic map illustrates the folly of the concept of cyber space sovereignty. Georgia’s status as a “cyber locked” country – only one way in and out electronically – is something of an anomaly; generally speaking you cannot just take country X off-line and leave innocents untouched. For some belligerents this might not be an issue, but unless you’re declaring war on the world it makes sense to limit potential counter-attackers (true in both the virtual and actual worlds).
Recent discussions on the threat of an Electromagnetic Pulse (EMP) cannot be ignored here, but some perspective is in order. If an adversary detonates a nuke in the atmosphere over the US, we’ve probably got one or two more issues to deal with before we get around to restoring everyone’s Facebook page. The equipment and power necessary to cause the same effect without a nuke would be, well, about as obvious as a large wooden horse parked outside your door. Not having the ‘Net during such a crisis would hinder recovery, as the ad hoc construction of support and recovery web sites after Hurricane Katrina and other disasters demonstrated. But catastrophic electronic attack is still largely recoverable and bloodless, unlike the analog in meat space.
Serious analysts of these issues talk about an adversary’s capabilities and do not use “cyber” as an adjective in front of every physical-world equivalent. Why? Because the means isn’t as important as the impact.
Take terrorism for example. Who is terrorized when terrorists or their sympathizers take down a web site? No one. What threat does a terrorist group that launches attacks that were new five years ago pose? Not much. Terrorists do a lot of things online, but fighting well is not one of them. Nation-states have much more significant capabilities, but going back to an earlier point about espionage, they are having too much success exfiltrating data to risk destroying the source of said data. Exploiting your adversary’s networks and systems is this age’s neutron bomb; all the pesky people (and potential insurgents) are gone, all the goodies are left to plunder.
There is a reason why few in the kinetic war business take cyber war seriously: people don’t die (that might change soon enough for some), property is easily recovered, territory is not lost, and sovereignty is not threatened. One could argue that in the Estonia example a mode of operation was threatened, but certainly not their way of life or culture. Radovan Karadzic is in The Hague to face charges of war crimes; Dragan Vasiljkovic, who reportedly led Serbian cyber attacks while his colleagues conducted more visceral ones, is not exactly on the fast track for the gallows. I am fairly sure the widows of Srebrenica would have loved to have suffered at the hands of e-brigands vice the real sort.
In fact it is precisely this attitude that “it’s just data” that is the greatest hindrance to success in defending digital assets and having related disciplines taken seriously in a military context. No government official or corporate executive will admit it, but bits play second fiddle to hard assets. No amount of arguing about the nexus of the two, or how you can hardly use the latter without the former makes headway. It is why NIPRnet is consistently owned by various adversaries; why external viruses penetrate internal networks, and why millions of dollars worth of data can be traded illicitly over the ether largely without consequence. When those at the top don’t get it, the best we can hope for is re-action (to the next attack or embarrassment).
As a practitioner in this field for many years it is interesting to note the cycle of hype, spending, work and stagnation that occurs about every ten years. In all that time there has been no great leap forward in defense or security though attacks have gotten more sophisticated, diverse and powerful. Debating the need for an e-weapons proliferation scheme – as if one could regulate computer code as one does fissile material – is what passes for serious thought. There is also a drive to make all of this “new,” when in reality I can pull a nearly 30-year-old book off of my library shelf that documents the same sorts of events we are witnessing today.
Cyber space is a dangerous place, and it always has been, but we need to be preparing for war: period. Every conflict will have a cyber component to it; the next war will not be exclusively electronic. To steal a phrase from the Infantry: If they’re not there, you don’t own it. The Russia-Georgia “cyber war” is only an issue because the Russian Army is physically sitting in Georgia. Absent that, cyber war to date is largely just nationally-motivated digital graffiti.