[Infowarrior] - Cyberspace Spawns a New Fog of War

[Richard Forno]

Cyberspace Spawns a New Fog of War 
By Col. Alan D. Campen, USAF (Ret.), SIGNAL Magazine

September 2010

http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2375&zoneid=301

An old doctrine illuminates the obsolescence of traditional rules.

Military commanders long have complained of limited situational awareness because of faulty intelligence and disruption of their lines of communications. Gen. Carl von Clausewitz called this “the fog of war.” Today’s military commanders face a distinctly different threat to their lines of communications because cyberwar casts a shadow far beyond Gen. Clausewitz’s conventional battlefield and the rules of engagement that govern armed conflict.

Senior military commanders assert that coming to terms with this new threat to information systems requires not only some new technology and revisions in doctrine, organization and management but also a change in military culture itself. U.S. military forces have become too dependent on the data flowing through vulnerable digital information systems they neither own nor control, and they no longer are confident in their ability to function in this highly stressed information environment.

Joint Chiefs of Staff Chairman Adm. Mike Mullen, USN, says, “Cyberspace will change how we fight.” Gen. Keith B. Alexander, USA, commander of the U.S. Cyber Command, and director of the National Security Agency, says that network warfare has evolved so rapidly that there is a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.”

The cadre of U.S. Air Force officials who labored to shape what has since become the 24th Air Force knew they were entering an ill-defined, unexplored and heavily contested domain. Lt. Gen. Robert Elder Jr., USAF, then commander of the 8th Air Force and joint functional component commander for Space and Global Strike, U.S. Strategic Command (STRATCOM), invited the RAND Corporation to advise his military planners on cyberwarfare.

In a report titled Cyberdeterrence and Cyberwar, RAND analyst Martin C. Libicki responded with sobering observations on the  limits of power in cyberspace. While specifically addressing Air Force hopes to “fly and fight in cyberspace,” his observations apply to each of the military services and to other government agencies as well.

The report makes several key points: Cyberspace is its own medium and must be understood in its own terms and rules; deterrence and warfighting tenets established in land, sea, air and space do not necessarily translate reliably into cyberspace, and attempts to transfer policy constructs from other forms of warfare not only will fail but also will hinder policy and planning; and the medium is fraught with ambiguities about the identity of the attacker, its objective and what damages resulted. Also, as an offensive strategy, cyberwarfare is questionable because its potential for unpredictable collateral damage is high and permanent effects are hard to measure; attempting a cyberattack in the hopes that success will facilitate a combat operation may be prudent, and betting the operation’s success on a particular set of results may not be; and defending military cyber systems is like but not equal to defense of civilian systems.

Coming to terms with this new fog of war requires more than simply identifying the ways cyberwar differs from conventional battlefields and making adjustments in technology and tactics deemed prudent. The words used to define the cyberthreat and the objectives and proposed methods of conducting cyber operations are critical, because words carry baggage.

As an example, the term psyops has been purged from the military lexicon because it became politically contentious. Another term is information operations, or IO, the meaning of which has morphed so often that members of a vexed Senate Armed Services Committee directed the U.S. Defense Department to define the term, identify the players and explain how it is managed.

Words shape debate and mold organizations. What we call “things” quickly solidify into policy, doctrine, organization and training, and from that, budgets that foment turf battles among equity-entrenched organizations.

Cyberwar is a most troublesome term. How can we develop a national or international strategy for waging cyberwarfare when so few agree on the nature, intensity or risks of a cyberthreat? Is it war or something less? Who should be empowered to counter the threat—government, owners or users? And, what form of public-private partnership is needed to defend the nation’s critical information infrastructure?

An article in the spring 2010 edition of Air and Space Power Journal calls cyberwar “a loaded term that invokes various definitions from different organizations and people.” White House cybersecurity coordinator Howard Schmidt finds cyberwar a “terrible metaphor.” IEEE Computer Society President James Isaak cautions that the term “war” makes people think that it is exclusively a government problem.

In a blog titled Cyberwar or Not Cyberwar, information security veteran Amit Yoran explains, “A warfare connotation or cyberwar label provides for a natural inclination to place greater emphasis on the role of the military and intelligence community.”

The global dimension of this disagreement is clear from papers and remarks from representatives of more than 40 countries at the May 2010 First Worldwide Cybersecurity Conference. Many there complained that the catch-all term “cyberwarfare” was hurting international efforts to cooperate on Internet security.

What lacks is a workable taxonomy, says Microsoft Vice President and former defense official Scott Charney. This taxonomy would categorize and then differentiate among the vastly different actors, motives, threats and risks.

National Defense University professor Daniel Kuehl offers a useful taxonomy. He asserts that the base word cyber—a term derived from Norbert Wiener’s cybernetics theory of control and communications between animal and machine—must be parsed into three distinctly different elements. First is the connection—the network; then the content—the message; and finally cognition—the message effect. This deconstruct reveals the vastly different human skill sets and organizations, ranging from computer network operations to public affairs, that are involved in managing information as it flows between the machine and the human animal.

Meanwhile, each military service, responding to its differing definitions of the cyber challenge, has assessed its military kit; found where it lacks in doctrine, tools and skills; formed a cyber organization; recruited and is training a work force; and has published interim doctrine and regulations. Reconciliation and deconfliction of the different approaches to cyber operations will be an important initial task for the new subunified U.S. Cyber Command.

However, coming to terms with the changes wrought by cyberwar involves more than semantics. It changes not only how we fight—as Adm. Mullen reminds—but also when, where and whom we fight. These nontrivial issues are unaddressed in extant rules of engagement.

History, experience, protocols, laws and accords are not helpful; they are little more than launching points for development of a new national security policy to be led by the Defense Department.

Senior defense officials, charged with developing a coherent doctrine for cyberwarfare, admit that not everything that happens in cyberspace is an act of war, and they are struggling with nontechnical issues such as defining and establishing doctrine for cyberwar. While affirming that the laws of armed conflict do and will continue to apply to cyberwar, Defense Department Principal Undersecretary for Policy James Miller admits the military “still has to establish what an act of aggression looks like in cyberspace and decide the rules for responding—both digitally and physically.”

Senior U.S. military officials have concluded that neither policy nor doctrine has recognized that personal computers have undergone a change from tools of convenience—exclusively attended by technologists—to tools of absolute necessity in military operations. This, says STRATCOM Commander Gen. Kevin P. Chilton, USAF (SIGNAL Magazine, May 2010), demands a cultural shift that respects information as a weapon, accompanied by doctrine that assigns responsibility and accountability for its protection to commanders and users, not administrators.

Joint Chiefs Vice Chairman Gen. James Cartwright, USMC, adds that the military needs a doctrine that shifts away from point defense—a posture that awaits and responds to a catastrophe. Instead, it must move to one that defines a cyberattack and the consequences for those who launch such an attack on the U.S. critical infrastructure, be that in times of peace, crisis or war.

“The military relies too much on technology,” said Gen. James Mattis, USMC, in a lecture to an AFCEA audience. We need to practice with the “radios turned off” and officers must become comfortable with uncertainty rather than keep grasping for more certainty. “While we have the most robust communications, we also want to make sure we can operate with none of it,” the general declared.

Through a flurry of recent speeches and revised directives, defense officials have recognized there are limits to cyberdefense and have concluded that advantage on any battlefield—albeit episodic and ephemeral—will favor the commanders who best manage what they cannot master.

Col. Alan D. Campen, USAF (Ret.), is a SIGNAL Magazine contributing editor and contributing editor to four books on cyberwar. His website is www.cyberinfowar.com.