
Strategic Studies Quarterly
An Air Force–Sponsored Strategic Forum on National and International Security
VOLUME 6 FALL 2012 NUMBER 3

Commentaries
America’s Air Force: Strong, Indispensable, and Ready for the Twenty-First Century
Gen Norton A. Schwartz, USAF, Retired
Lt Col Teera Tony Tunyavongs, USAF
Claiming the Lost Cyber Heritage
Jason Healey

Part I

Feature Article
Depleted Trust in the Cyber Commons
Roger Hurwitz

Perspectives
Escalation Dynamics and Conflict Termination in Cyberspace
Herbert Lin
Sharing the Cyber Journey
Maj Gen Suzanne M. Vautrinot, USAF
The Specter of Non-Obvious Warfare
Martin C. Libicki
Internet Governance and National Security
Panayotis A. Yannakogeorgos
The Customary International Law of Cyberspace
Col Gary Brown, USAF
Maj Keira Poellet, USAF

Book Reviews
Critical Code: Software Producibility for Defense
National Research Council
Reviewed by: Lt Col Deborah Dusek, USAF
Airpower for Strategic Effect
Colin S. Gray
Reviewed by: Benjamin S. Lambeth, PhD
Chinese Aerospace Power: Evolving Maritime Roles
Edited by: Andrew S. Erickson and Lyle J. Goldstein
Reviewed by: Capt Paul A. Stempel, USAF

Part II (online only)
Cyber Power, National Security, and Collective Action in Cyberspace, 10-11 October 2012
AFRI Cyber Power Conference Proceedings—Online
Topics Include:

How can strategists more effectively confront the challenges of the cyber environment to understand the key principles of the domain?

What is the relationship between cyberspace, its usage, and adaptation for national security purposes and the socioeconomic forces shaping its character that could impact the Air Force/national security community mission over the next five years?

What are the best cyberspace approaches for using to influence perceptions of international actors for global and regional stability?

How can we reduce the stigmatization of cyber weapons and cyber attack?

Available early 2013 at http://www.au.af.mil/au/ssq/ For conference registration, see page 152.

America’s Air Force: Strong, Indispensable, and Ready for the Twenty-First Century

After examining every aspect of the American effort in World War II, President Harry S. Truman and his military leadership team were convinced that the nation needed an independent military service to operate exclusively in the air domain. The legendary exploits of the US Army Air Forces in World War II demonstrated that airpower, through gaining and sustaining air superiority and providing close air support to ground forces, was a sine qua non for success in major land operations. Moreover, the Army Air Forces’ achievements established that air forces, through providing airlift, reconnaissance-based intelligence, and strategic bombing, could create important effects that were largely independent of tactical support and, in fact, could affect all levels of conflict, oftentimes simultaneously. These Army Air Forces contributions that were so valuable to the Allied victory are the very ones that today, seven decades after the end of World War II, still provide a shared identity and sense of purpose for Airmen, and make the US Air Force critical to the national defense.

Raison d’être—Then, Now, and Tomorrow

As it was then, the ability of airpower today to produce significant operational outcomes requires its comprehensive and integrated employment.

The US Air Force is able to employ airpower in this fashion—to strategic effect—because Airmen comprehend and appreciate airpower’s rapidity, global range, versatility to conduct a variety of missions, and flexibility to produce outcomes at multiple levels.1 Over the past 65 years, Airmen have refined their understanding of these attributes and therefore of their role as the nation’s principal airpower provider. Today, only the US Air Force leverages globally scaled yet regionally tailorable air, space, and cyber capabilities specifically to affect outcomes that are distinct from only the effective tactical support of surface forces.

To be sure, Army aviation continues to support ground maneuvers, Navy aviation remains critical to the security of our maritime fleets on the open seas and in littoral operations, and Marine aviation continues to be integral to expeditionary amphibious and Marine air-ground task force operations in support of littoral campaigns. And most certainly, Air Force airpower remains ever dependable in providing tactical support whenever and wherever it is needed.

But strategically oriented airpower—that which provides Global Vigilance, Global Reach, and Global Power with unrivaled speed, versatility, and flexibility—is nearly exclusive to the US Air Force, and will remain in decidedly high demand, as the latest defense strategic guidance predicts in enumerating the 10 primary mission areas of the US armed forces.2 Many of these areas emphasize Air Force capabilities—for example: deterring and defeating aggression, projecting power in anti-access and area denial environments, conducting space and cyber operations, and maintaining the preponderance of our nation’s nuclear deterrent. To fulfill these airpower-intensive mission areas, and to ensure requisite access to increasingly contested air and space domains, the nation will continue to need an air force—the US Air Force—that, in addition to ensuring continued timely, precise, and reliable support to its surface force teammates, is singularly dedicated to fulfilling the nation’s full-spectrum airpower needs. Steeped in a mindset that views the battlespace in all three dimensions, Airmen are conceptually unbounded by topographical features.

The Air Force will continue to leverage the inherent characteristics of the entire expanse above the earth’s surface in order to provide the full spectrum of airborne capabilities, from close air support to air mobility to global strike. It is with this perspective that Airmen instinctively unfurl the entire map of the battlespace, to gain greater situational awareness over a broader expanse of distance and time. To every Airman, emphasizing approaches that traverse “over” or “around” rather than “through” is the prevailing modus operandi. The Air Force is a service that operates with a holistic view of air and space, providing harmonized, seamless capabilities across the full spectrum of operations, even as surface activities necessarily transition between terra firma and the maritime.

However, to the casual observer, it would appear that the Air Force has been less involved, or possibly less relevant, in the nation’s post-9/11 pursuit of its adversaries. Perhaps this is understandable, given the ground-centric nature of the conflict and the sterling professionalism and performance of our supremely skilled Army, Marine Corps, and special operations teammates during sustained operations in Iraq and Afghanistan. However, as we demonstrate below, this is not the complete story.

Still others have come to believe, mistakenly, that the adaptations that the Air Force prudently made during the past decade—adjustments that were necessary given the wartime challenges that we faced—have distracted Airmen from their enduring and core contributions.3 Quite the contrary, we Airmen in fact have focused on our enduring airpower contributions, even as we tended to a few noteworthy but nontraditional assignments, such as convoy and base security, and Provincial Reconstruction Team command opportunities. Other than addressing these and a few other exigencies, we Airmen have concentrated on what a first-rate independent air force is expected to provide for the nation that it serves.

In the case of the US Air Force, it is those enduring contributions—control of the air and space domains; global intelligence, surveillance, and reconnaissance (ISR); rapid global mobility; and global strike—that Airmen have provided proudly and reliably since the establishment of the nation’s independent air service.

In so doing, the Air Force not only has demonstrated its efficacy. It also has made the case that support roles and independent roles are not mutually exclusive, but rather reciprocally supportive. This is true particularly in modern warfare, which is becoming ever more interdependent across the various domains. For example, prior to Operation Desert Storm, artillery was arguably the most destructive force on the battlefield. Thereafter, surface forces have depended largely on airpower to destroy opposing forces, while air forces often count on ground forces to compel adversaries to abandon hardened or otherwise safer positions and to hazard into areas where they subsequently are more vulnerable to attack from above.

In this vein of increased interoperation, Air Force contributions in the last decade have been critical to enhanced and more meaningful integration across the military services and their primary operational domains—a point that is even more noteworthy considering that budgets of late have encouraged parochial retrenchment and protection of narrower institutional imperatives. Notable examples of contributions that have enhanced our integration and interoperation include

not obviate the continued demand for strategically oriented and globally postured Air Force airpower. Indeed, this need will come into greater focus as the nation rebalances its strategic emphasis and effort toward the Asia- and Indo-Pacific. Accompanying this recalibration is the immediate challenge of substantially increased distance and time, both from the homeland and within the region itself, which covers 13 time zones and more than 100 million square miles.

It therefore is entirely clear that the nation will continue to depend on inherent airpower characteristics and unique Air Force contributions.

Domain control, ISR, rapid global mobility, and global strike, as well as the additional distinctive ability to conduct high-volume, cross-domain command and control of air, space, and cyber capabilities, will remain essential to the nation’s strategic interests. Essentially, this “four-plus-one” construct represents, most fundamentally, those capabilities and contributions that are at the core of the world’s preeminent air force.

But Air Force contributions are valuable not only to the portfolio of US armed forces capabilities alone. The assured access to international airspace that the US Air Force provides is of tremendous importance to civil and commercial aviation as well. The United States, by many measures, is still the world’s only genuine air and space nation, with strategic interests across its many dimensions—commercial, financial, diplomatic, legal, military, and others—that remain undeniably connected to aviation and aerospace. For example, the nation’s economic health and prosperity are tied to the more than two billion passengers and some 35 percent of international trade (by value) that transit via international airspace annually. And, according to Federal Aviation Administration forecasts, air system capacity in “available seat miles”—the overall measure of commercial airline activity level, both domestically and internationally—will increase around 4.5 percent this year, and is anticipated to grow through 2031 at an average annual rate of 3.6 percent.6 These are but a few high-level statistics that presage a continuing upward trend in aviation and airpower’s importance to our Nation’s strategic interests.

The US Air Force is prepared to maintain its place among the elite of the aerospace community, which has underpinned America’s global awareness and influence since the early 20th century, and which will continue to leverage the advantages of air and space power for national effect in the 21st. However, with the proliferation of advanced technologies and high-speed computing that enable nonstate actors to exert influence in what formerly was the exclusive domain of well-resourced nation-states, we must contend with a broader array of threats, including to the global commons. Among these threats are burgeoning anti-access and area denial challenges to our nation’s ability to project global power, and competition in vital air and sea lanes of communication and transit that could turn unimpeded thoroughfares into crippled chokepoints. The US Air Force stands ready to meet these wide-ranging security challenges.7

The Air Force is prepared as well to continue providing our national leaders with strategic options that otherwise might not be available. Exemplifying this strategic versatility, flexibility, and readiness are the simultaneous operations of March 2011, when the Air Force, along with joint and coalition partners, spanned both intercontinental distances and the full continuum of operations to provide humanitarian relief in Japan and combat airpower and air support in Libya, all the while sustaining operations in Afghanistan and Iraq.

Conclusion

The four distinct Air Force contributions of control of the air and space domains; global intelligence, surveillance, and reconnaissance; rapid global mobility; and global strike represent not only our traditional core mission areas, but also those unique capabilities that will endure for the foreseeable future. They also serve as an anchor point around which all Airmen can rally with a core identity and a shared sense of purpose. Leveraging the inherent characteristics of air, space, and cyberspace into our unique and enduring contributions will be vital to our national interests in the future security environment. From potential higher-end conflict with near-peer competitors, to insurgencies and other localized and geographically distributed crises, to natural disasters and humanitarian crises—the need for airpower and its distinct advantages will endure.

The US Air Force is a proud and reliable member of the joint team. To face a future that will present wide-ranging challenges, we will have to leverage each unique strength within each of the military services. Every carefully tailored and considered contribution, bringing the capabilities of each and every military branch, is indispensable to the success of the joint team.

Without the US Air Force working with its joint team members, there would not be a US armed force as we currently know it—certainly not one that can maintain its place as the most respected military in the world.

It therefore is ever more important that Airmen reaffirm and recommit to the core Air Force identity that gave rise to the nation’s independent air service. For a service that has a heritage so closely tied to the advancement of technology, a deep appreciation for the key and enduring Air Force contributions is particularly important. This awareness strengthens us and allows us to adapt accordingly, as technologies advance, operational requirements emerge, and methods of warfare evolve. What once was primarily the domain of aviators is now necessarily trending toward greater prominence for operations other than manned flight—to name a few: space, remotely-piloted, and cyber operations—as well as the vital functions that battlefield Airmen perform “outside the wire,” shoulder-to-shoulder with their ground-force teammates. As the Air Force evolves according to changing domestic circumstances and dynamic global complexities, Airmen will find such diversity to be critical to the vitality of the Air Force. But we will remain as Airmen who have a clear appreciation for the core and enduring contributions, and the raison d’être, of the US Air Force.

Gen Norton A. Schwartz, USAF, Retired
Nineteenth USAF Chief of Staff

Lt Col Teera Tony Tunyavongs, USAF
USAF Chief of Staff PhD Fellow, Fletcher School of Law and Diplomacy, Tufts University

Notes

Claiming the Lost Cyber Heritage

The Air Force ensures that newer generations of Airmen learn through the vicarious experiences of those who have gone before them. They are taught to admire Eddie Rickenbacker and Billy Mitchell, and cadets and officers are tested to ensure they understand the lessons from Big Week, MiG Alley, and Rolling Thunder to Iraqi Freedom. Understanding this history and heritage is the primary way to turn the vicarious experiences of past generations into cumulative knowledge to educate Airmen of the future.

According to the official Air Force website, heritage is “dedicated to the former Airmen who developed the independent Air Force and continue its evolution into cyberspace. . . . The people, events and equipment of the past are integral to understanding the future.”1 Yet there is a particular heritage that has been forgotten and ignored as irrelevant. A recent search for “cyber” on official historical sites of the Air Force led to only four documents, no images, and a single video from 2012.2

Indeed, a fighter pilot that had never heard of the “hat in the ring”—who in fact spurned the history of airpower—would be an outcast. Yet this is not far from how the Air Force, and indeed the entire Department of Defense, treats the history of cyber conflict. Few, if any, Airmen involved in cyber operations today are likely to remember the major cyber conflicts, pioneering cyber leaders, doctrine, or units of the past.

How many of today’s Air Force cyber warriors know they can trace their lineage to AF cyber operations in the mid 1980s? Nearly 25 years ago a lone special agent in the Office of Special Investigations was intrigued by a call from an astronomer turned system administrator who found intruders in his networks at a national laboratory. The Air Force helped unravel an international espionage ring, nicknamed the Cuckoo’s Egg, where German hackers sought classified material on the Strategic Defense Initiative, which they sold to the Soviet KGB. Special Agent Jim Christy, the first cyber “ace,” is now retired but still delivering for the Air Force at the Defense Cyber Crime Center.

How many of today’s Air Force cyber warriors know when the Air Force declared cyberspace a new domain for military operations? The answer is not 2011 when the Department of Defense declared that the military would “treat cyberspace as an operational domain,” nor even in 2005 when the Air Force added cyberspace to its mission statement as a domain in which to “fly, fight, and win,” but a decade earlier. In 1995 the secretary and chief of staff jointly signed the Foundations of Information Warfare which laid out basic definitions and principles for how the Air Force would work in cyberspace.

Before the Wright Brothers, air (while it obviously existed) was not a realm suitable for practical, widespread military operations. Similarly, information existed before the information age, but the information age changed the information realm’s characteristics so that widespread operations became practical.3

This statement is at least as good as anything written since by any military anywhere.

How many of today’s Air Force cyber warriors have even heard of the world’s first combat cyber unit? In 1996, the Air Force established the 609th Information Warfare Squadron (motto: “Anticipate or Perish”) at Shaw AFB to support CENTAF with combined offensive and defensive cyber missions “to fully operationalize information warfare on behalf of the JFACC [joint force air component commander] and the fighting forces.”4 This unit, the first such unit in the Air Force, is likely the first anywhere in the US military and the world.5 The unit invented the first INFOCON, now a standard defensive alert condition. It exercised heavily with CENTAF and “had control of the blue force air tasking order. They gave us a two-hour window to play in, and we got it within two hours,” according to the unit’s commander, then-lieutenant colonel Walter “Dusty” Rhoads, another Air Force cyber pioneer who had roles in every major joint cyber war-fighting organization for the next 10 years.6

These efforts at the 609th were just one part of using cyber to support the war fighter. As Maj Gen John Casciano, then head of AF intelligence put it in 1996,

Anything we do in the Air Force has to be consistent with a . . . JTF commander’s requirements and must meet those objectives. We believe that IW is absolutely critical and integral to Air Force operations at the JFACC level and below. We have some things to offer other communities, but our focus is on the operational and tactical levels of warfare. A lot of the targets and a lot of the things we would want to affect—command and control nodes and the adversary’s integrated air defense system (IADS)—are things the Air Force worries about on the battlefield.

How many of today’s Air Force cyber warriors know the first joint cyber commander was from the Air Force? It was not GEN Keith Alexander, USA, who took charge of US Cyber Command in 2010, but Maj Gen John “Soup” Campbell, USAF, the founding commander of the Joint Task Force–Computer Network Defense in 1998. His approach to cyber operations was rooted deeply in his Air Force identity, “I grew up as a fighter pilot. My job was to blow things up, make smoking holes . . . so I always took it in that direction.”7

These are not empty facts or trivia for cyber operators to play on a long nightshift.8 They are emblematic of the rich heritage of the Air Force in cyberspace and illustrate the importance of learning the lessons of history.

The Air Force is not responsible for all the problems of the Department of Defense in cyberspace. But it can fix those that it controls. If the Air Force is going to become the premier force to fly, fight, and win in cyberspace, it must reclaim its proud cyber heritage and build “cyber-mindedness,” just as it has a tradition of air-mindedness. If it can succeed in this, the Air Force can again be seen as the cyber thought leaders in the military service and show the way for the other services, the Department of Defense, and the intelligence community. If not, the service is likely to continue to relearn old lessons and struggle under misperceptions with little relation to past experience.

Over two decades, the Air Force, and the Department of Defense in general, have made little progress on important policy and operational issues, but few realize just how little progress because few know how far back the story goes. For example, the sentiment behind the next two paragraphs should be familiar to many of today’s AF cyber professionals:

Nobody knew what a “cyber warrior” was by definition. It was a combination of past war fighters, J-3 types, a lot of communications people and a smattering of intelligence and planning people. . . .

The unfortunate part . . . was that the offensive side was still classified. You couldn’t even discuss it in an open forum. . . . But behind the scenes [we were] getting it integrated into the war fighters’ mentality, understanding the air tasking orders. . . .

[We were] an Air Force unit and we had to understand how to get cyber introduced into the thinking of the commanders.

Unfortunately these quotes resemble those of today, but they are actually from Rhoads speaking about the 609th IWS in 1995. Likewise, consider the following quotes. One is from Rhoads, circa 1996, the other from Maj Gen Richard Webber of Twenty-fourth Air Force in 2009. Why can’t we even tell the difference?

I liken it to the very first aero squadron when they started with biplanes. We’re at the threshold of a new era. . . . We are not exactly sure how combat in this new dimension of cyberspace will unfold. We only know that we are the beginning.9

I almost feel like it’s the early days of flight with the Wright Brothers. First of all you need to kind of figure out that domain, and how are we going to operate and maintain within that domain. So I think it will take a period of time and it’s going to be growing.10

American Airmen learned how to dominate the aerial domain and deliver integrated combat effects in just 15 years between the first flight of the Wright Brothers and the Battle of Saint-Mihiel. Yet in the same amount of time since the first AF combat cyber unit, we have made so little progress in the cyber domain that quotes from key commanders a decade apart are indistinguishable.

This blindness to history has immediate operational implications. Much of what is treated as received wisdom is in fact not rooted at all in the history of cyber conflicts. Many of today’s cyber warriors will tell you with all confidence that (1) cyber conflict is new and ever changing, (2) massive surprise attacks can easily prostrate nations, and (3) everything that is important happens at the speed of light. In fact, a study of cyber conflict history by the Atlantic Council and the Cyber Conflict Studies Association has shown that all three of these are incorrect or misleading.

There has been no essential discontinuity between cyber conflicts of 20 years ago and those of today. Of course, there are differences: adversaries have become more capable, underlying technologies (offensive and defensive) have changed, and corporations are now feeling the brunt of major espionage attacks. Yet, despite these developments, the dynamics of today’s conflict would be familiar to the Airmen that fought them at the 609th Information Warfare Squadron in 1995.

Likewise, disruptive cyber attacks have so far tended to have effects that are either widespread but fleeting or persistent but narrowly focused. Few, if any, attacks so far have been both widespread and persistent. As with airpower, cyber attacks can easily take down many targets, but keeping many down over time has so far been out of the range of all but the most dangerous adversaries.11

And strategically meaningful cyber conflicts rarely occur at the “speed of light” or at “network speed.” True, individual tactical engagements can happen as quickly as our adversaries can click the Enter key, but cyber conflicts, such as Estonia, Georgia, Stuxnet, and the Conficker worm, are campaigns that take weeks, months, or even years of hostile contact between adversaries.

At least once before, the Air Force suffered similar “doctrinal lock in,” ignoring the emerging lessons from experiences in a new domain. In the 1930s, as all Airmen know, bomber enthusiasts preached that “the bomber would always get through,” across international borders and distances, and that hitting 154 known targets would quickly knock Germany out of the fight in six months.12 Their exercises reflected this view, which left them completely unprepared for the lengthy attrition battles of World War II. The Army Air Corps lost nearly 10,000 bombers and took years to achieve strategic effects, having entered the war lacking appropriate doctrine, defensive firepower, and intelligence for targeting and bomb damage assessment.

Airmen learned that finding the right target for strategic effect is difficult, and there is a tremendous difference between temporarily disabling a target and permanently destroying it. Even with strategic attack in its DNA and a decades-long history of cyber conflict, the Air Force is still not recognizing the right lessons, much less learning them. It should be natural for the Air Force to realize that the “speed of light” of cyber operations is deceptive. There is no reason why Airmen should be fooled on this point, because they understand even though a dogfight can be over before the losing pilot even knows it has begun, an air campaign is rarely decided by a single tactical engagement.

By thinking only of conflict at the speed of light, the Air Force will overinvest in capabilities and doctrine to automatically counterattack and will be unprepared for the long cyber campaign most of our adversaries seem to expect and appreciate. If speed is mistakenly seen as the most important factor, then rules of engagement will allow ever lower levels to shoot back without seeking authorization––a relaxation of the rules, which may not be in the long-term economic or military interest of the United States. The Air Force will continue to dogfight blindly, flying from tactical engagement to tactical engagement without having thought about tomorrow’s battle or the one a year from now.

Similarly, Airmen should be the first to doubt it will be easy to have a prolonged strategic effect, even in cyberspace. If Flying Fortresses and Lancasters had difficulty achieving a strategic effect after dropping millions of tons of high explosives, we should never believe the fallacy that a few young hackers might take down the United States from their basement. This might be true in the movies or an espionage novel, but not in real life.

Yet basement-originated strategic warfare is a common theme from some who feel deterrence is difficult, since “cyberspace is fundamentally different. For someone with the right brainpower and the right cyber abilities, a cheap laptop and Internet connection is all it takes to be a major player in the domain.”13 These tools might help an adversary steal data or identities—even conduct a major intrusion like Solar Sunrise—but they are not sufficient to create a strategic effect requiring Air Force deterrent power. This has been well known by Airmen since at least 1998 when Maj Gregory Rattray wrote his doctoral thesis, later published as Strategic Warfare in Cyberspace, with an extended comparison of how the early Army Air Corps struggles to learn how to fight in a new domain were directly comparable to what the Air Force was, and sadly still is, going through for cyberspace.14

These are all common misconceptions, but they are not supported by either the facts of cyber history or the experiences of Airmen. Perhaps soon, the world will see these kinds of attacks, but that is still no reason to ignore the past. By developing cyber-mindedness—a collective sense of the history, dynamics, possibilities, and limitations of cyber conflict—the Air Force can learn these and other critical lessons and prepare for the conflicts of the future.

The US Air Force has a longer, more distinguished heritage in the cyber domain than any other military in the world, but it is just one of the military services and should not be the only cyber service. As Major General Casciano put it in 1996 when he ran the AF cyber units, “We don’t claim [cyber] exclusively. We think we’ve got good ideas. We think we’ve got good capabilities. And we are reaching out to the other services and the joint community to offer what we have.”15 Fifteen years ago, this mind-set helped the Air Force to be the world’s preeminent cyber force, but not anymore. “For a brief period,” as described by Lt Gen Bob Elder, retired, another AF cyber commander, “the AF was recognized as the thought leader on cyberspace, but when we narrowed our view, we undercut the basis for our leadership role.”16 Now retired, Major General Casciano echoes this sentiment, believing that “we have attempted to solve things organizationally and politically, not operationally.”17

To reclaim this heritage, there are a number of entirely practical steps the Air Force must take.

• Commission the Air Force Historical Research Agency to conduct oral histories of the pioneers of the Air Force cyber mission and collect the official unit histories. This material should be the basis of a major study with appropriate lessons.

Depleted Trust in the Cyber Commons

Roger Hurwitz

Roger Hurwitz, PhD, is a research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), a senior fellow at the Canada Centre for Global Security Studies at the University of Toronto, and a founder of Explorations in Cyber International Relations (ECIR), a Minerva Research Initiative program at Harvard and MIT. His current work includes the investigation of international cyber norms, the development of computational systems for cyber events data and ontologies, and modeling the complexities of high-profile cyber incidents. Dr. Hurwitz’s work is funded by the Office of Naval Research. Any opinions, findings, and conclusions or recommendations expressed herein are those of the author and do not necessarily reflect the views of the Office of Naval Research.

Policymakers increasingly recognize the need for agreements to regulate cyber behaviors at the international level. In 2010, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security recommended “dialogue among States to discuss norms pertaining to State use of ICTs [information and communications technology], to reduce collective risk and protect critical national and international infrastructure.” 1 Since then, the United States, Russia, China, and several other cyber powers have proposed norms for discussion, and in November 2011, the United Kingdom convened an intergovernmental conference to discuss cyber “rules of the road.” 2 These activities are a positive change from the first decade of this century, when the United States and Russia could not agree on what should be discussed and the one existing international agreement for cyberspace—the Budapest Convention on Cybercrime—gained little traction. Nevertheless, the search for agreement has a long way to go. Homeland Security secretary Janet Napolitano noted in summer 2011 that efforts for “a comprehensive international framework” to govern cyber behaviors are still at “a nascent stage.” 3 That search may well be disappointing. Council on Foreign Relations fellows Adam Segal and Matthew Waxman caution that “the idea of ultimately negotiating a worldwide, comprehensive cybersecurity treaty is a pipe dream.” In their views, differences in ideologies and strategic priorities will keep the United States, Russia, and China from reaching meaningful agreements: “With the United States and European democracies at one end and China and Russia at another, states disagree sharply over such issues as whether international laws of war and self-defense should apply to cyber attacks, the right to block information from citizens, and the roles that private or quasi-private actors should play in Internet governance.” 4 This essay joins that pessimism on the basis of a more extensive model of the emerging crisis in cyberspace. The essential argument is that maintaining a secure cyberspace amounts to sustaining a commons which benefits all users, but its overexploitation by individual users results in the well-known “tragedy of the commons.” 5 Here the depletable common resource is trust, while the users are nations, organizations, and individuals whose behaviors in cyberspace are not subject to a central authority. Their actions, which harm the well-being of other users, diminish trust and amount to overexploitation of a common resource. The tragedy of the commons is used repeatedly as an argument for privatization and in retrospect to justify the enclosure movement by English agricultural capitalists in the seventeenth and eighteenth centuries. However, such a tragedy is not inevitable, even when users of a commons are assumed rational in the sense of maximizing self-interest. The late political scientist Elinor Ostrom received the Nobel Prize in economics for determining cases and conditions where, in the absence of government control, users successfully self-organized for sustainable use of a commons. 6 Unfortunately, as argued below, the current state of cyberspace and its users does not meet most conditions that encourage such self-organization. Both the affordances of the cyber technologies—that is, the way the technologies enable their use—and the mentalities of the users contribute to the unfavorable result.
Embedding the obstacles to international agreements within this wider perspective will highlight the challenging multilayered, complex, and transformative processes that cyberspace presents to states and other entities that would manage it. It is not a passive domain where states can pursue preexisting competitive or conflicting interests, but one whose rapidly changing technologies and applications create opportunities for conflict. It also creates reasons for cooperation. Accordingly, the next section develops the model of cyberspace as a social system based on a commons—a “socioecological system” (SES) and a “common pool resource” (CPR) to use Ostrom’s terminology—that can be sustained but also depleted. The identification of trust as this “resource” and the implications of its depletion will receive particular attention. The third section reviews the variables which Ostrom and her associates have found to encourage self-organization and evaluates them with regard to cyberspace. The last section considers which of the model variables that currently discourage self-organization could be changed in a more encouraging direction through feasible actions by agents, thus removing some obstacles to reaching international agreements. It also considers how states, absent these changes, might unilaterally respond to cybersecurity crises.

Challenges of the Cyber Commons

Governing a commonly accessible resource, or CPR, is a collective action problem, whether the goal is sustainable exploitation of a fishery or the secure, beneficial use of cyberspace. For natural CPRs, where regeneration of the stock occurs, some limits on individuals’ use by amount or kind are needed, lest aggregate use exceed the “carrying capacity.” This depletes the resource below the level at which natural processes can sustain it for profitable exploitation. As discussed below, this need for limiting exploitation can also hold for man-made or artificial resources like cyberspace. Limiting or regulating use usually requires a preexisting state or other authority with coercive power, in whose territory the CPR is found—with good reasons. Although the users might recognize the need for limits, individual users are tempted to exceed them in the belief that the added strain on the resource is negligible with regard to its sustainability.
Also, individuals who notice their neighbors’ violations might be unwilling to punish them for fear of retribution. Nevertheless, Ostrom found many cases where people successfully managed a CPR without the need for state intervention or privatization. In analyzing these, she conceptualizes the CPR as existing within a context of its users’ socioeconomic and cultural practices. These practices affect both individual users’ choices about exploiting the CPR and the possibility of their collective regulation to sustain it. The CPR and the social context taken together constitute the socioecological system. One might wonder how a domain can be a commons when every bit of its physical substrate is owned by some organization or a state in contrast, say, to oceans, international airspace, and outer space. Several answers are useful to refining our notion of a cyber commons and any international agreements that would protect it. Lawrence Lessig referred to a model of Internet communication transport that includes layers for the physical substrate, the electronic packets or envelopes for the information, and the information content itself. He identified the commons with the packet layer, which everyone has a right to access and to which everyone can contribute, so any blocks to the free flow of packets close the commons. 7 On this view, the cyber commons is similar to the oceans or international airspace, with its users’ primary concern being right of passage. 8 Lessig and others ultimately grounded this idea of the cyber commons in the human right to access information and express one’s opinion.
It also resonated with notions of freedom of mobility, global innovation for the Internet, and an evolving worldwide information sphere in which everyone could participate—with the resonance captured in a word: “open.” Endeavors like Wikipedia, the Creative Commons, MIT’s free courseware, and the emergent blogosphere could create a second commons—one of content.

At the turn of the millennium, Lessig saw such efforts threatened by media content companies, with their broad interpretations of copyright at the expense of fair use and their enlistment of state authorities for draconian treatment of alleged copyright violations. He discounted the argument for a need to protect the intellectual resources from depletion by invoking Thomas Jefferson’s image of the candle whose light is undiminished in lighting another candle—a trope for the Enlightenment that encapsulates the promise of the Internet. The unfolding drama was rather that of greedy organizations using the possible misdeeds of a few individuals as a pretext to privatize common intellectual property and undermine the access needed to sustain an Internet culture. 9 This idea of a “cyber commons” appeared more than a decade ago, when the online population was a tenth of its present size and concentrated in North America and Western Europe, where the Internet was easily seen as another venue in an already rich, lightly regulated, information and communication ecology. It ignored, however, that the Internet was already used by groups in violent struggle against some states—Chechen separatists against Russia—and even liberal states were already proscribing access and distribution of certain information, such as child pornography. Since then, the use of cyberspace, now spilled well beyond the Internet, has become so ubiquitous a national security issue (“securitization”) or a threat to regime stability, that many governments now filter or block certain packet flows, thus replacing the primary cyber commons with their own “safe” enclosures. 10 Nevertheless, the vision of a cyber commons informs significant parts of the cyber policies of the United States and many of its allies and the positions they take with regard to international regulation of cyberspace.
Most notable is the State Department’s embrace of Internet freedom—the rights of cyber enablement of civic activism—but also significant is the emphasis on global interoperability, noninterference by states with packets passing through their territories, and decisions on Internet technology being made by technologists rather than by political authorities. 11 A more identifiable CPR, in keeping with the Ostrom SES model, however, is bandwidth, which can be depleted by spam—an overexploitation of the resource—resulting in degraded delivery of more-valued communications. Spammers have been compared to industrial polluters of natural resource commons because they also pass along to a general public the negative externalities of their actions, whether in the form of users’ wait times in a saturated network or added costs for more bandwidth, spam filters, and so forth. 12 The spam phenomenon can be generalized to the consequences of depletion in the general public’s “sense of security”; as a by-product of online scams and identity thefts at the individual level; industrial espionage at the organizational level; and infrastructure attacks, like Stuxnet, at the national level. These spur broad demands for cybersecurity measures, which are expenses. The provision of these measures, which usually have little effect in stemming the threats, decreases the economic efficiency of cyber-based communications and control. Since the Internet’s capability of lowering transaction costs is considered one of its primary benefits for economic and social development, the possible high costs of cyber security are challenging for many states and organizations, perhaps as challenging as the consequences of attacks in the absence of adequate security. 13

Cyberspace as a Social System

Closely associated with such insecurity is the decline in public or social trust, which might be identified as the ultimate common pool resource in the cyber SES.
Jacques Bus follows sociologist Niklas Luhmann in explaining trust as “a mechanism that reduces complexity and enables people to cope with the high levels of uncertainty and complexity of (contemporary) life.” He adds,

Trust expands people’s capacity to relate successfully to a real world whose complexity and unpredictability is far greater than we are capable of taking in. In this sense, it is a necessary mechanism for people to live their lives: to communicate, cooperate, do economic transactions, etc. It enriches the individual’s life by encouraging activity, boldness, adventure and creativity, and by enriching the scope of the individual’s relationships with others. 14

The notion of public trust, as used here, also includes people’s confidence in the institutions, laws, government, and infrastructures of their societies. Public trust with regard to cyberspace encourages individuals and organizations to access and be accessed by one another online, and that in turn enables the network effect in cyberspace; that is, the positive externalities created as more people participate in the network and more interactions occur. This is consistent with findings by social scientists of strong positive correlations between public trust and economic growth. 15 Public trust in cyberspace involves both confidence in the people and organizations individuals deal with through the digital technologies and the trustworthiness of the technologies themselves. Confidence in others online is problematic because those others might be anonymous or only partly identified, and the context of interactions with them is opaque or confusing. It can be buttressed by assumptions about others’ concerns for reputation and commitments to roles and by online mechanisms, like certificates and ratings, which can confirm claims made by others.
Of late, however, trust in cyberspace may be strained by the publicity for the various cyber threats noted above, organizations’ and governments’ failures in deterring them, and the compromise of online security mechanisms, like stolen certificates. In addition, public trust suffers from many users’ awareness that their online activities are being monitored, whether for commercial exploitation in the West or identification of political dissidents in authoritarian countries. These abuses may lower or deplete public trust—that is, the aggregate willingness of users to go online—much like overexploitation by some of its users depletes a CPR. On this view, public trust is a rival good whose consumption by a user decreases the amount available for consumption by others. By analogy, continuing abuses against a diminishing public trust could lead to unsatisfactory provision of the online benefits which public trust enables. In concrete terms, individuals and organizations fearing cyber crime, invasions of privacy, and so forth would greatly decrease their use of digital networks for economic transactions, information exchanges, and social interactions. But unlike the usual commons resources, such as forests and fisheries, public trust in cyberspace is not always a rival good. Mutually beneficial online interactions will sustain and increase, and these are so plentiful at the individual and organizational levels that the abuses are often ignored or quickly forgotten. Consequently, there is little evidence of people exiting cyberspace or avoiding popular sites with controversial privacy policies. Still, in some democratic countries, relevant publics have demanded that service and search providers restrain tracking; some governments have already responded with regulatory policies, which will force adjustments by data aggregators and analysts.
These actions can be read as instances of users defending a CPR by turning to existing authority for leadership and norm setting. They show that in addition to security technologies, sustaining trust in cyberspace requires rules, transparent practices, accountability standards, and means of redress acceptable to users. International efforts for agreements to protect and sustain cyberspace will therefore need to take such concerns into account, to some degree. That might not be a formidable challenge. Because cyber “apps” have become indispensable for so many users, they are likely to be reassured, at least momentarily, by small, facile steps by providers or regulators, including policy announcements, opt-out buttons, and new, if unintelligible, service agreements. Put another way, cyberspace is no longer a domain apart from its users, a place to visit at one’s choosing, like a tourist resort, but has penetrated and rewoven the fabric of our lives. 16 Arguably, the spammers, hackers, data collectors, criminal gangs, cyber activists, and state agencies which threaten public trust are not seeking to destroy the Internet or freeze cyberspace—no more than peasants who allegedly overgrazed the commons wanted to degrade it. Ostrom’s work implies two types of agents damage the CPR: poachers from outside the group that maintains the SES and members of the group who exceed their rights to the CPR. By this reckoning, the spammers, cyber criminals, terrorists, and certain activists—for example Lulzsec—would be the poachers in cyberspace. In popular imagination, and sometimes in their own imaginations, they fill the traditional image of pirates—individuals and groups outside nations and beyond the laws of nations. 17 Indeed, some analysts believe that international cooperation to suppress such groups can be easily realized and comprise a first step toward more comprehensive agreements on cyberspace.
Of course, as poachers or parasites, these groups are not seeking the demise of cyberspace, since that would put them “out of work.” The second type includes governments, online service providers, multinational corporations, and others—the so-called stakeholders—who recognize the need for limits but will frequently flout such limits in the pursuit of individual interests. Even states that develop cyber weapons to damage cyber-based infrastructures and governments that spy on their online citizens value their own use of cyberspace while planning to constrain its use by others. The resulting ambivalence of many governments is perhaps best captured in a recent Chinese white paper, which celebrates the Internet for enabling economic and social development, notes its use in propagandizing the public and in campaigns against provincial corruption, but stipulates that

no organization or individual may produce, duplicate, announce or disseminate information [on the Internet] having the following contents: being against the cardinal principles set forth in the Constitution; endangering state security, divulging state secrets, subverting state power and jeopardizing national unification; damaging state honor and interests; instigating ethnic hatred or discrimination and jeopardizing ethnic unity; jeopardizing state religious policy, propagating heretical or superstitious ideas; spreading rumors, disrupting social order and stability; disseminating obscenity, pornography, gambling, violence, brutality and terror or abetting crime; humiliating or slandering others, trespassing on the lawful rights and interests of others; and other contents forbidden by laws and administrative regulations. 18

On this view, the strategic problem with the Internet is not its dual use but its many uses.
So many, in fact, that unilateral efforts like deep packet inspections to contain the “unwanted uses” themselves threaten the stability and sustainability of cyberspace. Sophisticated actors who threaten public trust in cyberspace might foresee the adverse consequences of their acts. They might also calculate that whatever the damage they do, the depletion of public trust will be modest or the gains in using the Internet still so great that public trust and mutual accessibility will remain above some minimum threshold. As noted, recent trends support that calculation. Yet, to the point that their conduct cannot be generalized or continue indefinitely—without devastating consequences, that is—to the question, “What if everyone always acted like you?” they must still answer, like Yossarian, “I would be a damned fool not to.” The alternative is for all the Yossarians to act together to change the situation. Is that possible in cyberspace under current conditions? Can a significant number of relevant actors abandon practices that threaten it and commit to rules that sustain it?

Self-Organizing Variables

Ostrom and her associates have identified 10 variables critical for self-organization in a socioecological system—that is, effective and enforced rules of use for a common pool resource in the absence of state authority. 19 Each variable is explained below, sometimes introduced with direct quotations from Ostrom (either italicized or in quotation marks), while manifestation in cyberspace is described and evaluated with regard to its effect on self-organization. Encouraging, discouraging, and neutral effects are indicated by +, –, or 0, respectively. The variables concern properties of the resources being exploited in the SES and characteristics of the user population.
In keeping with the observation that public trust in cyberspace depends on the trustworthiness of its hardware and software, as well as the behavior of their users, their properties are considered in evaluating the relevant variables. As will be seen, Ostrom’s explanations of the variables’ effects on the possibility for self-organization are consistent with a rational actor model: the probability of self-organization increases the more its contribution to sustaining the common resource exceeds the costs of bringing agents to agreements and enforcing those agreements. Hence, the lower these costs, the greater the probability of self-organization. The assumption with regard to its process is that states through multilateral agreements would set rules and regulations for cyberspace; they would either enforce these directly or empower an international agency to do so.

Size of Resource (–)

Large resources with ill-defined boundaries discourage self-organization because of the high costs of defining the boundaries, monitoring use, and tracing the consequences of malfeasance.

The size of cyberspace, as measured by the several billion devices connected to the Internet, discourages defining its boundaries and monitoring behaviors in it. As a thought experiment, suppose “boundaries” for a trustworthy cyberspace were defined by a centrally maintained giant list of several billion verified safe devices, with “safe” designating malware-free or not having been involved in spying or other penetration operations. This list would require continual updating to accommodate devices being added to the Internet and recurrent verification of the safe devices, because anyone could be vulnerable to attack from a host spoofing a safe device. This approach would be very expensive and only partly effective in inspiring users’ trust; some attacks are so stealthy as to be discovered only well after they have occurred, if at all. Mapping boundaries and monitoring behavior can be more feasible, affordable, and convincing if national governments assume responsibility for the devices and users in their territories by certifying the machines and credentialing the users. Unilateral and multilateral means could then protect the defined national cyberspaces. Such means include implementations of “national firewalls” and the reduction of national portals, cyber passports for users, and assignment of consecutive IP addresses to specific territories. These steps would not stop all external attacks and exploits within a national cyberspace, but they would facilitate determining the origin of attacks and holding responsible authorities in the state where an attack originated. 20 The resulting system would extend the principle of national sovereignty—the cornerstone of contemporary international relations—into cyberspace 21 and increase a state’s control over its residents’ online activities.

Some states, including a few liberal democracies in the West, have already adopted or advocated some of these measures to deal with cyber security threats. However, many governments, organizations, and individual users will oppose full-blown development of the system for several reasons. First, it would sanction the fragmentation of the Internet into many an “internet in one country” with an attendant constriction of global communications. That process, already foreshadowed in China, Iran, and other authoritarian countries, would set back efforts to build a commons for discussion of items like climate change, scientific knowledge, and medical research on a global agenda. Second, multinational corporations and other agents of globalization, including economic managers in authoritarian countries, will consider this system an obstacle to a global economy in which businesses anywhere can have suppliers and customers everywhere. For them, a particularly threatening aspect of the projection of national sovereignty into cyberspace is the potential restriction in movement of information resources. Third, human rights advocates will oppose conceding the right to define a cyber attack to national governments, since their definitions can include a broad swath of content, as noted above in regard to China, as well as malicious code. Fourth, policymakers are likely to doubt whether governments will accept responsibility for cyber attacks originating in their territories under this system. These doubts can be grounded in current practices of government claiming ignorance of the attack origins or that they do not have the means to suppress all of them.

Finally, national boundaries in cyberspace are a way of dissecting the commons and privatizing the pieces. Because this commons is a network, its dismantling involves a loss of value. That is, the sum of the values of the parts will be less than the value of the original whole. The loss will be defined in different ways, but its anticipation will motivate broad resistance to the idea of national cyber borders. Nevertheless, the idea brings into relief questions about the character of the cyber commons: whether it is a thin communications overlay on, and ultimately reduced to, diverse geophysical entities and jurisdictions, or does it provide sets of experiences—a mode of being—in which users might acquire new identities transcending national identity. Jacques Bus considers the question, thankfully free of the usual panegyrics about the Internet flattening the world:

Globalization, driven clearly by new ICTs and the Web, creates understanding hence more trust through spreading information on history and reputation of societies, characteristics of societies and the lives of persons living in certain societies, and allowing easy worldwide communication. This may indeed lead to further erosion of the concept of “the human animal is best off at home.” It may well lead to the need for a completely new view on societies and their cohesion and the role trust must play in this. 22

Number of Users (–)

The more users of a CPR, the greater the transaction costs of getting them together and agreeing to change. So group size discourages self-organization, but “its effect on self-organization depends on other SES variables and the types of management tasks envisioned.”

The two billion people who already access the Internet constitute the largest users group in human history.
They should have opportunity to express their concerns in any international negotiations on the uses of cyberspace, since in many cases these are likely to be different from those of governments and other powerful stakeholders. For example, users in struggles against their own governments would certainly reject those governments’ representation of their interests regarding anonymity, online tracking, and permitted content. On the other hand, recent world meetings on climate change and on cyberspace itself have demonstrated that processes which are open to groups claiming to represent individual citizens’ interests can rapidly become unmanageable, time consuming, and unproductive. For that reason, an interpretation of national sovereignty, per which states rightfully represent their citizens’ interests, is expedient if not just. Unfortunately, even this stratagem will not reduce the relevant stakeholders to a manageable number. Negotiations will need to include representation of industrial sectors, especially ICT, and international organizations, as well as the states, since these can provide the technical knowledge to inform proposals but can also block implementations of any agreements reached without them. As Ostrom suggests, the number of parties involved might not itself determine the difficulty in reaching an agreement. Rather, when more parties are involved, especially when the issues are complex, there will be a greater number of competing claims that take time to reconcile, if they can be reconciled at all. Negotiations for the UN Convention on the Law of the Sea (UNCLOS), which regulates another commons, lasted a decade despite building on centuries of admiralty law and being more confined to issues of state sovereignty. There is much less legal tradition for cyber and, so far, no concerted efforts to harmonize state-level cyber laws.
Thus, the very limited and regionally oriented Budapest Convention on Cybercrime has been slow in gaining adherence, with many of its signatories listing numerous reservations. 23 Perhaps some relief from these bleak prospects might be provided by cyberspace itself, in that aggregation of opinions, consultations, and negotiations can themselves now be conducted virtually as well as in person. By organizing information, lowering transaction costs, and speeding communications, cyber tools might permit decision making about their own futures.

Resource Unit Mobility (–)

Due to the costs of observing and managing a system, self-organization is less likely with mobile resource units . . . than with stationary units, such as trees and plants or water in a lake.

Three types of mobility of devices make their effective, actionable monitoring difficult and costly. First, as already noted, the status of a device can change rapidly from “safe” to “compromised,” frequently without the change being discovered until later, if at all. Second, over their course, wide-scale cyber attacks and exploitations will typically deploy different machines located at different IP addresses and geophysical locations.

For example, during the massive July 2009 distributed denial of service (DDoS) attack on US government sites, the command and control (C2) sites reportedly migrated from computers in South Korea to some in Chicago and Berlin. Therefore, any monitoring or defense specific to an attack, like blockading potential C2 sites, will probably involve multiple jurisdictions with consequent problems of coordination. Later investigations will be similarly complicated and attribution inevitably uncertain.

As a result, parties to an agreement barring such attacks cannot rely on monitoring to verify that they are complying with the agreement or to identify violators. Third, the rise of mobile computing in the form of laptops, smart phones, and tablets has greatly increased the attack surface of cyberspace and the chore of any future monitoring program. The physical mobility of these devices also means they are exposed over their lifetimes to a variety of cyber threats and surveillance environments and to changes in their own security status. They will be more vulnerable than a machine tethered to a single server within an organization setting that has competent cyber security. They are more liable to penetration, theft of their information, and compromise. Once compromised, they can be turned into carriers for compromising networks to which they later connect, like corporate intranets. 24

Importance of Resource to Users (+)

In successful cases of self-organization, users are either dependent on the [resource] for a substantial part of their livelihoods or attach high value to the sustainability of the resource.

An increasing amount of activity throughout the world involves the creation, collection, packaging, use, and distribution of information. The Internet and other parts of cyberspace are vital to these activities. Various government position papers on cybersecurity are clear in recognizing the economic, social, cultural, and scientific importance of cyberspace. In calling for the “creation of a global culture of cybersecurity,” the UN General Assembly recognized that

the increasing contribution made by networked information technologies to many of the essential functions of daily life, commerce and the provision of goods and services, research, innovation and entrepreneurship, and to the free flow of information among individuals and organizations, Governments, business and civil society. 25

Even authoritarian regimes in Iran, Egypt, and elsewhere, which confronted massive protests organized by cyber means, have hesitated shutting down the Internet in their countries because of their economies’ dependence on it.

Governments and diplomats, however, have been less clear in recognizing how foundational public trust is for cyberspace. In calling for discussions of international norms for cyberspace, the UN group of governmental experts took mainly a national security perspective: Cyber crime and other cyber threats are disruptive to government, economic, and social functions; lack of a common understanding of the intents behind certain behaviors in cyberspace can lead to conflicts which might escalate to threaten international security. 26

Productivity of System (+)

If [a resource] is already exhausted or very abundant, users will not see a need to manage for the future. Users need to observe some scarcity before they invest in self-organization.

The growth of cyber crime, the incidence of attacks and exploits, the proliferation of malware, and threats to critical cyber infrastructure have raised questions whether the benefits of cyberspace can be sustained under present security practices. These questions clearly motivate the various calls for international agreements on cyberspace behavior. Jacques Bus notes that the possibility of states being behind many cyber threats “proves the urgency to come to international agreements on restraints in and defense against cyber attacks and for international cooperation to bring it under control.” 27 Having identified public trust as the depletable resource in cyberspace, Bus continues, “Public and private sector must work together at the international level to build a well balanced infrastructure of technology and law/regulation that will give citizens trust to use the opportunities of the new digital world.” 28 In a speech to the 2011 Munich Security Conference, British foreign minister William Hague made similar connections:

We are working with the private sector, to ensure secure and resilient critical infrastructure and the strong skills base needed to seize the economic opportunities of cyber space, and to raise awareness of online threats among members of the public. But being global, cyber threats also call for a collective response. In Britain we believe that the time has come to start seeking international agreement about norms in cyberspace. 29

Predictability of System Dynamics (0)

System dynamics need to be sufficiently predictable that users can estimate what would happen if they were to establish particular . . . rules or no-entry territories.

The consequences of a continuing lack of international regulation are more predictable than the effect of agreement and monitoring for some standards of behavior. With deterioration of public trust in cyberspace, the expansion of use—in terms of time spent, applications, and dependencies—will decelerate, and that will be accompanied by lower growth or drop in the incentives for development. Some users may have already reduced their use of public networks for critical data transmission; some organizations have reduced the number of access points or portals to themselves.

These steps might grow toward widespread delinking and fragmentation—phenomena which devalue cyberspace.

Projecting the loss in value of a vulnerable cyberspace compared to a safe one is problematic because of different models for evaluating the socioeconomic value of cyber networks. However, it seems reasonable to suppose that as new users are drawn more from lower economic strata and less-developed countries, the economic value of the networks will increase at a lower rate than in earlier stages of their growth. 30 Such a trend has mixed implications for self-organization. First, providers will have little incentive to increase their investments in cyber security—especially if security costs are a linear function of the number of users. But inaction by the providers could put more pressure on governments to work for agreements that reduce threats. On the other hand, the trend also suggests that any exit of users will not initially diminish network value. So, until the situation is deemed intolerable and not just bad, governments, mindful of the costs of agreements, could resist pressure and delay self-organizing, despite their public calls for action.

Leadership (0)

When some users of any type of resource system have entrepreneurial skill and are respected as local leaders as a result of prior organization for other purposes, self-organization is more likely.

Leadership is lacking for potentially productive, state-level negotiations, but not for want of actors that have had roles in organizing cyberspace. Over the past decade, the Internet Corporation for Assigned Names and Numbers (ICANN) has provided competent, although frequently criticized, administration of domain allocations and oversight of registration. It has accommodated the spectacular growth of the Internet and accompanying commercial demands with a redesign of policies for top-level domains. While it has not been particularly open to the grassroots participation specified in its multistakeholder model, it has retained the confidence of service providers and the respect of most states, as evidenced by the UN’s restraint from seeking involvement in administration of the Internet. But the ICANN is no norms entrepreneur and lacks the political skills and leverage to reconcile competing interests among states over cyber behaviors and security. Additionally, it is seen by many states as a tool of US policy.

The Internet Engineering Task Force (IETF) has exercised leadership in Internet protocols, mostly as the endorser of standards. Its own history exemplifies self-organizing among stakeholders for management of a commons, but its amorphous decision-making process is an awkward model for negotiations on constraining human activities. In any case, it is unqualified to lead in such negotiations, its ambit is limited to the technical realm, its centrality in that realm has diminished as concerns now focus more on mobile computing apps and other layers beyond its purview, and its membership is still heavily American and European. 31

The International Telecommunications Union (ITU), the UN agency responsible for ICT, has the ambition to lead policymaking and administration of cyberspace, and it led in organizing the World Summits on the Information Society (WSIS), which focused on soft issues: development-oriented uses of cyberspace, Internet governance, bridging digital divides.

Seen in the West as a tool for Russian and Chinese policy interests, it lacks the political credibility to assume leadership on hard issues like cyber espionage, information rights, and so forth. It probably also lacks the technological competence; the cybersecurity standards it developed and promoted in collaboration with the International Organization for Standardization (ISO) have proved expensive and unworkable.

Norms/Social Capital (+)

If users share norms of reciprocity and sufficiently trust one another to keep agreements, they will face lower transaction costs in reaching agreements and monitoring.

Continued economic globalization and the absence of major interstate wars could suggest that the major powers are developing adequate reciprocity structures and conflict avoidance mechanisms. Indeed, this assessment is supported by the fears expressed in the calls for cyber norms that misunderstandings about cyberspace behaviors could trigger unwanted conflicts. Nevertheless, the failure of negotiations on environmental regulations raises doubts that negotiations over cyberspace can fare any better, especially since the major powers have ideological differences regarding cyberspace, as great as the differences among economic interests that block resolutions of environmental issues.

Broadly speaking, the Russian and Chinese policymakers seek to extend the principle of national sovereignty to cyberspace by establishing a norm of the state being the final arbiter of matters relating to cyberspace in its territory. 32 From a Western perspective, their motives are to control the ideational space that cyber networks afford their populations and to prevent inquiry into use of cyber by their governments or proxies for military campaigns, political espionage, industrial espionage, and crime.

Recall, however, that the political traditions in Russia and China, even in the pre-Communist days, empowered state authorities to decide what their citizens should think, and that the principle of national sovereignty bars outsiders from interfering with the exercise of that power. Furthermore, Russian officials are keenly aware that Chechen insurgents or terrorists have used cyber technologies in their violent struggles against Russia. So an uncontrolled Internet can be politically threatening and easily exploited by external rivals, in particular the United States. For example, when cyber-fueled protests occurred in Russia, premier, presidential candidate, and target of the protests, Vladimir Putin, branded these protests the work of “foreign enemies.” 33 On this view, outsiders enabling dissent within a country is no contribution to public debate; it is “information warfare” conducted to weaken regimes to the point of greater accommodation with the outsiders or even collapse. Already, in 2008, Russia, China, and other members of the Shanghai Coordination Organization (SCO) have agreed to outlaw supporting or hosting the dissemination of potentially disruptive information. In September 2011, in seeming response to foreign governments’ and Diasporas’ support for cyber activism in the Arab world, Russia proposed that countries log the online activities of their residents suspected of such disseminations.

In contrast, the United States and its NATO allies tend in their pronouncements to view cyberspace as a central institution for a global economy, a means for worldwide scientific and cultural exchange, a commons for political debate and development, and a social medium.
Given this variety of functions, there follows a multistakeholder model for control and defense of cyberspace, with states being one type of stakeholder, along with nongovernmental organizations, service providers, ICT companies, critical infrastructure entities, corporate users, and individual users. But because cyberspace, particularly the Internet, is prey to attacks and exploits by criminals, terrorists, and even states, by virtue of their authority and capabilities, states have primary responsibility to provide the needed security without harming the interests of other stakeholders.

The diffusion of norms and treaties, such as the Budapest Convention on Cybercrime, are instruments for fulfilling such responsibility, as are the nurturing of a cyber-security culture and capabilities around the globe. 34

This view, wedded to a decade-old vision of the Internet, ignores the demographic and technological changes that are remaking cyberspace and expectations for it: the change from hundreds of millions of users concentrated in North America and Europe connected to the Internet through computers to billions of users with the bulk in south and east Asia connected through mobile devices and the rise of an Internet of things. As a result, practices that might have once seemed in the interest of all are now controversial and contested. 35 India, Brazil, and South America—leading voices on cyber issues among “nonaligned” countries—want these changes to be acknowledged as conceded major parts in any negotiations.

They consequently favor transfer of authority away from technologically oriented agencies, reflecting the multistakeholder model, including ICANN and IETF, to a more policy-oriented agency, possibly under the UN, though not necessarily the ITU, that gives every state an equal voice.

Knowledge of the Socioeconomic System (+)

When users share common knowledge of relevant SES attributes, how their actions affect each other and rules used in other SESs, they will perceive lower costs of organizing.

The various calls for cyber rules reflect policymakers’ knowledge that certain behaviors disrupt normal activities, sow public distrust, and threaten the sustainability of cyberspace. Their willingness to discuss issues beyond cyber crime acknowledges that those misbehaving may include their own governments and citizens. So, less time and money are needed to raise consciousness or convince skeptics that a problem exists and international cooperation can help solve it. Choosing what to do requires more knowledge of the dependencies among various processes in cyberspace, particularly how the technological affordances affect social (agents’) behaviors.

The efforts at environmental regulation show that broad, comprehensive solutions will be opposed even when those who feel threatened by the proposal are offered side payments. So the problem space has to be decomposed with selection of some target whose proposed solution could gain traction, help reduce the overall level of cyber insecurity, and build confidence among the various agents, thus enabling pursuit of other targets. One frequent suggestion is that states cooperate to suppress cyber criminal gangs by denying their means to monetize their thefts. This suggestion understands (a) the gangs’ dependency on particular banks and (b) that cyber crime serves as a development lab and testing ground for malware that might later be used by intelligence agencies in some states. Less known is how strongly these agencies depend on the gangs and, therefore, the incentives their states need to cooperate on the proposal.

Collective Choice Rules (0)

When users have full autonomy at the collective-choice level to craft and enforce some of their own rules, they have lower transaction costs as well as lower costs in defending the resource against invasion by others.

This variable implies that the more people can see themselves as authors of the rules they are expected to follow, the more they will follow those rules. This result is important for cyber security and public trust in cyberspace, because good “computer hygiene” at the organizational and individual levels can blunt a considerable amount of computer crime and exploits, perhaps as much as 80 percent. 36 Unfortunately, the number of users and the diffuseness of their representation would seem to preclude public participation in making rules, as mentioned before. Consequently, users will be less able to see their rule following as part of a global interdependent effort to sustain cyberspace and therefore their own benefit from it. The top-down directives they receive will more likely justify the rules only in terms of protecting the individual or organization.

Changing Variables and Crisis Response

The values of the Ostrom variables, summarized in the table below, do not favor self-organization in the cyber SES. Conditions are not ripe for productive, enforceable agreements under which stakeholders, especially states, limit their trust-eroding cyber behaviors. As indicated by the positive values for the “importance of the resource” and “productivity of the system” variables, the widespread expressions of fear for the future of cyberspace have sparked interest in such agreements. However, nothing beyond that should be expected until the values of some technological and other social variables change. Arguably, the pursuit now of a comprehensive global agreement or fallback to agreements among the “like-minded” will be counterproductive. It will likely deepen distrust among major cyber powers and discourage the sharing of useful knowledge of the cyber SES.
That seems to be the primary outcome of the recent London conference on cyber “rules of the road.” 37

Variable                              Value
Size of resource                      –
Number of users                       –
Resource unit mobility                –
Importance of resource                +
Productivity of system                +
Predictability of system dynamics     0
Leadership                            0
Norms/social capital                  +
Knowledge of SES                      +
Collective choice rules               0

Several feasible measures could improve prospects for effective agreements and/or sustain public trust in cyberspace. Consider the following changes.

Develop Global Identity Management

Jacques Bus recommends the development of a “globally interoperable trustworthy system for Identification and Authentication” as essential for trust among Internet users. 38 States, including some liberal democracies, are already requiring verified identification from Internet users. Interoperability of local standards would facilitate, if needed, the identification of a user of an Internet-linked device anywhere. Users could retain some anonymity or privacy under this regime, since different sites and transactions would demand different degrees of disclosure. Authoritarian regimes could more easily identify people in cyber networks of resistance, but they might find they are better off not identifying nonviolent resistors, while trying to identify and suppress violent ones. That strategy could channel opponents toward the nonviolent networks and give the regimes more breathing room. Their restraint in this regard could enable states that support their opponents to cooperate in the identification system. In terms of the Ostrom variables, identity management reduces some of the deleterious effects of resource mobility.

Increase Public Participation on Cyber Security

Discussions of cyber security policies in informed, relevant publics can have the double effect of putting pressure on respective national governments and involving these publics in rule-making processes. The UN resolution for the “creation of a global culture of cybersecurity” anticipates that national cyber security efforts will have broad societal involvement, including that of the private sector, civil society, academia, and private individuals, but it is silent regarding rule-making roles for nongovernmental actors. The public-private partnerships that have already emerged in Europe and North America appear focused on coordinating organization-level efforts and sharing information, without critiquing or innovating policies. But nongovernmental members, particularly any transnational corporation (TNC) and international nongovernmental agency (INGO), for example Freedom House, should be encouraged to suggest rules. Many have experienced cyber attacks in a variety of legal and technological environments and probably know better than observers or governments what cyber laws and practices need to be harmonized across countries as part of international agreements.

The Internet Governance Forum (IGF), a consultative body established by the UN and based on a multistakeholder model, might also be used for public input into global-level conversations on rules for cyberspace. Its meetings have discussed cyber security issues but have so far deferred to national governments and specialized agencies for policy proposals. But the IGF could use cyber tools and techniques, such as online surveying and crowd sourcing to collect and aggregate public opinion about rules and regulations needed in any future agreements.

Confidence Building through International Cooperation on an “Easy” Task

Although comprehensive agreements on cyberspace behaviors might be unattainable, international cooperation on some cyber threats and emergencies can be strong and effective, for example, the worldwide response to the Conficker worm or the working alliance of the Japan, China, and South Korea CERTs. In these cases, the cooperation builds upon “invisible norms” or commitments shared among cyber technologists, but it can give onlooking policymakers some confidence about their countries’ working together on cyber problems. So, their confidence could grow with more cases where a challenge triggers a widely shared professional commitment and the ensuing cooperation achieves some success. Some cyber crimes seem suitable candidates for the challenge, notably child pornography, low-level fraud, and identity theft. There is, however, a need for some agency to take the lead in promoting the urgency of suppressing the chosen crime.

This essay has used economic reductionism to argue that conditions are not ripe for reaching and enforcing international agreements on the uses of cyberspace. The argument holds that if people who exploit a commons know that overexploitation will degrade that commons they can agree to limit their behavior, providing the costs of coming to agreement and enforcing it are affordable. In this argument, self-limitation is in service to self-interest—to sustain one’s benefits from the commons. As far as the actor, whether individual, organization, or nation is concerned, cyberspace is just another domain where it pursues its self-interest. Cyberspace is, of course, much richer. It has become the basis and means for reorganizing much of contemporary social, economic, cultural, and intellectual life in developed countries. It provides a principal means for a global conversation about shared issues.
To the extent it retains public trust, cyberspace cultivates new social bonds and identities that augment preexisting ones, like nationality. For all that, it commands some allegiance.

Even its advocates do not think an international cyber treaty would sufficiently protect states, organizations, and individuals from the various attacks arising in cyberspace. Although a treaty would be a restraint on its signatories and facilitate sanctions of its violators, adequate cyber defense at the state level would still require resistance (hardening) of digital networks, especially those supporting critical infrastructure; resilience of organizations likely to be attacked; and reasonable deterrence with respect to nonsignatories. In the absence of international agreement(s), reliance on these other components would increase moderately. Furthermore, because digital networks are necessary for economic globalization, states will continue to cooperate on the technical plane and with regard to Internet governance at least to the point of assuring interoperability at the global level.

Such cooperation will not extend to control industrial espionage, protect critical information infrastructures or assure information freedom, three issues which have recently emerged as foci of distrust among states. These and other cyber issues at the international level will likely be addressed in the midterm future in disjointed and incremental fashion—the strategy of muddling through. These are not necessarily bad results, and few users will experience any loss of benefits from cyberspace. On the other hand, the insecurity there will persist, and the opportunity to build public trust on a global level will have passed.

Notes

of Eighteenth-Century Naples,” in Trust: Making and Breaking Cooperative Relations, ed. Diego Gambetta (London: Basil Blackwell, 1988), 127–41.

29. Foreign Secretary William Hague, “Security and Freedom in the Cyber Age—Seeking the Rules of the Road,” speech to the Munich Security Conference, 4 February 2011, http://www.fco.gov.uk/en/news/latest-news/?view=Speech&id=544853682.

30. According to the well-known Metcalfe’s law, the value of a network is proportional to the number of cross connections among its N users, that is $N^2$. The growth (or decline) in value with each user who joins (leaves) the network is proportional to $2N$. The more extreme Leek’s law equates network value with the number of distinct audiences that can be formed from the number of users, i.e., the number of subsets less the null set of N or $2^N - 1$. So the value of the network would incredibly double (or be halved) with each user joining (or leaving). A more reasonable evaluation, especially for large networks, assumes differential use by those in the network. Consistent with power laws (long-tail phenomena), usage is assumed to decline exponentially with delay in joining the network. Usage or transactions over the N users describes a hyperbola, with the first joiners the heaviest users. The cumulative benefit, hence value of the network, is then proportional to the area under the curve or natural log of N ($\ln N$). The increase (decrease) in network value with each person joining (leaving) is significantly less than estimated by Metcalfe’s law, and the change is decreasing rather than increasing.
Thus, if the network provider’s cost of acquiring an additional user is fixed, a point of diminishing returns on value will be reached.

31. My thanks to Phillip Hallam-Baker for discussion of this point.

32. Ekaterinburg draft. (see note 20).

33. Michael Bohm, “Putin Chasing Imaginary American Ghosts,” Moscow Times, 9 February 2012, http://www.themoscowtimes.com/opinion/article/putin-chasing-imaginary-american-ghosts/452802.html.

34. See UN General Assembly Resolution 64/211: “Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures,” adopted 17 March 2010.

35. Ronald Deibert and Rafal Rohozinski, “Contesting Cyberspace and the Coming Crisis of Authority,” in Deibert et al., Access Contested, 21–41.

36. Brenner, America the Vulnerable, 239–44; and Brenner, personal communication, 2010.

37. Apps, “Disagreements on Cyber Risk East-West ‘Cold War.’ ”

38. Bus, “Societal Dependencies and Trust,” 24.

Escalation Dynamics and Conflict Termination in Cyberspace

Herbert Lin

Dr. Herbert Lin is chief scientist at the Computer Science and Telecommunications Board, National Research Council of the National Academies, where he has been study director of major projects on public policy and information technology. Of particular note is his role as editor of a 2009 NRC study on cyber attack as an instrument of national policy and a 2010 study on cyber deterrence. He previously served as staff scientist for the House Armed Services Committee (1986–90), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

This article is largely based on chapter 9 of Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities by William Owens, Kenneth Dam, and Herbert Lin (Washington: National Academies Press, 2009). The author is solely responsible for any deviation from the conclusions of that report. This article does not necessarily reflect the views of the research sponsors, the MacArthur Foundation or the Microsoft Corporation.

US national security planners have become concerned in recent years that this country might become engaged in various kinds of conflict in cyberspace. Such engagement could entail the United States as the target of hostile cyber operations, the initiator of cyber operations against adversaries, or some combination of the two. To date, most serious analytical work related to cyber conflict focuses primarily on the initial transition from a preconflict environment to that of conflict. Little work has been done on three key issues: (1) how the initial stages of conflict in cyberspace might evolve or escalate (and what might be done to prevent or deter such escalation), (2) how cyber conflict at any given level might be deescalated or terminated (and what might be done to facilitate deescalation or termination), and (3) how cyber conflict might escalate into kinetic conflict (and what might be done to prevent kinetic escalation). Each of these issues is important to policymakers, both in preparing for and managing a crisis. Before beginning that discussion, it is instructive to consider some relevant terminology and concepts.

Terminology and Basic Concepts

The term offensive cyber operations as used here refers collectively to actions taken against an adversary’s computer systems or networks that harm the adversary’s interests. In general, an offensive cyber operation gains access to an adversary’s computer system or network and takes advantage of a vulnerability in that system or network to deliver a payload.

In a non-cyber analogy, access might be any available path for reaching a file in a file cabinet. A vulnerability might be an easy-to-pick lock on the file cabinet—and note that ease of picking the lock is irrelevant to an Earth-bound intruder if the file cabinet is located on the International Space Station where access to the file cabinet would be difficult. The payload describes what is to be done once the intruder has picked the lock. For example, the intruder can destroy the papers inside, alter some of the information on those papers, or change the signature on selected documents.

Access is “easy” when a path to the target can be found without much difficulty; a computer connected to the Internet may well be such a target.

Access is “difficult” when finding a path to the target is possible only at great effort or may not be possible for any practical purposes. An example of such a target may be the onboard avionics of an enemy fighter plane, which is not likely to be connected to the Internet for the foreseeable future.

In general, access to an adversary’s important and sensitive computer systems or networks should be expected to be difficult. Furthermore, access paths to a target may be intermittent—a submarine’s on-board administrative local area network would necessarily be disconnected from the Internet while underwater at sea but might be connected while in port. If the administrative network is ever connected to the on-board operational network (controlling weapons and propulsion) at sea, an effective access path may be present for an adversary.

A vulnerability is a security weakness in the system or network that is introduced by accident (by some party that has a legitimate reason to access the system) or on purpose (by a would-be intruder). An accidentally introduced weakness (a “security bug”) may open the door for opportunistic use of the vulnerability by an adversary. Many vulnerabilities are widely publicized after they are discovered and may be used by anyone with moderate technical skills until a patch can be disseminated and installed.1 Adversaries with the time and resources may also discover unintentional defects that they protect as valuable secrets—also known as zero-day vulnerabilities.2 A deliberately introduced vulnerability occurs because the intruder takes an action to create one where one did not previously exist. For example, an intruder might deceive a legitimate user of the targeted system or network to disable a security feature (e.g., reveal a password). Both kinds of vulnerability are useful to intruders as long as the weaknesses introduced remain unaddressed.

Payload is the term used to describe the things that can be done once a vulnerability has been exploited. For example, once a software agent (such as a virus) has entered a given computer, it can be programmed to do many things—reproduce and retransmit itself, destroy files on the system, or alter files.
Payloads can have multiple capabilities when inserted into an adversary system or network—that is, they can be programmed to do more than one thing. The timing of these actions can also be varied.

Depending on the intent of the intruder, an offensive cyber operation can be classified as cyber attack or cyber exploitation. Cyber attack is the use of deliberate information technology (IT)–related actions—perhaps over an extended period of time—to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the data and/or programs resident in or transiting these systems or networks.3 Such effects on adversary systems and networks may also have indirect effects on entities coupled to or reliant on them. A cyber attack seeks to cause adversary computer systems and networks to be unavailable or untrustworthy and therefore less useful to the adversary. Because so many different kinds of cyber attack are possible, the term cyber attack should be understood as a statement about a methodology for action—and that alone—rather than as a statement about the scale of the effect of that action. Cyber exploitation is the use of deliberate IT-related actions—perhaps over an extended period of time—to support the goals and missions of the party conducting the exploitation, usually for the purpose of obtaining information resident on or transiting through an adversary’s computer system or network.

Cyber exploitations do not seek to disturb the normal functioning of a computer system or network from the user’s point of view—indeed, the best cyber exploitation is one that goes undetected.

The similarity between these two concepts and the exploitation channel are the most important characteristics of offensive cyber operations. Cyber attack and cyber exploitation are very similar from a technical point of view. They use the same access paths and take advantage of the same vulnerabilities; the only difference is the payload they carry. These similarities often mean that the targeted party may not be able to distinguish easily between cyber exploitation and cyber attack—a fact that may result in that party’s making incorrect or misinformed decisions. The primary technical requirement of cyber exploitation is that delivery and execution of its payload be accomplished quietly and undetectably. Secrecy is often far less important when cyber attack is the mission, because in many cases the effects of the attack will be immediately apparent to the target. All exploitation operations require a channel for reporting the information they collect. If the channel happens to be two-way, payloads can be remotely updated. Thus, the functionality of the operation may be different today than it was yesterday—most significantly, it may be an exploitation payload today and an attack payload tomorrow. In some cases, the initial payload consists of nothing more than a mechanism for scanning the system to determine its technical characteristics and an update mechanism to retrieve the best packages to further the compromise.

Attribution

Attribution is the task of identifying the party that should be held politically responsible for an offensive cyber operation.4 Technical attribution is the ability to associate an attack with a responsible party through technical means based on information made available by the cyber operation itself—that is, technical attribution is based on clues available at the scene (or scenes) of the operation. All-source attribution is a process that integrates information from all sources, not just technical sources at the scene of the attack, to arrive at a judgment (rather than a definitive and certain proof) concerning the identity of the intruder.

As a general rule, attribution is a difficult matter. It becomes more difficult as more of the following factors are present:

such information will result in large uncertainties about the direct and indirect effects of an operation and make it difficult to develop accurate estimates of likely collateral damage.

Active Defense

Defensive measures in cyber security seek to frustrate offensive operations taken against systems or networks. Passive defensive measures, such as hardening systems against penetration, facilitating recovery in the event of a successful offensive operation, making security more usable and ubiquitous, and educating users to behave properly in a threat environment, are important elements of a strong defensive posture.5 Nevertheless, for the defense to be successful, these measures must succeed every time an adversary attacks. The offensive operation need only succeed once, and an adversary who pays no penalty for a failed operation can continue with follow-on operations until it succeeds or chooses to stop. This places a heavy and asymmetric burden on a defensive posture that employs only passive defense.

If passive defense is insufficient to ensure security, what other approaches might help to strengthen one’s defensive posture? One possibility is to eliminate or degrade an adversary’s ability to successfully conduct offensive cyber operations. In that case, the operation is ultimately less successful than it might otherwise have been because the defender has been able to neutralize the operation in progress or perhaps even before it was launched.

A second possibility is to impose other costs on the adversary, and such a strategy is based on two premises. First, imposition of these costs reduces the adversary’s willingness and/or ability to initiate or to continue an offensive operation. Second, knowledge that an operation will prove costly to one adversary deters others from attempting to conduct similar operations—and advance knowledge of such a possibility may deter the original adversary from conducting the offensive operation in the first place.
There are many options for imposing costs on an adversary, including economic penalties such as sanctions, diplomatic penalties such as breaking of diplomatic relations, and even kinetic military actions such as cruise missile strikes. In-kind military action—a counteroffensive cyber operation—is also a possibility.

Both of these possible reactions—neutralization of an adversary’s offensive operation and imposition of costs to the adversary for the operation—are often captured under the rubric of active defense. But note well—the attempt to impose costs on an adversary that conducts offensive cyber operations might well be seen by that adversary as an offensive act itself.

This may be especially true in the fog of cyber conflict, where who is actually doing what may be uncertain.

Evolving or Escalating Conflict

The phenomenon of escalation is a change in the level of conflict (where level is defined in terms of scope, intensity, or both) from a lower (perhaps nonexistent) to a higher level. Escalation is a fundamentally interactive concept in which actions by one party trigger other actions by another party to the conflict. Of particular concern is a chain reaction in which these actions feed off one another, thus raising the level of conflict to a level not initially contemplated by any party to the conflict.

Escalation can occur through a number of mechanisms which may or may not be operative simultaneously in any instance.6 It includes four basic types: deliberate, inadvertent, accidental, and catalytic.

Deliberate escalation is carried out with specific purposes in mind. For example, a party may deliberately escalate a conflict from some initial level (which may be zero) to gain advantage, to preempt, to avoid defeat, to signal an adversary about its own intentions and motivations, or to penalize an adversary for some previous action. Offensive cyber operations—specifically, cyber attacks—are one of many possible military options for deliberate escalation.

Inadvertent escalation occurs when one party deliberately takes actions that it does not believe are escalatory but which are interpreted as escalatory by another party to the conflict. Such misinterpretation may occur because of incomplete information, lack of shared reference frames, or one party’s thresholds or “lines in the sand” of which other parties are not aware. Communicating to an adversary the nature of any such thresholds regarding activity in cyberspace may be particularly problematic, even under normal peacetime circumstances. For example, Nation A does X, expecting Nation B to do Y in response.

But in fact, Nation B unexpectedly does Z, where Z is a much more escalatory action than Y. Or Nation A may do X, expecting it to be seen as a minor action intended only to show mild displeasure and that Nation B will do Y in response, where Y is also a relatively mild action. However, due to a variety of circumstances, Nation B sees X as a major escalatory action and responds accordingly with Z, an action that is much more significant than Y. Nation A perceives Z as being way out of proportion and, in turn, escalates accordingly.

Accidental escalation occurs when some operational action has direct effects that are unintended by those who ordered them. A weapon may go astray to hit the wrong target; rules of engagement are sometimes unclear; a unit may take unauthorized actions; or a high-level command decision may not be received properly by all relevant units. It is especially relevant here that there is often greater uncertainty of outcome due to a lack of adequate intelligence on various targets when certain kinds of offensive cyber operations are employed.

Catalytic escalation occurs when some third party succeeds in provoking two parties to engage in conflict. For example, Party C takes action against Party A that is not traced to Party C and appears to come from Party B.

Party A reacts against Party B, which then believes it is the target of an unprovoked action by Party A. The inherent anonymity of cyber operations may make “false-flag” operations easier to undertake in cyberspace than with kinetic operations.

Through such mechanisms, the escalatory dynamics of conflict show how a conflict, once started, might evolve. Of interest are issues such as what activities or events might set a cyber conflict into motion, what the responses to those activities or events might be, how each side might observe and understand those responses, whether responses would necessarily be “in-kind,” or how different kinds of states might respond differently.

Theories of escalation dynamics have been elaborated in the nuclear domain. But the deep and profound differences between the nuclear and cyber domains suggest that any theory of escalation dynamics in the latter would require far more than small perturbations in nuclear escalation dynamics theories, though such theories might be useful points of departure for developing new ones applicable to cyberspace. Some of these differences include the greater uncertainties in attribution of cyber actors, the broad proliferation of significant capabilities for cyber operations to a multitude of states and a variety of nonstate actors as well, and the inherent ambiguities of cyber operations compared to the very distinct threshold of nuclear weapons explosions.

To suggest some of the difficulties involved, consider the following scenarios:

nature of various attack-like activities (e.g., hacking and other intrusions) against the computer systems and networks of most nations, Blue’s conclusion that its computer systems are being attacked is certainly true.
Attribution of such an attack is a different matter, and because hard evidence for attribution is difficult to obtain, Blue’s government may make inferences about the likelihood of Red’s involvement by giving more weight to a general understanding of Red’s policy and posture toward it than might be warranted by the specific facts and circumstances of the situation. Evidence that appears to confirm Red’s involvement will be easy to find, whether or not Red is actually involved. If Red is a technologically sophisticated nation (such as the United States), the lack of “fingerprints” specific to Red can easily be attributed to its technological superiority in conducting such attacks.

ordinary scans, and yet discovery of these agents may well prompt fears that an attack is pending.

Crisis Stability

to imagine circumstances in which Red would realize that Blue were planning an attack, as preparations for launching a cyber attack are likely to be invisible for the most part.

A second relevant scenario is one in which Blue is planning a kinetic attack on Red. Intelligence information, such as photographs of troop movements, indicates preparations for such an attack. Under these circumstances, Red might well choose to launch a preemptive cyber attack with the intent of delaying and disrupting Blue’s preparations for its own.

Signaling Intentions in Cyber Conflict

Nothing in the set of options above is specific to cyber conflict—such issues have been an important part of crisis management for a long time.

But managing such issues may well be more difficult for cyber conflict than for other kinds of conflict. One reason is the constant background of cyber-attack activity. Reports arrive constantly of cyber attacks of one kind or another on US computer systems and networks, and the vast majority of these attacks do not have the significance of a serious cyber attack launched by a party determined to do harm to the United States.

Indeed, the intent underlying a given cyber attack may not have a military or a strategic character at all. Organized crime may launch a cyber attack for profit-making purposes. A teenage hacking club may launch a cyber attack out of curiosity or for vandalism purposes.

Thus, if one nation wishes to send a signal to its cyber adversary, how is the latter to recognize that signal? Overtly taking credit for such an attack goes only so far, especially given uncertain communications in times of tension or war and the near certainty of less-than-responsible behavior on the part of one or both sides.

A dearth of historical experience with the use of serious offensive cyber operations further complicates efforts at understanding what an adversary might hope to gain by launching a cyber attack. In the absence of direct contact with those conducting such operations—sometimes even in the presence of such contact—determining intent is likely to be difficult and may rest heavily on inferences made on the basis of whatever attribution is possible. Thus, attempts to send signals to an adversary through limited and constrained military actions—problematic even in kinetic warfare—are likely to be even more problematic when cyber attacks are involved.

Determining the Impact and Magnitude of Cyber Response

If an adversary conducts a cyber attack against the United States, the first questions for US decision makers will relate to impact and magnitude. Such knowledge is necessary to inform an appropriate response. If, for example, the United States wishes to make a commensurate response, it needs to know what parameters of the incoming attack would characterize a commensurate response.

In many kinds of cyber attack, the magnitude of the impact of the first attack will be uncertain at first and may remain so for a considerable period of time.
Decision makers may then be caught between two challenges—a policy need to respond quickly and the technical fact that it may be necessary to wait until more information about impact and damage can be obtained. These tensions are especially challenging in the context of active defense and active threat neutralization.

Decision makers often feel intense pressure to “do something” immediately after the onset of a crisis, and sometimes such pressure is warranted by the facts and circumstances of the situation. On the other hand, the lack of immediate information may prompt decision makers to take a worst-case view of the attack and, thus, to assume that the worst that might happen was indeed what actually happened. Such a situation has obvious potential for inappropriate and unintended escalation or kinetic response.

Transparency and Confidence-Building Measures

Where kinetic weapons are concerned, transparency and confidence-building measures such as adherence to mutually agreed “rules of the road” for naval ships at sea, prenotification of large troop movements, and noninterference with national technical means of verification have been used to promote stability and mutual understanding about a potential adversary’s intent.

Translating traditional transparency and confidence-building measures into cyberspace presents many problems. For example, generating forces in preparation for offensive cyber operations can be done essentially behind closed doors and with a small footprint, so evidence suggesting impending hostile action will never be evident, except with advance public notice. Thus, there is no reasonable analog for “notification of movement or massing of forces.” Because the success of offensive cyber operations is largely dependent on stealth and deception, reassurances of Nation Blue regarding the benign nature of any cyber activity observed, assuming it can be seen and attributed, ring hollow to any parties that have a competitive or politically tense relationship with Blue.

Traditional kinetic operations—those military operations on land, sea, and air—are easily distinguishable from most nonmilitary movements. By contrast, it is often difficult to distinguish between military and nonmilitary cyber operations, particularly between cyber attack and cyber exploitation.

During a crisis, Blue may consider collecting intelligence on Red as stabilizing and thus lower the likelihood of mistaken escalation. Red may well interpret this as Blue preparing the battlefield as a prelude to attack.

These comments are not meant to suggest that all transparency or confidence-building measures for cyberspace are futile—only that applying traditional measures to cyberspace will be difficult, and new forms of conduct and behavior may be needed to promote transparency and build confidence.

Catalytic Cyber Conflict

Catalytic conflict as mentioned earlier refers to the phenomenon in which a third party instigates or seeks to escalate conflict between two other parties. These could be nation-states or subnational organizations such as terrorist groups. To increase confidence in the success of initiating a catalytic war, the instigator might attack both parties, seeking to fool each into thinking the other is responsible.

Because high-confidence attribution of cyber attacks under all circumstances is highly problematic, an instigator would find it relatively easy to deceive each party about the instigator’s identity; thus, a double-sided catalytic attack may be plausible. Also, if a state of tension already exists between the two parties involved, leaders in each nation will be predisposed toward thinking the worst about the other, making them less likely to exercise due diligence in carefully attributing an attack.

An instigator might consequently choose just such a time to conduct a catalytic cyber attack.

Complications Introduced by Patriotic Hackers

When traditional kinetic military operations are involved, it is generally presumed that the forces involved engage in armed conflict only at the direction of the cognizant government, only by its authorized military agents, and specifically, not by private groups or individuals. That is, governments maintain their armed forces to participate in armed conflict under the government’s direction.

But in the Internet era, it is necessary to consider that nonstate actors may become involved in conflict. During times of conflict (or even tension) with another nation, some citizens may be motivated to support their country’s war effort or political stance by taking direct action in cyberspace (see fig. 2). Such individuals—often known as hacktivists or patriotic hackers—are private citizens with some skills in the use of cyber attack weapons, and they may well launch cyber attacks on the adversary nation on their own initiative; that is, without the blessing and not under the direction or control of the government of that nation.

A number of incidents of privately undertaken cyber attacks have been publicized:

The actions of these patriotic hackers may greatly complicate escalation management. Such actions may be seen by an adversary as being performed under the direction, blessing, tacit concurrence, or tolerance of the state and therefore are likely to be factored into the adversary’s assessment of the state’s motives and intent. The state’s efforts to suppress patriotic hackers may be seen as insincere and are likely to be at least partially unsuccessful as well. In a worst-case scenario, actions of patriotic hackers during times of tension may be seen as an officially sanctioned cyber first strike, even if they have not acted with government approval or under government direction.

Yet another complication involving patriotic hackers is the possibility that they might be directed by, inspired by, or tolerated by their government but in ways in which the government’s hand is not easily visible. Under such circumstances, hostile acts with damaging consequences could continue to occur with corresponding benefits to the nation responsible despite official denials. At the very least, the possibility that patriotic hackers may be operating could act as a plausible cover for government-sponsored cyber attacks, even if there were in fact no patriotic hackers doing anything.

Incentives for Self-Restraint in Escalation

One set of incentives is based on concerns about an adversary’s response to escalation. Understanding this set of incentives is necessarily based on a sense of what kinds of offensive cyber actions—whether cyber attack or cyber exploitation—might be mistaken for cyber attack and might lead to what kinds of adversary responses, either in cyberspace or in physical space. In this regard, an essential difference between cyber attack and the use of a nuclear, chemical, biological, or space weapon is readily apparent—the initial use of any nuclear, chemical, biological, or space weapon, regardless of how it is used, would constitute an escalation of a conflict under almost any circumstances. By contrast, whether a given cyber attack, or conventional kinetic attack for that matter, would be regarded as an escalation depends on the nature of the operation—the nature of the target(s), their geographical locations, or their strategic significance.

A second set of incentives is based on concerns about blowback—the possibility that a cyber attack launched by the United States against Nation B’s computers might somehow affect US computers at a later time.

Understanding the likelihood of blowback will require a complex mix of technical insight and intelligence information.

Deescalation and Conflict Termination

Conflict termination presumes the existence of an ongoing conflict to which the participants desire an end. It requires several elements, including:

these means operate from outside territory controlled by an adversary and provide information that is generally regarded as reliable. But because the footprint of cyber forces is so small, movement of adversary forces can take place without signatures that can be externally observed.

Based on precedents in kinetic conflict, it is plausible that nations seeking a cease-fire in a cyber conflict would ask for the deactivation of these hostile agents. To comply with such a request (not an unreasonable one in the context of a cease-fire), these nations will need to maintain cyber “demining” capabilities regarding the offensive software and/or hardware agents they implant into adversary systems, networks, and infrastructure. For example, they will need to keep track of where these agents are implanted or be able to communicate with them to disarm them—a capability that may rule out offensive agents that operate in a fully autonomous manner.

Each party will naturally have concerns about its adversary’s commitment to adhere to the terms of a cyber cease-fire, especially in the aftermath of a conflict. On what basis would Blue’s government believe a claim by Red that it was indeed complying with the terms of a cease-fire? How much would Red tell Blue about system and network penetrations it had made, knowing such information might be used to prosecute an attack or defend more effectively against Red? The availability of effective ways to address the issues described above is almost certainly one aspect of being able to manage conflict termination in cyberspace.
Analysts sometimes raise the issue of how the United States might deter escalation when it has more at stake in cyberspace than its adversaries. The first point to consider is that deterrence of cyber attack does not necessarily entail a threat to respond through cyberspace against an adversary’s cyber assets, and when non-cyber threats against an adversary’s non-cyber assets are considered, the calculus of deterrence may well be different. For example, kinetic weapons can, in principle, be employed against valuable physical military targets. Although the threshold for such a response may well be higher, an adversary would still have to consider the possibility of a non-cyber response to any attack. Consistent with this point, US policymakers have always noted that the United States reserves the right to respond appropriately in a time, place, and manner of its own choosing.

In addition, concerns over blowback may deter an adversary. If an adversary’s interests are entangled with those of the United States, it may be deterred from taking actions that might harm US interests because of concerns that one ultimate effect of such actions would be to harm the adversary’s interests. For example, a nation that is owed a great deal of money by the United States might well be unlikely to conduct an attack that undermines its financial stability.

Lastly, many analysts note that deterrence is a psychological phenomenon and that threats of retaliation must be focused on assets that an adversary holds dear and values highly. In principle, what an adversary—or more precisely, an adversary decision maker—holds dear can span a wide range, from personal to national (e.g., tools of national power).
In the category of personal assets are financial entities (e.g., a leader’s bank accounts could be drained), reputation (e.g., a scandal in a policymaker’s past might be revealed), and close friends and relatives (e.g., the interests of such individuals could be compromised). Such assets are not typically considered in a traditional military context—but nontraditional approaches to deterrence may well be needed to deal with the nontraditional threats that cyber attacks pose.

The approaches described above may be most useful in deterring hostile cyber operations intended to achieve large-scale effects. They are unlikely to be useful in deterring operations intended to achieve smaller effects, because smaller effects by definition do not cause maximum pain for either side. Put differently, the argument that the United States has more at risk in cyberspace than its adversaries is simply not relevant when the amount of damage that can be done (by definition) is small.

Kinetic Escalation

Issues of escalation and conflict termination in cyberspace are complicated by the fact there may be cross-domain linkages. Although conflict might, in principle, be limited to hostile operations in cyberspace alone, there is no reason this is necessarily so, and policymakers must contemplate the possibility that conflict in cyberspace might spill over into physical space, and might even lead to kinetic actions.

For example, if national command authorities decide to retaliate in response to a cyber attack, an important question is whether retaliation must be based on a “tit-for-tat” response. Assuming the perpetrator of a cyber attack is known to be a hostile nation, there is no reason in principle the retaliation could not be a kinetic attack against the interests of that hostile nation.

Allowing a kinetic response to a cyber attack expands the range of options available to the victim. An extreme case is, in the event of a cyber attack of sufficient scale and duration that it threatens the nation’s ability to function as a modern society, the attacked nation might choose to respond with kinetic force. On the other hand, the use of kinetic operations during an ostensibly cyber-only conflict is an important threshold.

Nations involved in a cyber-only conflict may have an interest in refraining from a kinetic response—for example, they may believe kinetic operations would be too provocative and might result in an undesired escalation of the conflict. In addition, the logic of offensive cyber operations suggests that such operations are likely to be most successful when the initiator of these operations has the time to gather intelligence on likely targets—such intelligence gathering is obviously time-limited once overt kinetic conflict breaks out.

If understanding the dynamics of cyber-only conflict is difficult, understanding the dynamics of cyber conflict when kinetic operations may be involved is doubly so. To the extent national decision makers have incentives to refrain from conducting offensive operations that might induce a strong kinetic reaction, the obvious approach would be to conduct cyber attacks that are in some sense smaller, modest in result, targeted selectively against less-provocative targets, and perhaps more reversible. The similarity of such an approach to escalation control in other kinds of conflict is not accidental, and it has all of the corresponding complexities and uncertainties.

In keeping a cyber conflict from escalating into physical space, it is important to think about “lines in the sand” beyond which one side warns another not to cross. For example, it is reported that during the first Gulf War, the United States regarded Iraqi use of chemical weapons against US forces as one such threshold of unacceptable activity, one that might well provoke the use of US nuclear weapons against Iraq. When only traditional kinetic forces are involved, lines in the sand might be the use of certain weapons, attacks on or damage to certain targets, movement or placement of armed forces beyond certain geographical lines, and so on.

Cyber analogs to these thresholds are hard to construct. Describing a class of cyber weapon whose mere use would be wholly unacceptable is hard to imagine, since there are no real cyber analogs to true weapons of mass destruction where even a single use of a WMD qualitatively changes the landscape of kinetic conflict. And in cyberspace, what is the analog of a geographical border beyond which cyber weapons may not be placed?

Perhaps the most promising analog is the notion of specific targets that might be placed off limits—cyber attacks on such targets could, in principle, be deemed unacceptable. One class of off-limits targets might be cyber assets associated with truly critical infrastructure, such as the bulk power grid or the banking and financial system. But as any bank executive will confirm, some of these targets are under attack quite frequently—so attacks that do not cause large amounts of damage or loss probably should not qualify as crossing the threshold of unacceptability. There is also the question of being able to assign political responsibility to some perpetrator for the conduct of a successful large-scale attack on some off-limits target—a question whose answer may be in doubt, given the difficulties of rapid attribution of a cyber attack. Finally, one might well ask how a cyber asset would be positively identified as being associated with the bulk power grid or the banking and financial system. Would we provide a computer-readable identification tag on every such computer? Such a tag might make these targets obvious to other parties wishing to do us harm.

Even presuming that the United States could identify specific thresholds, such information would need to be communicated clearly to an adversary.

Such communication is difficult even in scenarios of traditional military conflict, and all of these difficulties obtain in the cyber context. But it is worth observing that because cyber conflict is fundamentally based on deception, persuading an adversary to believe any US statement about what is off-limits may be particularly challenging.

The Political Side of Escalation

Despite the focus of the discussion above on escalation dynamics from a primarily military standpoint, escalation dynamics inevitably have a political and psychological component that must not be overlooked. For example, the discussion of active defense above pointed out that US cyber attacks undertaken under the rubric of active defense may not be perceived by others as innocent acts of self-defense, even if they are intended as such. While both sides in most conflicts claim they are acting in self-defense, cyber conflicts are a particularly messy domain in which to air and judge such claims.

Another possible misperception may arise from intelligence-collection activities that might involve cyber-attack techniques. The discussion above noted the problems of misperceiving exploitation as a prelude to continuing cyber operations during a cease-fire. But the problem is broader than that—during conflict or in the tense times that often precede conflict, the needs for current intelligence on the adversary are particularly acute. Knowing what the adversary is doing and the scope and nature of its future intentions are very important to decision makers, and the need to collect such intelligence will almost certainly result in greater pressures to use the entire array of available intelligence-gathering techniques—including techniques of cyber exploitation.
If the adversary is unable to distinguish between an offensive operation for exploitation and one for attack—an outcome that seems all too likely—a cyber exploitation may run the risk of being perceived as part of an imminent attack, even if this is not the intent of decision makers.

Finally, it seems likely that escalation issues would play out differently if the other nation(s) involved are or are not near-peer competitors. Escalation to physical conflict is less of a concern to the United States if the nation has weak conventional forces and/or is a nonnuclear state. But a nation with nuclear weapons, or even strong conventional forces in a position to inflict significant damage on US allies, is another matter entirely.

Relationships with such states may well need to be explicitly managed, paying special attention to how escalation may be viewed, managed, and controlled, and most importantly, how miscalculation, misperception, or outright error may affect an adversary’s response.

Dynamics such as these suggest that factors other than the ones dictated by military or legal necessity play important roles in escalation dynamics, if only because they can strongly affect the perceptions of decision makers on either side.

The Future of Escalation Dynamics

The issues of escalation dynamics, conflict termination, and cross-domain linkages in cyberspace play out against a rapidly changing technological, policy, and geopolitical environment. The substrate of cyberspace—computing and communications technology—is characterized by change on a timescale much shorter than the planning horizon for traditional military acquisitions and planning. Upgrades notwithstanding, major weapons platforms are expected to serve for decades, while the information technology environment changes rapidly in a few years. The growing use of cloud computing is a further—and potentially disruptive—change in possible computing platforms and may require new concepts for assigning responsibility for cyber operations. Mobile computing may present opportunities for determining device location as well as being the enabling technology for many new users of cyberspace. IT will be increasingly embedded, ubiquitous, and connected within all elements of modern society, potentially increasing vulnerabilities to all manner of societal functions. The result is that operational concepts for escalation management must take into account a rapidly evolving set of targets and offensive and defensive capabilities.
In most traditional domains of conflict, US military doctrine has been based on establishing dominance—that state in which friendly forces have maximum freedom of action and adversary forces have minimal freedom of action. But in the cyber domain, this presumption is not sustainable—and senior US military leaders are beginning to speak publicly about this point.13 Much of the traditional US approach to escalation control is based on the ability of friendly forces to establish dominance at any level of conflict on the premise that an adversary would not choose to escalate if, at the higher level of conflict, it could not hope to prevail.

Nation-states are increasingly concerned about the risks inherent in involvement in cyberspace. Even apart from the protection of critical national infrastructure and military assets, various nations express deepening worries about traditional criminal activity in cyberspace, protection of intellectual property, and increased connectedness for political movements that may pose a threat to government interests and stability.

Nonstate actors are increasingly important players in cyberspace. Multinational corporations and organized crime syndicates, for example, all have some nontrivial capability to conduct offensive operations in cyberspace to further their interests, and even small groups of individuals can have a large impact by exploiting certain characteristics of cyberspace (e.g., WikiLeaks).

Although existing theories of escalation dynamics and conflict termination may serve as useful points of departure, what is understood very poorly today is how these theories may apply in cyberspace. In the future, finding ways to manage cyber conflict will be even more intellectually challenging than it was for traditional conflict.

Notes

1. The lag time between dissemination of a security fix to the public and its installation on a specific computer system may be considerable, and it is not always due to unawareness on the part of the system administrator. It sometimes happens that the installation of a fix will cause an application running on the system to cease working, and administrators may have to weigh the potential benefit of installing a security fix against the potential cost of rendering a critical application nonfunctional. Adversaries take advantage of this lag time to exploit vulnerabilities.

Sharing the Cyber Journey

Suzanne M. Vautrinot, Major General, USAF

0620 ZULU (1120 PDT): Based on remotely piloted aircraft (RPA) surveillance, special operations forces prepare to enter a village that contains a high-value target (HVT).

0630 ZULU: The mission commander in the joint operations center monitors the HVT and surrounding village activity via real-time video feed from the Predator aircraft.

0632 ZULU: The mission commander loses visual surveillance of the current operation.

While the operations center staff check their equipment, computer maintainers in dozens of locations check for indicators of hardware or software system failure; civil engineers evaluate power, chillers, and HVAC systems operation; network operators across the globe search for dropped fiber connections; satellite operators work to verify communication and data feeds; spectrum analysts look for jamming indications; intelligence analysts dive into indications of potential adversary action; weather experts evaluate scintillation—all while mission commanders check their watches. One operation, one mission, yet it requires a myriad of extraordinary experts—each unique and each integral to an RPA operation that depends on well over a hundred individual commercial and military network connections, dozens of integrated hardware systems, miles of fiber-optic cable, significant satellite bandwidth, and millions of lines of software code.

Welcome to the cyber domain: an environment of intellect, integration, and, for good as well as ill, complex interdependency. The scenario described above could affect equally any military weapon system or mission. In the vast majority of cases, these network dependencies are not well documented, the real-time status of network systems is not automated or transmitted, the supporting infrastructure is diverse and aging, the investigation remains essentially manual, and the fingers generally point to the “distant end,” located in the vicinity of Valhalla.

One might conclude poor performance, inadequate resourcing, or perhaps poor design, but the dynamics simply reflect the way cyber has rapidly emerged—in our equipment and in our collective psyche. Historically, technology was leveraged to improve performance of each weapon system relative to the environment in which it must operate.

That environment was governed by Mother Nature, and our ability to fly through, dive beneath, breathe without, orbit above, or move undetected was achieved by creating systems that overcame environmental limitations. Each new technology was ingeniously integrated into our ground, sea, air, and space systems to gain capability. By leveraging communications, computers, networks, and information technology, we improved the capabilities of each existing system while also making them dependent on a new environment—a man-made cyber environment. The acute dependency was unintentional, and like our legacy networks, it grew with the best of intentions and a dearth of strategic design.

A strategic discussion on cyber has become more than a DoD activity; it is now a national imperative. As Malcolm Gladwell might say, we are at a tipping point. Relative to cyber technologies, do we continue to bolt on or should we bake in? Regarding cyberspace as a man-made environment, do we simply respond to changes or work with our civil sector counterparts to alter the environment to our collective advantage? As we leverage the technologies associated with cyberspace, we have an opportunity to constantly create and re-create our environment—to design the future.

Leveraging the Past, Innovating the Future

Every generation stands on the many shoulders of greatness that preceded it. For military leaders and as part of our Air Force heritage, flying faster, turning tighter, launching further, viewing in more detail, and arriving with greater precision all align with a tradition of innovating beyond the heritage left by revered forefathers. The world we face today is significantly different from that of our predecessors.
From a military perspective, the most formidable changes do not just involve enhancing the physical attributes of our weapon systems or incrementally adjusting the traditional methods of employing those weapon systems. The distinction is that now we can leverage the virtual, and the implications are boundless.

We did not arrive at this point overnight. For decades, leaders in engineering, cryptology, computer science, information technology, and many other contributing disciplines expanded and then integrated these technologies. Yet, although the technical disciplines were varied, the application of cyber now follows a path similar to air, sea, and space in their early stages. Akin to the Wright Flyer’s relationship to the F-35, mainframes, and eventually personal computers, were the harbingers of our cyber capabilities. Continued platform development led to aircraft being used as a ground force and intelligence enabler during Army Air Corps operations. Similarly, integrated networks enabled the rapid dissemination of information for defense and intelligence operations. Code-breaking and cryptology applied to secure communications foreshadowed today’s cyber information assurance and exploitation capabilities.

Airpower eventually emerged as both a supporting element and a formidable alternative to traditional land and sea forces. The application of cyber capability to enable ground, sea, air, and space operations continues to accelerate, but as with airpower, we should similarly expect cyber to emerge as a strategic alternative.

To advance cyber toward this strategic alternative, Twenty-fourth Air Force (24 AF) was established as a war-fighting numbered air force focused on full-spectrum cyberspace operations.
It operates under three distinct roles: Air Forces Cyber (AFCYBER), the USAF cyber component force provider to combatant commanders (COCOM) through US Cyber Command; AF Network Operations (AFNetOps), the operator and defender of the Air Force portion of the DoD network; and 24 AF, the organize, train, and equip lead for USAF cyber personnel. Since both the AFNetOps and 24 AF functions oversee USAF-specific mission areas, they report to Air Force Space Command (AFSPC); in the AFCYBER role, they report directly to US Cyber Command and provide capabilities at the operational level to the joint war fighter.

Currently, we have a reactive defense posture that is outdated and manpower intensive. Our heterogeneous architecture, composed of legacy infrastructures, is difficult to maintain and provides limited situational awareness across the networks. With a steady topline cyber funding amount, as depicted in figure 1, every dollar spent toward protecting our networks needs to move us toward a more homogeneous and centralized architecture that can reap the benefits of automation. Future investments must reflect advancement toward automation and resilient architectures so the efficiencies gained in manpower can increase the capacity of a skilled technical workforce.

[Figure 1. Cyberspace investment challenge. Labels: cyberspace superiority portfolio; steady topline; capacity (number of sorties); combat effectiveness (type of sortie); reactive defense; proactive defense; offensive.]

We are at a nexus regarding future cyberspace operations providing for the national defense.
For the Air Force to fulfill its commitment to providing global reach, global power, and global vigilance, it must do what Airmen have always done—innovate. To accomplish these goals, we have developed three integrated strategies: deliver a robust, defensible, trusted network; operationally leverage cyberspace capabilities; and build and deliver combat power. The remainder of this article is organized around an Air Force leadership dialog and Airmen’s fulfillment of these strategies.

Deliver a Robust, Defensible, Trusted Network

The RPA exemplar applies equally to every military service member’s ground, sea, air, or space operations; to their civilian counterparts’ corporate business; and to local, state, or federal government activities. Each requires assurance that the networks, the multifaceted environment on which they are now so dependent, can be trusted to enable mission success.

Cyberspace is not simply the Internet; rather, it is a network of interdependent information technologies including the Internet, telecommunications networks, computer systems, and embedded processors. Its use has become ubiquitous within every public, industrial, academic, and military organization. Individually and collectively, we have increased productivity, interaction, performance, and efficiency by use of and by reliance on cyberspace. We “face-time” with friends and family, we pay bills via bank websites, parents monitor home security while away, and troops use social media to stay connected to home. Most importantly for this conversation, the nation and the Air Force have increased weapon system performance, extended operational capabilities, and enhanced command and control by leveraging cyberspace.

Yet, as with all things yin, there is a yang. The dark side leverages this common ground to steal, compromise, degrade, or destroy information; disrupt networks or communications; or deny service. In military terms, cyberspace is a contested environment.

Hacktivists, cyber criminals, terrorists, and adversarial nations are active in cyberspace networks across the globe; our military networks are no exception. DoD networks are probed millions of times per day. In a typical week, the Air Force blocks roughly two billion potential threats and denies two million phishing or spam e-mails.

Armed with an understanding of the growing threat to and our dependency on the network, Air Force leaders directed a service-wide migration to a more defensible network—creating the AFNet migration and facilitating a “defense-in-depth” alignment. Helping create this defensible construct, AFSPC, through its subordinate units at 24 AF and the Air Force Network Integration Center, is reorganizing and reequipping to address the limitations resident in current Air Force heterogeneous network architecture and the underlying technologies.

What is meant by “heterogeneous” network? We have many variances in hardware, configuration, and software licensing. As the network expands, updating and maintaining various systems becomes problematic. Inevitably, devices are not properly or consistently configured, and vulnerabilities arise. Moreover, the ability to discern the “root cause” of network issues requires significant time and resources to first understand the configuration, then find and address the underlying problems.

The process of moving from this dispersed, installation-managed network architecture to a single, homogeneous, and centrally managed Air Force network, called the AFNet, is the number one cyberspace initiative in the Air Force. Originally, the AFNet migration consisted only of consolidation of individual base active directory “trees” into a single Air Force active directory tree. Now the term has evolved into a broader concept involving all the necessary steps to move to a single Air Force network.

Industry counterparts like AT&T preceded us in this endeavor, applying significant up-front capital and draconian change management. Their conclusion, and ours, is that without the initial homogeny, we cannot implement the necessary sensors and automation to strengthen and defend network operations at the scale required for a global industry or military operations.

The first step was to realign AF network interfaces through a small number of gateways, thereby increasing visibility of network traffic as it moved into and among various organizations. This allows Air Force operators to observe patterns of (network) behavior and respond to anomalous activity. That response can include notification of other service and DoD-level operations centers (notably the joint operations center for US Cyber Command), implementing passive defenses within the AFNet, conducting forensics, reverse-engineering software, and supporting law enforcement and/or intelligence professionals in tracing the sources and potential implication of intrusions. The vast majority of this work remains appropriately invisible to network users; nevertheless, it is foundational to a defensible network.

The second step of migration involves consolidation of each individual base’s active directory structure into a single Air Force active directory tree. Simply put, active directory enables a centralized approach for network management and security. It provides services that authenticate and authorize users, assigns and enforces cyber policies, and simplifies updating computers. This will enable a simpler, more automated approach to managing the Air Force’s e-mail and SharePoint applications. In addition, it will allow shutdown of the legacy systems at each base. Airmen at all levels and every base continue to rise to the challenge, and to date, roughly a quarter of all locations have migrated, with a targeted completion in FY-13.

Migrating the entire Air Force population of roughly 850,000 personnel at over 400 locations will result in a much more defensible construct that aligns the Air Force leadership vision with the guidance and intent of US Cyber Command: to provide a more secure and, ultimately, operational platform.

There are many advantages to this AFNet migration, the most important being the opportunity to now increase sensing, automation, and situational awareness. In the Central Command Combined Air Operations Center, walls are filled with screens depicting operational status and battlefield video feeds for real-time analysis and decision making. The corresponding cyber information to depict network operational status and enable real-time analysis does not currently exist, nor was it possible prior to the rearchitecting of the AFNet. Operators in the 624th Operations Center, 24 AF’s command and control unit, manually perform the task of data synthesis after distant-end units enter status information into the system. There is no common operating picture of activity across our networks, making it more difficult to assess and respond to the threat environment. Yet, there are innovators: cyber professionals from many career fields who daily apply capabilities and leverage new tactics, techniques, and procedures to successfully provide mission assurance, threat detection and response, and network operations and defense. The capabilities for sensing the status and automating operational activities will continue to expand, and so must the capacity elements necessary to reach and execute full-spectrum cyber operations globally. Migration to a single architecture provides the opportunity for Air Force–wide network situational awareness—an awareness that enables robust, defensible, and trusted air, space, and cyber operations.

When designers of major weapon systems build cyber technologies into their programs, they fail to integrate them with the Air Force network. Frequently, these systems introduce cyber vulnerabilities into the network that cannot be patched or updated using established capabilities and processes. Networks cannot just be the domain of cyber folks; they must be central in the development and operation of every weapon system for design and connection interfaces. This requires application and enforcement of network standards for any weapon system that uses the Air Force network.

In that pursuit we are striving to increase awareness of rapid technological advances and best practices through partnerships with academia, industry, sister services, and government agencies. General Alexander outlined in his recent remarks to the Senate Armed Services Committee that, in his view, there are three key players that make up a cross-government team to mature and implement an effective cyber strategy for the nation:

the Department of Homeland Security, the Federal Bureau of Investigation, and the DoD/intelligence community/National Security Agency/USCYBERCOM. Through USCYBERCOM, we have teamed with cyberspace law enforcement counterparts: leaders like Steve Shirley at the DoD Cyber Crime Center, and the OSI to share information on current threats and tactics as well as leverage their unique forensics expertise. Via 24 AF and the Air Force Computer Emergency Response Team (CERT), the USAF participates in the Defense Industrial Base Initiative, an agreement with over 30 industry partners, including many of the larger corporations in this country, to collaborate with the Departments of Defense and Homeland Security to share sensitive threat information and thereby improve the collective cyberspace defense. Moving forward, we will continue to leverage the great capacity and unique capabilities of not only 24 AF and Air Force Space Command but also the expertise of Airmen in our intelligence, law enforcement, and engineering development communities.

The Air Force utilized partnerships with Department of Energy and university national laboratories, like Lawrence Livermore National Laboratory, to deliver a network defense system in the early 1990s. We continue to develop and expand those core relationships today. We are working with Lawrence Livermore to field a network situational awareness capability that is being used by other government organizations. These channels for cooperation increase the flow of information and create a higher level of awareness across all levels of academia, industry, and government.

Improving our defensive network posture is not just about changing equipment and infrastructure; it is also about adopting a proactive defense mind-set.
Instead of waiting until an adversary penetrates our networks to assess our vulnerabilities, we have created a specialized team that searches our networks and seeks out those vulnerabilities before they are exploited.

This mobile precision capability demonstrates the viability to identify, pursue, and mitigate threats impacting critical links and nodes and provides an additional tool in protecting mission networks. However, we cannot seek or defend everything, so identifying and defending those interfaces that are essential to mission success are crucial. A key facet of this mission is identifying and focusing on a COCOM’s prioritized “defended asset list,” those critical areas that must be able to operate through an attack. In creating this team, we partnered with the US Transportation Command, as tanker information, logistics tracking, and airlift movements are some of our adversaries’ highest-valued targets. As yet a nascent capability, this team may represent one of the most viable missions for expansion.

Proactive defense also reduces the need for human in-the-loop processes; it is far superior to the current reactive process. When we detect an intrusion attempt, the Air Force CERT identifies the characteristics of that attack and updates active sensors, located at multiple defensive levels within the network, with the “learned” information so they can deter existing threats and repel the next attack using the same method. We share information with our academia, industry, and government partners so similar methods of attack can be thwarted across the domain. Our goal is to move away from this reactive process and develop a heuristic capability.

Rather than operators having to inform the sensors about each new attack attribute, the sensors themselves will recognize and repel similar attack patterns. Automating this process would further allow us to devote capacity to expanding defensive or mission assurance operations.

Previously, we did things for the sake of the network itself, as if it were the end objective. This resulted in defending every part of the network essentially the same. Our defensive architecture was deployed to defend critical mission systems, core services, and business systems equally. Our primary defensive organization, the Air Force CERT, could not easily distinguish critical mission systems from routine business systems at a base.

Today, this is changing. Emphasis is on supporting operational missions dependent on cyberspace. The focus is on the mission, not the network.

This fundamental shift in perspective has driven both how AFSPC crafted the AF Cyber Core Function Master Plan and how AFCYBER refocused its operational activities.

Operationally Leverage Cyberspace Capabilities

Cyberspace operations encompass more than the management and configuration of hardware and software. The Air Force can leverage cyberspace to create integrated effects to respond to crises and conduct uninterrupted operations. As mentioned earlier, instead of responding to the cyberspace environment, we can leverage it to our advantage and our enemies’ disadvantage. This provides myriad opportunities to develop and provide new capabilities to the war fighter while offering our adversaries new avenues of attack if we do not fully understand the environment we have created.

The repercussions of this new environment must be considered when developing tools and extending the domain to austere locations.

We have come a long way in changing our priority from network assurance to mission assurance. Airmen have begun to distance themselves from a “service provider” maintenance mentality and transition to a “complete the mission” focus. A great example of efforts in this area is support to RPA missions and the objective of operating through a cyberspace attack or outage and accomplishing the mission. Providing mission assurance required extensive front-end mapping to understand the various links from the United States to the overseas flight. The system was designed with over 100 touch points, many of which are not military-controlled, across several different networks, making it critical to establish relationships with commercial organizations. The forward commander of joint air assets prioritizes the most critical RPA missions, and then our operations center identifies and takes proactive steps to ensure the availability of key nodes and failure points along the network infrastructure. While we cannot assure every RPA, we can focus our resources on the highest-priority missions to deliver the greatest downrange advantage. This provides a stark contrast to previous net-focused priorities that resulted in equal defense across the network.

In addition to mission assurance, we are engaged in global operations as the Air Force cyber force provider to US Cyber Command. Over the past two years, our operational units have conducted 17,000 computer network operations in support of combatant command and national agency taskings. Our Airmen executed pursuit of an HVT through computer network exploitation that enabled special operations forces to eliminate the target. We have directly supported objectives to disrupt terrorist command and propaganda efforts.
Cyber represents an alternative; it can provide kinetic effects while using nonkinetic capabilities. COCOMs are beginning to recognize these alternative capabilities and incorporate cyber early in the campaign planning process. Lt Gen Michael Basla, while Air Force Space Command vice-commander, said senior commanders had asked him for the “menu of nonkinetic cyberspace capabilities so they can integrate those into their planning processes.” Cyber capabilities are driving a change in the way we plan, and they require flexibility and a focused, detailed understanding of the cyber environment. We are leveraging the Air Force intelligence community to achieve full-spectrum mission objectives.

To support theater planning for operations in and from cyberspace, target development plays a key role in application of capabilities, especially with respect to industrial control systems (ICS). Rail yards, ports, and power plants are generally built in the same manner worldwide, whether in Tennessee or Ukraine. The initial 80 percent of system understanding can be performed with industry research; the last 20 percent of interface with a particular system requires substantive effort to establish the connections necessary for effective capability employment. Similar to our defensive discussion in figure 1, we currently provide a niche capacity and nascent capability to the war fighter. With constant cyber funding and resources gained from proactive defense, OPLAN-level niche targets, such as ICS infrastructure, offer opportunities to expand combat effectiveness in a resource-constrained environment.

There is a lot of angst on the issue of authorities, and most of it stems from a lack of understanding of how to leverage the necessary authorities to accomplish the mission. Flexibility within the law allows leveraging all the authorities necessary to accomplish the mission without necessarily having a position that bestows the authority on 24 AF.
War fighters routinely operate within their inherent Title 10 roles while leveraging the NSA’s SIGINT authorities (Title 50) to support planning and targeting requirements at the tactical, operational, and strategic levels. War-fighter requirements are submitted to the NSA via the national SIGINT requirements process (NSRP) and are vetted and serviced based on national and theater priorities. This system works well and has been tested in the crucible of war many times. Likewise, 24 AF has units assigned, which are Title 10 units but have a US Signals Intelligence Directive (USSID) that defines the limits and processes they use to collect signals intelligence under the oversight of the Air Force Intelligence, Surveillance, and Reconnaissance Agency and the authority of the NSA. These units routinely move between conducting missions under both their Title 10 and Title 50 hats.

Title 32 authorities define how National Guard units support their respective state. Oftentimes, Air National Guard forces can rapidly transition from Title 32 to support Title 10, all the while exercising caution to ensure Guard members are not put in positions exceeding their authority. For example, when an Air National Guard F-16 is on alert supporting NORTHCOM’s air sovereignty mission, it can be training under Title 32, but when it is scrambled, it immediately transitions to a Title 10 role. Conversely, when a natural disaster strikes a state, active duty forces are limited in what they can do under Title 10, but National Guard forces from that state, under the direction of their governor, have more flexibility.

This is important when we look at operations in the cyber domain, especially associated with the nation’s cyber infrastructure. Industrial control systems are becoming ubiquitous and operate everything from power, water, and fuel systems to building alarms and environmental systems.
Title 10 forces assigned to 24 AF have the authority to assess and defend the ICS on a military base.

However, they have no authority to deal with systems off base that are essential to military operations. This is a Department of Homeland Security (DHS) responsibility. Though, under certain circumstances, National Guard units, when invited by the civilian entity or acting under the authority of their governor under a declared state of emergency, can be called up to defend these systems. Interagency policy must continue to evolve and enable these units to synchronize efforts between National Guard and active duty forces to ensure the mission is not interrupted by attacks on the ICS infrastructure off base. Sharing of intelligence and vulnerabilities must also be improved. Today, the national ICS CERT at Idaho National Laboratory performs this function under the authority of the DHS. Synchronizing the ICS CERT efforts with military ICS defensive measures must continue to improve if we are to provide a comprehensive defense of our critical national infrastructure.

Twenty-fourth Air Force can also leverage law enforcement authorities (Title 18) when necessary through our embedded Office of Special Investigations (OSI) support. The OSI works with other law enforcement agencies to investigate cyber crime impacting Air Force networks.

Protecting our information lines of communication and understanding the adversary’s key information lines of communication are within the 24 AF’s set of responsibilities. We must consider information our key center of gravity and understand what particular information is mission critical to our success. This is not as easy as it may first seem. Are precision navigation and timing our most valuable information, or are timely communications with our airborne assets, including control links to our remotely piloted aircraft? We could expand this list considerably, but the point is made. The difficulty comes when we map the information flows to the supporting infrastructure. Without this level of detail, we cannot adequately defend mission-critical information.

We must also analyze the information centers of gravity of our adversary. This obviously includes those information lines of communication essential to its military operations, but it also includes other information lines of communication that impact the adversary’s populace, allies, and supporting entities (including nonstate actors). Similarly, it is critical to understand the information lines of communication that support the adversary’s infrastructure, including machine-to-machine communications. By understanding these essential information pathways and systems, we can produce strategic effects without ever staging our forces near an adversary’s weapon systems.

Build and Deliver Combat Power

A proper foundation is critical to building a strong structure. It starts with early exposure to science, technology, engineering, and mathematics (STEM). The Air Force supplements the foundation with formal training to create the skilled technical workforce required to manage and protect its cyber resources and facilitate mission users. A successful STEM program requires collaboration and partnerships with local and national academic and civic leaders.
At the high school level, CyberPatriot is the premier national cyber defense competition. It inspires students toward careers in cyber security and other STEM disciplines. At the college level, students compete at the National Collegiate Cyber Defense Competition, and future cyber defenders test their acumen in the National Security Agency’s Cyber Defense Exercise. For Reserve Officer Training Corps cadets, the Advanced Course in Engineering summer program consists of an instructional component and cyber war games, hands-on internships, and cyber officer development that focuses on the study of cyber and its unique leadership challenges. The Air Force Academy’s first cyber competition team won the 2012 Cyber Defense Exercise while competing against other service academy cadets, DoD postgraduate students, and the Royal Military College of Canada. In the same week, the team traveled to San Antonio, Texas, and placed second in the National Collegiate Cyber Defense Competition out of 136 teams.

In such a dynamic environment, relying only on a STEM background is insufficient for continued success. That is why the AF has established deliberate processes for training and certification of its cyberspace professionals. Undergraduate cyber training (UCT) is a rigorous six-month program to provide foundational training for new cyber officers and enlisted personnel. Intermediate network warfare training builds on UCT and delivers qualified operators prepared to serve in a wide range of positions. Mission qualification training provides unit and position-essential instruction. Similar to the Space 200 and 300 programs, cyber professionals attend Cyber 200 or 300 taught by the Air Force Institute of Technology. These courses provide the career force with continuing education.
Last month, we borrowed a page out of our air and space domains by graduating the first weapons instructor course class at the Air Force Warfare Center at Nellis AFB, Nevada. This course teaches professionals to integrate capabilities across air, space, and cyberspace to deliver precise effects. In an effort to increase joint capacity, our sister services are invited to participate in future classes.

DoD training and certification standardization, to include the Guard and Reserve, is key to the nation’s success in cyberspace. To emphasize the need for the same training and certifications, the organized Reserve Corps was formally established in 1948 by the Truman administration, but it was not until 1973 when Secretary of Defense James Schlesinger declared the Total Force policy. The Air Force Reserve was held to the same readiness standards and inspections; mobilization planning, operational evaluation, and participation in exercises enhanced Air Reserve Component (ARC) capabilities. In cyber, we can incorporate that same readiness standard, but we must leverage the ARC differently than we have traditionally. We require associations, with flexible drilling, that allow Guard and Reserve members to perform active missions, not merely training scenarios. In the dynamic cyberspace environment, continued engagement is the best way for the ARC to both support our substantial steady-state mission requirements and be optimally trained and prepared to mobilize, if needed, for a more robust cyber defense of our nation. That continued engagement by our citizen Airmen also enables us to leverage private-sector skills while at the same time providing knowledge gained from bona fide mission experience that should be beneficial to civilian cyber roles in local communities and improve the defenses of industry and government, bringing mainstays of cyber to Main Street.
This fuels collaboration between the DoD and the private sector and raises the overall level of national cyber security.

Within the strategy document titled Sustaining U.S. Global Leadership: Priorities for 21st Century Defense, Secretary of Defense Leon Panetta makes clear that cyberspace forces are a key component to the nation’s ability to project combat power. Specifically, “Modern armed forces cannot conduct high-tempo, effective operations without reliable information and communication networks and assured access to cyberspace and space.” To provide resilient, cost-effective cyberspace capabilities for the joint war fighter, an innovative, rapid, tool development process must be accompanied by an acquisition program that reflects an immediate-, medium-, and long-term systems approach.

A factor that hinders the development of cyber capability is the outmoded practices, policies, and rules that guide cyber acquisition from the top down. The current acquisition system was constructed and optimized to support the acquisition of large-scale weapon and training systems. It is based on the five-year Program Objective Memorandum (POM) cycle, which starts two years out from the beginning of the planned acquisition.

This drives us to develop large acquisition programs that can survive the vetting process within the Air Force and the Office of the Secretary of Defense. These programs are built from requirements that are defined years in advance and remain relatively static throughout the POM process. The end result is acquisition of outdated equipment and inflexibility that prevents adapting leading-edge technology while it is still leading edge.

One example is the modernization of the Air Force boundary. Prior to 2010, the Air Force boundary was defined by more than 140 Internet points of presence, one at each base. But since 2003, we have been consolidating these Internet gateways into 16 regional gateways that now define the boundary to the Air Force network. While the benefit of consolidating the boundaries is indisputable, the “controls” on program execution illustrate the challenge with applying traditional acquisition methodology to cyber modernization and domain design. Planning for the program began in 2003, and the final gateway was fielded in 2010. By the time the last gateway was fielded, the equipment was obsolete. Although certainly willing to innovate, the process prevented alternatives which kept pace with an intensely dynamic man-made, necessitating modernization of the gateways as soon as they were fielded.

Complicating things further, acquisition programs often field capabilities without a clear understanding of their operational impact on the defensibility, operability, and sustainment of the domain (on behalf of all who use it). Standard acquisition practices often resulted in the fielding of multiple brands and/or standards of network components such as routers and firewalls, adding to the operational burden for the units maintaining and operating the equipment. For example, the Air Force network infrastructure from DISA to the base boundaries includes 1,800 same-brand network routers and switches.
Personnel trained on that standard brand are very skilled at operating and configuring those routers. However, a subset of bases deviated with four different brands or variants of routers and switches…without interface testing or a standard for configuration. A small communications team on a base can be trained to efficiently operate nonstandard gear, but as operations are consolidated at network operations units that have enterprise-wide responsibilities, it places undue strain on significantly reduced resources. In theory, these dissimilar infrastructure devices should all communicate with little difficulty, and configuration should be similar. But it does not work that way. While this adds diversity to the network, the ultimate result is a highly heterogeneous network architecture that significantly complicates updating and maintaining these devices. Central management becomes difficult if not impossible, and inevitably, some of the devices do not get properly configured and thereby create vulnerabilities. In addition, training and manpower requirements to maintain such a heterogeneous network cause an unacceptable burden on the already limited cyber manpower resources. This creates a huge workload for Air Force network operations units and adversely impacts the reliability of service to some bases. This problem will be exacerbated as the Air Force continues to offload work from the shrinking base communications units to the network operations units.

One additional innovation involves Air Force Materiel Command (AFMC) working with AFSPC to establish a Cyber Solutions Center in San Antonio. This center of cyber innovation primarily supports rapid acquisition providing cutting-edge capabilities for the joint war fighter. It has acquisition professionals from AFMC, science and technology expertise from Air Force Research Laboratory, and is integrated with the cyber development expertise resident in the 24 AF.
This team of acquisition, technical, and operational experts is integrated with the daily operations of 24 AF and becomes a powerful engine for innovation that greatly increases the Air Force’s ability to create and integrate new and innovative technology. This type of collaboration, along with DoD standardization, increases the capacity of a skilled technical workforce to leverage full-spectrum capabilities to meet the Air Force vision of global reach, global power, and global vigilance.

One opportunity 24 AF is working, in close coordination with AFSPC leadership, is revamping the current program for increasing bandwidth and connectivity at the bases. The legacy program is primarily focused on older, wired technology and fails to leverage the capabilities available with today’s wireless technology. By leveraging new technology, we will provide ubiquitous connectivity to base users, reduce infrastructure, increase reliability and resilience, and enable control of government-owned devices to enhance productivity.

Conclusion

Twenty-fourth Air Force is extremely proud of the part its Airmen play in defending the nation in cyberspace at the “speed of cyber,” that is, Mach 880,000. The Air Force core contribution to specific joint operations and to the nation’s defense is its ability to command, control, and precisely apply forces to provide inherent reach, power, and vigilance—globally. We have effectively leveraged the cyber domain to enhance these core capabilities and to expand operational effectiveness in every engagement. However, this drives a dependency on the networks that directly exchange critical information, often with little human involvement. This trend is only going to increase, as is the trend for adversaries to undermine or contest our ability to leverage the domain. We cannot revert to the days when we, and our platforms, operated without reliable, near-instantaneous access to information—time marches on, and innovators surge forward.

The Specter of Non-Obvious Warfare

Martin C. Libicki

Innovations, both technological and organizational, over the last few decades have created a potential for non-obvious warfare,1 in which the identity of the warring side and even the very fact of warfare are completely ambiguous.

The Stuxnet computer worm is only the most recent widely publicized example. This worm is believed to have infiltrated Iran’s Natanz centrifuge facility, causing equipment to destroy itself over a period of weeks and leading to the premature retirement of 10 percent of Iran’s uranium enrichment capability. Within several months of the worm’s public disclosure (September 2010), Western intelligence sources announced that the earliest date Iran could build a bomb had been pushed back several years.

Until the worm was discovered and dissected, the Iranians were uncertain why their equipment wore out so fast. Indeed, when confronted publicly with the possibility, they first denied that any such attack had happened, only to reverse themselves obliquely two months later.

Although non-obvious warfare can be epitomized by cyber warfare,2 states can attack one another in many ways without the victim being certain exactly who did it or even what was done. Some, like electronic warfare (against nonmilitary targets) and space warfare, have yet to materialize in any strategically significant way. Others, such as naval/land mining or sabotage, have long historical antecedents. What they share is ambiguity. A short list of warfare types that could plausibly be conducted in a non-obvious manner includes

Non-obviousness is enhanced if the events in question can themselves be questioned. Some could be accidents or utter mysteries, for example, the unexplained failure of a satellite. Others could be crimes, such as bank robberies by politically inclined groups, or acts of espionage—many events labeled as cyber attacks are really attempts to steal information.

Nevertheless, some non-obvious warfare incidents would clearly be acts of war if they were obvious—in which case, the key ambiguity is the actor not the act.

Some forms of warfare are non-obvious because the relationship between the attacker and a state is unclear; for instance, to what extent is Hezbollah working for its own ends, and to what extent is it a puppet manipulated by Tehran? In some cases the perpetrators may be state employees that are not necessarily, or at least not provably, working under the command and control of the state itself. Does the fact that someone close to the Russian political structure claimed credit for having organized attacks on Estonian institutions in Russia mean it was an attack by Russia?3 Pakistan’s ISI intelligence agency has been accused of shielding Taliban warlords; so, is Pakistan at war with Afghanistan? If both questions can be answered “yes,” then these are two examples of non-obvious warfare.

Finally, many forms of non-obvious warfare present no personal risk to war fighters—which it would have to, almost by definition, since the capture or identification of the perpetrator may make the source of the attack obvious. But one cannot conclude that states that employ such war fighters are off the hook just because their war fighters are. A no-fingerprints approach to warfare may be a logical next step after a no-footprints approach, but the two are still quite different.

Non-obviousness is not an absolute, and the actionable response threshold for the victimized state will vary greatly. The primary criterion is how confidently the victim feels a particular state carried out an attack—if, indeed, what happened really was an attack. This perceived likelihood is almost always going to be nonzero. Few states truly believe that no other state wants to harm them. Even what later prove to be accidents (e.g., the explosion in the USS Maine) are often blamed on other states (e.g., Spain).

If there is a crisis (e.g., Spain’s attempt to quell a Cuban insurgency), the tendency to believe that any harmful and unusual occurrence was an attack will be that much higher.

So the attacker who would strike with impunity must ask whether or not the confidence with which the victim believes that it carried out the attack is likely to be greater or less than the confidence that the victim requires to respond to the attack. Everything depends on what the threshold of response is, and there may be many types of responses. Evidence sufficient to gain a criminal conviction in a US court “beyond reasonable doubt” is rarely the issue, although similarly high levels of confidence may, in fact, be required before the victim decides to go to war. On the other hand, mere suspicion may suffice to curtail active or disapprove prospective cooperative arrangements such as mutual military exercises, joint research, or network peering relationships. With some forms of non-obvious warfare, the target may be uncertain of state sponsorship but may convince itself that such a state has to shoulder some blame if it reasonably could have detected and stopped or hindered such an attack and refused to do so.

Exactly how the target state acquires the confidence that another specific state carried out an attack will also vary, but one cannot go very far wrong by considering means, motives, and opportunity. Opportunity—in the form of some traceable delivery vehicle—often best distinguishes obvious from non-obvious warfare. But opportunity is only one leg of the triad.

Consider, for example, how the United States would react to the detonation of a so-called suitcase nuclear weapon circa, say, 1962. The suitcase would be incinerated, leaving little forensic evidence. But at that time, only three other states had the means to carry out a nuclear attack, and of those three, only one, the USSR, had a motive to do so. In such circumstances, the lack of a visible delivery vehicle would have little dented US confidence in the belief that the USSR had done it. Similarly, for many types of non-obvious warfare, such as attacks on spacecraft, the list of suspects would be fairly short since the number of space-faring nations is limited (although, in that case, the victim must also credibly distinguish accidents from attacks).

Types of Non-Obvious Warfare

What makes various forms of non-obvious warfare, in fact, non-obvious?

We examine them individually.

Cyber Warfare

Hackers can sit anywhere and attack systems around the world, disrupting their functioning, corrupting the information they hold and the algorithms they run, and, as Stuxnet showed, even breaking machines by feeding them harmful commands from hacked systems. Attribution is particularly difficult for a cyber attack. The ones and zeroes that constitute the attack do not bear the physical residues of their operators (especially if these ones and zeroes are copied from others’ tools). Successfully attacked systems, almost by definition, cannot distinguish an attack from completely benign inputs at the time (with a distributed denial-of-service attack, it is volume, not content, that matters; the attacking bytes generally come from “innocent” machines that have been tricked into spamming the victim). Forensic methods such as tracing the attack back to its sources can be easily frustrated by bouncing the attack through enough portals, using the services of an innocent machine, or jumping on a third-party Wi-Fi connection. Difficulties in attribution may well be inherent to the medium and unlikely to be improved upon in coming years. States wanting to guess who attacked them find they must rely on means and motive.

Means offer only a little help for an unsophisticated attack, since over 100 countries have investigated offensive cyber war and the list of hackers includes organized crime groups, nonstate actors, and individuals. It is generally believed that only a state could have pulled off a sophisticated attack such as Stuxnet, with its four zero-day exploits and two stolen certificates. Iran may have figured, once it realized that it had been attacked, only Israel and the United States would have both the reason and the talent to carry out such an attack. But it is not entirely impossible that either Russia or China may have wanted to retard Iran’s rush to nuclear weapons.

No one yet knows whether cyber attacks carried out in a non-obvious manner will prove advantageous to those who carry them out. It is by no means clear that Russia’s (or Russian) attacks on Estonia or Georgia did it that much good. If Israel attacked Iran in cyberspace, what looks like success may be viewed as the beginning of a new set of military operations, or, alternatively, a very special case that no one else can or need duplicate.

Space Warfare

Satellites normally lose capability from time to time in the depths and darkness of space. An attack on a satellite without the attack vehicle being discovered may come close to the perfect crime. States may want to know what happened, but de-orbiting a satellite may not necessarily be something the satellite was designed to do, may be rendered impossible by the nature of the attack, and will require the expenditure of a substantial amount of fuel. Although post-recovery analysis would likely indicate what happened, it still may not answer who did it.

That noted, getting away with “satellite murder” presents difficulties. The United States has the capability to find every sufficiently large ground-based missile launch and tracks space objects supposedly the size of wrenches (the exact details are undoubtedly classified). Because it has a fairly good idea what every satellite is supposed to be doing, those otherwise employed necessarily get noticed, but the advent of microsats, nanosats, and picosats may complicate detection by subtraction in years to come. Ground-based systems might blind satellites, but the satellites have to be looking at whatever it is that is doing the blinding (hence, indicating where the laser is coming from). The number of states that can buy a launch is much larger than the few that can launch objects into space.

Electronic Warfare

As our wired world becomes increasingly wireless, the potential for electronic jamming grows apace. Small generic radiating devices surreptitiously emplaced or scattered about can block GPS signals (at least for commercial receivers) and wreak havoc with communications, ranging from cell phone and emergency communications to machine controllers.

Such devices can sometimes be quite difficult to find but not hard to characterize (deliberate jamming is unlikely to be confused with natural causes or accidents for very long). Using generic devices can frustrate trace-back, but the real trick in anonymity is to not get caught emplacing such devices. Once the devices start operating, their lifespan is limited, either because they are discovered or because their batteries die.

Drones

Under some relatively narrow set of circumstances, an attack by drones may be carried out without firm attribution. The requirements are many.

The drone has to avoid crashing (or must be recovered if it does); otherwise, there is a fair chance of tracing even a generic drone back to its last buyer. The targeted country either has to have relatively poor radar coverage or abut territory or oceans where there is no radar coverage. If the drone comes from the ocean, the list of possible attackers can be limited to those with ships in the area at the time. The drone itself has to be fairly generic—so that its profile at a distance is consistent with the inventory of many different countries—or else stealthy. Finally, the possibility that a drone attack can be a non-obvious attack by the United States must await the development of attack drones by countries other than the United States—failing that, any such drone will be assumed to be American. For states on the outs with the United States, the combination of motive and means may suffice.

Special Operators, Saboteurs, and Assassins

As with drones, the key to maintaining anonymity in special operations is to avoid getting caught. Ironically, the ability to carry out many special operations without getting caught requires so much organizational and professional skill that the number of countries capable of doing this is few—making accusations that much more credible. Hence, perfection may be its own undoing, unless the attacker shows considerable restraint.

This category includes mine-laying by stealthy conveyance (e.g., submarines), which gives it a historic resonance, if nothing else, but also contemporary resonance, as in the mysterious—and disputed—damage to an Irish vessel primed to run Gaza’s blockade.4

Proxy Attacks

This broad category includes terrorists, insurgents, militias, and privateers. Attribution becomes difficult because it generally requires the perpetrators be caught (or use a recognizable modus operandi) but mostly because it requires tying the perpetrator to a major actor. In practice, however, the link between insurgent groups and states really is ambiguous, and not necessarily by design; empowering individuals with organization, ideology, and weaponry tends to make them believe that their goals are important in and of themselves. The Vietcong, for instance, may have been established and sustained by North Vietnam but had somewhat different priorities.5 Africa provides a more apropos case in which various countries that sponsored insurgencies against their neighbors managed to find themselves under siege by insurgents of their own, similarly backed.

Attacks Using Weapons of Mass Destruction

The so-called suitcase bomb of the Cold War era has been joined by the use of biological and chemical agents—of which there are many types—all of which offer, at least in theory, a method of killing people without a state necessarily getting caught doing it. Because weapons of mass destruction, as a general rule, are relatively small, their use may not require forcible insertion, and modern electronics allow them to be detonated remotely. However, such attacks are considered particularly heinous, and nearly every state has signed one or more international treaties against doing so. For that reason, more such attacks may well be traced to their ultimate source than a similarly stealthy attack by high explosives. Granted, infectious agents, particularly those that may yet be invented by DNA recombination techniques, can be delivered in a very stealthy manner.

But unless a state’s own citizens are somehow immune to their effects, it is unclear what that state would gain from using them or, if used in a “doomsday machine” mode, why a state would want to be non-obvious about the matter.

Intelligence Support to Combat Operations

Although technically not warfare, a state with a sophisticated stand-off intelligence collection and processing/distribution mechanism can provide data that can be a great help for its friends. If the assistance is not directly intercepted and its distribution is limited, then others would have difficulty discerning the origin for certain (although states may suspect that opponents punching over their weight may have gotten some help, only a handful of countries could and would supply it). Unlike other forms of non-obvious warfare, helping out with information is not particularly heinous, and denials—or at least “neither confirm nor deny”—are par for the course in the intelligence world. Nevertheless the supplying state may not want to show its hand in the conflict lest it be accused of being a belligerent or if it has a rival that can then justify its own assistance to the other side.

It merits repetition that unless the attack looks like a complete accident—and the target is completely credulous—there is no such thing as a completely unattributable attack. Every state has its enemies or untrustworthy friends, and if anything untoward happens, the usual suspects will be trotted out for examination. Conversely, plausible deniability matters only if the victimized state really does need something close to judicial proof to take action or is relieved that the authorship of the attack is not so obvious that its unwillingness to respond is not seen as cowardice. Perpetrators do not have to be caught red-handed to suffer reprisal in the hands of those who can put means, motives, and opportunity together to form a sufficiently robust basis for action.

The Uses of Non-Obvious Warfare

It is often easier to state what cannot be done with non-obvious warfare. Its inapplicability for conquest and specific coercion has already been noted.
Furthermore, any purpose that requires a sustained series of attacks cannot use a non-obvious warfare technique if the probability of ascription for each attack is nonzero and the probability of ascribing one event is at least somewhat independent of the probability of ascribing another.

This rules out space warfare, electronic warfare, drones, and special operations. It may also rule out cyber warfare but is less likely to rule out proxy warfare—where attribution has to be inferred rather than discovered—and intelligence support to warfare.

So what can be done with non-obvious warfare? One use is general coercion or dissuasion. Instead of signaling, “if you do this we will do that,” the signal is, “if you do this then bad things will happen to you.” Because the act of signaling itself may implicate the attacker, it helps if the signals come from someone else. Others may be willing to help if there are multiple states with a common interest, such as Vietnam, Indonesia, and the Philippines all opposing Chinese bumptiousness in the South China Sea.

These others may also be co-religionists or co-ideologues (e.g., “disrespect our religion and bad things happen to you”). The use of non-obvious warfare for compellence is trickier to pull off insofar as it is easier for disparate entities to agree on what can be condemned than to agree on what should be done.

Another fairly obvious use is sabotage, à la Stuxnet, carried out to deny its target some capability. The difficulty is that sabotage is rather pointless unless it takes place on a very large scale or is somehow associated with an operation (if it is a combat operation, the target might assume that the saboteurs work for the combatants). Even if the damage is permanent, states can generally recover. The attack on the Iranian centrifuges made sense because of the strong desire felt by some countries to hobble Iran’s nuclear program and buy time. Another rationale for sabotage is to push a target past a nearby tipping point, even if this tends to be visible only in retrospect. Otherwise, the consequences of carrying out what could be an act of war may outweigh the gains, even if getting caught is unlikely.

An untraceable attack of sufficient magnitude may also weaken the target prefatory to an armed attack or at least so distract the target that it cannot assign the resources, such as sensors, in-place weapons, or management attention, required to foresee and prepare for what turns out to be an imminent overt attack. Clearly, if an attack does come, the precursor will cease being a non-obvious attack in retrospect (unless the target has multiple eager enemies, each looking for signs of weakness, in which case, what looks obvious may still be wrong). The advantages of starting in a non-obvious mode are twofold. First, if the initial attack were obvious the target might countermove in ways that would make the attack harder to pull off.
It may know where to point its defenses, so to speak; it could rally others to pressure the attacker; or it could even counterattack. Second, if the attack falls short of its objectives, the attacker may cancel the overt attack and remain obscure in hopes of eluding punishment.

Correspondingly, a non-obvious attack may be a test to see if the particular technique works, what the target’s defenses are, and where improvements should be sought. It would be an expensive test if the target itself should learn something about its vulnerabilities and thereby have cause to work them and evidence on how to do so.

Non-obvious operations can also help win the wars of third parties.

Such help can be non-obvious either if the fact of help is not obvious or if the source of help could be any of several countries or entities such as insurgent or mercenary groups. This raises the question of why such a state would want not to leave fingerprints. One reason is that the attacks take place in a country other than the one that wanted help (e.g., Syria attacks Iraq, and the United States attacks targets in Syria), thereby becoming an act of war in its own right and an excuse for the attacked country to call on its friends to help (e.g., attack Iraq). More likely, however, the assistance supports operations within the state under attack, either by another state or by insurgents, so these factors do not come into play. What does matter, however, is the appearance of commitment and how it prevents assuming a commitment to pursue victory or lose face. Intervening and then withdrawing prematurely raises doubts about the state’s seriousness of purpose and even trustworthiness, even if such a state never made an explicit commitment to stay the course.

Non-obvious warfare can also be carried out for narrative effect. Normally, in warfare the attacker and the target are both part of the narrative, and unless the attacker’s actions are totally baseless, the contest over narratives is likely to be two-handed with each side’s fans supporting their own side. However, if the attacker is unknown, or at least unclear, then the focus of the story is necessarily on the target, and the theme is likely to focus on why the target was attacked—and may well dwell on what the target did that merited the attack or why the target could not secure itself.
That, in fact, may be the attacker’s motive: to create a crisis of confidence in the target state, either weakening it outright, creating fissures in its body politic, or at least making it more amenable to concession.

Finally, if an attacker can persuade the target that it was hit by a third party, it may catalyze conflict that will be to the attacker’s advantage. A non-obvious Taiwanese cyber attack on the United States during a crisis with China, for instance, might put the United States at odds with China and thus more likely to support Taiwan. An attacker that instigates a war between two former trading partners could force both to purchase from the remaining relevant neutral, the attacker. Of course, if attribution follows, the attacker will have made one enemy it did not need and perhaps a second enemy as well—the country that the attacker hoped would be fingered.

The Target’s Response Options

In some cases, ambiguity works to the target’s advantage by giving it an excuse to avoid responding; it can claim uncertainty about who perpetrated the attack or what, in fact, was done. Not knowing helps the targeted nation ward off popular calls to fight and redeem its honor. In some cases the attacker itself may not necessarily think the worse of the target’s honor if no response ensues; in other cases, it will convince itself the target knew but was lying to avoid a confrontation. Consider, analogously, the phantom Israeli nuclear arsenal. Once other powerful Middle Eastern states acknowledge that Israel has nuclear arms, they must answer as to why they do not. No polity is fooled, but neither must it be taunted by the prospect.

Mostly, though, targets would simply want such attacks to stop—but how? Defense is clearly an option and one that would logically assume greater importance the less it can lean on not hitting back because it is unsure about who committed the offense.
Another option is to help create pressure from the world community to end the possession of the requisite attack technology, but most of these cannot be effectively banned. Cyber weapons are largely the obverse of system vulnerabilities, the attack code is trivial to hide, and the underlying technologies of offense are required for cyber defense. Electronic jamming is inherent in the ability to generate radio frequency energy. Intelligence support for third parties is identical to intelligence support for military operations in general. The weapons of sabotage, special operations, and insurgencies are small arms. Conversely, weapons of mass destruction and land mines (but not naval mines) are already banned by treaty. The only weapons not covered by treaties that could conceivably be banned are antisatellite weapons and drones; both have legitimate (overt) military purposes. More broadly, it is how such weapons are used rather than the weapons themselves that determines the characteristics of non-obvious warfare.

A variant on the second approach is to develop a global consensus that the covert use of warfare is far more heinous than its overt use. Thus, if such weapons are used—something that may not always be apparent—the world community would support efforts to pressure potential users into allowing investigations that would clarify which state was at fault.

After all, most forms of warfare are universally held to be crimes if carried out by those outside the military; thus, even the accused state should have an interest in finding and rooting out its dangerous criminals, assuming it would wish to shift the blame. Where states use proxies and such acts are crimes, they may be pressured to cooperate with international police investigations. Satisfaction for the aggrieved party, however, assumes police actions can establish reasonable levels of certainty. More problematically, the closer the trail of investigation comes to the doors of military or intelligence establishments, the greater the reluctance of states to allow matters to proceed. Such reluctance would not be unfounded—if purported acts of non-obvious warfare allow investigators to peer into covert operations, states may go to great lengths to interpret the need for evidence in ways that would also allow them to uncover the secrets of their rivals.

The last recourse is for victimized states and their allies to respond to suspected warring states as if certain they did it. In doing so, they must factor in how certain others are that the accusation is correct and, to some extent, whether the purported attacking state believes it is guilty. Many non-obvious warfare techniques can be carried out by rogue elements. As noted, some responses, such as chilling relations between the target and the purported attacker, do not require anything close to conclusive proof; mere uneasiness suffices. Other responses, such as retaliation, normally require high levels of confidence. In the end, the victimized state has to weigh the risks associated with false negatives (doing nothing in the face of aggression) and false positives (retaliating against the innocent). Note further that “plausible deniability” is hardly an absolute in this case. Unless the victimized state can only respond through the court system—and states cannot go on trial, only their leaders—the balance between responding and not responding may tip well before the confidence meter hits 100 percent. A relatively pacifist state surrounded on all sides by friends (e.g., Belgium) and embraced by alliances may want near certainty and may not react even then; an anxious, well-armed state surrounded on all sides by potential adversaries (e.g., Israel) may be less fussy.

Or the victim could retaliate by using non-obvious warfare itself. Ostensibly, the mutual commitment of both sides to modulate their responses to one another might limit the potential for open and, hence, more destructive warfare—as long as both sides are careful not to reveal themselves.

This may create a set of strange incentives wherein both sides’ non-obvious warfare communities take pains not to reveal the activities of their counterparts lest power and influence on both sides shift to communities whose warfare methods are quite obvious. Conversely, the perception that it is acceptable to escalate in a non-obvious manner rather than call out the other side may allow the destructive cost of non-obvious warfare to rise to its limits. If matters then become obvious, the warfare level that forms the foundation for the next set of threats starts at the much higher level.

Assessment and Conclusions

Would the spread of non-obvious warfare be a good thing? Even if wielded solely in pursuit of good aims, such techniques corrode both military values and diplomatic norms. Non-obvious warfare, almost by definition, has to be the work of small teams that must isolate themselves from the larger community, much like intelligence operatives, lest word of their adventures leak out. The efforts of the small non-obvious warfare teams would leave the mass of the national security establishment quite uncertain about what exactly was going on and who exactly was behind all the activity (only some of which would appear to be accidental).

Non-obvious warfare is also a poor fit for democratic states and a far better fit for authoritarian or failing states in which the intelligence community has become decoupled from its legitimate governance structure.

States with long-term reputations to manage are likely to see the downside from having to lie about their warfare activities when so confronted. Universal or even wide adoption of non-obvious warfare would likely yield a more suspicious world. Once attacks are shaped to look like accidents, many accidents will start to smell like attacks. Nations would react (even more than they do now) to suspicions rather than actual substance; attackers might be credited/blamed for far more than they actually merit. In too many countries, anything that seems askew is blamed on the United States (or Israel) and their ubiquitous and omnipotent intelligence agencies. Part of their polities’ maturity entails improvements in their ability to distinguish fact from fantasy; evidence that such fantasy had a kernel of truth behind it would hardly facilitate the maturation process. Indeed, under crisis circumstances, it is conceivable a conflict could start even though the accused did nothing. And of course, a crisis could start when a state used such techniques thinking it would never be caught—and was.

Notes

Internet Governance and National Security

Panayotis A. Yannakogeorgos

The debate over network protocols illustrates how standards can be politics by other means.
—Janet Abbate, Inventing the Internet (1999)

The organizing ethos of the Internet founders was that of a boundless space enabling everyone to connect with everything, everywhere. This governing principle did not reflect laws or national borders. Indeed, everyone was equal. A brave new world emerged where the meek are powerful enough to challenge the strong. Perhaps the best articulation of these sentiments is found in “A Declaration of Independence of Cyberspace.” Addressing world governments and corporations online, John Perry Barlow proclaimed, “Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.”1 Romanticized anarchic visions of the Internet came to be synonymized with cyberspace writ large. The dynamics of stakeholders involved with the inputs and processes that govern this global telecommunications experiment were not taken into account by the utopian vision that came to frame the policy questions of the early twenty-first century. Juxtapose this view with that of some Internet stakeholders who view the project as a “rational regime of access and flow of information, acknowledging that the network is not some renewable natural resource but a man-made structure that exists only owing to decades of infrastructure building at great cost to great companies, entities that believe they ultimately are entitled to a say.”2

Dr. Pano Yannakogeorgos is a research professor of cyber policy and global affairs at the Air Force Research Institute of Air University. His research interests include the intersection of cyberspace and global security, cyber norms, cyber arms control, violent nonstate actors, and Balkan and Eastern Mediterranean studies.
He formerly held appointments as senior program coordinator at the Rutgers University Division of Global Affairs and was an adviser to the UN Security Council. He holds PhD and MS degrees in global affairs from Rutgers University and an ALB degree in philosophy from Harvard University.

The sole purpose of cyberspace is to create effects in the real world, and the US high-tech sector leads the world in innovating and developing hardware, software, and content services.3 American companies provide technologies that allow more and better digital information to flow across borders, thereby enhancing socioeconomic development worldwide.

When markets and Internet connections are open, America’s information technology (IT) companies shape the world and prosper. Leveraging the benefits of the Internet cannot occur, however, if confidence in networked digital information and communications technologies is lacking. In cyberspace, security is the cornerstone of the confidence that leads to openness and prosperity. While the most potent manifestation of cyberspace, the Internet, works seamlessly, the protocols and standards that allow computers to interoperate are what have permitted this technological wonder to catalyze innovation and prosperity globally. The power of the current Internet governance model strengthens the global power of the American example and facilitates democratization and development abroad by permitting the free flow of information to create economic growth and global innovation.4 Today, this Internet is at risk from infrastructure and protocol design, development, and standardization by corporate entities of nondemocratic states.

Cyber security discussions largely focus on the conflict created by headline-grabbing exploits of ad hoc hacker networks or nation-state-inspired corporate espionage.5 Malicious actors add to the conflict and are indeed exploiting vulnerabilities in information systems. But there is a different side of cyber conflict that presents a perhaps graver national security challenge: that is the “friendly” side of cyber conquest, as Martin Libicki once termed it.6 The friendly side of cyber conquest of the Internet entails dominance of the technical and public policy issues that govern how the Internet operates.

Current US cyber security strategies do not adequately address the increasing activity of authoritarian states and their corporations within the technical bodies responsible for developing the protocols and standards on which current and next-generation digital networks function.

Internet governance can be defined as a wide field including infrastructure, standardization, legal, sociocultural, economic, and development issues. But the issues related to governance of critical Internet resources and their impact on US national security are often overlooked.

Foreign efforts to alter the technical management of the Internet and the design of technical standards may undermine US national interests in the long term. This article discusses the US national security policy context and presents the concept of friendly conquest and the multistakeholder format of Internet governance which allows for the free flow of information. There are many global challenges to the status quo, including the rise of alternative computer networks in cyberspace, that beg for recommendations to address those challenges.

Internet Governance and US National Cyber Strategy

Technical standards and protocols do not elicit the same attention as more visible threats to national cyber security. In a human capital and resource-constrained environment, attention has focused on crime, espionage, and other forms of cyber conflict rather than on the issues related to governance of critical Internet resources, development of technical standards, and design of new telecommunications equipment. In a domain that is already confusing to policy wonks, the complexity of Internet governance makes it even harder for policymakers to commit resources to a field that has no analogy in the physical world. In the nuclear age, there was no debate as to whether one could redesign the physical properties of uranium and apply them universally to eliminate the element’s potential for weaponization. The underlying language of nuclear conflict was constrained by the laws of physics (e.g., nuclear fission, gravity). Physical limits in cyberspace exist as well by constraining information flows to the laws of physics—the wave-particle duality of radiation which, when modulated with bits, creates an information flow. However, the “logic” elements of cyber that permit information to flow across networks and appear within applications to create effects in the real world are bound only by the limits of human innovation. This affects the character of cyberspace. Its current form is free and open, but that does not necessarily mean it always will be.

Understanding the strategic-level issues of Internet governance is thus just as critical as understanding the impact of vulnerabilities that attackers may exploit to cause incidents of national security concern. In the national security context, the technical management of the Internet matters because it may allow authoritarian states to exert power and influence over the underlying infrastructure. In the global security context, maintaining the values of free-flowing information within Internet governance bodies will continue to foster innovation and economic prosperity in both developed and developing states.

Several current national strategies articulate nationwide responses to cyber threats.7 They tend to focus on catastrophic national security incidents rather than on the battles within the organizations that set technical standards or manage the day-to-day operation of the Internet. The White House does highlight the importance of current multistakeholder forums for design and standardization of the technical standards via “collaborative development of consensus-based international standards for information and communication technology . . . a key part of preserving openness and interoperability, growing our digital economies, and moving our societies forward.”8 Furthermore, the challenges we face in international standards-setting bodies are recognized in that “in designing the next generation of these systems, we must advance the common interest by supporting the soundest technical standards and governance structures, rather than those that will simply enhance national prestige or political control.”9 However, these issues are drowned out by more-sensational, hypothetical situations of a cyber doomsday.

Security demands that the language of the Internet—the underlying technical standards and protocols—continue to sustain free-flowing information. If “code is law” in cyberspace, as some posit,10 then the standards and protocols are the fabric of cyber reality that give code meaning.

In policy circles, cyberspace is already considered the “invisible domain.” Technical standards and protocols are thus, “invisible” squared. However, these protocols define the character of the Internet and its underlying critical infrastructures. As noted elsewhere, “The underlying protocols to which software and hardware design conforms represent a more embedded and more invisible form of level architecture to constrain behavior, establish public policy. . . . [I]n this sense protocols have political agency—not a disembodied agency but one derived from protocol designers and implementers.”11 In the past it was the United States that led the world in the development of protocols and standards. As a result, the values of freedom were embedded in the Internet’s design and character, which incubated innovation that continues to spur socioeconomic development globally.

Within the DoD context, a single, connected, open Internet is critical to assuring its missions by facilitating collaboration within the agency and with its mission partners. Today, the department lists in its Strategy for Operating in Cyberspace its concerns about “external threat actors, insider threats, supply chain vulnerabilities, and threats to DoD’s operational ability.”12 Other elements from the DoD’s Information Enterprise Strategic Plan that articulate concerns with Internet governance and advocate for “DoD equities at international technical and governance meetings” should be added to the list.13 However, the sheer political nature of the documents does not adequately address broader US foreign policy goals within global Internet governance bodies as much as intended. Thus, DoD computer scientists and engineers risk taking the backseat in an area where they once pioneered. Creating the Internet and maintaining the technical edge are two very different problems.
The Friendly Side of Cyber Conflict

Looming battles in Internet standards and governance bodies will determine the future character of the Internet. The advanced deployment of IPv6 in Russia and China and development of new standards by near-peer-competitor countries are creating new technical standards and deploying them into the global marketplace, thus enabling friendly cyber conflict. Friendly conquest occurs when a noncore operator of a system enters into partnership with a core operator in exchange for access to a desired information system. Cyber theorist Martin Libicki notes,

One who controls a system may let others access it so that they may enjoy its content, services and connections. With time, if such access is useful . . . users may find themselves not only growing dependent on it, but [also] deepening their dependence on it by adopting standards and protocols for their own systems and making investments in order to better use the content, services or connections they enjoy.14

The core partner in such a coalition emerges to dominate noncore members who have come to depend on the service offered, though not without some vulnerability to the core partner’s network. Fears exist “that the full dependence that pervades one’s internal systems may leave one open for manipulation. . . . The source of such vulnerability could range from one partner’s general knowledge of how the infrastructure is secure, to privileged access to the infrastructure that can permit an attack to be bootstrapped more easily.”15 Libicki operates with relational mechanisms to explain how coalitions leading to friendly conquest occur. Friendly conquest in cyberspace can be surmised as the willing participation of X in Y’s information system.

X willingly enters into a coalition with Y in cyberspace. Y’s friendly conquest of X occurs when X becomes dependent on Y’s system. This is not to say that X merely entering the coalition will cause the conquest.

X’s perceived need for access to Y’s cyberspace (or inability to construct its own) causes it to willingly enter into a coalition with Y. X adopts Y’s standards and protocols making up the information system architecture of Y’s cyberspace in a way that allows it to interoperate within X’s cyberspace.

X adopts Y’s cyberspace architecture and thus the necessary condition for Y’s friendly conquest. It is a facilitating condition for X’s hostile conquest.

X might begin to use the standards and protocols of Y’s cyberspace as a model for its own cyberspace. Since Y is an expert in its own standards and protocols, X’s modeling of these standards in its own systems is another vulnerability, which can facilitate X’s hostile conquest by Y.

X does not have to be a friend. It can be a neutral or a possible future enemy of Y. There is utility in Y opening its cyberspace to X only if Y sees some benefit to itself, although Libicki does argue that Y will open its cyberspace regardless. Once friendly conquest is accomplished, Libicki argues, it can facilitate hostile conquest in cyberspace. Friendly conquest of X by Y may thus facilitate hostile conquest in cyberspace conducted by Y against X.

The Internet and its underlying technical infrastructure is a potent manifestation of how the United States, as core operator of an information system, extended friendly dominance over allies and adversaries alike through creation of the technology and setting the rules for its operation. The Internet relies on products designed and operated by US-based entities such as the Domain Name System (DNS) and Internet Corporation for Assigned Names and Numbers (ICANN), Microsoft, and Cisco.

Users around the world, such as Google and Facebook, have come to rely on services offered over this platform. The dominant position that US-based entities currently have is not permanent. The Estonian-developed Skype is indicative that services may be non-US in origin. Yet, even when an Internet-based service is created by foreign entities, most of the information flowing through the said application passes through hardware in the United States. When vulnerabilities are perceived, other nations may try to exit our information system to preserve their cyber sovereignty and expand their influence by attracting customers toward their own indigenous systems and away from the Internet. 16 Thus, our strategic advantage in cyberspace is not timeless and is being contested in varying degrees by near-peer competitors. Hence, we should understand their current responses to US technological dominance to refine our cyber strategy within the context of friendly cyber conquest.

US Air Force doctrine recognizes one aspect of friendly conquest: supply-side infrastructure vulnerabilities. “Many of the COTS [commercial off the shelf] technologies (hardware and software) the Air Force purchases are developed, manufactured, or have components manufactured by foreign countries. These manufacturers, vendors, service providers, and developers can be influenced by adversaries to provide altered products that have built-in vulnerabilities, such as modified chips.” 17 Friendly conquest goes beyond adversaries merely being able to infiltrate the supply chain and create backdoors on servers of national security significance before they enter the United States. 18 The threat also comes from the emergence of new technologies in which the United States is not the core operator but may become dependent.
With the focus on malicious cyber attacks, not enough attention is being paid to the soft underbelly of the cyber world—the technologies and standards that have allowed cyberspace to emerge from the electromagnetic spectrum. China is making a great leap forward in terms of sowing the seeds for global friendly conquest in cyberspace. As reported by the US-China Economic and Security Review Commission, “If current trends continue, China (combined with proxy interests) will effectively become the principal market driver in many sectors, including telecom, on the basis of consumption, production, and innovation.” 19 US reliance on China as a manufacturer of computer chips and other information and communications technology (ICT) hardware has allowed viruses and backdoors in equipment used by US-based entities, including the military. Extraordinarily low-priced Chinese-made computer hardware is a lucrative buy in Asia and the developing world. 20 Furthermore, Chinese entities, such as Huawei, are on the leading edge of developing the standards of next-generation mobile 4G LTE networks. 21

One example of how efforts at friendly conquest can backfire and make the United States vulnerable to cyber attack was demonstrated in Microsoft’s experience with China. In 2003, China received access to the source code for Microsoft Windows in a partnership with Microsoft to cooperate on the discovery and resolution of Windows security issues. The China Information Technology Security Certification Center (CNITSEC) Source Code Review Lab, described as “the only national certification center in China to adopt the international GB/T 18336, the ISO 15408 standard to test, evaluate and certify information security products, systems and Web services,” was the focal point of this collaboration. 22 Undeterred by International Organization of Standards (ISO) criteria, and unanticipated by many experts in the field, Chinese computer scientists reverse-engineered the code. This allowed them to develop malicious code, including viruses, Trojan horses, and backdoors, that exploited software vulnerabilities in the operating system. These efforts resulted in the shutting down of the US Pacific Command Headquarters after a Chinese-based attack. 23

Chinese entities are also making great strides in developing core information systems upon which others will come to rely. Virtual reality (VR) technologies are one example of an emerging tool that could become as ubiquitous for social and commercial interactions as the Internet is today. Globally, people are increasingly using VR technology fused with the Internet to socially interact. 24 Experts have noted that

any country that succeeds in dominating the VR market may also set the technical standards for the rest of the world, and may also own and operate the VR servers that give them unique access to information about future global financial transactions, transportation, shipping, and business communications that may rely on virtual worlds. . . .

Global commerce is expected to “come to rely heavily on VR.” Banking, transportation control, communications are all types of global commerce occurring in a virtual reality. 25

While current strategies do address the supply-chain risks posed by foreign manufacturing, the trend of China taking the lead in the protocols that will come to underlie VR and other technologies, as well as standard setting within international bodies, is a challenge that current cyber strategies insufficiently address. This may be due in part to the cultural differences in the relations between US-headquartered multinational corporations (MNC) and the US government (USG) versus the MNCs in foreign countries that at times have very close relations to their own governments.

Multistakeholders and Internet Governance

Business entities such as multinational corporations contribute to the formation of policies regulating international communications formally within the International Telecommunications Union (ITU) and informally through the personal contributions of their employees within the ICANN, the Internet Engineering Task Force (IETF), and other organizations.

Within the United States, telecommunications service providers (dating back to the era of electrical telegraph systems) were never part of a state-owned monopoly. This was not the case in the rest of the world. 26 British Telecom and Deutsche Telekom, for example, were state-owned entities before being privatized in the 1990s. Granted, although there is no direct state control within the United States, telecommunications companies are regulated by the state. In international telecommunications negotiations, a state and its ICT firms have a symbiotic relationship. 27 This has been the case since the International Telegraph Union, predecessor of the International Telecommunications Union, began meeting in the mid nineteenth century to regulate telegraphy policies. 28 Thus, the view in the developing world is that “at present, it is . . . U.S. law which applies globally by default as most monopoly Internet companies are U.S.-based.” 29

If trade is a political activity, then firms are political actors. States can utilize firms to distribute or reward power to meet their own political objectives. 30 Since states and firms both cause effects on the behavior of the other, a dynamic bidirectional interaction exists between the state and the MNC. Important policy tools that affect the behavior of MNCs include export controls, protectionism, and strategic trade policy. Export controls tend to have a political purpose since, as one expert notes, “they are designed to prevent rival states from gaining access to key resources and technologies,” or to punish a state. 31 Firms manufacturing strategic goods rely on governments to adopt trade policies that will support the firm’s competitive stance in the global market, 32 but states do place restrictions on what may be exported, even if it is to the detriment of a firm’s competitiveness in foreign markets. 33 In the United States, the federal government lost the so-called encryption wars of the 1990s, when private industry protested policies prohibiting the export of strong encryption software for strategic reasons. 34

In an effort to prevent criminals from communicating using unbreakable codes, some firms implement law enforcement intercept (LEI) mechanisms so national security agencies can monitor suspected criminal and terrorist communications. 35 US firms and persons associated with them, who develop, maintain, and revise the core standards and technological infrastructures, are stigmatized by such allegations which depict a rogue national security apparatus and private sector in collusion capturing all of the world’s data. This does not reflect the fact that, unlike in authoritarian states, careful compliance with US laws designed to protect user privacy maintains a separation between government and the private sector. 36 Media preferring headline-grabbing allegations decrease global trust in the American private sector and validate the narratives that the Internet governance mechanisms must be internationalized. Thus, the close relationship between governments and firms in the area of strategic trade policy affects both how firms operate and how governments counteract the misuse of cyberspace. 37

The global perception that the US government has de facto control of critical Internet resources is largely shaped by other nations’ experiences of the close relationship between telecommunications companies and their national governments. Uniquely, the US government has never owned or operated any telecommunications companies. As the rest of the world shifted to the US privatized telecom model, prior experience of government control of the sector did not leave their cognitive balance.
Today these experiences cast a shadow of suspicion over the special agreement between the ICANN and the US Department of Commerce.

Critical Internet Resources and Infrastructure

Technical management of the Domain Name System, invented by the DoD and governed by it in its formative years, was assumed by the Department of Commerce in 1998 and subsequently evolved into its current nongovernmental multistakeholder model. 38 The description here will not delve into the tactical- and operational-level functioning of each organization that has a role in Internet governance. 39 It will instead offer a brief recap of the underlying technology and the organizations that have a role in setting the standards which allow for technical functioning of the Internet. It is thus the purpose of this section to provide an account of Internet governance as a source of national security concern. With discussions focusing on malicious activities, there has been little consideration to the implications of the peaceful work of designing and maintaining the Internet and the implications these activities have on US interests.

Critical Internet resources (CIR) “in the context of Internet governance usually refers to Internet unique logical resources rather than physical infrastructural components or virtual resources not exclusive to the Internet.

CIRs must provide a technical requirement of global uniqueness requiring some central coordination: Internet address, DNS, Autonomous System Numbers.” 40 Unlike the popular conception of a limitless Internet, the underlying address space is limited. Indeed, IP address space has nearly run out. Foreseeing this, Internet protocol engineers developed IPv6, which among other improvements increased the total number of potential IP addresses from 4,294,967,296 in IPv4 to 2^128 in IPv6. It is recognized today that “deploying IPv6 is the only perennial way to ease pressure on the public IPv4 address pool.” 41 As the world begins a transition from using IPv4 to IPv6 as the dominant communications protocol for the global Internet, the United States is not leading its deployment. Russia currently enjoys the greatest deployment in terms of market penetration, and China enjoys the greatest deployment in sheer numbers. 42 The consequences of delayed deployment are related to both Internet governance and the more traditional security threats. On the latter point the National Institute for Standards notes that the “prevention of unauthorized access to IPv6 networks will likely be more difficult in the early years of IPv6 deployments.” 43 Thus, competitor nations that have more experience in national-level deployments of IPv6 have greater technical understanding of its real-world operations. The Air Force NIPRNet will not be entirely enabled for IPv6 until 2014. Even then, it has been noted that the plan is to use both IPv4 and IPv6 in parallel for the next 10–15 years. 44 As deployment of IPv6 as the backbone of the Internet continues, Russia and China may have the perceived legitimacy as IPv6 leads and take advantage of that opportunity to shift control of these scarce address spaces from the ICANN toward the control of an intergovernmental body, such as the United Nations.

The ICANN and the Current Internet Governance Structure

Because cyberspace is a man-made domain, infrastructure and standardization are critically important. Global bodies of computer scientists and engineers create the standards and rules on which the Internet—the most potent manifestation of cyberspace—operates. Indeed, many of these global bodies began as DISA, DARPA, or other USG programs that were privatized in the mid 1990s. Thus, the development of the next-generation Internet does not have the United States as the prime mover. 45 Instead, standards and processes are being developed by Russian, Chinese, and other foreign scientists and engineers. Today’s machines speak a form of the English language to each other. If US scientific excellence continues its degenerative path, future networks may come to rely on machines speaking foreign languages. Furthermore, governance of the DNS and IP address allocation is being challenged to migrate from the current multistakeholder approach to an intergovernmental mechanism within the ITU.

This is the friendly side of cyber conflict.

The DNS allows people to use Uniform Resource Locators (URL) to communicate with other machines on the Internet. Instead of having to type in the IP address of a website—a string of numbers—a person can type a natural language URL, such as www.af.mil, into a web browser to connect with the desired corresponding IP address. This makes the web user-friendly, and to the common user, might as well be the work of a wizard that allows information to be piped onto someone’s computer.

However, IP addresses are scarce, especially in IPv4. The processes for assigning scarce IP addresses and allowing the Internet to serve as a global platform are complex, both technically and, increasingly, politically. The allocation of IPv4 address space to various registries is provided by ICANN via the Internet Assigned Numbers Authority (IANA). 46 Globally routable IP addresses reside in DNS databases on root zone databases that allow for the translation of URLs into IP addresses. 47 (see figure). The top-level domain names, such as .com or .org, are maintained and updated by the ICANN, which was once under the Department of Commerce (DoC). Now operating under a memorandum of understanding with the DoC, the ICANN continues to be the sole source of IP address allocation to specific DNSs and regional Internet registries to assure a uniform Internet experience for all. By governing and maintaining the DNS central root zone databases and backing them up on DNS servers worldwide, the ICANN assures that if a domain name is available, someone can buy it and link it with an IP address to create an online presence. 48

Internet Engineering Task Force: Stewards of TCP/IP

An internationally standardized communications protocol stack, called Transmission Control Protocol and Internet Protocol (TCP/IP), allows for the flow of data packets and information across computer networks, including the Internet. TCP/IP is standardized by the International Organization of Standards for the Open Systems Interconnection (OSI) model as the basis of Internet networking. A brief description of how information is sent across networks is necessary to better understand the significance of TCP/IP. Data packets are the basic units of network traffic. They are the standard means of dividing information into smaller units when sending it over a network. A significant component of computer networks is the IP header, which contains information pertaining to the source and destination addresses.
Machines require these strings of numbers to connect with other computers on the Internet or other networks. 49 All networked hardware must have a valid IP address to function on a network. Data packets are recreated by the receiving machine based on information within a header of each packet that tells the receiving computer how to recreate information from the packet data. Without internationally standardized protocols such as TCP/IP, there would be no assurance that packets could be read by a receiving machine. 50

[Figure: DNS Root Zone File, DNS Server, ICANN, IP Addresses, Regional Internet Registries (North America, Europe, Latin America, Asia Pacific, Africa)]

The most esoteric of all critical Internet resources are the autonomous system numbers (ASN). These numbers are used by network providers at “peering points” to allow information to flow from, say, Verizon to ATT, among other uses. Border gateway protocols are one aspect of ASNs.

Internet policy debates have proven the ineffectualness of multilateralism as the United States strives to lead and others fail to follow. American technological innovation in the development and maintenance of the Internet’s backbone is unquestioned. But global efforts to promote regulatory reform, such as including institutions of global governance like the ITU as entities responsible for overseeing the ICANN, are a tense political issue closely linked with the national cyber security concerns of democratic and autocratic regimes alike. In sum, American “leadership” as first among equals has led to a succession of dead ends. We are witnessing countermoves by friends and competitors alike that may gain momentum during the 2012 World Conference on International Telecommunication. 51

Global Challenges to the Status Quo

Global information flowing through open elements of cyberspace, such as the Internet, is regulated by national and regional bodies coordinating their policies internationally. Standards that have been created for elements of cyberspace have required lengthy processes at various bodies, such as the International Organization for Standardization and ITU, to assure sufficient technical and political cooperation among nation-states. While US-based entities have traditionally set the standards for Internet technology, China-based entities, such as the ZTE Corporation, are increasingly taking on roles within the ITU to draft important international standards that will shape the world’s next-generation networks. This is not a recent development. As early as 2004, Chinese personnel working in senior ITU Telecommunication Standardization Sector positions began to discuss using the transition to IPv6 as a way to correct a perceived imbalance in address allocation between the United States and the developing world: “The early allocation of IPv4 addresses resulted in geographic imbalances and an excessive possession of the address space by early adopters. This situation was recognized and addressed by the Regional Internet Registries (RIR). . . . Some developing countries have raised issues regarding IP address allocation. It is important to ensure that similar concerns do not arise with respect to IPv6.” 52 This is indicative of a desire by some states to perhaps shift the governance of IPv6 address allocation into a global institution such as the ITU.

From the perspective of maintaining US national interests, the current multistakeholder framework governing critical Internet resources continues to be a good mechanism for regulating the day-to-day technical operations of the Internet. However, momentum related to Internet governance within the United Nations is gaining within political forums.
Led by Russian and Chinese initiatives, competitors and partners alike have been working toward internationalizing the Internet’s technical governance.

China and Russia, along with India, South Africa, and Brazil, have led initiatives against US dominance of the ICANN. These efforts have been in the works for nearly a decade. 53 As the DoD ARPANET experiment emerged to become a significant component of global socioeconomic development and governments increasingly came to realize its importance, the momentum for internationalizing its backbone, the ICANN, became greater. Recall that these pushes for internationalization are due in part to the perception of US government control over ICANN via the DoC and NTIA, shaped by the history of special relationships between state telecommunication corporations existing in other countries.

The (Potential) Tyranny of the ITU over Critical Internet Resources

One battleground for debates over internationalizing the ICANN was observed during preparations for the World Summit for the Information Society (WSIS), 54 when significant opposition to the current Internet governance began to emerge. 55 For instance, in March 2004 during a UN-hosted Global Forum on Internet Governance, 56 Brazilian delegate Maria Luiza Viotti claimed that Internet governance needed reform, since it is not inclusive of developing countries and instead appears to be under the ownership of one group of countries or stakeholders. 57 Lyndall Shope-Mafole, chair of South Africa’s National Commission, spoke on similar lines, arguing that the legitimacy of the ICANN’s processes, rather than its functioning, was of most concern for developing countries. 58 Thus, after rigorous talks, delegates concluded on the basis of concerns from the developing world that the ICANN required further reform. Throughout the WSIS process, and continuing in other forums discussing Internet governance and global cyber security, Brazil has continued to be a vocal proponent against the US position in the ICANN.
In 2011, India joined South Africa and Brazil in proposing to “operationalize the Tunis mandate” by

bearing in mind the need for a transparent, democratic, and multilateral mechanism that enables all stakeholders to participate in their respective roles, to address the many cross-cutting international public policy issues that require attention and are not adequately addressed by current mechanisms and the need for enhanced cooperation to enable governments, on an equal footing, to carry out their roles and responsibilities in international public policy issues pertaining to the Internet, India proposes the establishment of a new institutional mechanism in the United Nations for global Internet related policies, to be called the United Nations Committee for Internet-Related Policies (CIRP). 59

The CIRP idea has gained momentum within the developing world as a counter to the current technical management of the Internet. Indeed, it echoes closely Chinese concerns voiced by the China Organizational Name Administration Center (CONAC) that “the U.S. government has the sovereign power to control the Internet resources. We therefore suggest making the computer security plan available for comment by all multistakeholders, for maintaining the security of cyber space is not a mission only for the U.S. government, and it cannot be accomplished by any single nation.” 60 From Russia, then prime minister Vladimir Putin stated,

The International Telecommunication Union is one of the oldest international organisations; it’s twice as old as the United Nations. Russia was one of its co-founders and intends to be an active member. We are thankful to you for the ideas that you have proposed for discussion. One of them is establishing international control over the Internet using the monitoring and supervisory capabilities of the International Telecommunication Union (ITU). 61

Thus, the United States faces a significant challenge within the ITU from autocratic regimes leading the developing world to move control of critical Internet resources toward a multilateral body. The underlying danger is a shift away from an Internet whose defining characteristic is the free flow of information toward a model in which the political agendas of non-democracies attempt to exert control over the flow of information. Hence, the United States and like-minded nations must surge diplomatically to ensure the character of the Internet remains free from the political control of a multilateral institution.

This diplomatic struggle for control of the Internet has also been occurring within various other forums, like the UN Commission on Science and Technology for Development. Suggestions being made on the issue include:

Establishment of an ad hoc working group under the Commission on Science and Technology for Development with a view to the development of an institutional design and road map to enhance cooperation on Internet-related public policy issues with the support of the Secretary-General . . .

Creation of a more permanent committee on international public policy issues pertaining to the Internet within the United Nations system, possibly modeled on the Committee on Information, Communications and Computer Policy of the Organization for Economic Cooperation and Development . . .

And more concretely, global policy questions should be addressed by an entity with global representation, such as the United Nations, and regional questions by entities with regional representation, such as the Council of Europe . . . [and] the participation of relevant organizations in discussions on Internet governance at the quadrennial ITU Plenipotentiary Conference, and the public review process and Governmental Advisory Committee of ICANN. 62

With the upcoming World Conference on Telecommunications in December 2012, such statements indicate that these ideas will resurface as part of the ITU effort to revise International Telecommunications Regulations (ITR) to include governance of next-generation critical Internet resources within the ITU’s mandate and assume a greater role in Internet governance. 63 Making Internet governance open to intergovernmental processes could put US national security at risk, given the potential for less-than-responsible state actors to take the current privatized laissez-faire approach to governing the Internet and have nation-states and their corporate entities take control of governing critical Internet resources. This would not ensure DoD equities are protected in an environment where critical decisions on underlying technical standards and Internet operation would be left to national governments that are competing with the United States.

Shadow “DNS” Rising

As described above, the critical Internet resources that allow for universally resolvable URLs and global Internet communications are possible due to the root system that is managed by the ICANN and protocols designed, developed, and debated within the IETF (among other organizations). Although this allows for a free and open Internet to function, the standards and protocols that the ICANN uses to maintain the domain name registries can be used by individuals, ad hoc networks, and nation-states to design and deploy an alternative DNS system that can either be independent of or “ride on top” of the Internet. A corporate LAN, such as “.company–name” for internal company use, is an example of the first.

When a group wishes to ride over the global DNS root but incorporate its own pseudo top-level domain, core operators of the pseudo domains can use specific software resources to resolve domains that are globally accessible within their alternative DNS system. American audiences can experience what it is like to enter an alternative DNS universe via the Onion router (TOR) network. Downloading the Onion router package and navigating to websites one would prefer to visit anonymously (the typical use of TOR), one may point the TOR browser to websites on the “.onion” domain and mingle where the cyber underworld has started shifting the management of its business operations these days to avoid law enforcement and to add another layer of protection to their personas. 64 Should significant usage of such shadow Internets occur, this could lead to the loss of confidence and utility of the Internet itself. The greatest risk comes when nation-states develop and deploy their own alternate domain-naming systems for internal use, thereby separating themselves from the global Internet. This is different from controlling access points and actually develops country-level intranets that may or may not be connected to the global Internet. 65 The discussion herein focuses on Russia and China as far as their successes in deploying potentially new intranets for in-country use. Other countries, such as Iran, are following suit.

US involvement in openly promoting and organizing “digital activists” by issuing up to $30 million in grant funding to increase open access to the Internet, support digital activists, and push back against Internet repression wherever it occurs in the fight for free flows of information, generates international friction that is counterproductive to promoting international cooperation on cyber security issues.” 66 The “Internet Freedom Agenda” is one example of this phenomenon. 67 Such technology effectively allows citizen-activists to hack past government digital sentries to spread forbidden information. Other tools allow activists to don digital disguises and organize themselves into social movements designed to topple regimes.

The result has been the emergence of alternative national networks that essentially create alternate domain name systems for in-country use, allowing for censorship of content and stifling the productivity of the current Internet topology. China is one country that has implemented this on a national scale, and Iran is closely following suit. 68 Others are sure to follow these attempts. The rise of a splintered Internet will certainly change the character of the current Internet, with negative consequences for freedom and prosperity worldwide. Those who wish the Internet to remain free and open will benefit, and draw a sharp, moral contrast with those wishing to control the master switch. Thus, maintaining the current Internet governance model, while addressing legitimate concerns of friends and allies, will help assure the Internet continues to serve as a robust platform for human economic development.

Conclusion

Failure to pay attention to our vulnerabilities from Internet governance and friendly conquest may provide our adversaries with a strategic advantage in cyber conflict. Our own cyber-attack efforts will also become complicated as networks that are not based on protocols and standards developed by US-based entities are deployed by our competitors. To aid how we conceive of cyberspace, as well as adjust to change within the cyber environment, there must be a broad dialogue on these issues. Despite the Internet’s historic roots within the Department of Defense, there has not been a well-organized effort to influence the development of technical standards and policies affecting Internet governance. Currently, the DoD has remained in a reactive mode, coordinating and commenting on the various global norms and standards being considered within the USG processes related to Internet governance.
Because of this approach, the DoD and the USAF may be perceived as not having the legal expertise or technical reputation in Internet governance. The DoD, and the US Air Force in particular, should exercise leadership and take a more active role in the development of information technology infrastructure standards as it once did. Furthermore, it should more carefully document its role and provide metrics on its participation and position with Internet governance bodies. The Air Force should play a leading role within the DoD and the whole of government by explicitly focusing on a broader concept of friendly conquest that implicitly exists in policies, strategies, and doctrines. The 2012 World Telecommunications Conference in December 2012 may be the right place to commence this effort.

As the hardware and software on which the global Internet is based evolve and non-US entities begin to invent new hardware, standards, and protocols, potentially taking market share away from US entities, the US position as core cyber infrastructure operator will diminish. The United States currently enjoys technological dominance through its position of developer and core provider of Internet services made possible by the ICANN and the top-level Domain Name System. But our national cyber security strategies do not adequately address threats that may stem from other countries developing the protocols, standards, and technologies on which the next generation of networks will be based. The Air Force has a key role to play given the wealth of technical excellence that resides within its community of scientists and engineers. It cannot act alone, however, and the DoD will need to focus some of its already limited cyber resources toward Internet governance. Not doing so risks allowing foreign-designed technical standards and protocols to form the backbone of next-generation IT and potentially puts DoD operations at risk by reversing what is now an Internet characterized by the free flow of information on which the DoD depends. The USAF remains the leading US military service impacting cyberspace, and thus its actions or inactions in Internet governance debates matter.

Notes

1. John Perry Barlow, “A Declaration of Independence of Cyberspace,” published online 8 February 1996.
2. Tim Wu, The Master Switch: The Rise and Fall of Information Empires (New York: Alfred A. Knopf, 2010), 290.
tained in the plan include the Internet Engineering Task Force, ICANN, Internet Governance Forum, Réseaux IP Européens, and American Registry for Internet Numbers/North American Network Operators’ Group.
Assembly on October 26, 2011,” http://content.ibnlive.in.com/article/21-May-2012documents/full-text-indias-un-proposal-to-control-the-internet-259971-53.html.
60. Yang Yu, Chinese response to “Further Notice of Inquiry on the Internet Assigned Numbers Authority Functions,” China Organizational Name Administration Center (CONAC), http://www.ntia.doc.gov/files/ntia/conac_response_to_fnoi.pdf. CONAC is a nonprofit organization established in 2008. With the authorization of the State Commission Office for Public Sector Reform (SCPSR) and the Ministry of Industry and Information Technology (MIIT), CONAC runs the registry for “.政务.cn” (Government Affairs) and “.公益.cn” (Public Interest). CONAC also actively participates in the global Internet community.

The Customary International Law of Cyberspace

Gary Brown, Colonel, USAF
Keira Poellet, Major, USAF

The first thing to know about international law is that it bears only a passing resemblance to the kind of law with which most people are familiar.

Domestic laws in most countries are passed by some sort of sovereign body (like Congress) after due consideration. Statutes are carefully crafted so the law has a precise effect. International law is nothing like that. Contrary to popular belief, treaties are not the primary means of establishing international law. The body of international law is a jumble of historic practice and tradition as well as signed agreements between nations. Within this patchwork of guidance, customary international law occupies a position of preeminence in developing areas of the law—ahead of treaties and conventions. 1 Customary international law develops from the general and consistent practice of states if the practice is followed out of a sense of legal obligation. 2 When this occurs, customary law is considered legally binding on nation-states. In situations not addressed by established consensus on what constitutes lawful behavior, nations may take actions they deem appropriate. 3 This is the heart of the well-established Lotus principle, so named for the International Court of Justice decision in which it was established. 4 Only a handful of actions are considered peremptory norms of international law; that is, things that are universally held to be wrong and impermissible. 5 These are exceptional areas, including piracy, human trafficking, and hijacking. One reason there are so few universally accepted norms is the very nature of the international legal regime. It is established by what nations do and believe they are bound to do, making consensus difficult to reach. Without consensus, there is no law, even in what seem to be straightforward cases, such as torture. “Torture or cruel, inhuman, or degrading treatment or punishment” is recognized by most states as violating human rights principles that have attained the status of customary international law. Yet, actions amounting to torture continue, and states sponsoring those actions are not often condemned, so it cannot be said there is complete international agreement on the issue. 6 Although the few prohibitions accepted as peremptory norms do not deal with war, that is not to say armed conflict is completely ungoverned.

Col Gary Brown has been the staff judge advocate (SJA) at US Cyber Command, Fort Meade, Maryland, since its establishment in 2010. Previously, he was the SJA at Joint Functional Component Command—Network Warfare. He is a graduate of the University of Nebraska College of Law. Maj Keira Poellet is an operations law attorney at US Cyber Command. Her previous assignment was deputy SJA at Lajes Field, Azores, Portugal. She received her LLM in space and telecommunications law from the University of Nebraska College of Law and her JD from Whittier Law School.

There is a body of customary law reflecting the extensive and virtually uniform conduct of nation-states during traditional warfare that is widely accepted and well understood—the law of war. Unfortunately, the application of the law of war to cyberspace is problematic because the actions and effects available to nations and nonstate actors in cyberspace do not necessarily match up neatly with the principles governing armed conflict.

Cyberspace gives nation-states new options, enabling them to take nonkinetic actions that may not have been available previously. Actions that may have required the use of military force in previous conflicts now can be done with cyber techniques without the use of force. States can also take actions in cyberspace that would be consistent with the use of armed force but more easily avoid taking responsibility for the actions—they can take cyber action “without attribution.” In the absence of a specific legal regime for cyberspace, the logical approach is to take what guidance exists to govern more conventional warfare and determine whether it can be applied to cyberspace activities.

The subsequent brief discussion is a general examination of how national practices become customs binding on the body of nations as customary international law. Following the general discussion is a more detailed discussion of how customary international law might apply to nation-state cyber actions.

The Development of Customary International Law

It is common for states to disagree about what constitutes a general practice accepted as law. The easiest form of proof is found in state actions, published government materials, official government statements, domestic laws, and court decisions that detail actual practice. 7 Over time, specific instances of state practice may develop into a general custom. 8 The second part of the equation is more difficult. For a custom to be binding, states not only need to act in a certain way; they have to act that way because they think they are legally obligated to do so. 9 Acceptance of general practice as an obligation, that it is “accepted by law,” is referred to as opinio juris. 10 Evidence of opinio juris is primarily shown through statements of belief, as opposed to statements about state practice, such as treaties or declarations. 11 There is no mathematical formula governing how many states must accept a practice or for how long it needs to be practiced for it to become binding custom. 12 For the most part, the more states that practice a custom, the more likely it is to evolve into law, but not even that simple rule holds completely true. The practice of politically powerful and active states carries more weight than that of smaller nations, especially ones not actively engaged in the area under consideration. For example, actions of the United States or Great Britain will have more bearing on the development of international law governing naval operations than those of Switzerland. As noted, the length of time to develop customary international law can vary greatly. The law of war is a good example. The customary law of war has developed over thousands of years, but the practice of limiting conflict (e.g., to protect noncombatants) evolved primarily in the last 150 years.
For example, the Greeks began developing the concept of jus ad bellum, or just war, in the fourth century BC. 13 By contrast, while the principles governing the way in which combatants engage in warfare (jus in bello) also have historical ties to that era, they did not begin to assume their current form until the 1860s during the Franco-Prussian War and the American Civil War. Documented atrocities during those wars led to rapid development of the modern law of war regime, beginning with the first Hague Convention in 1899. An example of customary law that developed quickly is space law. 14 In 1958, just one year after the launch of Sputnik, the UN General Assembly created a committee to settle on the peaceful uses of outer space. By 1963, the United Nations had put forth the Declaration of Legal Principles Governing the Activities of States in the Exploration and Use of Outer Space, formally recognizing what had become customary law applicable to space activities.

Since then, most space law has been generated through international agreements, beginning with the first outer space treaty signed in 1967. Sometimes even state inaction can establish practice. For example, when one state engages in conduct harmful to another, the official silence of the “victim” state can be evidence that the conduct in question does not constitute a violation of international law. This passiveness and inaction can produce a binding effect under what is called the doctrine of acquiescence. 15 The more times a state permits an action to occur without meaningful protest, the more likely it is the action will be accepted as lawful state practice.

Development of Cyber Law through Custom

The increasing use of computers and computer networks through the 1970s and 1980s was followed swiftly by the rise of the “network of networks” known as the Internet in the mid-1990s. 16 Ultimately, the Internet spawned an entirely new domain of operations referred to as cyberspace.

It is in and through this virtual space that cyber activities occur. So, not only are the activities in cyber new, where cyber actions take place is a unique location. 17 Because it has existed for such a short time, there is not a robust body of law governing state conduct in cyberspace. 18 There are documented instances of state cyber practice, however, and these have begun to lay a pattern for establishing customary cyber law. As noted above, customary law does not instantly appear but is developed through state practice and rationale. The cyber practices of states and the thought behind those actions over the past 30 years must be examined to determine if there is customary law in cyberspace. If no principles have developed, as earlier discussed, cyberspace remains unconstrained under the default customary international regime. Although opinio juris is a critical element, it is easiest to analyze the development of custom beginning with an examination of state action, which is more visible and easily documented than motivation. Complicating the analysis is the secrecy surrounding most cyber operations. The US Department of Defense (DoD), for example, claims it suffers millions of scans and thousands of probes into its networks each day. 19 With rare exceptions, no states or individuals come forward to take credit for these actions, so assessing the motivation of these unknown cyber actors is difficult. Albeit complicated and difficult, a few examples of state practice in cyber are available for examination. Arguably, the first cyber attack occurred in the Soviet Union. In 1982, a trans-Siberian pipeline exploded.
The explosion was recorded by US satellites, and it was referred to by one US official as “the most monumental nonnuclear explosion and fire ever seen from space.” 20 It has been reported the explosion was caused by computer malware the Central Intelligence Agency implanted in Canadian software, apparently knowing the software would be illegally acquired by Soviet agents. Because the explosion happened in remote Siberia, it resulted in no casualties. It also embarrassed the Russian Committee for State Security (the KGB), who thought they had stolen the most recent software technology from the United States.

As a result, the facts behind the explosion were concealed, and the USSR never publicly accused the United States of causing the incident. 21 Multiple “soft” computer attacks occurred against US systems as the Internet grew exponentially over the next 25 years. Many of these involved attempts to copy sensitive information or relatively simple but potentially devastating denial of service attacks. 22 Some of the more infamous include Moonlight Maze (1998–2001), which probed government and academic computer systems in the United States; Code Red (2001), which launched a worm intended to conduct a denial of service attack against White House computers; and Mountain View (2001), a number of intrusions into US municipal computer systems to collect information on utilities, government offices, and emergency systems. 23 Although there was speculation about the origins, none of these incidents could be definitively attributed to a state actor. In contrast to the, until recently, little-known Siberian incident, it was a very public series of cyber events considered by many to have heralded the advent of cyber warfare. In April 2007, following the removal of a Russian statue in Estonia’s capital of Tallinn, a widespread denial of service attack affected its websites. As a result Estonia, one of the world’s most wired countries, was forced to cut off international Internet access. Russia denied involvement in the incident, but experts speculate the Russian Federal Security Service (FSB) was behind the distributed denial of service event. 24 The following year, Russian troops invaded the Republic of Georgia during a dispute over territory in South Ossetia. In August 2008, prior to Russian forces crossing the border, Georgian government websites were subjected to denial of service attacks and defacement. While there is widespread belief the incident was “coordinated and instructed” by elements of the Russian government, no one has been able to attribute these actions definitively to Russia. 25 The wakeup call for the US military occurred in 2008, although the details did not become public until two years later. Operation Buckshot Yankee was the DoD’s response to a computer worm known as “agent.btz” infiltrating the US military’s classified computer networks. 26 The worm was placed on a flash drive by a foreign intelligence agency, from where it ultimately made its way to a classified network. The purpose of the malware was to transfer sensitive US defense information to foreign computer servers. 27 In what qualifies as bureaucratic lightning speed, US Cyber Command was established less than two years later, with a mission to, among other things, direct the operations and defense of DoD computer networks. 28 In addition to unmasking the extent of network vulnerabilities, the event highlighted the lack of clarity in international law as it relates to cyber events. Two recent incidents merit attention before discussing the law in depth.

In 2010, Google reported Chinese hackers had infiltrated its systems and stolen intellectual property. Through its investigation, Google learned the exfiltration of its information was not the only nefarious activity; at least 20 other companies had been targeted by Chinese hackers as well. These companies covered a wide range of Google users, including the computer, finance, media, and chemical sectors. The Chinese had also attempted to hack into G-mail accounts of human rights activists and were successful in accessing some accounts through malware and phishing scams. Google released a statement explaining what it discovered through its investigation and what steps it was taking in response to China’s action, including limiting its business in and with China. 29 Also in 2010, a computer worm named Stuxnet was detected on computer systems worldwide. Stuxnet resided on and replicated from computers using Microsoft’s Windows operating system but targeted a supervisory control and data acquisition (SCADA) system manufactured by Siemens.

Cyber experts determined the worm was designed to affect the automated processes of industrial control systems and speculated that either Iran’s Bushehr nuclear power plant or its uranium enrichment facility at Natanz was the intended target. 30 After Stuxnet became public, Iran issued a statement that the delay in the Bushehr plant becoming operational was based on “technical reasons” but did not indicate it was because of Stuxnet. 31 The deputy director of the Atomic Energy Organization of Iran stated, “Most of the claims made by [foreign] media outlets about Stuxnet are efforts meant to cause concern among Iranians and people of the region and delay the launch of the Bushehr nuclear power plant.” 32 Iranian president Ahmadinejad stated at a news conference that malicious software code damaged the centrifuge facilities, although he did not specifically state it was Stuxnet or the Natanz facility. 33 Even disregarding the Siberian pipeline incident and considering Moonlight Maze the first major state-on-state cyber incident, there have been about 12 years of general practice to consider when determining what constitutes customary law in cyberspace. Incidents that have occurred during this period have set precedent for what states consider acceptable cyber behavior. What is remarkable is the lack of protest from nations whose systems have been degraded in some way by obnoxious cyber activity.

Iran seemed reluctant even to admit its nuclear plant’s computers had been affected and still does not claim to have been cyber attacked. 34 If the damage caused by the Stuxnet malware had instead been caused by a traditional kinetic attack, such as a cruise missile, it is likely Iran would have vigorously responded. For one thing, in more-traditional attacks it is easier to determine the origin of attack. There are a variety of reasons Iran may have refrained from public complaint over the Stuxnet event; one possibility is that it believes the action was not prohibited under international law. Whatever the reason for Iran’s silence, it remains true that no state has declared another to have violated international law by a cyber use of force or an armed attack through cyberspace. Aside from the Stuxnet event, those in Estonia and Georgia came closest. The situation in Georgia can be distinguished because the cyber action was taken in concert with Russian troops crossing the Georgian border—a clear use of force. Cyber activity against Georgian websites did not start until after Georgia made its surprise attack on the separatist movement in South Ossetia on 7 August 2008. The cyber activity commenced later that same day, on the eve of Russia launching airplanes to bomb inside Georgian territory. It appears as though it was a military tactic to sever Georgia’s ability to communicate during the attack. It was not until 9 August 2008 that Georgia declared a “state of war” for the armed attack occurring inside its territory. It did not declare the cyber activity itself an attack or use of force. 35 A case has also been made that the 2007 massive distributed denial of service activity in Estonia was a cyber attack. However, after deliberation, even the Estonian government concluded it was a criminal act as opposed to a use of force by another state.
That may be because they were not able to attribute it with certainty to the Russian government (or any other government), but the precedent remains. Attribution problems will continue to plague this area of law. It is more difficult for custom to develop if the source of the action is unknown. The actions of criminal gangs or recreational hackers do not set precedent for international law, and as long as the actor remains unknown, the events have no precedential value.

Cyber Activity and Espionage

Much of what has occurred in cyberspace between states can be viewed as merely espionage—simply intrusions onto computer systems for the collection of intelligence. If these actions are equivalent to espionage, however, this creates a dilemma in the analysis of cyber law. Spying has been around even longer than customary international law.

Despite the famous statement, “Gentlemen do not read other gentlemen’s mail,” espionage has existed since the earliest days of armed conflict. 36 Although the law of war addresses wartime espionage and the treatment of captured spies, customary international law is notably silent on the practice of spying during peacetime. States have domestic laws prohibiting espionage—including the United States, where spying is punishable by death—but there is no international law prohibiting espionage or insisting it violates sovereignty. 37 Despite the absence of specific guidance, it is generally not argued that espionage is actually legal under international law. Most international lawyers contend espionage is “not illegal” internationally. Presumably, this is because it would be unseemly for countries to openly note that it is acceptable to undertake as much espionage as they can get away with.

Despite the “ungentlemanly” nature of espionage, it is an open secret that countries spy on friends and foes alike. Most of the time, when spies are caught, the result is a declaration of “PNG” (persona non grata) and deportation or an exchange for other spies. 38 The practice of nations with regard to espionage amounts to a tacit acceptance of spying. The activity is not overtly endorsed but rather occupies an ill-defined policy space that permits it to occur without violating international law. There is a general prohibition against violating territorial sovereignty, but as an exception to the rule, state practice does not prohibit spying that might involve crossing international borders without permission. Reflecting this general view, one author summarized, “The law of espionage is, therefore, unique in that it consists of a norm (territorial integrity), the violation of which may be punished by offended states, but states have persistently violated the norm, accepting the risk of sanctions if discovered.” 39 This assertion aptly illustrates the bizarre position espionage holds in the international community. Years of state practice accepting violations of territorial sovereignty for the purpose of espionage have apparently led to the establishment of an exception to traditional rules of sovereignty—a new norm seems to have been created. As cyber activities are frequently akin to espionage, even if conducted for another purpose, perhaps it is not too much of a leap to assert that most cyber activities can also occur without violating territorial sovereignty. As states have begun to use the Internet and other computer capabilities to store, process, and communicate information, the use of cyber capabilities by intelligence agencies around the world has similarly increased.

“Motives for spying [have not] changed in decades. What has changed are the means by which people spy. Cyber spying has accelerated due to increased network speeds and sophisticated chip processing capabilities.” 40 One might think this would mean all nonkinetic national cyberspace operations would be governed by the loose international standards of espionage. Unfortunately, it is not quite so simple. Manipulating cyberspace in the interest of national security began with espionage, but the continuing development of cyber capabilities means it could be used in military operations independent from espionage. Perhaps for this reason, policies and practices governing cyber espionage are more fully developed than those governing official cyber activities undertaken for other reasons. Objectively, there is little rationale for this disconnect, as most military actions in cyber would fall short of a use of force. In fact, many military actions in cyber would be indistinguishable from cyber espionage. On the other hand, in some cases there are important differences between cyber espionage and more traditional means of spying. Surreptitiously entering a foreign country and leaving behind a sensor to collect and transmit intelligence data is one thing. But what if that sensor also contained a powerful explosive that could be detonated from a distance, causing grave destruction? If a government discovered such a device, it would be classified as a weapon of war; that would subsume any thought that it might have been placed during an espionage activity. This second scenario is perhaps more akin to some current cyber espionage techniques. Network accesses and cyber spying capabilities may be just as capable of being used for disruption of systems or deletion of data.
The cyber victim may be left to wonder whether the rogue code it discovers on its network is a tool meant for espionage or attack.

A nation on the receiving end of espionage-like cyber activity (such as illicitly gaining access to a government computer network) has no sure method of discerning the intent of an intrusion and may have little notion of who is behind it. Whatever unauthorized access is gained through nefarious means could be used to collect data, destroy data, or even damage or destroy equipment. “The difference between cybercrime, cyber-espionage and cyberwar is a couple of keystrokes. The same technique that gets you in to steal money, patented blueprint information, or chemical formulas is the same technique that a nation-state would use to get in and destroy things.” 41 Once illegitimate users have access to a network, they can conduct whatever mischief they like, and the software tools used by spies might well be the same as those used by criminals and saboteurs. So, even if the target government could effectively attribute the activity to a certain state, it would not know the “why” of the activity. The nature of cyberspace does not allow for a clear distinction between intrusions for collection means and those of a more nefarious nature. For this reason, it might follow that cyberspace operations that fall below the use of force should be covered by the same broad international law umbrella of “not illegal” that governs espionage. After all, most military cyber activities are more similar to espionage than they are to traditional military action. 42 Conceptually, there is little difference between tip-toeing into an office and stealing a sheaf of papers from a file cabinet and electronically sneaking into a computer to steal a file. There is a significant difference, however, between destroying something and a reversible action temporarily rendering something less functional. In the kinetic realm, few minimally invasive options are available. In cyber, options range from tweaking a single digit to crashing a national power grid.
To treat all cyber activity equally as “attacks” is unreasonable. To facilitate the collection of intelligence, computer code (malware) is planted in government systems. That code, in some cases, can either be used in intelligence gathering or in destructive ways, for example, to hard-break a computer system controlling e-mail at a military headquarters. The system access created for intelligence purposes may also be used to disrupt computer systems at a level well below what would be considered a use of force under international law. Although it might be argued that the intent of the actor controls how a cyber action should be analyzed under international law, this line of argument tends to mix international and national standards of behavior. 43 A person’s intent is key to many criminal charges under national law, yet in the law of war, a nation that feels threatened or as though it is under attack may not be especially concerned with the intent of the offending nation. There is no international legal body to which states can turn to collect evidence and carefully analyze it to determine the intent behind another state’s cyber activity. Neither the International Court of Justice nor other international courts can fill this role. Any evidence that existed would be classified as secret by the actor nation and would be politically sensitive as well. Witnesses would mostly be intelligence officials and politicians. In short, the system bears little resemblance to a national court system, where police officers, official reports, and witnesses may be scrutinized fully over the course of many months to determine intent.

When a state becomes aware of a cyber intrusion, it must decide quickly whether it is a prelude to an attack or “merely” espionage. Even if the victim state were of a mind to inquire about intent, it might not be able to determine the source of the intrusion. Further, it might not want to disclose that it detected the intrusion. The issue of international intent has not been much discussed as it applies under the law of war. That may be because, in the case of kinetic attacks, the intent of the attacking state is generally unambiguous. 44 This sets up an interesting conundrum. If intent does not matter in cyber operations, and only a few keystrokes determine whether a cyber activity will constitute espionage or attack, then any intrusion for collection purposes is potentially a threat or use of force. If that is the case, the UN Security Council could be set for a big increase in business. 45

The international legal system operates under its own rules, which are established by consensus and are fundamentally different than domestic law. The law of war is driven almost entirely by the effect of actions rather than by some sort of “national mens rea.” 46 The intent of an actor taking an action against another state that could be interpreted as hostile is, for practical purposes, irrelevant to the international law analysis.

All this leads back to the current international legal regime governing cyber activities. The question is whether state practice coincides with these norms and whether states are complying out of a sense of legal obligation. Otherwise, it is still the “Wild West” when it comes to behavior in cyberspace.

In general, cyberspace is a permissive regime, analogous to the espionage rule set—little is prohibited, but states can still do their best to prevent others from playing in the arena.
There is also nothing to prevent states from prohibiting cyber behavior with national laws. Specifically, as long as cyber activity remains below the level of a use of force and does not otherwise interfere with the target nation’s sovereignty, it would not be prohibited by international law, regardless of the actor’s intent.

One important caveat is that aggressive cyber activities resulting in kinetic effects (i.e., physical destruction, damage, or injury) are covered by the law regarding the use of force and armed attack. They are kinetic events, governed by the traditional law of war just like kinetic effects caused by more traditional means of warfare. So, for example, a cyber event resulting in the physical destruction of a power plant turbine would be a military attack subject to the same international law governing any other kinetic attack. 47

Although determining exactly what constitutes a kinetic effect is not always simple, this line is as clear as others governing the murky corners of customary law and is clear enough effectively to distinguish cyber attacks from something less. One example of the gray area is a cyber action against an electric power grid that causes it to temporarily cease functioning. Although no actual kinetic event may occur, the reliance of modern societies on electricity for health care, communications, and the delivery of essential services makes it clear this would qualify as a kinetic-like effect and would therefore constitute a military attack if the disruption were for a significant period of time. 48

Turning to areas of cyber operations that do not rise to the level of a military attack, there are few rules. But few is different than none, and some markers appear to have been set on the table to guide international attorneys in assessing the state of affairs.
In 2003, during the months leading up to the invasion of Iraq, the United States planned a cyber operation that would have greatly affected Iraq’s financial system and frozen billions of dollars during the opening stages of the war. 49 Ultimately, US officials chose to forego this option.

Reportedly, this was because they were concerned an attack on one nation’s financial system would affect international confidence in the global financial system, harming the United States and its allies as well as Iraq. So, there is some question about whether they refrained due to opinio juris or out of mere self-interest. In the end, it makes little difference. The financial systems of modern states are inextricably intertwined, more now than in 2003. If any nation’s action would most likely damage the financial systems of many other nations, it seems this type of action would be a violation of customary international law. If for no other reason, these actions would be questionable, as they would be indiscriminate. Financial systems include banking and stock markets, essentially any “high finance” connected to the international financial system. The worldwide recession of 2007–08 demonstrated again how when one of the world’s large economies sneezes, the rest are likely to catch cold. 50

There is some potential counterevidence to this conclusion. In 2011, the NASDAQ reported an intrusion into its computer systems. 51 NASDAQ is an important financial entity, and if shut down, would certainly qualify under our definition as a cyber attack; that is, a cyber activity that is impermissible under international law. In this case, however, it appears the intrusion was detected before any harm was done, and the United States may have decided it was criminal activity not meriting a diplomatic brouhaha, or NASDAQ may have been unable to determine the source of the penetration. This does not affect the conclusion here: large-scale disruption, or destruction, of a nation’s financial institutions qualifies as cyber attack.

It also appears penetration or disruption of nuclear command and control systems is a violation of customary international law.
This assertion is supported by the absence of state practice to the contrary and the abundance of opinio juris regarding the nonproliferation and the monitoring and control of nuclear weapons. 52

Other than these two areas, state cyber activity that falls below the level of a use of force is not prohibited under international law. It may be undertaken, just as espionage is, without sanction from the international community. Some examples of permissible behavior, as demonstrated by state practice, are penetrating and maintaining a cyber presence on government computer systems (including SCADA systems), exfiltration of government data (including the most sensitive military secrets), and denial of service or similar activities that decrease bandwidth available for government websites.

The above is premised on the thought that countries would react if they were attacked. Because all of these things have occurred but not elicited significant recriminations or a self-defense response, the conclusion is they are not attacks. However, those who take these actions in government systems run the risk of misperception that their cyber espionage is a cyber attack.

If they are not armed attacks or uses of force under international law, they are not governed by the customary law of war. As a result, these disruptive cyber activities are governed by the overall customary law regime. As earlier discussed, the customary regime is permissive in the absence of norms, as is the case here. The closest existing analogy is to the rule set governing espionage. Under either the permissive or the espionage regime, disruptive cyber activities undertaken by states are permissible as a matter of customary international law, with the two exceptions (financial systems and nuclear command and control systems) noted here.

Shaping US Strategy for International Cyber Law

Because of its reliance on cyberspace, the United States should consciously craft a strategy to influence the development of customary international cyber law rather than merely observing the development. The best method to do so is through acknowledged state practice. Because of the secrecy involved in many cyberspace activities, few actually influence the development of norms. A prudent examination of US actions—and public disclosure of some—would help establish a baseline for acceptable behavior.

After the United States determines what actions it believes it is authorized to take in cyberspace, it should openly share at least examples of actions it has taken. Further, it should certainly look to the possibility of disclosing actions taken against it. By proposing certain of its own actions as acceptable and recognizing those taken against it as either acceptable or unacceptable, the United States could lead a dialogue on cyber norms, driving toward conclusions that would be beneficial for its national security.

In addition to state practice, the United States should provide releasable government materials stating what it believes are cyber norms. In May 2011 the president released the International Strategy for Cyberspace.
This strategy recognizes that “the development of norms for state conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Long-standing international norms guiding state behavior—in times of peace and conflict—also apply in cyberspace.” 53

In recognizing that certain principles apply to cyberspace activities just as they apply to more traditional activities, the United States provides a basic framework for the cyber norms it expects will develop: upholding fundamental freedoms, respect for property, valuing privacy, protection from crime, and the right of self-defense. Although at this point, the list is more aspirational than actual, it can serve as a framework on which the United States can hang future examples of real cyber behavior by itself and others.

It is important to note that the norms set out in the International Strategy for Cyberspace are not universally recognized as customary international law (except for the right of self-defense). For example, although the strategy discusses fundamental freedoms such as free speech and privacy, it is apparent that particular norm is not followed worldwide. Twitter, which has been an important communications tool for government protestors in many countries, announced that it will restrict certain speech and freedom of expression if it appears to violate a local law by “reactively withhold[ing] content from users in a specific country while keeping it available to the rest of the world.” 54 So, even if the United States does not, Twitter recognizes that not all these things are accepted as norms of behavior worldwide at this point.

The Department of Defense Strategy for Operating in Cyberspace (DSOC) recognizes the same principles and encourages the development and promotion of international cyberspace norms. The DSOC reiterates the International Strategy’s defense objective to “oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors, and reserving the right to defend these vital national assets as necessary and appropriate.” 55 Neither strategy document includes actual examples of what would be necessary and appropriate and leaves it open to interpretation.
While it is helpful to provide the statement that the United States has the right to defend its vital national assets, for the purpose of customary international law it would also be helpful to know what the United States considers as a threat to those assets. On the other hand, the United States may have intentionally left this ambiguity in its international strategy to allow for the flexibility of a relevant response.

Conclusion

In the absence of formal international agreements, cyber custom is beginning to develop through the practice of states. The custom permits most cyber activity that falls below the level of a use of force, with serious actions against major financial institutions and disruptive actions to nuclear command and control systems being notable exceptions. While there has been some movement toward declarations, agreements, treaties, and international norms in the area, the hopeful statements most often heard do not coincide with current state practice. In a practical demonstration of realpolitik, states generally would like to prohibit others from undertaking the same cyber activity in which they are already engaging. The disconnect between practice and public statements creates a poor environment for negotiating international agreements and infertile soil for positive customary law—norms—to flourish. In this case, for better or worse, the default—permissive international law regime—governs. Unless states positively determine that disruptive cyber actions should be treated differently than espionage, this area will continue to be a competitive intellectual battlefield, where the cyber savvy do what they will and the cyber naïve suffer what they must.

This is not necessarily a bad-news story. Recognizing the permissive nature of cyber custom will encourage states to negotiate agreements that moderate behavior in cyberspace.
To negotiate agreements, states will have to address critical cyber issues of attribution and state responsibility. In the long run, negotiated and enforceable agreements governing cyberspace may be a better option than waiting for the necessarily languid development of custom in an area that changes at the speed of thought.

Notes

national Law 95 (2001): 757–91. While it is possible that the Lotus principle could prompt states to attempt to regulate on any matter that could affect them negatively, international law expects that states “may not exercise jurisdiction to prescribe law with respect to a person or activity having connections with another state when the exercise of such jurisdiction is unreasonable.” Restatement of the Law, Third, Foreign Relations Law of the United States, §403, 1987 [hereinafter Restatement].

thousands of years. Egypt had an organized intelligence service 5,000 years ago, and espionage is one of the dominant themes in Sun Tzu’s Art of War 2,500 years ago. Kurt D. Singer, Three Thousand Years of Espionage (New York: Books for Libraries Press, 1948), vii.

of cyber actions makes swift decision making critical, and it is unlikely nations will have the information or the time to consider these factors in the heat of potential battle. Professor Schmitt’s test could be very useful in determining whether a cyber action violated an international norm not predicated on a use of force, such as the principle of nonintervention. See Michael N. Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” Columbia Journal of Transnational Law 37 (1998–99): 885; and The Principle of Non-Intervention in Contemporary International Law: Non-Interference in a State’s Internal Affairs Used to Be a Rule of International Law: Is It Still?, Chatham House discussion group summary, http://www.chathamhouse.org.uk/files/6567_il280207.pdf.

Book Reviews

Critical Code: Software Producibility for Defense by the National Research Council. National Academies Press, 2010, 160 pp., $34.75.

As the title implies, computer software is critical to the mission of the Department of Defense. Hence, the National Research Council (NRC) was tasked by the Office of the Secretary of Defense in 2006 to analyze and make recommendations on all aspects of software development and sustainability pertaining to the DoD.

Specifically, the NRC’s Committee for Advancing Software Intensive Systems Producibility delved into current DoD processes for building or buying software for the vast number of systems—both weapon-related and administrative—used by the military.

The research group, comprised of 14 recognized software gurus from corporate America and renowned American universities, complied with the OSD’s direction to analyze current software producibility in the military and to debunk myths surrounding defense software. Software producibility, as defined by the NRC, is “the capacity to design, produce, assure, and evolve innovative software-intensive systems in a predictable manner while effectively managing risk, cost, schedule, and complexity.” The committee outlined its findings associated with eight software producibility myths and made salient recommendations on what the DoD should do to fix the problems. These myths range from software producibility challenges associated with management and processes to the one that “There is sufficient software research already underway, sponsored primarily by NSF [National Science Foundation] and other basic science agencies to meet the DoD’s software needs.”

In the first chapter, the committee defines the role of software in the defense industry and how the DoD addresses the software needs of the military. One statistic in this chapter readily defines the salient issue of the study—“the percentage of system functions performed by software has risen from 8 percent in the F-4 in 1960, to 45 percent of the F-16 in 1982, to 80 percent of the F-22 in 2000.” This is the fundamental reason why the DoD must examine its current way of handling military software to ensure it is properly designed and implemented. According to the study, the DoD has actually decreased its software producibility in recent years by contracting out production or purchasing “off the shelf” from Microsoft and other software companies, both US and foreign.
Chapter 2 addresses a common belief in the military that commercial off-the-shelf (COTS) software avoids the huge costs of training military members to write software and produce it in-house. It also discusses risks associated with software and how the DoD can manage such risks. The DoD cannot afford to lag behind in this area because its adversaries are constantly looking at new ways to hack into computer systems and writing counter-cyber programs to protect their own IT infrastructures. The only way to beat the threat and accept risks is to “engage experts outside the DoD” to be effective and stay ahead in software producibility. Another issue identified by the NRC is that software is not at a plateau but is growing along with the technology surrounding it. Moore’s Law is alive and well in the software realm and not just relevant to firmware or hardware.

The NRC study stresses the importance of leaders getting involved in the architecture side of software. According to the committee, “Architecture is an important enabler of reuse and the key to system evolution, enabling management of future uncertainty.” It is something that must be managed not only during the first phases of development and employment, but all the way through the life of the system using that software. The DoD must learn from corporate America and use those lessons to aid in mitigating the risks in architecture systems.

Chapter 4 discusses the importance of quality assurance in software, both the defense and civilian systems that the DoD uses. Without quality assurance, all the systems that use millions of lines of code could put the operator in harm’s way and/or cost billions of dollars to fix. Weak software is also a breeding ground for cyber attacks and infiltration by the enemy.
Studies suggest that “overall software assurance costs account for 30 to 50 percent of the total project costs for most software projects.” Software assurance is not an inexpensive endeavor but one that must be incorporated at the start of the software life cycle.

The final chapter “summarizes and recommends technology research areas as critical to the advancement of defense software producibility.” The laundry list varies from DoD influence on academic research and development; to the impact of past investments, challenges, and opportunities for investment; to areas for future research investment.

Overall, the message in Critical Code is very pertinent to today’s interest in cyber security and the software that the DoD uses in ensuring national security.

The text is rather technical and a bit hard to follow at times. However, it is a good read for cyber officers and leaders (both military and civilian) to ensure nothing slips through the cracks and causes catastrophic issues with the myriad of systems in the DoD.

Lt Col Deborah Dusek, USAF
Offutt AFB, Nebraska

Airpower for Strategic Effect by Colin S. Gray. Air University Press, Air Force Research Institute, 2012, 367 pp., available free at http://aupress.au.af.mil/digital/pdf/book/b_122_Airpower.pdf. Commercial version published by Columbia/Hurst, 2012, 288 pp., $55.00.

In this expansive assessment of airpower’s steady rise in salience from its fledgling days to today’s combat involvements, Colin Gray, a prolific strategist of long-standing scholarly repute, has produced an outstanding tutorial for Airmen by addressing the air weapon in the context of what he calls its abiding “strategic narrative” (p. 1). His book is not about the tangibles of airpower—the platforms, munitions, and associated support systems—that make up its hardware ingredients. Rather, it is about how one should think about airpower’s larger meaning and significance.

This important new book begs to be read by airpower’s doers as well as its thinkers—and at all rank and command levels. In explaining why, Gray notes that his intent in writing it was “to contribute to a better strategic understanding of airpower to improve the practice of airpower” (p. 2; emphasis added). Toward that end, he stresses that his purpose was not to indulge in debate over air doctrine but “to help sharpen the ability of readers themselves to engage in such debate” (p. 4)—most notably in the all-important policy arena in which the most intractable cross-service disagreements over roles and resources get adjudicated.

Gray’s central theme is that airpower generates strategic effect. More to the point, he maintains, it is a tactical equity that operates—ideally—with strategic consequences. To him, “strategic” does not inhere in the equity’s physical characteristics, such as an aircraft’s range or payload, but in what it can do by way of producing desired results. From his perspective, a strategic effect is, first and foremost, that which enables outcome-determining results. And producing such results is quintessentially the stock in trade of American airpower as it has progressively evolved since Vietnam.

With this unifying principle as his point of departure, Gray improves on Brig Gen William “Billy” Mitchell’s definition of airpower by characterizing it more helpfully as “the ability to do something [strategically useful] in the air” (p. 9; emphasis in original). He further stresses—as his book’s title well reflects—that only by producing desired effects can airpower’s use in warfare be deemed successful.

In addressing the predominance of today’s low-intensity insurgent challenges, in which kinetic air attacks have largely been overshadowed by ground forces in the starring role, Gray takes a long view of airpower’s relevance and potential by appraising the air weapon in the broader context in which its payoff will ultimately be registered. His survey of airpower’s combat use over time shows convincingly how the relative importance of the air weapon is neither universal nor unchanging but totally dependent on the circumstances of a confrontation.

More to the point here, when viewed operationally, airpower can be everything from single-handedly decisive to wholly supportive of a combatant commander’s needs. Because its relative import, like that of all other force elements, hinges directly on how its comparative advantages relate to a commander’s most immediate concerns, Gray reminds us that airpower need not disappoint when it is not the main producer of desired outcomes. Indeed, he rightly notes, the notion that airpower should be able to perform effectively in all forms of combat unaided by other force elements is both an absurd measure of its value and a baseless arguing point. By misguidedly espousing this point over many decades, airpower’s most outspoken advocates have done their cause a major disservice.

It naturally follows from this, Gray adds, that whenever airpower has been said to have “failed,” it has only been because more was expected of it than it could deliver. After all, any tool can appear deficient if used unwisely or irresponsibly.

In this regard, Gray notes how a long history of overpromising on the part of airpower’s most vocal proponents has needlessly sold the air weapon short for what it is actually able to deliver to joint force commanders today—and not just in high-intensity combat but in all forms of operations across the conflict spectrum.

To be sure, Airmen of action may find it trying at times to remain patient with Gray’s always purposeful but also often discursive walk through the intellectual thickets of airpower theory. In a frank admission of his own appreciation of those readers who will be all too eager for him to get to his point, Gray freely concedes how “theory and theorists often are regarded with disdain by the people ‘out there, doing it,’ when in truth the purpose of the theory enterprise is both to reduce the risks to the warriors and to help make their efforts more useful vis-à-vis the operational goals that are set” (p. 41).

Yet were there ever an instance in which patience should have its rewards for mission-oriented Airmen of action, it is plainly here, for Airpower for Strategic Effect offers an uncommonly thoughtful application of informed intellect to an explanation of how modern air warfare capabilities should be understood. In his last chapter, Gray underscores in this regard the important truth that “airpower theory helps educate airpower strategists,” rightly calling it “theory for practice” (p. 275).

Furthermore, he instructively adds, it “educates those who write airpower doctrine and serves as a filter against dangerous viruses” (p. 276).

At bottom, the purpose of Gray’s treatise is not to extol airpower but to make coherent sense of it by providing informed insights into it and about it that are timeless. For Airmen of all ranks, the greatest value that its appreciation of the air weapon can offer is to help them think more reflectively about their calling and to articulate its foundational principles more effectively in the councils of war planning. For woven throughout the book is a compelling explication of what modern airpower entails in its most inner strategic essence. The ultimate aim of that explication is to improve the real-world practice of airpower by operators at all levels most responsible for its effective use.

Benjamin S. Lambeth, PhD
Senior Fellow, Center for Strategic and Budgetary Assessments
Washington, DC

Chinese Aerospace Power: Evolving Maritime Roles edited by Andrew S. Erickson and Lyle J. Goldstein. Naval Institute Press, 2011, 544 pp., $52.95.

Andrew Erickson and Lyle Goldstein, two prominent China scholars at the Naval War College, fill an important interdisciplinary niche with this book by bringing together an all-star team of authors from both the Air Force and the Navy communities. By no means a light read, Chinese Aerospace Power is in fact a compendium, a compilation of 27 essays authored by an illustrious group including admirals, intelligence analysts, private-sector experts, and former defense attachés.

The fifth volume in a series on Chinese military developments in the maritime arena, the book stands as a stark reminder that China’s rise, while impressive to date, can only be expected to accelerate in coming decades.

Due to the diversity of authors and the range of topics covered, the book does not support any single, overarching thesis. If there is one recurring theme, however, it might be this: Chinese military power is rapidly increasing, and American primacy in the Pacific is threatened as a result. Changes in the balance of aerospace power over China’s littoral waters have far-reaching strategic consequences for American policymakers. This book explains both how and why—in dense detail.

While overall a fascinating read for anyone with a strong interest and/or background in Chinese military affairs, one difficulty with the book stems from the sheer scale of the undertaking. At times the reader is left in something of a fog, having to piece together enormous amounts of highly technical information—a bit like being shown a sky full of stars but no constellations. Admittedly, this is a difficulty common to multiple-author works, whereas authors writing alone or in small teams have the ability to lace a clear thesis throughout even the most complex subject matter. As a result, some information is repeated in Chinese Aerospace Power a bit more than one would like.

Nevertheless, for those who find the technical, even obscure details interesting (this reviewer included), this book is a real treasure trove. The work spans six broad subject areas, each of which has been the subject of considerable literature in recent years: the emerging roles of Chinese aerospace power; the intelligence, surveillance, and reconnaissance (ISR) and counter-ISR capabilities of the People’s Liberation Army (PLA); PLA aerospace strategy; air-launched cruise missiles; ballistic missiles; and the implications of Chinese aerospace power for the US military.

Strategic studies aficionados will find the chapters on strategy and missile development particularly worthwhile. Several authors explain how, properly coordinated, Chinese aerospace power has the potential to vastly enhance antiaccess capacity, pushing foreign forces away from Chinese shores and affording the PLA the strategic depth to turn its energies toward other concerns, such as the “active” side of its doctrine of “active defense.” Paul Giarra, Andrew Erickson, and David Yang excel in addressing one of the key components of China’s emerging antiaccess capacity: antiship ballistic missiles (ASBM), which RADM Eric McVadon, USN, retired, has elsewhere argued could have implications similar to those of China’s first successful nuclear test in 1964 (he reasserts this position in the book’s final chapter).

As several authors persuasively argue, if the PLA can deploy ASBMs capable of hitting moving carrier strike groups (CSG), US Navy power projection calculations in the region could be “upended.” For decades, the heart and soul of US Navy power Forward . . . From the Sea has been the aircraft carrier, in large part because it could move with relative impunity on the high seas.
American carriers, for example, deployed to the Taiwan Strait in 1995 and 1996 as a show of force in defense of Taiwanese democracy; until now, the Chinese government has been unable to counter such a threat. Several authors make a compelling case that this could change in a matter of just years.

Discussion of PLA aircraft development likewise gives one cause for concern.

Pushing the US Navy away from Chinese shores could give the PLA the operational breathing room needed to achieve air superiority over Taiwan. Chapters on PLA Air Force (PLAAF) power share a theme with the ASBM chapters discussed above: the balance is tilting in China’s favor. Fourth-generation fighters now make up approximately 20–25 percent of the 2,000-plus combat aircraft in the PLA arsenal, and that ratio is expected to approach 50 percent in the coming decade.

Backed by the bristling missile defense of the Chinese Second Artillery Corps, Chinese air superiority over Taiwan could be achieved in short order. One of the more concerning takeaways from this book is the limited set of options available to American policymakers. To preserve the balance in America’s favor would be enormously—even prohibitively—expensive. Maintaining a safe distance off China’s coast could soon mean short-range aircraft in US Navy air wings could have little real utility, cruise missiles could lose their efficacy, and Marine Corps amphibious landings “would not be realistic.” Refitting the US fleet would come at enormous cost, which is why in the final chapter, Admiral McVadon argues that the benefits of Sino-American cooperation could soon outweigh the costs. The ultimate takeaway might therefore be this: the era of “rising China” may fast be coming to an end—China is on the verge of being fully risen. Imagine a world 10 years from now. China’s growing battery of nuclear ICBMs has the capacity to reach all corners of the continental United States. American Pacific island bases and CSGs once offering protection to Taiwan now sit within range of a devastatingly large stockpile of missiles in mainland China. Kadena AFB in Japan begins each day confronted by the bleak fact that it could be grounded for a week or more by a Chinese first strike. Fourth-generation PLAAF fighters are on standby, ready to disrupt US efforts to gain air superiority should armed combat erupt near Chinese shores. Any effort to deploy American fourth- and fifth-generation fighters over the Chinese mainland means subjecting them to the world’s most fearsome surface-to-air missile force. In short, Americans are vulnerable at home, the ability of the US military to assert control of the Pacific theater is greatly compromised, and American retaliatory options are limited mostly to long-range missile and bomber strikes. China is now a fortress.
At this point, China announces its new grand strategy: the deployment of carrier groups capable of circling the globe. China’s power surge accelerates. Anyone who finds such a future difficult to imagine would benefit from reading this book. Not only is such a future imaginable, those who read Chinese Aerospace Power may very well come to expect it.

Capt Paul A. Stempel, USAF
Joint Base Andrews, Maryland