High-end cyber weapons and espionage platforms such as Stuxnet and Flame are to cyber power what the Navy SEALs are to the U.S. military — exceptional yet singular. Just as a focus on special operations direct action ignores the bombers, fleets and tanks that give our military its devastating punch, cyber weapons and intelligence collection platforms are only one part of a larger matrix of military cyber power.
In order to create effective policy and strategy, policymakers must first acknowledge that cyber power is part of an ongoing strategic military competition between the United States and nations such as Russia and China. Militarized malware is but one part of a larger cyber power complex that other powers seek to imitate and counter. Only by considering the whole of military cyber power will the United States formulate responses to the expansion of military competition in and over cyberspace.
Beginnings of a Strategic Competition
If we take professor Daniel Kuehl’s definition of cyberspace — in short, a domain “framed by the use of electronics and the electromagnetic spectrum to create, store, exchange and exploit information” — then militaries have been conducting cyberwar since the invention of the telegraph.
Large-scale land warfare in the late 19th century was rooted in the strategic use of telegraph communication to connect large military bureaucracies to operational commanders, and was part of a matrix that enabled distributed campaigns and integration of respective fronts into a common strategic whole. The naval idea of network-centric warfare, as analyst Norman Friedman argues, originated not in the Information Age but in early 20th-century command-and-control technologies that allowed the British Navy to take a common operating picture-based approach. In the late Cold War, the United States, aiming to build military systems to “expand the battlefield” and counter the Soviet quantitative conventional advantage, invested in a set of military technologies that would make conventional weapons approach the destructiveness of tactical nuclear weapons.
But cyberspace is not just a method of enabling military force. One can also exert military power through cyberspace as well. Electronic warfare and computer network operations both target, in different ways, a military force’s ability to employ cyber power on the battlefield. Countervalue targeting — taking aim at assets that are not strictly military threats — through computer network operations is also possible as a means of political coercion. Very little about these methods is new. Electronic countermeasures have been routinely used in a host of military missions and episodes of civilian hacking date back to the 1970s.
Though supposed information superiority did not do away with the fog of war or make victory inevitable, American use of cyberspace for military operations and information attacks on enemy platforms helped the United States intervene in regional crises across the globe with relatively small military forces. Trading mass for information superiority is a peculiarly American tendency rooted in elements of U.S. strategic culture, just as the umbrella term “blitzkrieg” simply denotes technological and doctrinal enhancements to existing Prusso-German ideas about war, strategy and command.
Network-centric warfare is a paramount example of how cyber-enabled military operations merged with mainstream tenets of American strategic culture. Adm. Arthur K. Cebrowski and his collaborators married technology with an expansive geopolitical vision of American ability to determine “rule sets” in an international system that he judged to be imperiled by information-technology-enabled regional actors. Network-enabled force and flexible logistics would help the United States contain the damage from such actors, spread globalization’s connectivity to disconnected regions and deter new conflicts. These geopolitical ideas, while wrapped in metaphors from systems science and economics, are at their core very much rooted in a traditionally American brand of liberal internationalism. The United States does not trust a balance-of-power system abroad to create national security, and thus has historically sought the military capability to create favorable regional, national-level and substate political outcomes.
American military hegemony, coupled with a penchant for cyber-enabled regional intervention, is what is driving adversaries’ search for countermeasures. A military competition is underway over military cyber power.
Structure of Military Competition
Military competitions are an analytical tool developed by Andrew Marshall and others associated with the Office of Net Assessment for examining a long-run peacetime conflict between two states to master a specific area of military importance. Military competitions have occurred over nuclear forces, precision strikes, space, warships and other important aspects of military operations. Crucial to understanding the dynamics of military competition is a holistic analysis that incorporates doctrine, socio-bureaucratic dynamics and other “soft” factors, as well as technical considerations. Military competitions are not necessarily won or lost, but states can gain an ability to compete in a manner that is not only efficient but also achieves desired strategic effects.
Military competitions are informed by war plans but aim to achieve peacetime objectives. A military competition can dissuade a state from certain regional defense strategies if they are made tactically or operationally untenable. Successfully competing in a military competition in one area can have second- and third-order effects on the other. For example, a recent Center for Strategic and Budgetary Assessments paper has looked at the American development of the B-1 bomber as a means of pushing unsustainable costs on Soviet air defense networks.
In 1991, the rapidity and perceived ease with which the United States demolished the Iraqi Army shocked Russia and China. To counter the United States, other states are investing in information warfare capabilities — electronic warfare and computer network operations — to try to retard the American ability to use cyberspace for military operations. These strategies mesh with existing usage of anti-access and area denial weapons and counterspace capabilities, the employment of special operations and airborne units, and other similar low-cost/high-value tools. Unlike many in the U.S., Russia and China do not see cyberwarfare tactics and operations as standalone strategic methods.
China’s information warfare theory and doctrine is well-known, although disputes remain in military circles as to the extent of Chinese preparations and doctrinal purity. Chinese strategists contemplate attacks on military and civilian infrastructure in concert with deception operations and conventional weapons. The Russians have developed a similar set of ideas and doctrine rooted around concepts of reflexive control, which employs integrated deception and cyber operations. Both states maintain military and intelligence structures for employing information warfare but also have a murky relationship with patriotic hackers and cyber criminals who engage in espionage and political subversion.
Espionage, rather than cyberwarfare, is a more near-term concern for the Defense Department. Foreign hackers routinely compromise civilian and defense networks, although their connection to state organizations often is less than perfectly clear. While one might be tempted to dismiss these developments as unrelated to kinetic cyberwarfare activities, a closer look reveals a more solid connection. Timothy L. Thomas and others have pointed out that “long-range cyber reconnaissance” can be used to gain crucial military information and possible target intelligence for employment of cyber weapons either during geopolitical crises or the initial period of war. Some cyber tools such as the Flame virus are also dual-use, programmed to both degrade systems and collect intelligence information.
Chinese and Russian exploitation of cyberspace, however, is not solely limited to information warfare. Rather, both states have also attempted to “informatize” their own armed services. Informatization in Chinese and Russian military doctrine should be understood as a structural integration of modern information technology with existing and future military platforms. Chinese military writings in particular portray “informatization” as the digital equivalent of motorizing land armies in the interwar period.
Having witnessed U.S. military operations routed through sophisticated command-and-control systems and U.S. weapons guided by space operations, Russian and Chinese military forces have sought to mimic American organizational, technological and doctrinal methods. Whether they will achieve such innovations is another matter entirely. The Russians seek defense reforms to enable a smaller and more agile military, but face formidable institutional opposition. The Chinese have developed battle networks for joint operations, although command-and-control problems persist and many of their most fearsome weapons are either mostly aspirational or have never been tested in wartime conditions.
Other states and nonstate actors pursue information warfare capabilities and means of exploiting cyberspace for powerful conventional weapons. North Korea and Iran are building up hacking and electronic warfare capabilities to counter the West and target their neighbors. North Korea has executed cyber attacks against South Korean civilian targets and jammed air traffic communication, and Iran claims to have used electronic warfare to down an American spy drone in December. Nonstate actors are engaging in what former Israeli Defense Forces commander Itai Brun judges “The Other Revolution in Military Affairs,” using cyberspace as a medium for distributed operational command-and-control, communications, sensor networks and propaganda. The proliferation of precision-strike weapons predicted by many military analysts may add a kind of primitive nonstate reconnaissance-strike complex to this mixture of cyber-enabled tactics and operations.
Against the backdrop of adversarial efforts to exploit and attack through cyberspace, the U.S. aims to lock in its existing advantages. Despite periodic calls for cyber cooperation and norms, the U.S. has elected to avoid placing significant restraints on itself and resists attempts to limit its freedom of action.
But while the U.S. currently exercises substantial cyber power, it also has extensive weaknesses. American critical infrastructure, operated mostly by the private sector, suffers from known flaws and, in all likelihood, unknown zero-day exploits. While the government has created initiatives over the last 15 years to secure its infrastructure, it has also strongly indicated that it would reserve the right to respond both in and out of cyberspace. The U.S. has always leveraged multiple operational domains, and a cyber attack judged to be an “act of war” would be no exception. What began in cyberspace certainly would not stay in cyberspace.
Cybersecurity, while overlapping with cyberwarfare, should not be unnecessarily conflated with military efforts. As Samuel P. Liles has argued, information hygiene issues are important but differ substantially from military efforts in the way that the Navy SEALs cannot really be compared to Wackenhut private security guards. But should adversaries execute countervalue attacks, the first responders will be civilians instead of the military. The private sector will be an extensive — if not the dominant — civilian target, and the Stuxnet malware that targeted Iran’s uranium enrichment facility has demonstrated that infrastructure attacks will be a regular part of cyber conflict. But the purpose of these attacks is not simply to watch America burn. Rather, they will be part of integrated strategies to achieve political goals. At a certain level of severity, attribution could be overrated. Attackers may have an interest in letting the U.S. know precisely who has hit them in order to coerce American policymakers, and policymakers may regardless make decisions based on imperfect information rather than agonizing over perfect attribution.
Dynamics of Competition
At first glance, U.S. investment in cyber weapons may be disruptive to international order. Such opinions have been frequently voiced in the aftermath of New York Times reporter David Sanger’s revelations about alleged U.S. and Israeli authorship of Stuxnet. But this point of view ignores the threat assessments of adversarial nation-states and substate actors that see the whole of U.S. military cyber power as a threat. American computer network operations have not killed anyone, but American military cyber power enables destructive conventional weapons. Schemes to create stability in cyberspace through treaties that focus exclusively on computer network operations — presuming they would be enforceable — would not remove the real factors driving military competition.
From the American perspective, investment in cyber weapons helps sustain an already powerful American lead in military cyber power and deters other states with military forces targetable either through cyberspace or by cyber-enabled force. In addition to the military dimension, cyber power also provides new means of covert action, espionage and statecraft. Finally, the history of U.S. military operations in operational domains and American policy surrounding international protection of commons — including cyberspace — suggests that the U.S. will not readily allow other powers to restrict its freedom of action.
The United States does not want adversaries to achieve parity in the employment of military cyber power, but it will have to create a strategy for efficient competition if it seeks to continue its present course. A strategy for competition would have several components: knowing what operational “markets” are important to invest in, minimizing costs and understanding the components of adversary power. The U.S. should begin any competition with realistic expectations. No one is going to be able to achieve “information superiority” in cyberspace. Barriers to entry, whether in the form of computer network operations or “informatized” conventional battle networks and precision-guided weapons, are falling. Rather, the United States can use military power — and not just military power — to influence how other states employ the operational domain of cyberspace to create tactical, operational or strategic effects or attack through cyberspace.
For example, the United States substantially invested in network-enabled operations over the last few decades. Other powers can use a variety of means — from computer network operations to targeting orbital intelligence systems — to deny or degrade the use of cyberspace to U.S. military forces. American critical infrastructure can also be attacked through cyberspace. But complete control over state use of cyberspace is impossible. Take spying, a perennial concern of American cyber policymakers. Networks can be hardened and counterintelligence can be used, but stopping cyber spies is just as much of a lost cause as totally foiling more traditional forms of espionage.
Cyber power strategy also must be based on holistic comparison between U.S. and adversary capabilities for cyber-enabled operations, computer network attacks, and general potential for translating state and commercial information technology into military power. Focusing on any one element of military cyber power at the expense of the others will give a false picture of a state’s strengths and weaknesses in cyberspace. The use of cyber attacks for covert operations can provide a test bed for thinking about cyber operations, but it is important not to draw the wrong lessons. Covert operations and espionage are meant to be kept secret and occur over long timeframes. Operational cyberwarfare will likely be much more fast-paced and used to coerce adversaries, not steal from them or covertly attack their infrastructure. Policymakers also may be tempted to use computer network operations for brinksmanship and coercive diplomacy, adding a digital component to the escalation ladder.
With Stuxnet and Flame now exposed to coders, we are likely to see a process of reverse-engineering that mirrors the general process of military adaptation and diffusion sparked by the global information technology revolution in military affairs. But in order to create effective policy and strategy, it is first necessary for policymakers to acknowledge that a competition exists and goes far beyond militarized malware. Only by considering the whole of military cyber power will the United States formulate responses to the expansion of military competition in and over cyberspace. AFJ