James Torrence
Cyberspace is the newest domain of warfare.[1] In cyberspace, the attacker has the advantage over the defender.[2] Cyberspace is unique because it “offers state and non-state actors the ability to wage campaigns against American political, economic, and security interests” without requiring a physical presence.[3] The 2017 United States National Security Strategy says that “America’s response to the challenges and opportunities of the cyber era will determine our future prosperity and security.”[4] However, in the 2006 United States National Security Strategy, the word “cyber” is mentioned one time in parentheses.[5] The rapid rise of cyber from not being a part of the National Security Strategy to a determinant of American prosperity and security means that policymakers have little or no experience developing cybersecurity strategy. To develop an effective foundation for the creation of cybersecurity strategy, cyber policymakers must learn from a historical example when a new domain of warfare, rapidly evolving technology, and an environment dominated by the offense presented challenges to conventional defense.
The air domain following World War I and World War II (with the advent of nuclear weapons) serves as an example of a new domain with evolving technology that did not have any precedent from which policymakers could learn. Like cyberspace, the air domain represents an area impossible for the defender to completely cover, which creates opportunities for the attacker and difficulty for the defender. Italian air power theorist Giulio Douhet’s work was the foundation of air power theory following World War I, and American military strategist Bernard Brodie developed the foundation of nuclear air power strategy during the Cold War. Analysis of Command of the Air by Douhet and Strategy in the Missile Age by Brodie can inform the cyber policymaker about offensive and defensive strategy in a new domain with an environment favoring the offense.
Command of the Air and Lessons for Cyber Policymakers
Douhet argued that it was impossible for “a determined aerial defense” to reduce “the force of eventual aero-chemical offensives against our country to a point where they would be unimportant and not dangerous to its safety.”[6] According to Douhet, effective aerial defense was not “practically possible to bring into existence.”[7] Douhet vehemently asserted the ineffectiveness of aerial defense because of the finite amount of money and resources available to guard against the near-infinite amount of space in the sky the attacker could occupy.[8] The aerial advantage, in Douhet’s theory, was with the attacker who could always find a weakness in a defender’s aerial defense. When two nations compete for air supremacy, Douhet said:
If two nations, A and B, have equal aerial resources, and A uses all of them offensively while B uses all of them defensively, B automatically and gratuitously ensures A against any aerial offensive but does not ensure itself against an offensive from A. Consequently, B plays into the hands of A, and does not defend itself either.[9]
Douhet’s argument about equal aerial resources favoring the attacker mirrors the current situation in cyberspace where “if both the attacker and defender are given equal resources, the attacker will prevail” and that a defender trying to “defeat all attacks” will invest more resources than an attacker.[10] Douhet’s conclusions regarding how a country should approach the allocation of aerial resources in an offense-dominated environment with emerging technology create learning opportunities for cyber policymakers.
Douhet claimed that “much larger forces are needed for defense in the air than for offense”[11] and that “the sky cannot be cut up into sections just to please an aerial defense or an auxiliary aviation.”[12] Because he regarded aerial defense as impossible, Douhet argued that “the most practical and realistic way of preventing enemy planes from coming over and bombing us is to destroy them.”[13] Furthermore, Douhet claimed that the destruction of enemy aviation assets must occur in enemy territory before they can get into the air.[14] Douhet argued for proactive offensive measures in enemy territory to effectively defend against an aerial offensive. A proactive offensive attack that must occur in enemy territory directly correlates to Defensive Cyber Operations – Response Actions (DCO-RA). In the United States Army War College’s 2016 Strategic Cyberspace Operations Guide, there is a definition of DCO-RA that involves defense measures external to the Department of Defense Information Networks (DODIN):
DCO-RA are those deliberate, authorized defensive actions which are taken external to the DODIN to defeat ongoing or imminent threats to defend DOD cyberspace capabilities or other designated systems. DCO-RA must be authorized in accordance with (IAW) the standing rules of engagement and any applicable supplemental rules of engagement and may rise to the level of use of force. In some cases, countermeasures are all that is required, but as in the physical domains, the effects of countermeasures are limited and will typically only degrade, not defeat, an adversary's activities.[15]
Douhet’s airpower theory advocated pre-emptive strikes to defeat the enemy force in a resource-constrained environment with a domain impossible to defend completely. Cyber policymakers must learn, when appropriate, how to defeat adversary cyber capability at its point of origin so that a cyberattack does not make its way into cyberspace where it is nearly impossible to defend. Douhet’s airpower theory only helps cyber policymakers with understanding potential opportunities for the offense but does not provide any solutions for defense in an offensive-dominated domain. With legal and ethical constraints, pre-emptive attacks are not always possible and thus necessitate that the cyber policymaker understand how to approach the defense in an environment advantageous to the attacker. Bernard Brodie’s Strategy in the Missile Age focuses more on defense and reveals more lessons for the cyber policymaker.
Brodie’s Strategy in the Missile Age & Lessons for the Defense in Cyberspace
Unlike Douhet, Brodie advocated for a defensive strategy in the air domain. Brodie claimed that military officers (like Douhet) “are trained to be biased in favor of the offensive, much as ordinary persons are trained to be biased in favor of virtue.”[16] Furthermore, Brodie said: “the bias toward the offensive creates special problems in any technologically new situation where there is little or no relevant war experience to help one to reach a balanced judgment.”[17] Brodie’s analysis of the air domain with the inclusion of nuclear weapons directly applies to cyberspace where there is no relevant war experience to help cyber policymakers reach a balanced judgment. Brodie cautioned that “in considering the problem of strategic air defense, then, we must be prepared to find the military selling the defense short.”[18] Brodie reinforced the merits of the defense and argued that “the value of armor has been proved in naval engagements over the previous eighty years, especially at the Battle of Jutland in World War I, but that of antiaircraft guns on ships had not been similarly demonstrated.”[19] The argument Brodie made about armor proving effective in the past is a direct criticism of Douhet meant to reinforce Brodie’s point that defense can be effective in an offense-dominated environment.
Brodie argued that policymakers should never lose sight of the “importance of the security of the retaliatory force.”[20] In Brodie’s work, he claimed that the first attack is not the most important piece of defense strategy, but rather the health of the retaliatory force; if the attacker knows that he cannot effectively eliminate all the defender’s nuclear weapons, it will deter him from attacking for fear of suffering a retaliatory strike.[21] Cyber policymakers must also take into account the importance of a cyber retaliatory force. A United States decision to launch an offensive cyberattack (with no or little focus on defense) could leave the United States susceptible to a retaliatory attack if the attack does not successfully defeat all adversary cyber capabilities. But, if the United States can develop defensive measures that ensure a cyberattack against its infrastructure would not render it incapable of retaliation, then it could deter malicious actors from attacking in the first place. Brodie’s final point on the defense was that:
Americans have to face the fact that if total war comes for any reason other than our deliberately choosing it in advance of special provocation (obviously an unlikely eventuality), the chances are high that we will receive rather than deliver the first blow.[22]
Though Brodie was writing about nuclear war, his argument still holds with cyberattacks; because of legal restrictions and moral considerations, it is likely that the United States will receive rather than deliver the first blow in a cyber war which necessitates a focus on defense. Cyber policymakers must learn from Brodie and think through defensive cyber measures instead of dogmatically adhering to an attack-first doctrine.
Conclusion
Both Brodie and Douhet make points from which the cyber policymaker can learn. Douhet emphasizes the need to defeat aerial attacks at the point of origin, which necessitates striking in enemy territory. There are times when the United States will need to pre-emptively attack in cyberspace to defend itself. But pre-emptive attacks are not the only part of a cyber strategy. Brodie cautions that the bias towards the offensive can blind strategists to the merits of a defensive strategy focused on protecting a retaliatory force. Cyber strategists must also account for defense of infrastructure that will afford the United States the ability to survive a cyberattack and have enough operational systems to retaliate. Cyberspace is a new, borderless domain with constantly evolving technology. Cyber policymakers must learn from analogous historical examples and thinkers like Douhet and Brodie to develop a foundation from which they can create a more secure cyber environment.
End Notes
[1] Christos Athanasiadis & Rizwan, Ali, Cyber as NATO’s Newest Operational Domain: The Pathway to Implementation, Cybersecurity: A Peer-Reviewed Journal, 1(1), Summer 2017, 48-60, accessed January 26, 2018, http://www.ingentaconnect.com/content/hsp/jcs/2017/00000001/00000001/art00006 .
[2] Department of Defense, “The Department of Defense Cyber Strategy,” defense.gov, April 2015, accessed September 1, 2017, https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf , 10.
[3] United States, and Donald Trump, National Security Strategy of the United States, accessed December 30, 2017, https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf , 12.
[4] Ibid.
[5] United States, and George W. Bush, National Security Strategy of the United States, accessed December 30, 2017, https://www.state.gov/documents/organization/64884.pdf .
[6] Douhet, Giulio, and Dino Ferrari, The Command of the Air, (Washington, D.C.: Air Force History and Museums Program, 1998), 239.
[7] Ibid., 239.
[8] Ibid., 237.
[9] Ibid., 241.
[10] Andrew Krepinevich, Cyberwarfare: A Nuclear Option?, csbaonline.org (Online Monograph published August 24, 2012), accessed August 27, 2017, http://csbaonline.org/research/publications/cyber-warfare-a-nuclear-option/publication , 84.
[11] Douhet, Giulio, and Dino Ferrari, The Command of the Air, 239.
[12] Ibid., 241.
[13] Ibid.
[14] Ibid., 239.
[15] United States Army War College, Strategic Cyberspace Operations Guide, accessed December 7, 2017, https://www.csl.army.mil/usacsl/Publications/Strategic_Cyberspace_Operations_Guide_1_June_2016.pdf , 17.
[16] Bernard Brodie, Strategy in the Missile Age (New Jersey: Princeton University Press, 1959).
[17] Ibid., 175.
[18] Ibid., 176.
[19] Ibid., 176.
[20] Ibid., 285.
[21] Ibid.
[22] Ibid., 176.