By Krisjand Rothweiler
It seems a common idea in current thinking that the challenges we must deal with in today’s security environment, particularly those related to information and cyber warfare, are somehow new and different from challenges in the past.[1] A single actor can have an outsized impact through digital technology, and state-sponsored information warfare appears nearly unstoppable. However, while the tools and impacts are perhaps novel, the theme of these challenges appear to have a familiar ring. In reading the thoughts and words of General Thomas S. Power, third commander of Strategic Air Command and successor of General Curtis LeMay, on deterrence, nuclear warfare, and strategic planning, I began to realize the adversaries of today are still human, and the threats of today may not be so conceptually different from those of the Cold War. By looking back at how a previous generation of strategists considered and communicated their strategic challenges in context, we may be able to gain insights into how to address these modern threats. 21st Century Power: Strategic Superiority for the Modern Era, a contribution to the 21st Century Foundations series from the U.S. Naval Institute Press edited by Brent D. Ziarnick, is a useful resource toward that end.
During the Cold War, two theories about the mechanics of nuclear deterrence dominated and also seem appropriate when discussing cyber: the theory of mutual assured destruction, in which both/all parties attack in hopes of surviving but neither side truly benefits due to the amount of devastation, and the theory of escalation control, which requires that rational actors weigh the use of a particular weapon against the anticipated benefits and each side attempt to make the benefit for the other as small as possible.[2] While developed for nuclear warfare, mutual assured destruction may translate to cyber warfare with the same assumptions (though different targets); if a state were to attempt widespread destruction of another, the retaliation could be equally as damaging, so any engagement in nuclear war would result in destruction of both the adversary and the initiating state. However, unlike nuclear warfare, cyber-attacks of the same caliber as nuclear attacks are difficult to conduct, have uncertain probability of success, and in certain situations harm the attacker or bystanders as much as the target (such as in a broad attack on financial systems or the consequences of STUXNET).[3,4,5] For these reasons, while MAD may have some applicability to cyber, it is not a comfortable fit.
On the other hand, the escalation control/dominance theory championed by Herman Kahn, in which a nation may engage in nuclear war if the benefit outweighs the cost, translates much more easily to the context of cyber warfare.[6] Moreover, just as with nuclear warfare, escalation control theory appears to have greater practical application when it comes to actual strategic planning. Unlike MAD, escalation control/dominance has both offensive elements (to cause destruction of the adversary) and defensive elements (to limit the amount of destruction the adversary can cause, thus reducing the benefit).[7] At the time General Power was the commander of Strategic Air Command in the 1960s, escalation control theory was the least popular within government, though the one most closely subscribed to by Power in practical application.[8] For Power, having the best offense and defense in the contest equated overwhelming superiority and the ability to control the playing field of nuclear warfare, a point emphasized in Chapter Three of 21st Century Power in General Power’s testimony before congress against ratifying the 1963 Limited Test Ban Treaty. As the editor states, “This requires today’s strategists to return to a consideration of the operational elements, how to conduct nuclear and strategic bombing, as opposed to the purely theoretical elements of deterrence that have been studied for decades.”[9] The same point, that the U.S. government needs a combination of offense, defense, and messaging (to the U.S. population and the adversary) is true for cyber warfare.
Herman Kahn (Thomas J. O'Halloran/U.S. News and World Report/Wikimedia)
Khan’s ideas of escalation control, embodied in Power’s word and actions as outlined in chapters one and two of 21st Century Power, are instructive for making policy and military strategy for cyber warfare.[10] Pairing a highly capable and ready offense with a deliberate defensive posture, both of which can be selectively demonstrated, to provide deterrence against adversaries and reassurance to the population is a formula for controlling escalation.[11] From 1946 to 1992, Strategic Air Command was responsible for the offensive and certain passive defensive portions of nuclear war. By placing both attack and passive defenses (or protection measures) under one umbrella, Strategic Air Command was able to coordinate the attack planning and survivability of their assets and optimize the force to conduct an effective battle. As the proponent for strategic offensive nuclear capability (minus the submarine force and tactical Army capabilities), Strategic Air Command ensured its crews were operationally ready, highly proficient, and survivable in the event of attack. This was done through training, drills, and testing; all of these were observable by potential adversaries, leading, in theory, to a deterrence effect.[12] On the defensive side, Strategic Air Command had control of facilities and basing for its missile and bomber forces. In an article for Air University Quarterly, General Power described how bases were protected actively through local security (anti-missile air defense was the purview of the Army) as well as the passive defensive measures of dispersal and hardening: “The primary purpose of dispersal is to extend the enemy’s target system to the point where it exceeds capacity for destroying our...force.” This is a classic example of escalation control where the U.S. control of dispersion is used to offset the Soviet control of volume of fire/warhead size.[13]
“OUR MILITARY FORCES REPRESENT DETERRENT CAPABILITY ONLY TO THE EXTENT TO WHICH THEY ARE USED FOR THAT PURPOSE BY THE CIVILIAN AUTHORITIES.”
To put this same level of central control into cyber is simultaneously more challenging and also a requirement to be effective. With cyber warfare, the segment of a society actively engaged in either offense or defense is much broader than in a nuclear war. Networks are owned and maintained by private and foreign entities. Potential targets include non-military sectors such as banking, infrastructure control (such as the New York dam controls attacked by Iran in 2013), and other decentralized items of critical necessity to daily American life.[14] By this reasoning, specific cyber targets already enjoy a sort of passive defense through disaggregation, yet this also complicates the control and active defense of critical capabilities that keep the nation running.[15] Despite the establishment of U.S. Cyber Command in 2009, the United States has wrestled with how to integrate military cyber activities in the larger context of signals intelligence and operations, previously the sole responsibility of the National Security Agency.[16] in 2018, U.S. Cyber Command became its own unified command, led by the same military officer who heads the National Security Agency. This elevation and dual-hatted leadership may help ensure seamless operation, but only among military efforts. However, as General Power wrote in 1960, “Our military forces represent deterrent capability only to the extent to which they are used for that purpose by the civilian authorities.”[17] In the current day, when cyber threats extend beyond military or even government targets to public and private civilian targets, we must even go further to include “civilian forces” as so many U.S. entities have their own defensive capabilities against threats in cyberspace. Therefore, the civilian authorities General Power refers to, the U.S. federal government, must find a way to bring together public, private, civilian, and military capabilities to deter, confront, and counter threat actors.
President John F. Kennedy at the Command Post during a tour of Strategic Air Command Headquarters, Offut Air Force Base, Nebraska, December 1962. (John F. Kennedy Presidential Library.)
This requirement to bring public and private sectors together relates to another salient point from 21st Century Power: communicating strategy and policy in terms that can be understood by the citizenry. As commander of Strategic Air Command, Power felt it was his duty to speak not only to his Airmen and to Congress, but also to the citizens of the country as the premier advocate for deterrence. In seven years leading Strategic Air Command, General Power is recorded as having been invited to speak to over a thousand civic groups from around the country in an effort to inform the population on, as he saw it, a vitally important mission they should be aware of as participants in society. Furthermore, he did not simply brief the visitors, but “offered his visitors a very down-to-earth and plainspoken discussion on what he saw as SAC’s mission and importance to the country and the free world.”[18]
Who, in our current struggle with cyber security, is openly engaging the population for the U.S. military or any other strategic area? Strategic commanders are aware of the media outlets for informing the public, particularly social media, but these come across to me as canned and tend to be particularly single-direction information sharing. In Chapter Four of 21st Century Power, Ziarnick describes General Power’s exchanges with the citizen groups he invited to visit the Strategic Air Command headquarters as candid, engaging, and distinctly more relaxed than the carefully scripted testimony provided to the Senate.[19] The lack of publicity regarding invitational visits by average citizens to engage with and understand strategic cyber issues (or any other strategic issue) both misses an opportunity to inform the citizenry and suggests the U.S. government’s strategies in the realms of cyber and information are not refined enough to explain plainly. This final leg of the chair--a clear and relatable strategy championed by engaging leaders speaking directly to the people it is meant to protect--is probably the most salient element of security leadership that we can learn from General Power and his experience leading during the Cold War.
For the modern strategist, including those looking at newer strategic challenges such as cyber security, 21st Century Power: Strategic Superiority for the Modern Era provides several points to consider drawn from complex problems of the past. How to conceive the struggle for a domain, the inclusion and balance of offense and defense, unity of control/commonality of purpose, and the importance of civic engagement in relating strategic messages to a larger population are areas which are informed by the experiences of General Power. These are also areas in which the policy and military strategy could improve, though particularly in the area of cyberspace as civil society has a greater stake in ensuring its security as compared to the government, than any other domain which the U.S. is threatened.
Krisjand Rothweiler is a U.S. Army officer assigned to the U.S. Army War College. The views expressed in this article are the author's and do not reflect the official position of the U.S. Army, the Department of Defense, or the U.S Government.
No comments:
Post a Comment