Can Lessons from the Nuclear Experience Provide Answers in Cyberspace?

CYBER WEAPONS AND NUCLEAR OPTIONS: CAN LESSONS FROM THE NUCLEAR EXPERIENCE PROVIDE ANSWERS IN CYBERSPACE?

GEORGETOWN UNIVERSITY

A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF HONORS IN SCIENCE, TECHNOLOGY, & INTERNATIONAL AFFAIRS, EDMUND A. WALSH SCHOOL OF FOREIGN SERVICE, , SPRING 2013.

JAYANT GANDHI – CLASS OF 2013

THESIS ADVISOR: PROFESSOR MATTHEW KROENIG

ABSTRACT

Cyber security is one of the latest hot button issues to affect the national security of states across the world. The new technology has yet to be readily placed in any established military doctrine, but there has been a clear preference of how strategists and policy makers desire to treat cyber weapons.

Nuclear weapons, and more specifically nuclear deterrence, represent one of the greatest policy issues of the 20th century with regard to international security. The success of deterrence in preventing not only the use of nuclear weapons, but also the outbreak of war between the major nuclear powers is seen as a major triumph. Modern policy makers look at this success and seek to emulate it in the cyber realm. This has caused the necessary comparison of cyber weapons to nuclear weapons to be made over and over. Arguments have been made on both sides as to whether or not cyber deterrence is possible, but little time has been spent looking at the basis of this discussion: are cyber and nuclear technologies comparable?

This paper goes through the early histories of each technology and explores their technical characteristics in order to fully understand the foundations of this analogy. From that analysis of the comparison a coherent portrait of what cyber deterrence really means begins to appear. Cyber and nuclear weapons share more similarities than one would expect; some are expected and some are surprising. Their differences, while fewer in number, are not trivial and this paper seeks to highlight the importance of understanding these differences when utilizing an analytical tool like analogy.

Historical analogies can be dangerous traps that tempt policy makers into incorrect judgments. Analysis of the analogy itself is the only way to be sure that the logic being used in this discussion of cyber deterrence is sound. In the end, this paper concludes that the analogy is a useful one and that there is a possibility for cyber deterrence, even if it may prove difficult.

TABLE OF CONTENTS

1. Introduction

2. Historical Analogies: Useful Tool or Dangerous Trap?

3. A Brief History of Nuclear Diplomacy and Strategy

4. A Brief History of Cyber Diplomacy and Strategy

5. The Similarities of Cyber and Nuclear

6. The Differences of Cyber and Nuclear

7. Cyber Deterrence?

8. Conclusions

9. Appendix A: Cyber Timeline

10. Appendix B: Glossary of Terms

11. Works Cited

INTRODUCTION

For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled.
-Richard Feynman

The above quote from renowned physicist Richard Feynman very aptly explains the relationship between technology and the way we think about it. Nowhere does this aphorism ring truer than in the realm of cyber technology and thought. The current thought on cyber strategy attempts to draw many parallels between it and nuclear strategy at the advent of nuclear weapons. But we cannot let public thought take precedence over reality.

It took a long time for cyber security to be taken as a serious threat to national security in the . 1 This was not caused by lack of knowledge of the threat, but because it was not perceived to be a pressing issue. There were many who pointed out the impending cyber threat, but the lack of any major cyber-attack created a “boy-who-cried-wolf” effect, creating a sense of distance and false security. But as Richard Clarke and Robert Knake point out in their book Cyber War: the Next Threat to National Security and What to Do About It, this does not invalidate the realities:

Sometimes the boy who cries wolf can see the wolf coming from a lot farther away than everyone else. The Joint Security Commission of 1994, the Marsh Commission of 1997, the Center for Strategic and International Studies (CSIS) commission of 2008, the National Academy of Science commission of 2009, and many more in between have all spoken of a major cyber security or cyber war risk. They have been criticized by many as Cassandras, the type of people who are always predicting disaster... It is worth remembering that, despite the bad rap she gets, Cassandra was not wrong about her predictions; she was simply cursed by Apollo never to be believed. 2

1 I will take this time to issue the disclaimer that the author of this paper (myself) is an American writing at an American University and therefore the contents of this paper will be somewhat skewed towards the American story due to more information being readily available. I have done my best to cover all the relevant sides, but I feel it is important the reader is aware of this.

2 Richard Clarke & Robert Knake, Cyber War: the Next Threat to National Security and What to Do About It, HarperCollins 2010, p.135-6

Now cyber security has become a major talking point of heads of state and those in charge of national defense across the globe. The US cyber doctrine since 2003 has stated that “the Nation will seek to prevent, deter, and significantly reduce cyber-attacks by ensuring the identification of actual or attempted perpetrators followed by an appropriate government response”. 3 Strategists are eager to place cyber within the preexisting strategy of deterrence developed during the .

It is not an unreasonable goal to try to figure out whether a cyber deterrence strategy can be developed. The avoidance of war is always preferable to the fighting of it. But will a strategy that was thought up for and tailored to a specific technology translate to a new one so easily?

There has been a lot of debate back and forth about whether or not cyber deterrence is feasible, but the majority of the discussion has taken a retroactive approach: taking the ideas of nuclear strategy and attempting to adapt them to cyber. This paper seeks to reverse that thinking by looking first at the exact characteristics of nuclear technology that allowed the formulation of those specific strategies and then figuring out what lessons (if any) can be taken and adapted to cyber.

It is only by comparing the two technologies for what they are (their realities) that we can begin to understand the correct strategy for using them (their nature). A side by side comparison will reveal that, indeed, cyber technologies and nuclear technologies share a lot of similarities (their speed, their targets, their capability for destruction), which give hope towards an adaptation of nuclear strategy. But there are also several key differences that will influence a successful strategy.

3 United States Government, National Strategy to Secure Cyberspace, 2003, http://www.whitehouse.gove/pcipb

Cyber deterrence is possible, but it is constrained in its effectiveness and comes at a cost. Whether or not it should be the dominant strategy over other options is beyond the scope of this paper. The goal of this paper is to evaluate the relatively unsupported comparison of two important technologies in order to maximize our learning from the past.

THE GROUND RULES

Before we continue it is important to establish a unified framework with which to tackle the analysis. The key concept at the center of the debate is the idea of cyber war. In this paper I use the definition of cyber war given by Richard Clarke (a former adviser to the US President on Terrorism and Cyber Security). Cyber war is “actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption”. 4

This immediately eliminates cybercrime and cyber-terrorism as concerns as we formulate our strategy. Occasionally these two topics will be brought up (as they are relevant and important issues), but it will always be in an ancillary capacity and often used to emphasize the difference of cyber war itself from these concepts. Nuclear deterrence strategy was not developed to deter attacks from criminal organizations or terrorist groups so it would not be a fruitful endeavor to try and expand it thusly.

The reason this is not a huge issue while developing a cyber strategy is that these two areas already have set doctrines to fall back on. Cybercrime is no different from regular crime and cyber-terrorism has all the same trappings of good old-fashioned physical terrorism. The cyber element, in these cases, does not present a dilemma to policy makers.

4 Clarke & Knake, op. cit., p. 6

Cybercrime can and should be dealt with by law enforcement agencies (the FBI has a dedicated cybercrime unit, as do many other state law enforcement agencies). The prosecution of criminals has always been handled in this manner and has only ever required military involvement in the most extreme cases. Believing that criminals operating in a different medium is grounds for a wholly different approach (i.e. military involvement) undermines the need for crime fighting units to adapt to the new landscape.

Cyber-terrorism may be a somewhat more interesting case. Terrorist acts, traditionally, have evoked national responses, so it is not a far leap to say that a cyber-terrorist attack should call for the same kind of response. This is true. But just as it is difficult to declare war on a non-state actor (apart from the all-encompassing ‘war on terror’) it is likewise difficult to declare cyber war on a non-state cyber actor. Traditional counterterrorism tactics should be employed in these situations as well. All that it requires is that counterterrorist agencies develop their cyber literacy so they can function as efficiently in cyberspace as they do in realspace.

This brings up the term ‘realspace’, which I will use often in the paper to refer to the physical world we inhabit every day and are very familiar with. I use this as the opposite of cyberspace in order to make clear that there is a very real distinction between these two spaces. There are areas of overlap (computers and other hardware being the realspace manifestations of cyberspace), but the separate nature of these spaces is what makes this matter interesting.

I would also like to familiarize the reader with the term ‘informatization’. It is derived from the labeling of the current era as the Information Age and refers to the increasing adoption of information technologies by societies to further economic growth and development. In this paper I see it as the next step after industrialization and it will play an important role in the ultimate efficacy of cyber deterrence.

I have included a glossary of terms (mainly relating to cyberspace) for those who may not know or be comfortable with all the terms thrown around when talking about cyber security. That being said, it is not the intention of this paper to get too technical as the main focus is on policy and strategy, but the technical realities cannot be completely ignored. For the uninitiated I have also included a brief primer (what follows) on how cyber-attacks work.

THE TOOLS OF THE CYBER WARRIOR

So how do threaten the security of the Internet? They use malware. Short for malicious software, malware is the principal tool for anyone wishing to execute an effective cyber-attack. This ‘bad’ software finds its way onto a victim’s computer and then executes its programmed directive. The results can be as benign as causing unwanted advertisements to open up in one’s web browser, or they can cause a complete system failure, forcing the user to wipe their hard drive.

These pieces of code are readily available online for a price and recent advancements in programming are making them more and more user friendly, so the world of malware is no longer restricted to veteran programmers. Malware also comes in many varieties, enabling hackers to pick and choose the specific characteristics of the malware they need to meet their needs. 5

Of these types, the most common are viruses, worms, and Trojan horses. Each of these has its own strengths and weaknesses and has the potential to inflict considerable damage. All three are designed to make their way onto a victim’s computer undetected and then complete their mission.

5 “Malicious Software (Malware): A Security Threat to the Internet Economy”; Organization for Economic Cooperation and Development (OECD); 17-18 June 2008; Seoul, Korea; p. 11 http://www.oecd.org/dataoecd/53/34/40724457.pdf

Viruses are perhaps the most well-known of the different types of malware; this is because they are usually the most obvious. Viruses are not standalone programs. They require a complete piece of software to ‘piggy-back’ on and user interaction to allow them access to the computer (usually inadvertently). A user can download viruses from fake emails sent by the virus that trick the user into opening them or from websites that are hosting them. In a 2008 analysis of 4.5 million URLs, Google found that 700,000 of them were possible hosts for malware. Another study added that only about 20% of these websites were intentional hosts. 6

Once infected, the original software now becomes a tool for the virus; every time it is activated the virus runs as well. When the virus runs it not only causes whatever damage it was intended to do, but also attaches itself to other programs in order to replicate, making it that much harder to find and stop. It will then seek to spread to other computers. Normally this is achieved by hijacking a user’s email account or any other program that uses network access.

The other most common form of malware is the worm. The Stuxnet worm is a famous recent example of a worm and a good example of the nature of worms. Unlike viruses, worms are independent pieces of software. They do not attach themselves to programs within the victim’s computer, but rather locate specific security holes in a network and copy themselves from computer to computer. For this reason worms are considered self-replicating rather than self-propagating.

6 Ibid p. 12

Worms can spread incredibly fast once they have gained access to a network. In 2001, a worm called Code Red infected over 250,000 systems in just 9 hours. 7 Once dispersed, a worm then unleashes its payload. In the 2010 Stuxnet attack, this meant executing a program that overrode the previous program that monitored the frequency of the Iranian centrifuges and caused them to rotate at modulating frequencies. Because of their fast rate of diffusion and efficiency at executing their directive, worms are often used to create large botnets 8 that are then used in Distributed Denial of Service (DDoS) attacks. However, it is this fast expansion that reveals one of a worm’s weaknesses. In the process of replication, it uses a large portion of the computer’s processing power and the network’s bandwidth, briefly exposing itself to a vigilant network administrator. 9

While viruses and worms sneak onto a computer by exploiting security holes in software and networks, Trojan horses take the more direct approach. This type of malware claims to be a useful piece of software. An unsuspecting user would then download or install the Trojan horse thinking it is a desired piece of software. Unfortunately, once activated the Trojan horse reveals itself as malware and causes the intended damage (e.g. wiping the victim’s hard drive).

The major drawback of Trojan horses (from the ’s perspective) is that they rely completely on user interaction and have no way to replicate themselves. This limits their applications tremendously and requires greater creativity to entice users to download the Trojan horse. Conversely, they are harder to detect until they have already caused significant damage over a number of systems, making them more visible.

7 “Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measure”; Keith A. Rhodes; United States General Accounting Office; August 29 2009; p. 4 http://www.gao.gov/new.items/d011073t.pdf

8 Botnets are hidden networks of computers that can be controlled by the hacker that creates them. Once a computer becomes part of a botnet it will follow any commands issued by the master computer.

9 “How Computer Viruses Work”; Michael Brian; http://computer.howstuffworks.com/virus5.htm

No matter how a computer becomes infected by malware the intended goals usually fall into three categories. (1) They can damage the computer by erasing information or inserting faulty code. This can lead to a fatal error, forcing the victim to erase their hard drive. (2) They can gather information from the computer and send it to another location. This is normally done in preparation for a larger attack to check for the weakest spots in the computer’s security. (3) They can give commands directly to the computer, which could lead to physical and/or economic damage or turn the computer into a zombie. 10 All three have the potential to inflict great harm not only to individual users, as was formerly the case, but also to large companies and even government networks.

All of these tools exploit the fundamental flaws in software and networks like the Internet. The central issue is that there is a gap between what they are designed to do and what they actually do. This disconnect is caused by increasing complexity in systems and the inability of code (the language that determines exactly what a device does) to convey all of the desires of its writers and operators. Anyone who has ever written even the most basic computer code can tell you that no matter how well thought out your design is there are always unexpected results (or at least the possibility).

People create software and design networks and people make mistakes. These mistakes increase with the level of complexity and it becomes harder and harder to find and fix them before a product is in use. Mistakes do not account for all the problems in software and hardware.

Most of the time companies place extra coding and functionality into their equipment. This may seem like wasted effort, but the reason they do this is so that the people who need those extra functions can just unlock them without the need to create an entirely new product. It saves companies money and increases the efficiency of a product, but those dormant functions can sometimes be awakened by those with less than noble intentions. For example, devices that are not supposed to be connecting to the public Internet sometimes find themselves connected without the knowledge of their owner because of these added functions.

10 A zombie is the term used for a computer that is a part of a botnet.

There is also the built-in obfuscation of identity the Internet allows. IP addresses 11 were not meant to be used to locate specific people; they were only meant to facilitate communication between two computers by giving them a way to identify each other in networks with multiple computers. Since the introduction of malware into widespread use, security firms have been working with Internet Service Providers (ISPs) to trace attacks back to an individual by way of IP address.

At first this seemed like a promising method for bringing cyber-criminals to justice; however, hackers were one step ahead and learned how to spoof IP addresses. There are many websites that allow for CGI proxies (or Common Gateway Interface proxies) that allow users to access websites from a server other than the one provided by their ISP. Hackers can also now use programs that hide their IP address by creating an encrypted network of relays between the user and the target computer. 12 Darknets are another way to avoid IP address tracing. Darknets are private networks formed by using the peer to peer (P2P) communication system between computers, effectively circumventing the need for IP address sharing. A hacker using a darknet will display an IP address that does not appear in the ISP’s lists, making it impossible to trace using regular IP address tracing.

11 An IP address (short for Internet Protocol Address) is the numerical label assigned to any device connecting to the internet used to identify that device and enable online applications to interact with it by giving it a virtual location (address).

12 “TOR: Overview”; https://www.torproject.org/about/overview

Peer-to-Peer (P2P) networks have also proven useful to hackers. These networks were originally developed to facilitate file-sharing between peers. There is no need to connect with a server as each member equally sends and receives data. Unlike in a server-client system, a P2P network will not fail if one member does. It increases in capacity as more devices join and is much cheaper to run as it does not require a system administrator like a server-client network. The problem with this feature of the Internet arises when extra overlay networks are added. A P2P network functions as an overlay network on top of the regular IP network, but, when more of these networks are created and information is routed through them in such a way as to obscure the identities of the members, a darknet is created.

MOVING FORWARD

The technical aspects of cyber, being less known than the basic knowledge of how nuclear tech works, are important to keep in the back of one’s mind as we explore the relationship between cyber and nuclear. The policy and strategy outlined in this paper will take a far less technical approach in its details, but the appreciation of these subtleties will be prevalent throughout. But before we can begin the comparison, let us take a moment to reflect on exactly what it is we are doing here: the creation of analogies.

HISTORICAL ANALOGIES: USEFUL TOOL OR DANGEROUS TRAP?

Though analogy is often misleading, it is the least misleading thing we have.
-Samuel Butler

Before beginning the discussion of whether the lessons of nuclear-era policy makers can be of use to the current era of cyber policy makers it is necessary to examine the very nature of making such a comparison in the first place. This will help to explain not only why the comparison between nuclear and cyber has seemed to come so easily, but also why such a comparison is useful.

Whenever we are confronted by an issue or event it is very appealing to employ analogies to help us understand exactly what is happening. Analogies help us think about a new matter in terms of something we are more familiar with. This is a very alluring trait, so it is no wonder analogies are so pervasive. In the world of policy makers, historical analogies have become common rhetorical devices, but they have also worked their way into the decision making process and as an analytical tool. But should analogies be used as analytical tools and are these comparisons actually useful?

INSIDE AN ANALOGY

Historical analogies are all based on the same fundamental inference: “if two or more events separated in time agree in one respect, then they may also agree in another.” 13 It is a very simple logical reasoning that gets complicated by the number of unique characteristics that history brings with it. Once you throw in the element of time, it is very difficult to find analogies whose similarities are strong and numerous enough that they can counter the differences that pile up with the ages. Add to this the fact that the strength of an analogy cannot be judged by numbers alone (it could be that one small difference between two events in time that makes all the difference) and analogical reasoning seems to be fraught with peril.

13 Yuen Foong Khong, Analogies at War, pp. 6-7

Analogies are not meant to be perfect and, indeed, their usefulness is often measured by having a large ratio of similarities to dissimilarities, so a perfect analogy would be the original thing itself. Bad analogies can be very misleading and result in unfortunate consequences. However, good analogies can be very useful at predicting the outcome of future events. The predicament arises when choosing a good analogy as the best analogy is not always the first to come to mind.

The problem, according to Richard Neustadt and Ernest May in their book Thinking in Time: The Uses of History for Decision Makers, is that we categorize our analogies not necessarily based on true similarity (and thus usefulness), but rather based on allure. All too often we tend towards using the most interesting and captivating analogies instead of the less flashy, but more appropriate ones. Neustadt and May offer the example of policy makers in the 1950s drawing parallels between North Korea’s invasion of South Korea with Japan’s invasion of Manchuria and Germany’s invasion of the Rhineland, but none mentioned the similarities to the Spanish Civil War (which may have had more in common with the events unfurling). 14

14 Richard Neustadt & Ernest May, Thinking in Time: The Uses of History for Decision Makers, pp. 46-48

SELECTING AN ANALOGY

These analogies immediately leapt to the minds of policy makers, which made it that much more enticing to utilize them in their reasoning. The events of the 1930s were recent enough and demonstrated clearly enough the risks of expansionist behavior left unchecked, but, as Neustadt and May point out, were only similar to the events in Korea in that they involved armed aggression between dictatorships and democracies. 15 Many things had changed in just 20 years: the US was no longer interested in isolationist policies, nuclear weapons had been invented, and conventional forces were readily stationed in the area (unlike when Japan invaded Manchuria). Since analogies are only as strong as their proportion of similarities to differences, it is alarming, albeit understandable, that such weak analogies would be used by policy makers.

Judging analogies based on their allure instead of their actual use as analogies is a dangerous trap to fall into. Too many times people draw connections between separate events simply because the analogy came to mind, but they fail to, as Neustadt and May put it, “ask why the analogues...came so irresistibly to mind”. 16 In the case stated above the reason is that, in the postwar period, the emphasis placed on the events leading up to WWII created a “no more Munichs” syndrome. 17 Policy makers so eager to put the lessons of history to use clung to one of the most infamous events of the recent past.

In some cases, historical analogues are used less as analytical tools than as rhetorical devices to induce a certain sentiment in the speaker’s audience. John K. Fairbank claimed that policy makers exploit history as a “grab-bag from which each advocate pulls out a ‘lesson’ to prove his point”. 18 The mistakes of the Napoleonic wars were used in 1919 to help justify the harsh surrender conditions on Germany at the Treaty of Versailles, a goal that French and British policy makers already wanted to achieve. As rhetorical tools, analogies can be quite powerful (no one wants another Napoleon or WWII), but such a skeptical view of analogical thinking completely ignores the value of analogies in the decision making process.

15 Ibid p. 42

16 Ibid p. 36

17 Yuen Foong Khong, Analogies at War, p. 6

WHY USE ANALOGIES AT ALL?

Yuen Foong Khong outlines exactly how analogies are beneficial to a policy maker. Analogies are intellectual tools used to perform a set of diagnostic tasks on the policy in question. They help define the nature of the problem by allowing the policy maker to compare it to an issue they are more familiar with (there is always more solid information on historical events than future events). The comparison also helps give a sense of the political stakes and the possible solutions. By looking to past events, one can then evaluate the implied solution based on its past success and analyze the dangers that may have been associated with it. This diagnostic process can lead to a “choice propensity” towards or against the action(s) taken in the analogy and cause the policy maker to forgo alternatives. 19

So are analogies dangerous traps that cause policy makers to adhere to a certain thinking regardless of realities? Well, yes, if the analogy is not itself properly analyzed; but if it is, it can become a powerful tool. According to Richard E. Nisbett and Lee Ross in their book Human Inference: Strategies and Shortcomings of Social Judgement, “objects and events in the phenomenal world are almost never approached as if they were sui generis configurations, but rather are assimilated into preexisting structures in the mind of the perceiver”. 20 As humans we naturally try to fit new occurrences into our past experiences; therefore analogical reasoning is one of our most natural impulses. The problem arises when this natural instinct is not looked at closely enough.

18 John K. Fairbank, “How to Deal with the Chinese Revolution”, New York Review of Books, February 17, 1966, p. 10

19 Yuen Foong Khong, Analogies at War, pp. 20-22

EXAMINING THE ANALOGY

In order to properly examine an analogy it is necessary to divide the subjects into likenesses and differences. Neustadt and May recommend that this be done for all analogies in order to refine exactly what is meant to be gained by the comparison itself. 21 This not only gives an immediate sense of how similar the two objects of the comparison are (and thus how strong the analogy is), but it also makes it easier to identify important differences that may provide crucial insight as to why a former policy may not work in this instance.

The discussion on analogies I have given thus far has concerned itself only with historical events and there has as yet been no mention of technologies. Historical analogies are just as potent when trying to understand emerging fields in technology. A single technology itself may not benefit from analogical reasoning, but when a whole field develops around it (for example nuclear technology and information technology) it becomes more relevant to look at the developments in an historical perspective.

20 Richard E. Nisbett and Lee Ross, Human Inference: Strategies and Shortcomings of Social Judgement, p. 36

21 Richard Neustadt & Ernest May, Thinking in Time: The Uses of History for Decision Makers, p. 43

In a very interesting article, W. Patrick McCray, a historian of science and technology, looks at the use of historical analogies in technology over the past 60 years. His article mainly deals with comparing emerging nanotechnology to the space program of the mid-20th century. While on a technological level these two fields are incredibly different, McCray argues that they both developed in similar political atmospheres of international competition and both as a facet of American manifest destiny. Just like with any other analogical reasoning, McCray even outlines why other analogies fall short (in this case comparing Nano to GMOs) and why his suggestion fits better. 22

Analogies are good at defining general trends, but start to fall apart as the reasoning narrows. In the case of analyzing an emerging technological issue such as cybersecurity, historical analogies can be very useful at defining the context and goals of cyber-policy. The last few years have seen cybersecurity dilemmas compared often to the nuclear security dilemmas of the past. Such a comparison can lead to many interesting insights into what course of action policy-makers should pursue, but it is important to first examine the analogy itself and follow its implications to their full extent.

22 W. Patrick McCray, “It’s Just Like That Except Different”, May 7th, 2008, http://scienceprogress.org/2008/05/its-just-like-that-except-different/


A BRIEF HISTORY OF NUCLEAR DIPLOMACY AND STRATEGY

The atomic bomb made the prospect of future war unendurable. It has led us up those last few steps to the mountain pass; and beyond there is a different country.

-J. Robert Oppenheimer

The use of atomic weaponry on Hiroshima and Nagasaki at the end of WWII is perhaps one of the most dramatic events in recent history. Never before had humans brought so much destruction upon each other so quickly. Conventional weapons could indeed cause comparable damage (if not more in the case of fire bombings), but not with the same singularity and finality that the atomic bomb had. The near future of the bomb was surrounded with so much hype (some real, most exaggerated) that imaginations ran wild with all the apocalyptic scenarios that would befall humankind. It was clear to all at the time that this new weapon would play a major role in the conflicts of the future.

INITIAL THOUGHTS ON THE BOMB

In the immediate aftermath of the war it was believed by many that the United States’ monopoly of the bomb would keep the US and the world safe from its use for the near future. Preliminary estimates placed a Soviet bomb being developed no sooner than five years from the end of the war. 23 This estimate (while historically more or less accurate – the first successful Soviet test was conducted on August 29th 1949) was dismissed just two years later. In 1947 the War Department estimated that: “For a number of years, perhaps as many as 8 to 15, only the US will possess atomic bombs.” 24 According to William Fox (coiner of the term ‘Super Power’) the Soviet Union would not have the bomb until well into the 50s and possibly even the 60s. Perhaps the most surprising estimation came from Vannevar Bush who, in a book published right as the first Soviet test was being announced, claimed:

23 Caryl P. Haskins, “Atomic Energy and American Foreign Policy”, Foreign Affairs, 1945-1946, p. 597

24 Lawrence Freedman, The Evolution of Nuclear Strategy, p. 27

They [the Russians] lack men of special skill, plant adapted to making special products, and possibly materials... [T]hey lack the resourcefulness of free men, and regimentation is ill-adapted to unconventional efforts. [Before the time when] a war would be primarily an atomic war, many things may happen. We may be living by then in a different sort of world. 25

Of course, this opinion was not shared by all. Bernard Brodie, one of the chief architects of American nuclear strategy, responded to such claims:

We cannot assume that what took us two and one-half years to accomplish, without the certainty that success was possible, should take another great nation twenty to thirty years to duplicate with the full knowledge that the thing has been done. To do so would be to exhibit an extreme form of ethnocentric smugness. 26

Even though estimates varied wildly based on whom you asked at the time, one thing was constant: atomic weapons were leading towards a new type of warfare and diplomacy. The destructive power of atomic weaponry is indeed awesome and during the early days of nuclear strategy it was thought that it was this power to destroy humanity that made nuclear weapons so unique. In his book The Age of Overkill, Max Lerner put it succinctly: “For the first time in human history, men have bottled up a power...which they have thus far not dared to use”. 27 This view of nuclear weapons, while appealing to the dramatist in us all, did not reflect the realities of the new technology and the key architects of nuclear strategy realized this.

What made nuclear weapons so terrifying was not their ability to destroy an entire city – it has been pointed out many times that the fire bombings used in WWII were far more destructive than both atomic bombs put together – but the fact that they compressed the destruction into a significantly smaller time frame. It is not the first time, as both Brodie and Thomas Schelling point out, that humankind has possessed the ability to destroy large portions of itself through war. One can look as far back as the classical era to see how the Romans methodically eliminated the Carthaginian civilization. Similarly, the Mongols’ complete destruction of Baghdad, one of the richest and most powerful cities at the time, left the city in ruins for centuries. 28 As Schelling rather sardonically said, “Against defenseless people there is not much that nuclear weapons can do that cannot be done with an ice pick. And it would not have strained our Gross National Product to do it with ice picks.” 29

25 Vannevar Bush, Modern Arms and Free Men, pp. 104, 139

26 Bernard Brodie, Frederick S. Dunn, Arnold Wolfers, Percy E. Corbett, William T.R. Fox, The Absolute Weapon: Atomic Power and World Order, pp. 66-67

27 Max Lerner, The Age of Overkill, Simon and Schuster, 1962, p. 47

The old ‘conventional’ methods of inflicting such high levels of violence took time and extensive coordination between many people. Carthage could not be leveled until after many years of brutal struggle, nor could the firebombing of German and Japanese cities begin until each had been pushed back far enough through conventional war. Atomic weapons do not need to wait for ‘military victory’ to be achieved. “A world accustomed to thinking it horrible that wars should last four or five years”, Brodie writes, “is now appalled at the prospect that future wars may last only a few days”. 30

28 In fact, in his book The Pursuit of Power, William McNeill argues that Mongol horsemen were one of the more successful iterations of military technology that acted on this principle of compressing the amount of violence and destruction over time. They were a vast improvement over the chariots of antiquity and were capable of conquering peoples with such speed that many cities would surrender before the hordes even arrived. The next iteration of technology that relied on speed would not come until mechanized units and the blitzkrieg.

29 Thomas Schelling, Arms and Influence , p. 19

30 Bernard Brodie, Frederick S. Dunn, Arnold Wolfers, Percy E. Corbett, William T.R. Fox, The Absolute Weapon: Atomic Power and World Order , p. 71


LOOKING TOWARDS THE FUTURE USE OF NUCLEAR WEAPONS

Compressing the violence of several years of gruesome warfare into a timespan that a person can stay awake for is indeed a terrifying thing; not only because of the intensity of the violence implied, but also because of the implications for decision making. Editor of the New York Times Hanson Baldwin noted that in the future “the first line of defense...will be the directors of ‘push-button’ war – the men who fling gigantic missiles across the seas”. 31 The ease with which destruction would come in this new era is exemplified in the use of the phrase ‘push-button war’. All it took was the simple press of a button and the destructive capabilities of an entire war would be unleashed. In this simple statement we also see that the marriage of two different technologies (nuclear warheads and missile technology) was predicted from the beginning and seen as the inevitable trend.

While some strategists, like Brodie, believed the unification of the bomb and the missile technology of the German V1 and V2 rockets was inevitable, there were many skeptics in the early days. Others envisioned secret agents planting suitcase-sized bombs in major cities in order to circumvent any air defense they may have. 32 General Arnold, the Chief of Air Staff to the US, stated that the “only known effective means of delivering atomic bombs in their present state of development is the very heavy bomber”. 33

This was true for the immediate period following the creation of the bomb. Heavy bombers were the only effective means of delivering an atomic bomb to a specific target with the current technology. The current generation of rockets could have as much as a 60-mile error in their targeting. 34 Nor could a bomb small enough to fit in a suitcase be constructed. However, within just ten years of the end of WWII, inter-continental ballistic missiles (ICBMs) capable of delivering a nuclear payload to a city across the globe were developed. It would not be long after that miniaturization would make suitcase bombs a possibility as well.

31 Freedman op. cit. p. 24

32 Brodie op. cit. p. 49

33 Ibid p. 23

THE OFFENSIVE BOMB

Besides the apparent ease and rapidity of nuclear warfare, all those who had worked on or closely with the bomb realized it was an offensive weapon. Few worked more closely on the bomb than J. Robert Oppenheimer and few spoke more forcibly of the bomb’s aggressive nature:

The pattern of the use of atomic weapons was set at Hiroshima. They are weapons of aggression, of surprise, and of thousands, or perhaps by the tens of thousands; their method of delivery may well be different, and may reflect new possibilities of interception, and the strategy of their use may well be different from what it was against an essentially defeated enemy. But it is a weapon for aggressors, and the elements of surprise and of terror are as intrinsic to it as are the fissionable nuclei. 35

The aggressive nature of nuclear weapons led many in the early days to envision a bleak future where entire cities would be exchanged in a blink of the eye by two atomic combatants.

To make matters worse, nukes were relatively cheap when compared to the cost of traditional warfare. According to Caryl Haskins the bomb was “from ten to possible one hundred times cheaper for the aggressor, in proportion to damage done, than any weapon hitherto available.” 36

In the early days, it was unclear whether or not a viable defense against the atomic bomb would be developed. There were those who were hopeful that technological progress would eventually bring a counter. President Truman told Congress in 1945 that “every new weapon will eventually bring some counter defense to it”, and that same month Fleet Admiral Nimitz stated that “there has never yet been a weapon against which man has been unable to devise a counter-weapon or a defense”. 37

34 This figure is extrapolation based on the error of German V-2 rockets.

35 J. Robert Oppenheimer, “Atomic Weapons and the Crisis in Science”, Saturday Review of Literature, November 24, 1945, p. 10

36 Haskins op. cit. p. 599

Perhaps there was a way to jam the internal workings of the bomb. If that was unattainable then surely conventional defense against its delivery methods would become the priority. The US Navy in particular seemed optimistic in their thinking. Not only did Nimitz claim that time would develop a counter to any weapon, but developments in missilery and radar also seemed to favor defense. Vannevar Bush envisioned “jet pursuit ships...aided by effective ground radar, and equipped with rockets or guided air-to-air missiles armed with proximity fuses.” 38 Unfortunately it was the general consensus among the scientific community that there was no way to jam the innards of an atomic bomb, and the optimistic view of technological progress, as Brodie points out, results from a casual reading of history: “After five centuries of the use of hand arms with fire-propelled missiles, the large numbers of men killed by comparable arms in recent war indicates that no adequate answer has yet been found for the bullet”. 39

As nuclear technology developed alongside its delivery mechanisms it would become apparent that no viable defense could ever be effectively mounted. The introduction of thermonuclear warheads, far more powerful than the bombs dropped on Hiroshima and Nagasaki, meant that the accuracy of the weapon was less of an issue and that even if a significant portion of the weapon’s damage was absorbed, the remaining damage would still be horrific. Higher altitude bombers meant that they could deliver nuclear payloads far above the reach of the jet fighters meant to intercept them. Miniaturization not only opened up the possibility of smuggling in a bomb through use of secret agents and subterfuge, but also meant more warheads could be delivered by a single missile (eventually leading to MIRVs whose payload consisted of multiple warheads designed to hit a group of targets).

37 Freedman op. cit. p. 30

38 Bush op. cit. p. 59

39 Brodie op. cit. p. 31

So with no viable defense and a weapon meant to be used by an aggressor, what was to keep the world from destroying itself in a giant fireball? There were many grim predictions made. One of the more vivid and evocative predictions was made by British Major-General J. F. C. Fuller:

Miles above the surface of the earth, noiseless battles will be fought between blast and counterblast. Now and again an invader will get through, and up will go London, Paris, or New York in a 40,000 foot high mushroom of smoke and dust; and as nobody will know what is happening above or beyond or be certain who is fighting whom – let alone what for – the war will be a kind of bellicose perpetual motion until the last laboratory blows up. 40

FROM RETALIATION TO DETERRENCE

The fear that the victim of a nuclear attack would not know the origin of their attack and would, therefore, be unable to retaliate was a real technical threat. Because of the delivery method of nuclear weaponry (either from high above or through secretive smuggling) it would be impossible to determine where an attack came from based on the attack alone. However, Brodie once again cut through the hype:

The fear that one’s country might suddenly be attacked in the midst of apparently profound peace has often been voiced, but, at least in the last century and a half, it has never been realized. As advancing technology makes war more horrible, it also makes the decision to resort to it more dependent on an elaborate psychological preparation. 41

40 Major-General J. F. C. Fuller, ‘The atomic bomb and warfare of the future’, Army Ordnance, January-February 1946, p. 34

In reality, it is very difficult to separate an attack of nuclear magnitude from the landscape of international politics. If, at some point during the 50s or 60s, the US suffered a nuclear attack on one of their cities it would be a reasonably safe assumption that the act was carried out by the USSR. One could argue that it is impossible to know for certain, but as that is the way with most things in war (Clausewitz’s ‘fog of uncertainty’) it would still be obvious to any casual observer that the most likely candidate would be the nuclear capable nation with which the US is at odds. No technical method could tell you where the bomb came from (unless there was a flag painted on the side), but reason could.

With retaliation possible it quickly became the center of any discussion surrounding nuclear weapons. If there was no way to prevent a nuclear device from causing its damage then the only solution was to ensure that the aggressor suffered as well. A cursory review of this policy paints it in a vengeful rather than strategic light, but the threat of retaliation became incredibly important in nuclear strategy. Without a credible threat, the bomb’s use as an aggressive weapon would be encouraged. A nation would stand to lose little and gain much from the use of a nuclear device. But if the aggressor must fear retaliation then there exists a hesitation to use a weapon whose destructive force could be unleashed against them as well. This would become the cornerstone of deterrence theory in nuclear strategy. 42

Deterrence is not a new idea nor is it unique to nuclear weapons. Before the onset of WWII Churchill made a speech in front of the House of Commons in which he outlined the basic nature of the theory:

41 Brodie op. cit. p. 74

42 Brodie op. cit. p. 75


The fact remains that when all is said and done as regards defensive methods, pending some new discovery the only direct measure of defense upon a great scale is the certainty of being able to inflict simultaneously upon the enemy as great damage as he can inflict upon ourselves. 43

In the 1950s, the strategy of Massive Retaliation took hold. Instead of using nuclear weapons in conjunction with conventional war (such as tactical nuclear weapons) the idea was that the US would respond indiscriminately to any communist inspired aggression by means of a massive nuclear strike against major centers in the USSR and China. This strategy was developed as a way to prevent the West from having to fight on communist terms as had happened in Korea. Then Secretary of State, John Foster Dulles, in a speech before the Council on Foreign Relations, outlined how the US would avoid being dragged into local conflicts with the new policy of Massive Retaliation:

The way to deter aggression is for the free community to be willing and able to respond vigorously at places and with means of its own choosing...If an enemy could pick his time and place and method of warfare - and if our policy was to remain the traditional one of meeting aggression by direct and local opposition - then we needed to be ready to fight in the Arctic and in the Tropics; in Asia, the Near East, and in Europe; by sea, by land, and by air; with old weapons and with new weapons… The basic decision was to depend primarily upon a great capacity to retaliate, instantly, by means and at places of our choosing. 44

It is important to recognize that this speech was given at a time when the US was afraid of Chinese intervention on behalf of the Viet Minh against France in Indo-China. The Eisenhower administration wanted to appear more aggressive than the Truman era containment and while the rhetoric was strong, the realities did not permit the ‘roll-back’ policy the Republicans of the time desperately wanted. The major contributing factor was that the American monopoly on nuclear weapons had ended and their relative advantage was closing rapidly as the built up their own arsenal. The capacity of another nation to use the Massive Retaliation strategy would cause many thinkers to step away from this ideology in the ensuing years. 45

43 Winston Churchill, speech in front of the House of Commons, November 1934

44 John Foster Dulles, speech in front of the Council on Foreign Relations ‘The Strategy of Massive Retaliation’, January 12th, 1954

Once the focus of the nuclear strategy debate had shifted to retaliation (there were those who still proposed defensive solutions, but the proposed solutions were generally viewed as long shots at best) the question became how much retaliation was necessary. Throughout the 1950s the US grappled with the idea of limited war and limitations on nuclear capabilities. Thinkers could be broadly categorized into two camps: those who saw the need for massive retaliation capabilities, and those who thought a more measured approach was more appropriate.

LIMITED NUCLEAR WAR

Captain Basil Liddell Hart, the father of contemporary limited war theory, developed his ideas on limited war before the development of atomic weapons. His reasoning (roughly stated) was that wars were really just an unpleasant interruption in the relations of nations and that limited war should be preferred to total war since an enemy in the present may very well be needed as a friend in the future. Liddell Hart saw advances like airpower not as technologies that made war easier to win, but as means of attrition that added to the agony of war. The introduction of the atomic bomb seemed to confirm his worst fears:

When both sides possess atomic power, ‘total warfare’ makes nonsense. Total warfare implies that the aim, the effort, and the degree of violence are unlimited. Victory is pursued without regard to the consequences... Any unlimited war waged with atomic power would be worse than nonsense; it would be mutually suicidal. 46

45 Freedman op. cit. pp.89-90

46 Basil Liddell Hart, The Revolution in Warfare , pp. 99-102


Liddell Hart’s views on this new type of restrained war were not widely accepted in the 1940s when he published his theories. It seemed as if such a war could never be arranged because it required trust or the ability to show restraint from taking an opportunity to bring about a favorable conclusion by using these distasteful methods. 47 Total war was seen as inevitable in a conflict between two societies. American strategist Edward Mead Earle accused Liddell Hart of being ‘nostalgic’ and ‘out of touch’ stating that: “No nation possessed of sea power has ever abandoned the blockade; it is unlikely that any nation possessed of air power will abandon bombing as a means of immobilizing the enemy.” 48

After the introduction of thermonuclear warheads, however, Liddell Hart’s theories began to gain traction among strategists. Massive Retaliation no longer seemed like a viable strategy. Liddell Hart reasserted his claim stating that “the value of strategic bombing forces has largely disappeared – except as the last resort.” 49 Brodie would join Liddell Hart in arguing that the devastating power of thermonuclear weapons would “be increasingly limited to only the most outrageous kind of direct aggression”. 50

Other strategists saw the need for limited war not because of the horrors brought on by thermonuclear war, but because it was an issue of credibility. Past experience with the US in Korea and Indo-China meant that the Soviets would not take a threat of nuclear action as seriously, since it would be out of character for the nation. Strategist William Kaufmann pointed out that so far history would suggest “rather strongly that the United States is willing – and, it should be added, able – to meet [Soviet efforts at expansion] successfully on the grounds and according to the rules set by the opponent”. This meant that in the event of communist provocation in the face of the threat of massive retaliation the US would have to either “put up” and be plunged into an atomic war or “shut up” and lose the ability to deter further Soviet expansion. 51

47 Freedman op. cit. p. 99

48 Edward Mead Earle, “The influence of air power upon history”, The Yale Review, xxxv:4 (June 1946), pp. 577-93

49 Liddell Hart, Deterrent or Defense, London: Stevens & Sons, 1960, p. 23 [reprint of original writing made in 1954]

50 Brodie, “Unlimited Weapons and Limited War”, The Reporter, November 1st, 1954

Limited war was also seen to be much more advantageous to policy makers than total war was. Robert Osgood, in his book Limited War: The Challenge to American Strategy , claimed that the “principle justification of limited war lies in the fact that it maximizes the opportunities for the effective use of military force as a rational instrument of policy”. He went on to describe how the adaptation of limited war theory had been underway since the end of WWII, but it had been done in an ad hoc manner. This was why the Korean War, while fought according to limited war principles, was so traumatic: the strategy was not successfully explained and was realized in a clumsy manner. Osgood then turned his eye towards deterrence theory and showed how limited war was crucial to the establishment of credibility: “credibility...requires that the means of deterrence be proportionate to the objectives at stake”. 52

Perhaps what brought the idea of limited war to the forefront of public discussion was Henry Kissinger’s book Nuclear Weapons and Foreign Policy. In this book Kissinger attacked the American inclination to think in absolutes (total war vs. total peace, military vs. politics) that were distinct from each other. He asserted that up until now the atomic bomb had been viewed as “merely another tool in a concept of warfare which knew no goal save total victory and no mode of war except all-out war”. However, now limited war had “forced itself on American strategic thought despite itself...[because] it is no longer possible to impose unconditional surrender at an acceptable cost.” It was impossible to “combine a deterrent based on a threat of maximum destructiveness with a strategy of minimum risk”. He saw limited war as the blending of war and politics.

51 William Kaufmann, Military Policy and National Security, Princeton University Press, 1956, pp. 21, 24-5

52 Robert E. Osgood, Limited War: The Challenge to American Strategy, The University of Chicago Press, 1957, pp. 26, 244

The prerequisite for a policy of limited war is to reintroduce the political element into our concept of warfare and to discard the notion that policy ends when war begins or that war can have goals distinct from those of national policy. 53

TACTICAL NUKES

This idea of the proportionality of retaliation created the idea of graduated deterrence, which relied on degrees of retaliation based on the initial aggression. This strategy was mainly put forward in British writings on nuclear strategy (the term itself originated from Liddell Hart), but the common theme throughout was the necessity for economy of force. Rear-Admiral Sir Anthony Buzzard said, “We should not cause, or threaten to cause, more destruction than is necessary”. The idea of tactical nuclear strikes was deemed favorable by supporters of graduated deterrence because “the threat of tactical atomic war is a terrible and tremendous deterrent in itself, without the additional threat of total, global war”. 54

The idea that nuclear weapons could still find a purpose in war without ultimately leading to all-out nuclear destruction was popular among many military officials who wanted to make use of the technology. American Colonel Richard Leghorn saw tactical nuclear weapons as great defensive weapons. He proposed that populations could be spared from attacks by using tactical nuclear weapons to interdict enemy movement by targeting their reinforcements and logistics. The idea required limiting the use of nuclear weapons to military targets only. He thought that the use of nuclear weapons on cities should be “unilaterally renounced” except in the case that the western cities were attacked first with nuclear weapons. 55

53 Henry Kissinger, Nuclear Weapons and Foreign Policy, Harper, 1957

54 Richard Goold-Adams, On Limiting Atomic War, Royal Institute of International Affairs, 1956, p. 20

There were of course skeptics to this line of thinking. The destruction caused by nuclear weapons was seen as complete and horrific and this extreme level of destruction made any use difficult without incurring retaliation from the other side. Using any kind of nuclear weapons, as Brodie put it, “greatly increases the difficulties in the way of making limitations”. 56 Escalation of the conflict was the major concern. “Once any kind of nuclear weapon is actually used, it could all too easily spread by rapid degrees, and lead to all-out nuclear war”. 57

MUTUAL ASSURED DESTRUCTION

The theory of limited war had much influence on the nuclear strategy of the early 60s. In a speech at the University of Michigan in June of 1962, Secretary of Defense Robert McNamara outlined the change in US nuclear strategy:

A possible general nuclear war should be approached in much the same way that more conventional military operations have been regarded in the past. That is to say, principal military objectives, in the event of nuclear war stemming from a major attack on the Alliance, should be the destruction of the enemy’s military forces, not of his civilian population. The very strength and nature of the Alliance forces makes it possible for us to retain, even in the face of a massive surprise attack, sufficient reserve striking power to destroy an enemy society if driven to it. In other words we are giving a possible opponent the strongest possible incentive to refrain from striking our own cities. 58

55 Colonel Richard S. Leghorn, “No need to bomb cities to win war”, US News & World Report, January 28th, 1955, p. 84

56 Brodie, “More about limited war”, World Politics, October 1957, p. 117

57 Liddell Hart, Deterrent or Defense, op. cit., p. 81

58 Robert McNamara, “Defense Arrangements of the North Atlantic Community”, Department of State Bulletin, 47, July 9th, 1962, pp. 67-8


The idea of limiting nuclear strikes to military targets comes directly from limited war theory, but what was new was the combination of limited war theory with elements from massive retaliation theory. What McNamara realized was what Thomas Schelling would later point out: “[War] appears to be, and threatens to be, not so much a contest of military strength as a bargaining process – dirty, extortionate, and often quite reluctant bargaining on one side or both – nevertheless a bargaining process”. 59 Massive retaliation left no room for contingencies and reserves, thus leaving many of the command and control structures vulnerable. It relied on being able to carry out the first massive strike. This new strategy required both the ability to carry out massive retaliation in the event of a massive strike and the restraint found in limited war theory when fighting the actual war.

Schelling critiqued McNamara’s view of the role of deterrence because it did not treat nuclear weapons as being separate from conventional military actions (as he believed they should be). The main critique was on the restraint McNamara proposed. According to Schelling, restricting the use of nuclear weapons in a conventional war to only military targets was completely different from how wars have been fought in the past. He uses WWI and WWII as examples of how military force was not used on civilians, not because of restraint, but rather because of an inability to do so.

The Germans did not, in World War I, refrain from bayoneting French citizens by the millions in the hope that the allies would abstain from shooting up the German population. They could not get at French citizens until they had breached the Allied lines...The allied air forces took the war straight to Hitler’s territory, with at least some thought of doing in Germany what Sherman recognized he was doing in Georgia; but with the bombing technology of World War II one could not afford to bypass the troops and go exclusively for enemy populations – not, anyway, in Germany. With nuclear weapons one has that alternative... 60

59 Schelling op. cit. p. 7

60 Ibid p. 25-6


This is not to say that Schelling dismissed limited war altogether. He saw the Korean War as an example of the restraint that could be shown in war in the nuclear age. The difference from McNamara’s approach was that he was aware that by trying to maintain the use of nuclear weapons within the conventional military hierarchy not only was limited war not achievable, but deterrence altogether would no longer be stable. Entire civilizations were on the bargaining table and to limit your strength by not recognizing the need for coercive violence undermines your position. As the decade went on, McNamara would alter his strategy in order to better suit the realities of a separate nuclear war (in other words, a type of war separate from conventional warfare).

In 1964 a term was introduced that would completely change how people thought about the use of nuclear weapons. Originally known as ‘assured retaliation’, McNamara, afraid that the term did not accurately represent the horrors that went along with a nuclear war, introduced the idea of ‘assured destruction’. Assured destruction capability was defined as the ability to:

Deter a deliberate nuclear attack upon the United States or its allies by maintaining at all times a clear and unmistakable ability to inflict an unacceptable degree of damage upon any aggressor or combination of aggressors – even after absorbing a surprise first strike. 61

The unacceptable degree of damage was set by McNamara at 20 percent of the Soviet population and 50 percent of its industrial capability (well below the possible 50 percent and 80 percent during an all-out attack). 62 There was, however, an additional aspect that McNamara’s approach brought to assured destruction: his refusal to hinder or discourage the Soviet attainment of an assured destruction capability. This became known as Mutual Assured Destruction (or MAD). The idea was to assure the other side that there was no intention of a first strike in the hopes of slowing (and possibly stopping altogether) the buildup of nuclear weapons by both sides.

61 Alain Enthoven & K. V. Smith, How Much Is Enough?: Shaping the Defense Program 1961-1969, Harper & Row, 1971, p. 174

62 Freedman op. cit. p. 247

MAD relied on the assumption that no defensive measures should or would be undertaken by either side. To McNamara this seemed a fair assumption. Passive defenses, such as nuclear shelters, faced practical problems like expense, but they also brought the less tangible problems of lulling the populace into a false sense of security and appearing as a provocation by mobilizing the population into a state of war-readiness. Active defense, the ability to destroy missiles before they hit, was not thought to be possible and even if it was (which McNamara highly doubted) it would destabilize the nuclear stand-off leaving the side without defenses vulnerable to a first strike. 63

What ended up happening, though, was that each side would ‘misinterpret’ the other’s buildup of weapons (the Soviets saw it as closing the missile gap, while the Americans saw it as a Soviet attempt to gain first strike capability) and this would cause the other side to build up their stockpile as well. An arms race ensued. McNamara lamented how this misunderstanding was undermining the stability he sought. Each side tried to stop the other side from reaching first strike capability. “But they could not read our intentions,” said McNamara, “...The result has been that we have both built up our forces to a point that far exceeds a credible second-strike capability against the forces we each started with. In doing so neither of us has reached a first-strike capability.” 64

63 Ibid p. 251-3

64 Robert McNamara, “The dynamics of nuclear strategy”, Department of State Bulletin , LVII, October 9th, 1967

SOVIET THINKING

In strategy discussions went a little differently, but eventually reached a situation akin to the mutual assured destruction put forward by McNamara. Soviet strategy of the 60s focused mainly on first determining “methods of delivering the first blow” and, more importantly, “means for reliably repelling a surprise nuclear attack by an aggressor”. 65 Soviet strategy was more focused on ensuring their victory in the event of a nuclear war than subscribing to a philosophy of stability through terror.

This strategy eventually evolved from a preemptive strategy to a ‘launch-on-warning’ strategy that depended on timely detection of an incoming attack to launch a retaliatory force before it is destroyed. Marshal Krylov, Commander-in-Chief of the Strategic Rocket Forces, wrote on the matter in 1967:

It must be stressed that under present conditions, when the Soviet Armed Forces are in constant combat readiness, any aggressor who begins a nuclear war will not remain unpunished, a severe and inevitable retribution awaits him...They [the retaliatory forces] will have time during the flights of the missiles of the aggressor to leave their launchers and inflict a retaliatory strike against the enemy. 66

This overreliance on means of detecting an attack meant the possibility of an accidental war would be higher. The threat of accidental war was a very real fear 67 , which is why many US strategists rejected the ‘launch-on-warning’ strategy in favor of deterrence. The Soviet strategy, possibly fueled by the fear of the growing ‘missile gap’, continued along its aggressive development, culminating in the Cuban Missile Crisis.

65 Vasily Sokolovsky, Military Strategy , 1962 pp. 91, 308

66 Quoted in Raymond Garthoff, “Mutual deterrence and strategic arms limitation in Soviet policy”, International Security , III:1, Summer 1978

67 In fact in 1983 a false alarm in Soviet detection equipment almost caused just that, but crisis was averted when the officer in charge of the early warning station, Stanislav Petrov, judged it to be a false alarm.

Nikita Khrushchev’s plan was to disrupt any American plans for a first-strike by placing medium-range missiles in Cuba. This led to the famous case of brinkmanship where Khrushchev and Kennedy pushed back and forth over the maintenance of missiles on the island. To Thomas Schelling, brinkmanship meant “manipulating the shared risk of war...exploiting the danger that somebody may inadvertently go over the brink, dragging the other with him”. 68 What happened in 1962 was an extreme case of brinkmanship that almost led to, by means of threatening, all-out nuclear war. However, Khrushchev eventually backed away from the brink and withdrew the missiles. This was a turning point in Soviet thinking as it marked the beginning of real discussion of non-victory oriented strategies, namely deterrence.

In 1969, during the first Strategic Arms Limitations Talks (SALT), it became clear for the first time to the US that the USSR desired deterrence. The Soviet delegation made an official statement to clearly demonstrate their desire to avert a nuclear war:

Even in the event that one of the sides were the first to be subjected to attack, it would undoubtedly retain the ability to inflict a retaliatory strike of crushing power. Thus evidently we all agree that war between our two countries would be disastrous for both sides. And it would be tantamount to suicide for the ones who decided to start such a war. 69

It should be made clear that this did not mean the Soviets had come around to McNamara’s way of thinking. The USSR continued to pursue its Anti-Ballistic Missile technology against the advice of McNamara’s MAD and there was still a sense among Soviet military thinkers that a disbelief in victory would lead to fatalism and passivity. However, there was hope in the shape of arms control talks, which seemed to bring about, however slowly, a more credible sense of stability than MAD’s stability of terror. 70

68 Schelling op. cit. p. 99

69 Garthoff op. cit. p.126

CIVILIAN NUCLEAR TECHNOLOGY

Nuclear technology also had a less sinister side that has made dealing with it all the more complicated. If the same technology that powers your schools and hospitals can be adapted and made into a weapon used to destroy your neighbor’s schools and hospitals, the development of such a technology is going to pose a security problem. No one wants to deny the civilian uses of nuclear energy to anyone, but if that means giving everyone the ability to make a nuclear weapon, the nuclear powers are going to be more wary.

The benefits of nuclear energy were clear from the beginning. It was a (relatively) clean energy source which produced enormous amounts of power from (relatively) little fuel. So much hope was placed on nuclear energy in the early years that it was actually thought of as a replacement for fossil fuels in the world economy. Caryl Haskins lauded the benefits of nuclear energy, but envisioned a world of “violent competitive struggles for ownership of the richest deposits (the struggle for oil greatly intensified)”. 71 In reality, nuclear power never became a large enough industry to put any strain on the world’s supply of uranium.

It was also believed early on that there would be absolutely no way to separate the production of power from the production of fissionable materials. At the time most nuclear processes involved converting Uranium-238 (the most abundant form of Uranium) into either Plutonium-239 or Uranium-235, both of which have dual purposes as fuel for reactors and nuclear weapons. Therefore the only way to distinguish between a power plant and a weapons facility would be through thorough inspections. 72

70 Freedman op. cit. pp. 269-71

71 Haskins op. cit. p. 596

Inspections have proven hard to maintain in a reliable and consistent manner, but overall can be said to have worked. The number of countries believed to possess nuclear weapons has only increased by six since the 1950s (if you include Israel) 73 while there are over 400 operational nuclear reactors in over 50 countries. 74 There are still issues of being able to trust a country to not pursue nuclear weapons when they build their civilian infrastructure (e.g. Iran), but it has not halted the use of nuclear energy around the world. New technologies, such as Thorium reactors (whose fuel is harder to weaponize), will help make the separation more distinct and pave the way for more civilian use.

WHERE THINGS STAND NOW

Thankfully (and somewhat surprisingly) no nuclear weapon has ever been used in an act of aggression since 1945. Over 70 years have gone by without the use of nuclear weapons, but why did this occur? Was it the success of McNamara’s MAD? Was it the diplomacy and arms agreements? Did we just get lucky? There is still concern over certain states’ nuclear weapons programs (North Korea, Iran, and, formerly, Iraq) and even the possibility of a terrorist organization getting their hands on a nuclear device. These concerns, while valid in their own right, do not diminish the achievement that is the non-use of nuclear weapons by any nuclear power.

72 ibid

73 The Federation of American Scientists, http://www.fas.org/programs/ssp/nukes/nuclearweapons/nukestatus.html

74 The International Atomic Energy Agency http://www.iaea.org/pris/

One interesting explanation worth noting is the concept of a ‘nuclear taboo’. The taboo, as Nina Tannenwald explains in her aptly named article, “The Nuclear Taboo”, has served to delegitimize the use of nuclear weapons in modern war to the point where their first use is practically unthinkable. Because of their horrific nature, nuclear weapons have been classified as weapons of mass destruction along with chemical and biological weapons (which, it could be argued, have a similar taboo to their use) marking them as separate from conventional means of warfare. It is a taboo that has become increasingly prevalent in the international community:

The decreasing legitimacy of nuclear weapons is not simply reflected in public opinion but has become institutionalized in an array of international agreements and regimes, both multilateral and bilateral, which together circumscribe the realm of legitimate nuclear use and restrict freedom of action with respect to nuclear weapons. 75

To support her claim of the existence of a nuclear taboo (and it should be noted that she is not alone in this claim, many thinkers have acknowledged its existence in some form or another) Tannenwald calls upon four wars and the decisions to either use or not use nuclear weapons in each case. In the first case, the Pacific War, no taboo had been developed yet and any taboo that existed against bombing civilian populations had already been dismissed by the strategic bombing of cities; nuclear weapons were seen as its natural extension.

In Korea, there was some fear that escalation of the fighting would occur if the use of atomic bombs were permitted (not to mention a fear of using up the limited stockpile of the time), but there was also evidence that popular opinion played a role in decision making. A State Department official was quoted saying:

The military results achieved by atomic bombardment may be identical to those attained by conventional weapons, the effect on world opinion will be vastly different. The A-bomb has the status of a peculiar monster conceived by American cunning, and its use by us, in whatever situation, would be exploited to our serious detriment.

75 Nina Tannenwald, “The nuclear taboo: The United States and the normative basis of nuclear non-use”, International Organization , Vol. 53 no. 3, Summer 1999, p. 436

During the Vietnam War, the taboo seemed to increase in strength with McNamara seen as being a chief proponent of the taboo itself. The Joint Chiefs of Staff considered using nuclear weapons during the war, but McNamara would refuse to allow their use and was appalled at how cavalierly the idea was thrown about in the military. In 1964 he stated that he “could not imagine a case where they would be considered.” Even Nixon, who was much less reluctant personally to use nuclear weapons than Kennedy and McNamara, acknowledged the “resulting domestic and international uproar would have damaged our foreign policy on all fronts."

Tannenwald’s most recent example is the First Gulf War where, even in the case of favorable conditions for the use of tactical nuclear weapons (desert terrain with highly concentrated troop formations far from population centers), nuclear weapons were not even considered seriously. “President Bush decided at Camp David in December 1990 that the United States would not retaliate with nuclear or chemical weapons even if the Iraqis attacked with chemical weapons.” 76

While the taboo is most likely not the only explanation for the non-use of nuclear weapons (a point which she herself concedes), it is important to notice how such a norm developed over time and influenced decision making. When combined with more materialist explanations for non-use, the taboo becomes a meaningful factor. Theories like limited war and MAD may have helped deter the use of nuclear weapons in the early years, but the taboo is what makes it a lasting deterrence.

76 Ibid pp. 442, 444, 452-3, 456, 458-9

THINGS TO KEEP IN MIND

There are many lessons to be taken from the history of nuclear strategy, but what is important to remember is the environment and technical factors that led to their development. It took almost twenty years from the creation of the bomb to the development of a coherent strategy for their use or, perhaps more appropriately, non-use. The main reason for comparing the future of Cyberwar to the past of nuclear war is to attempt to reach that coherent strategy without the long lag period from the technology’s introduction. In the succeeding chapters it will hopefully become more apparent what those lessons are exactly and what may need to change in the way we think about Cyber.

A BRIEF HISTORY OF CYBER DIPLOMACY AND STRATEGY

“[The] cyber threat is one of the most serious economic and national security challenges we face as a nation... America's economic prosperity in the 21st century will depend on Cybersecurity.” -President Barack Obama

The problem with dealing with the strategy and diplomacy of cyber warfare is that there is yet to be a case of Cyberwar that can be used as a reference. Appendix A has a timeline of all major (known) cyber events of the past half century, none of which entails an event similar to a Cyberwar. This has not stopped the discussion and nations across the world have developed ‘cyber doctrines’ in order to deal with what some believe is an inevitable reality. Others believe that cyber warfare has been hyped in a comparable fashion to how space warfare was in the 1980s.

Those in the former camp say it is just a matter of time before we have a “cyber pearl harbor” 77 that would catch us off guard and cause horrible damage. More conservative estimates liken the threat to the German U-boats on the Atlantic coast at the beginning of WWII. 78 Either way, cyber security is a very real issue and it is important to know how countries are preparing for the possibility.

Approaches vary from state to state and have changed greatly over time. This section will give an overview of those different doctrines developed across the world and attempt to give as accurate a picture of the current state in cyber strategy and diplomacy as possible (due to the current and changing nature of the issue). Of course not all information on the most current strategies will be available to the public. What follows is what can be gathered from open source materials.

77 A term used by Former Secretary of Defense Leon Panetta in a speech on cyber security to business executives in New York City on October 11th, 2012

78 John Arquilla, “Panetta’s wrong about a cyber ‘Pearl Harbor’”, Foreign Policy , November 19th, 2012, http://www.foreignpolicy.com/articles/2012/11/19/panettas_wrong_about_a_cyber_pearl_harbor

EVENTS LEADING UP TOWARDS A US STRATEGY

The United States has been at the forefront of information technologies from the beginning. ARPANET (the foundations of the modern Internet) was developed by the Department of Defense to ensure communications in the event of a nuclear war. Networks were not expected to become as integral a part of the global economy as they have become. The Internet, therefore, was not designed with security in mind. Vinton Cerf, a program manager at DARPA and co-inventor of the TCP/IP protocol, said in an interview with FORA.TV that one of the things he would change about the Internet would be the inclusion of authentication at various levels that would help a user tell who they are communicating with. 79

As networks became more prevalent (chief among them the Internet) in technologies it became apparent that security would become an issue. In the beginning, the standard security practices and software that have become a part of daily life for most of us (e.g. firewalls, spam filtering, and anti-virus software) were good enough to protect important networks from major attacks. This had less to do with the quality of these practices and more to do with the nature of cyber-attacks in the early days.

Through the 80s and well into the 90s most cyber-attacks were undertaken by either lone hackers or small groups not associated with any particular nation or organization. These hackers (while being able to pull off some impressive developments in hacking like Robert Morris’ worm in 1988) were seen by the US government to be petty criminals who did not pose a major threat to national security. For the most part, the government was right and these early hackers were only interested in relatively modest monetary gains or were simply testing the limits of what could be done over a network.

79 Fora.tv, “Vinton Cerf lists the flaws in the Internet’s original design”, March 30th, 2011 http://www.dailymotion.com/video/xhvn2j_vinton-cerf-lists-the-flaws-in-the-internet-s-original-design_tech

The earliest law governing cyberspace in the US was the Computer Fraud and Abuse Act of 1984. The act made it a criminal offense to damage, alter, or steal information from ‘protected computers’. According to the act:

The term ‘protected computer’ means a computer—

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; 80+81

To the US government, cybercrime was the real issue and was handled in the same manner. This all changed in 1998 when an event called ‘Solar Sunrise’ (the name given to it by the FBI) took the DoD by surprise. In February, during a crisis with Iraq, someone hacked into the unclassified DoD computers that were needed to manage the U.S. military buildup. The initial thought was that this was the beginning of an Iraqi Cyberwar attack, but after a few days of panic, the attackers were discovered to be not Iraqi but Israeli; specifically, a teenager in Israel and two teenagers in California. 82

80 Computer Fraud and Abuse Act, 18 U.S.C. § 1030, last amended 2008, http://www.law.cornell.edu/uscode/text/18/1030

81 It will be important later on to note that the US government was only concerned with a certain subset of computers and did not extend that coverage to all computers.

82 Richard Clarke & Robert Knake, Cyber War: the Next Threat to National Security and What to Do About It, p. 110

In this instance the US was very lucky that the attackers were not malicious in their intent (Ehud Tenenbaum, the Israeli hacker, would later go on to found his own security firm 2XS 83 ). The more troubling case began in the same year as Solar Sunrise, but would only be discovered two years later.

‘Moonlight Maze’ was the name given to the investigation to discover who was stealing information from government systems and even those of some private universities. As Richard Clarke, former Special Advisor to the President on Cybersecurity, describes it:

The two deeply disturbing aspects of this were that the computer security specialists could not stop the data from being stolen, even when they knew about the problem, and no one was really sure where it all was going (although some people later publicly attributed the attack to Russians). Every time new defenses were put in place, the attacker beat them. Then, one day, the attacks stopped. Or, more likely, they started attacking in a way we could not see. 84

Since these attacks cyberspace has only become more dangerous. The NIMDA worm of 2001, attributed to the People’s Republic of China, became the fastest and most widespread worm of all time (in less than 22 minutes!) proving that the most secure computers in the private sector, the financial industry, were no match for determined hackers. 85 ‘’ in 2003 saw up to 20 terabytes of information (for comparison the entirety of the English Language Wikipedia is only about 15 gigabytes, three orders of magnitude less!) extracted from the computers of the Pentagon and defense contractors like Lockheed Martin. And the GhostNet discovered by Canadian researchers in 2009 “had the capability to remotely turn on a computer’s camera and microphone without alerting the user and to export the images and sound silently back to servers in China.” 86 Cyberspace was no longer just a playground for cyber criminals.

83 Kevin Poulsen, “’Analyzer’ defends Israeli sites”, Security Focus , November 20th, 2000 http://www.securityfocus.com/news/116

84 Clarke & Knake, op. cit. p. 111

85 Software Engineering Institute – Carnegie Mellon, CERT Advisory, [last edited] September 25th, 2001, http://www.cert.org/advisories/CA-2001-26.html

U.S. CYBER STRATEGY

The first branch of the US military to announce its development of a cyber warfare strategy was the Air Force. In November of 2006, the USAF announced the provisional creation of the Air Force Cyber Command. 87 Head of the Air Force General Norton Schwartz wrote to his officers in 2009 that “cyberspace is vital to today’s fight and to the future U.S. military advantage [and] it is the intent of the United States Air Force to provide a full spectrum of cyberspace capabilities. Cyberspace is a contested domain, and the fight is on—today.” 88

Although the Air Force was the most vocal (and aggressive) about the need to develop a way to deal with Cyberwar, the other branches of the military would soon follow suit: the Navy eventually reactivated the sub-hunting 10th Fleet of WWII in 2009; 89 and the Army has worked CyberOps into their doctrine as “an integral part of full spectrum operations”. 90 Meanwhile, on the civilian side, the NSA had been developing their own cyber capabilities, which mainly focused on intelligence gathering.

86 Clarke & Knake, op. cit. p. 58-9

87 Staff Sergeant C. Todd Lopez, “8th Air Force to become Air Force Cyber Command”, November 3rd, 2006 http://www.af.mil/news/story.asp?storyID=123030505

88 Clarke & Knake, op. cit. p. 41

89 Department of Defense News Release no. 827-09, October 22nd, 2009, http://www.defense.gov/releases/release.aspx?releaseid=13071

90 Jason Andress & Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners , Elsevier Inc., 2011, [e-book] location 1337-1339

The problem was a lack of centralization of cyber strategy. Each organization was only focusing on what was important to them about cyber, but no one was looking at the big picture. Former Director of the NSA Lieutenant General Kenneth A. Minihan criticized the lack of coordination:

The Navy is focused on other navies. The Air Force is focused on air defense. The Army is hopelessly lost, and the NSA remains at heart an intelligence collection agency. Not one of these entities is sufficiently focused on foreign counterintelligence in cyberspace, or on gaining hold of foreign critical infrastructure that the U.S. may want to take down without dropping a bomb in the next conflict. 91

To remedy this, then-Secretary of Defense Robert Gates created the unified United States Cyber Command (USCYBERCOM) as a sub-division underneath United States Strategic Command (USSTRATCOM) in June 2009 to deal with cyber security. USCYBERCOM would unite all the skills and techniques developed by these different organizations under one department and create a coherent strategy of cyber security. According to its mission statement:

USCYBERCOM is responsible for planning, coordinating, integrating, synchronizing, and directing activities to operate and defend the Department of Defense information networks and when directed, conducts full-spectrum military cyberspace operations (in accordance with all applicable laws and regulations) in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries. 92

From this unified standpoint, the US has since been able to develop its doctrine on the uses of and response to cyber-attacks. Military planners have divided cyber into three realms when discussing strategy: Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Defense (CND). CNE is not exploitation in the sense programmers use the word (exploits are normally what are used for cyber-attacks) but is more like reconnaissance or espionage; CNA is offense; and CND is defensive operations. 93 Of these three, defense has become the central focus (albeit it is hard to judge the extent to which cyber espionage is being conducted, but even if US efforts rival or exceed that of China defense still has a larger focus). This was doubly reinforced in the memorandum by Gates establishing USCYBERCOM:

91 Clarke & Knake, op. cit. , p. 43

92 United States Strategic Command, US Cyber Command, current as of December 2011, http://www.stratcom.mil/factsheets/cyber_command/

Cyber Command will use five principles for the department's strategy in cyberspace: Remember that cyberspace is a defensible domain; make our defenses active; extend protection to our critical infrastructure; foster collective defenses; and leverage U.S. technological advantages. 94

This has added to (and in some respects taken precedence over) the Joint Doctrine for Cyber (JP 3-13), which, while created in 2006, has found itself continually updated each year. The doctrine places cyber under the slightly larger umbrella of Information Operations (IO). The most recent edition available (as of this writing) defines IO as:

The integrated employment of electronic warfare (EW), computer network operations (CNO), psychological operations (PSYOP), military deception (MILDEC), and operations security (OPSEC), in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own. 95

In order to further this focus on defense, the DoD has developed an INFOCON system similar to the DEFCON system, which is designed to measure the level of threat to networks and adjust preparedness accordingly. It operates on a scale of one to five (one being the highest level of threat, five being the lowest) just like DEFCON, but has an added possibility of Tailored Readiness Options (TROs). These TROs are meant to supplement any given level of INFOCON.

93 Andress & Winterfeld, op. cit. , [e-book] location 1270-1274

94 Secretary of Defense Robert Gates, Memorandum June 23rd 2009, http://online.wsj.com/public/resources/documents/OSD05914.pdf

95 Joint Publication 3-13, “Information Operations”, November 27th 2012, http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf

An example of a current TRO is the ban on the use of thumb drives at the DoD due to their risk of transporting malware onto DoD networks. 96

The DoD has also frequently expressed the need for a public-private partnership in order to create a successful defense, but so far any productive partnership has proven problematic. The first problem is that USCYBERCOM’s stated mission is defending government networks (specifically those of the DoD itself). While it is mentioned that the defense should be expanded to critical infrastructure, this task has since been delegated to the Department of Homeland Security, which was already late to the cyber security game. The second problem is the reluctance of private corporations to share information when they have been attacked since it could hurt business. 97

All the stated doctrine for the United States’ cyber security underlines the importance of defense in the digital age; however, offensive capabilities have been getting attention as well. In a formerly secret-level 98 document from 2006 called the ‘National Military Strategy for Cyber Operations’ the Joint Chiefs of Staff assert a much more aggressive stance than that found in the declarations and published doctrines since. According to the document, the role of the military in cyberspace is

...to ensure the US military [has] strategic superiority in cyberspace... [In order to preserve] freedom of action [and to] deny the same to our adversaries... Offensive capabilities in cyberspace [are needed] to gain and maintain the initiative. 99

96 Andress & Winterfeld, op. cit. , [e-book] location 1351-1378

97 Clarke & Knake, op. cit. , p. 44

98 It was declassified as a part of the Freedom of Information Act.

99 Chairman of the Joint Chiefs of Staff, “National Military Strategy for Cyberspace Operations”, December 2006, http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf

While the first part of that statement is almost identical to the mission statement of USCYBERCOM, it takes the defensive doctrine detailed above and adds the need to remain offensively ahead. Elsewhere in the document it describes how vulnerable the US is to a coordinated cyber-attack and offers that the best way to avoid such an attack is by “inducing adversary restraint based on demonstrated capabilities.” The stated goal of cyber operations in the document is one where “adversaries are deterred from establishing or employing offensive capabilities against US interests in cyberspace.” 100

A state of cyber deterrence is the desired outcome for the US when dealing with nation-state actors in cyberspace. The US government recognizes that, given the offense dominant nature of cyber weapons, offense cannot be overlooked and may itself be the solution. The Director of the Air Force Cyberspace Operations Task Force put it rather bluntly:

If you are defending in cyberspace, you’re already too late. If you do not dominate in cyberspace, you cannot dominate in other domains. If you are a developed country [and you are attacked in cyberspace], your life comes to a screeching halt. 101

For the first decade of the 21st century, US cyber warfare strategy was in its infancy and focused mainly on defense and response. American emphasis on CERTs and other damage mitigation techniques underscores just how much US strategy needed to develop. There has been recognition of the desire for cyber deterrence, but little talk among officials of what that would really be and if it is possible. The DoD runs exercises to simulate responses to a cyber-attack, but currently there is no exercise that is designed to see how the military itself would operate without cyber technology. “How well the military could perform without cyber-enabled command and control systems may never be known until they are forced”. 102 Lieutenant General Kenneth Minihan, former Director of the NSA, has expressed great concern over US cyber strategy quite forcefully:

100 ibid

101 Clarke & Knake, op. cit. , p. 36

Though it is called the ‘Defense’ Department, if called on to defend the U.S. homeland from a cyber-attack carried out by a foreign power, your half-trillion-dollar-a-year Defense Department would be useless 103

Most recently, the US has come out publicly and forcefully as supporting cyber deterrence through retaliation. General Alexander, in testimony before Congress on March 12th, 2013, admitted to the buildup of American cyber offensive capabilities for this purpose: “I would like to be clear that this team, this defend-the-nation team, is not a defensive team...This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace”. 104

CHINESE CYBER STRATEGY

Surprisingly (or rather not so surprisingly as I will discuss later on in the section on cyber deterrence), the People’s Republic of China has been very open about its cyber warfare strategy. Since 1999 China has been developing its asymmetric war doctrine, and at the center of that effort has been the development of a cyber strategy. The People’s Liberation Army (PLA) sees cyber warfare as a way to get on equal footing with a militarily superior force such as the United States. The central goal of this type of warfare is to bring about an ultimate military victory by expanding the battlefield to targets beyond the reach of conventional weapons such as an enemy’s economic and political system. 105

102 Andress & Winterfeld, op. cit., [e-book] location 1685-1686

103 Clarke & Knake, op. cit., p. 44

104 Mark Mazzetti & David E. Sanger, “Security Leader Says U.S. Would Retaliate Against Cyberattacks”, , March 12th, 2013

In an article for High Frontier, a journal published by the US Air Force Space Command, Timothy L. Thomas lists some of the key Chinese concepts used in their cyber warfare doctrine as understood by the Taiwanese military:

• Acupuncture war, which establishes the examination of critical points in a network that, when taken out, can shut down an entire system. This can mean “the first battle [is] the final battle.”

• Strategic information war, which is understood to be the integration of political, economic, military, diplomatic, and other areas to produce an overall or comprehensive information victory. The targets of strategic IW include national, political, monetary, communications, and other crucial sectors down to single weapon systems such as aircraft carriers.

• Intangible war, which focuses on strategies, market competition, legal systems, and intellectual property rights.

• Net Force is the acknowledgment of “all people being soldiers, the integration of peace and warfare, and dual usage for the military and civilians.”

• Surgical warfare aims to attack the vulnerability of high-tech weapons systems, namely, attacking one point in command-control structures reliant on cyber to cripple the whole system. 106

105 Andress & Winterfeld, op. cit. , [e-book] location 1388-1389

106 Timothy L. Thomas, “Taiwan Examines Chinese Information Warfare”, High Frontier , USAF Space Command, Vol 5 no. 3, May 2009, pp. 26-35


All of these terms and concepts are geared towards the offensive, which is a persistent theme in the PLA’s cyber strategy. The need for dominance in cyberspace is one of the central points of China’s greater asymmetric war doctrine. Major General Dai Qingmin of the General Staff has stated that such dominance could only be achieved by preemptive cyber-attack. 107 China’s strategy demands that they take a very proactive stance in cyberspace and their activity over the past decade has shown their dedication to this strategy, but this does not mean they have neglected to protect themselves.

China is also at the forefront of cyber defense strategy. The Chinese government has been rather notorious worldwide for its censorship of the Internet. Their extensive network of censors, dubbed “The Great Firewall of China” and used to block subversive materials from the nation’s internet, and the “Green Dam Youth Escort” software that, as of 2009, has been mandated to be pre-installed on every computer system to be sold in China, have given China unprecedented control over their nation’s networks. 108 If the need should ever arise, the Chinese government has ensured they have the capability to cut off their entire nation’s cyber infrastructure from the outside world: an incredibly powerful defense.

Chinese cyber strategy comes off as being very aggressive with its preemptive strikes and stalwart defense. It has had the benefits of being a chief concern of the Chinese military for over a decade and has not had to deal with the issues of a public-private relationship with its critical infrastructure. China has already begun to conduct cyber espionage (Titan Rain), has created cyber war military units (the most notorious being Unit 61398 109 ), has laced US critical infrastructure with logic bombs 110 , and has created one of the most robust defenses short of not having cyber technology at all. To the Chinese, the Cyberwar has begun.

107 Clarke & Knake, op. cit., p. 50

108 Ibid p. 57

OTHER CYBER STRATEGIES FROM AROUND THE WORLD

The US and China are not the only nations who have developed specialized branches of government to deal with cyber security. Russia, the cyber-infamous nation whose ‘patriot hackers’ have disrupted two separate nations’ networks (first in Estonia in 2007 and then in Georgia in 2008), has been almost completely silent on their own cyber warfare doctrine. Whether this is because they desire to keep their plans a secret or because they legitimately have no plans to engage in Cyberwar (doubtful given their history) is unknown. What is known is that Russia is home to one of the largest and possibly best hacker schools in the world. The military school in Voronezh is run by the Federal Protective Service (FSO), one of the modern descendants of the former KGB. 111

In Europe, the chief cyber security force to step forward is NATO’s Cooperative Cyber Defense Centre of Excellence located in Tallinn, Estonia. It was created shortly after the 2007 DDoS attacks on Estonia (hence the location of its headquarters) in order to strengthen the cyber security of all its members. Its mission is “to enhance the capability, cooperation, and information sharing among NATO, NATO nations, and partners in cyber defense by virtue of education, research, and development, lessons learned, and consultation”. 112 The idea is that a collective defense will be easier than each nation trying to fend for itself, yet it makes no claims to deal with Cyberwar in particular.

109 According to Mandiant, a US Cyber Security firm, this particular unit has been responsible for stealing information from over 140 US companies. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf February 2013

110 Clarke & Knake, op. cit., p. 54

111 Ibid p. 64

The United Kingdom and France have taken the general approach to cyber security one step further by defining the problem, and therefore how they handle it, more specifically. The UK has decided to treat cybercrime and espionage as separate from cyber warfare in order to better focus its cyber warfare capabilities. 113 France, instead, made the distinction not between cyber warfare and cybercrime/espionage, but rather between defense and offense. The new French cyber strategy called for the creation of a Security of Information Systems Agency under the purview of the General Secretariat for Defense and National Security for defense while simultaneously developing an offensive cyber capability under the Joint Staff. 114

This model of creating a separate agency to deal with cyber war has been generally the case for most countries. While approaches vary on whether to focus on defense or offense, the constant theme is that countries are recognizing cyber warfare as a separate realm from conventional warfare. If this is true, devoted agencies will become increasingly important in the future.

112 Cooperative Cyber Defence Centre of Excellence, NATO, http://www.ccdcoe.org/11.html [last accessed February 2013]

113 Andress & Winterfeld, op. cit. [e-book] location 1444-1445

114 Présidence De La République, “The French white paper on defence and national security”, « Le Livre blanc sur la défense et la sécurité nationale », 2007 http://www.livreblancdefenseetsecurite.gouv.fr/IMG/pdf/white_paper_press_kit.pdf


CYBER DIPLOMACY: A WORD FROM RUSSIA

While Russia has had little to offer in the way of tangible cyber warfare strategy like China or the US, its view on cyberspace can be gleaned from the way it has conducted diplomacy when matters of cyber security are at stake. In fact, Russia has been at the forefront of each attempt to create some sort of international agreement on cyber security as it relates to cyber warfare (they have been somewhat more silent when it comes to regulating cybercrime).

RUSSIA AND THE UN

Since 1998, Russia has submitted a draft resolution on information security every year in the First Committee of the United Nations, which concerns itself with issues of disarmament and international security. The original draft, entitled “Developments in the field of information and telecommunications in the context of security”, served as the basis for all future proposals (changing only slightly over time) and was adopted without vote by the General Assembly as Resolution 53/70 on 4 January 1999. 115

The goal of the resolution according to Sergei Ivanov, a high-ranking Russian official who served as Minister of Defense from 2001 to 2007, was to develop “international law regimes for preventing the use of information technologies for purposes incompatible with missions of ensuring international stability and security.” 116

115 “Cyber Norm Emergence at the United Nations – An Analysis of the UN’s Activities Regarding Cyber-security?”; Maurer, Tim; Discussion Paper 2011-11; Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School; September 2011; http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-final.pdf

116 “The Trouble with Cyber Arms Control”; Ford, Christopher A.; The New Atlantis ; 2010; http://www.hudson.org/files/publications/20110301_TNA29Ford.pdf


The proposal itself requests that member states of the United Nations begin to recognize Information Warfare as a legitimate security threat to international stability. It also calls for the need to define key concepts. In particular it mentions the “unauthorized interference with or misuse of information and telecommunications systems and information resources.” 117

At first glance the proposal seems to be a rather benign call for awareness of a possible threat to international security and stability, but the United States and other Western powers were skeptical that the definitions Russia was proposing to come up with would prohibit censorship of the Internet. This rift was first noted by the United Nations in a discussion held on August 25-26, 1999. The meeting noted that the main divide lies between states that believe cyber crime and terrorism to be the greatest threats to the international community and others that believe information operations (defined essentially as propaganda) and its use by the militarily advanced states to be the biggest threat. 118 More generally, this is a divide between increased enforcement (the American stance) and disarmament (the Russian stance).

Russia continued to submit these proposals and have them adopted without vote until 2005, when it was put to a vote for the first time. The resolution was adopted, but this marked the first time that the United States voted against the proposal. This vote against the proposal marked the United States taking a much stronger stance than it had for the past decade. However, this opposition did not have the effect the United States was hoping for. 119

117 “Developments in the field of information and telecommunications in the context of security”; Fifty-third session, Agenda item 63; 4 December 1998; http://daccess-dds-ny.un.org/doc/UNDOC/GEN/N99/760/03/PDF/N9976003.pdf?OpenElement

118 “Developments in the field of information and telecommunications in the context of security”; Private Discussion Meeting hosted by DDA and UNIDIR; Geneva, August 25-26, 1999; http://www.unidir.org/pdf/activites/pdf3-act81.pdf

119 “Cyber Norm Emergence at the United Nations – An Analysis of the UN’s Activities Regarding Cyber-security?”; Maurer, Tim; Discussion Paper 2011-11; Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School; September 2011; http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-final.pdf

The American opposition may have made clear the doubts the United States was having about Russia’s intentions, but it inadvertently caused an increase in support for the proposal. The next year, 2006, saw the addition of eight co-sponsors to the proposal including China, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Myanmar, Tajikistan, and Uzbekistan. 120 This number would continue to grow each subsequent year.

(It is important to note that the states that initially co-sponsored the proposal generally came from the former Soviet sphere and therefore have a closer relationship with Russia than with the United States. Additionally this period of American opposition was also a period of uneasy relations with the UN in general. A policy shift occurred after the administrations changed, Bush to Obama, and a new policy with Russia and the United Nations was adopted.)

In 2009, as a part of the “reset” policy for Russo-American relations, the United States began talks with Russia on cyber security. Recognizing the need for international cooperation to help combat the misuse of cyber space, American officials began to talk with Russian officials in order to find common ground for the first time. However, this cooperation did not mean the United States had come around to Russia’s way of thinking.

On the issue of “cyber terrorism” the Russians have called for a complete ban in order to protect state sovereignty. American officials, however, describe this as a Russian effort to restrict “politically destabilizing speech.” 121 While cooperation was beginning to appear between the two sides, the fundamental philosophical differences were still proving to be the biggest impediment towards any meaningful outcome.

120 ibid

121 “In Shift, U.S. Talks to Russia on Internet Security”; John Markoff & Andrew E. Kramer; The New York Times; December 12, 2009; http://www.nytimes.com/2009/12/13/science/13cyber.html


However, many American officials doubt Russian intentions when it comes to protecting the freedom of the Internet. Russian officials have their own concerns about American intentions. Gen. Vladislav P. Sherstyuk, undersecretary of the Russian Security Council, voiced anxiety that the United States was completely leaving out cyber-warfare from the conversation in order to protect the American “hegemony” over the Internet and specifically the United States’ potential power to shut off the Internet in certain states. 122

In 2011, Russia, along with China, Tajikistan, and Uzbekistan, penned a letter to the General Assembly outlining a cyber code of conduct. Within this code of conduct are several things that could alarm an American policy maker. It calls for an effort to stop the dissemination of information that could “undermine other countries’ political, economic and social stability.” Additionally it states that freedom in “information space” should comply with “relevant national laws and regulations.” 123

This letter can be interpreted to be calling for a restriction of freedom of speech if it goes against a state’s agenda, a disturbing sentiment to the United States, which seeks to promote Internet freedom. But this is not the only interpretation. Oppressive regimes or terrorist organizations could use the same tools to spread propaganda of their own. At the very least it shows an effort on Russia’s part to open the dialogue on information security.

122 “At Internet Conference, Signs of Agreement Appear Between U.S. and Russia”; John Markoff; The New York Times; April 15, 2010; http://www.nytimes.com/2010/04/16/science/16cyber.html

123 “Annex to the letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General: International code of conduct for information security” ; United Nations – General Assembly; 14 September 2011; http://blog.internetgovernance.org/pdf/UN-infosec-code.pdf


RUSSIA’S THINKING

The key difference between the Russian and American philosophies on information security comes down to the definitions of terms. The most important of these terms is “information operations”. Whereas the United States’ conception of “information operations” is limited to the dissemination or planting of information (true or false), the Russian definition is much broader. George Sadowsky, a United States representative to ICANN, said that when it comes to the Russian definition of information security “it’s a broader notion, and they really mean state security.” 124

Russian thought on information security, instead of focusing on just the offense and defense of computer systems like the American doctrine, emphasizes the psychological aspect of information warfare. There is a “totalistic ideal of information warfare as a contest between whole societies.” 125 This idea that information, in the form of thought, is a significant threat to state security has been a part of Russian doctrine since the formation of the Soviet Union and has endured in Russian philosophy even after its collapse.

In 2000 the Kremlin created the Information Security Doctrine which listed the potential threats to Russian information security as the “degradation of spiritual values, propaganda of models of mass culture based on the cult of violence, and on moral values contradictory to values accepted in Russian society; weakening the spiritual, moral, and creative potential of the Russian peoples; [and] obstruction of the state mass-media’s efforts to inform Russian and foreign audiences.” 126

124 “At Internet Conference, Signs of Agreement Appear Between U.S. and Russia”; John Markoff; The New York Times; April 15, 2010; http://www.nytimes.com/2010/04/16/science/16cyber.html

125 “The Trouble with Cyber Arms Control”; Ford, Christopher A.; The New Atlantis; 2010; http://www.hudson.org/files/publications/20110301_TNA29Ford.pdf

From an American perspective this doctrine comes off as authoritarian by design and made to ensure that freedom of expression is limited to what the state believes is appropriate. But when viewed in the context of Russia’s “warring societies” model it is understandable how this conclusion was reached.

Another main thread of Russian information security philosophy is the fear of a cyber arms race with the United States. This fear has been the major impetus for the call for an all-out ban of cyber weapons. Russian officials are concerned that they would not be able to win an arms race with the United States. 127

The easiest way to stop an arms race would be to ban the militarization of the Internet altogether. This would leave the realm of “technical” information attacks to non-state actors, such as the patriot Russian hackers accused of conducting cyber attacks on Estonia in 2007 and Georgia in 2008.

The playing field would be essentially leveled. The enormous technical advantage of the United States would no longer matter as much because the only way they could carry out a cyber-attack would be vicariously through a non-state organization, which would not have the same capacity as the American government.

While American interests would say that this solution would end up leaving the world more vulnerable, it would give Russia a sense of security knowing that it would not have to worry about a growing gap between itself and the United States. This situation combined with Russia’s tight control on Russian “spirit” would make patriot hackers a very powerful tool for Russia.

126 ibid

127 ibid

The Russian doctrine also tends to focus more on the negatives than the American philosophy. The United States recognizes that good can come out of information operations by giving people a forum for free exchange. However, Russia has included these types of information operations as part of the behavior to be avoided. This type of activity is consistently listed as being criminal or terrorist in nature. 128

In his book The Net Delusion, Evgeny Morozov 129 gives many examples of how authoritarian regimes have used this “liberating” technology to oppress their people. He cites Hugo Chavez’s use of Twitter to solidify his rule, China’s Fifty-Cent Party and their role in driving all internet conversations towards pro-government topics, and he even talks about Russia’s use of entertainment to distract its populace from “subversive thoughts.” 130

Morozov’s book is critical of Russian censorship and is not written by a pro-Russian thinker, but it highlights the skepticism of the benefits of a free internet that Russian officials have demonstrated in their proposals to the United Nations. I bring up the example of his book to demonstrate this emphasis on the disadvantages of a free internet.

The Russian mindset on information security is much more focused on fear than the American outlook. From the very existential threat of a societal war to the more practical fear of getting tangled in an expensive and, ultimately, futile cyber arms race, Russian officials drafted their proposals with these fears at the forefront. The fact that Russia has been so adamant about reaching an agreement for over a decade only highlights the severity of the Russian fears.

128 “Annex to the letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General: International code of conduct for information security”; United Nations – General Assembly; 14 September 2011; http://blog.internetgovernance.org/pdf/UN-infosec-code.pdf

129 Morozov was born in , but has spent his career in the United States writing as a skeptic of the Internet Freedom Agenda.

130 The Net Delusion: the Dark Side of Internet Freedom; Evgeny Morozov; PublicAffairs, New York, NY, 2011

THE LESSONS OF HISTORY

Although a fairly new area of thought, cyber strategy contains some very diverse thinking. USCYBERCOM is focused on defense, but hopes to use offense to create cyber deterrence. The PLA has seized the initiative in a big way and has not tried hard to conceal their actions. Russia has kept quiet on its own strategy, but has highlighted the role of fear and been highly vocal in diplomacy. These strategies are not all too different from the ones we saw during the 20th century when nuclear weapons were the primary concern; they draw on elements from the past. But does cyberspace allow for this?


THE SIMILARITIES OF CYBER AND NUCLEAR

A century ago, armies discovered that technology could be the key to victory. Since then there has been a steady stream of new weapons, new technologies, and new ways to attack. Perhaps it is best to see the Internet and cyber-attack as the latest in a long line of technologies that have changed warfare and provided new military capabilities.

-James A. Lewis, Center for Strategic and International Studies

We have examined the paths both nuclear thinking and cyber thinking have taken in order to understand where the comparison is coming from. But so far we have done little to question or support the claim that these two different technologies can be treated in a similar manner. This section lays out the parallels of the two technologies that give credence to the analogy, while simultaneously judging the strength of each similarity.

THE TECHNICAL SIMILARITIES

DESTRUCTION

At first glance the technical capabilities and limitations of cyber and nuclear warfare can seem vastly different. On the one hand you have a battle taking place in virtual space whose physical consequences can be hard to imagine. On the other is the capability to cause the largest single explosive event humans are capable of. A thermonuclear detonation, even of relatively modest size, can wipe out the better part of a large American city. All the cyber-attacks we have seen to date have not come anywhere near to demonstrating this kind of destructive power. At worst cyber-attacks have proven to be an economic issue where either intellectual property is stolen or business is disrupted. So how could cyber ever compete with the horrific destruction of a nuclear bomb?


Detonation of a 340kt blast in central Washington, D.C. Courtesy of NUKEMAP http://www.nuclearsecrecy.com/nukemap/

It would be wrong to judge the potential damage that could be caused by a cyber-attack based on what we have seen so far. Most of the attacks that have been publicized and talked about have either been examples of hacktivism or espionage (and in some cases a mix of both). The most common form of attack has been DDoS attacks backed up by basic viruses and worms. DDoS attacks are a very primitive form of cyber-attack and are more akin to disrupting a place of business with a sit-in rather than, say, a bomb threat.

The famous (or infamous depending on your view) Stuxnet worm is one of the first signs of the maturation of cyber weapons. It marks the first use of a cyber weapon to affect objects in the physical world in order to achieve its goal. 131 This crossover from cyberspace to realspace should serve as a portent of things to come. Stuxnet damaged equipment used in the Iranian nuclear program, but it has since been discovered that the worm had the potential to cause explosions. What was truly impressive about the Stuxnet worm was not its ability to affect the physical world (that very principle has been proven by the fact that we use computers to manage many aspects of our physical world), but that it was so precisely targeted. 132

131 There is an unconfirmed claim by Thomas C. Reed, former Secretary of the Air Force to Presidents Ford and Carter, that the 1982 Siberian Pipeline explosion in the USSR was caused by a logic bomb placed in the pipeline’s control computers that caused a buildup of pressure resulting in the explosion. While the exact details of the event are dubious, the general principles of the attack, outlined by Reed in his book At the Abyss: An Insider's History of the Cold War, are possible.

According to the US security firm ESET, Stuxnet was unique in its ability to avoid the pitfalls common to most worms and viruses:

Once self-replicating code is released, it’s difficult to exercise complete control over where it goes, what it does, and how far it spreads (which is one of the reasons reputable researchers have always been opposed to the use of “good” viruses and worms: for the bad guys, it also has the disadvantage that as malware becomes more prevalent and therefore more visible, its usefulness in terms of payload delivery is depleted by public awareness and the wider availability of protection). 133

Stuxnet was a targeted attack on specific systems of a specific country. The capabilities of the worm give only the smallest glimpse into what is possible in a large-scale cyber-attack, especially if the target is a nation highly integrated with information technology.

In their book Cyber War: The Next Threat to National Security and What to Do About It, Richard Clarke and Robert Knake spend three pages going into detail about what could happen if the United States was hit with a coordinated cyber-attack:

...Large-scale routers throughout the network are failing, and constantly rebooting. Network traffic is essentially halted... DoD’s classified networks are grinding to a halt... FEMA [has] reported large refinery fires and explosions... as well as lethal clouds of chlorine gas being released from several chemical plants... The Federal Aviation Administration’s National Air Traffic Control Center in Herndon, Virginia, has experienced a total collapse of its systems... Brickyard, the Indianapolis Center, has already reported a midair collision of two 737s... The Federal Railroad Administration has been told of major freight derailments in Long Beach, Norfolk, Chicago, and Kansas City... “The Chairman of the Fed just called. Their data centers and their backups have had some sort of major disaster. They have lost all their data... Nobody will know who owns what. The entire financial system will dissolve by morning.”... Washington’s streets are filled with car wrecks because the signal lights are all out... the blackout is covering the entire eastern half of the country ...Pipelines carrying natural gas to the Northeast have exploded, leaving millions in the cold. The financial system has also frozen solid because of terabytes of information at data centers being wiped out. Weather, navigation, and communications satellites are spinning out of their orbits into space. And the U.S. military is a series of isolated units, struggling to communicate with each other... In the days ahead, cities will run out of food because of the train-system failures and the jumbling of data at trucking and distribution centers. Power will not come back up because nuclear plants have gone into secure lockdown and many conventional plants have had their generators permanently damaged. High-tension transmission lines on several key routes have caught fire and melted. 134

132 F-Secure, “Stuxnet Questions and Answers”, [last edited] November 23rd, 2010, http://www.f-secure.com/weblog/archives/00002040.html

133 Aleksandr Matrosov, Eugene Rodionov, David Harley, & Juraj Malcho; “Stuxnet Under the Microscope”; ESET white paper; revision 1.31; http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf [last accessed February 2013] p. 10

The dramatic tone and apocalyptic scenario may seem more fitting for a Hollywood movie than a serious discussion on cyber policy, but it serves to illustrate an important point. Modern society (especially in the industrialized world) has become increasingly dependent on information technologies in every aspect of daily life. The more integrated a society is with computers, the more vulnerable it is. However, one does not need to go to the extreme of envisioning planes falling from the sky and clouds of poison gas wafting towards population centers to see how damaging a cyber-attack can be. Take, for example, an attack on the power grid.

The US has already suffered several intrusions into its electrical grid by foreign entities in the past few years. The chief antagonists thus far have been Russia and China, who, according to US intelligence, have attempted to map the US electrical grid in order to probe for weaknesses, in some cases going so far as to leave behind pieces of malware (malicious computer code with the intent of causing damage) that could be activated to disrupt the grid. 135 While none of this code has been activated nor is it evident that either country successfully completed their maps, the fact that two countries with which US relations can be somewhat tumultuous have made it so far into our critical infrastructure is startling.

The cyber security of the current grid is such that it does not even require the resources of a state to cause damage. Joe Weiss of Applied Control Solutions LLC, a security consulting company based in California, estimates that a terrorist organization could potentially use cyber-attacks to disable transformers resulting in a blackout that could last 9-18 months. 136 For comparison, the August 2003 blackout that caused over $6 billion in economic loss and at least eleven fatalities only lasted four days, with power being restored incrementally throughout that time. Now, the 9-18 months figure may be a bit exaggerated (a security firm has an interest in making situations seem more dire than they are), but if an attack could even manage to disrupt service for a month, that damage would be incredible.

134 Clarke & Knake, op. cit., pp. 64-7

135 “Electricity Grid in U.S. Penetrated By Spies”; Siobhan Gorman;

The situation becomes even gloomier when one examines the current price to efficiency relationship of cyber-security for US energy companies. A Bloomberg survey of 21 US energy companies found that their average spending on cyber security was $45.8 million a year and that they were able to defend against 69% of known cyber-attacks on their systems. Estimates provided by these companies state that an increase of about $25 million in annual spending on cyber-security could improve their defense to 88%, but in order to get to 95% they would have to spend a total of $344.6 million per year, which is way too much for any one company to spend. This sharp increase in spending is due to the even sharper increase in the complexity of attacks. Most of the attacks deflected are simple in design and usually carried out by bots, so the percentages can be misleading. It is also this upper echelon of complex attacks that poses the greatest risks to the grid. To make matters worse, if an attack were to occur and damage critical hardware there is an issue of whether or not we have enough replacement parts in supply to quickly repair the system (there would not be). 137 So far we have been lucky and a large scale attack has been avoided, but it seems like only a matter of time before that luck runs out.

136 “Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months”; Brian Wingfield;

137 ibid


The electrical grid is just one of many critical infrastructure systems that could be hit. In a Cyberwar, it is improbable that an enemy would hit only one such target and leave the others intact. Matters become increasingly worse with the introduction of ‘smart’ technologies and their growing prevalence. It is not likely (nor would it be prudent) that a nation would shun these new technologies and all the benefits they can bring (especially the energy benefits of a smart grid) out of fears of the vulnerabilities they create. However, as nations make the transition from being industrialized to informationalized, awareness of the dangers that a coordinated cyber-attack can have becomes paramount.

It may not be as flashy as a nuclear bomb, but a well-designed cyber-attack can bring society to a screeching halt. Casualties will not come as a direct result of the malware and logic bombs used, but rather from the indirect effects the attack has on critical systems. If we are dealing with wars between entire civilizations as McNamara and others realized in the 1960s, then cyber weapons do just as good of a job as nuclear weapons at bringing down a civilization.

CREATION

One of the saving graces of nuclear weapons technology has been that it is notoriously difficult to develop. Not just anyone with a desire to cause massive destruction can assemble a nuclear device in their backyard. The technical know-how needed to ensure the bomb will achieve a sustained chain reaction instead of just blowing itself apart (leaving the nuclear fuel virtually untapped) is the kind of knowledge that requires extensive education. Even if you were an evil genius nuclear physicist bent on destroying Manhattan you would still be faced with an incredibly difficult hurdle: money.


Nuclear bombs are not cheap to make. Finding a seller of fissionable material is easy enough (Uranium is a commonly traded commodity), but it still costs money and is most likely not weapons grade (at least 90% enriched, meaning U-235), unless you are lucky enough to find someone selling Plutonium-239.

Thus begins the process of enriching the Uranium which requires capable facilities. Once you have the fuel you need to assemble all the parts of the bomb (see right), double check your calculations, and transport it to where you will detonate it.

Easy. 138

[Figure: Diagram of a Fission Bomb]

The point is, unless you have the backing of a state or equally powerful entity, a nuclear weapon is probably beyond your capability. But what about a cyber weapon? Surely the hacker community that prides itself on empowering the small to take down the powerful has some tools that individuals or even groups of malefactors could get a hold of and use.

The physical costs of constructing a cyber weapon are not as high as those needed to construct a nuclear device. Estimates for the cost required to build Stuxnet vary from $3 million to $10 million, and it would have taken about six months to create. 139 However, weapons like Stuxnet, for all their complexity, are still on the lower end of the spectrum of destructive cyber weapons. To even begin to reach the dire levels of destruction explored above you need not only a heftier investment in materials (although still not as much as a nuclear device), but also, and more importantly, a significant investment in the human capital required to pull off the attack.

138 Lucien Dorneanu, “How to make an atomic bomb”, April 27th, 2007 http://news.softpedia.com/news/How-To-Make-An-Atomic-Bomb-53392.shtml

139 Jane McEntegart, “Stuxnet is the World’s first cyber super weapon”, September 27th 2007 http://www.tomsguide.com/us/stuxnet-cyber-weapon-worm-trojan,news-8122.html + Babak Dehghanpisheh, “Going cyber against nuke program”, Newsweek , October 4th 2010 http://www.thedailybeast.com/newsweek/2010/10/04/stuxnet-worm-latest-attack-in-growing-cyberwar.html

The most significant barrier to entry for an actor wishing to obtain cyber capabilities is the lack of skilled workers. According to Richard Clarke:

As with any developing technology, the cost and other barriers to entry are going down each year. Staging a devastating cyber-attack would not require a major industrial effort like building a nuclear bomb. Understanding the control software for an electric grid, however, is not a widely available skill. 140

Clarke goes on to explain how, because of the lack of skill, it is doubtful that we will see cyber weapons in the hands of terrorist organizations or anything less than a state-level actor. A terrorist group does not have the capacity to train its members in all the required skills needed to assemble an effective hacking team. It is possible that they could hire mercenary hackers from the cybercrime realm, but this would then increase their monetary investment substantially in order to compensate these hackers for taking time from their lucrative cybercrimes. 141

The scale of the attacks committed by terrorist groups (either nuclear or cyber) pales in comparison to the capacity of a state to inflict damage. They could maybe take down the power grid on the East Coast for a while, or place a small nuclear device in downtown New York, but neither of these attacks amounts to the civilization-destroying potential that both nuclear war and Cyberwar possess. For that you need the coordinated effort of a state that has dedicated portions of its military towards that particular type of warfare and is prepared to go on the offensive at a moment’s notice.

140 Clarke & Knake, op. cit. , p. 136

141 ibid


SPEED

Thomas Schelling, Bernard Brodie, and others pointed out that the key difference of nuclear weapons from conventional weapons was not the amount of damage they could inflict. They argued that it was the speed at which a nuclear war would be carried out. What was once a matter of months or even years now became a matter of hours and days. This new speed of war meant that peacetime decision making became all the more important since little time would be left in the event of a nuclear war. Plans had to be set in place about how to react to an attack before one occurred.

Cyber weapons take this aspect of nuclear weapons a step further. While it might take a nuclear missile up to 30 minutes to reach its target (in the case of an ICBM), a cyber weapon’s speed is only restricted by the speed of the mediums through which the information is transported. In almost all cases this is either light (radio signals or fiber optics) or electrons (in the computers themselves). This brings down the hours and days reaction time of a nuclear war to a seconds and minutes timescale in a Cyberwar.

Commands in a cyber war would be sent at speeds near the speed of light; far faster than any human could ever hope to react. This makes having a fully thought out plan essential. Just like in a nuclear war, a cyber war will rely on those peacetime decisions of how to react in the event of an attack (or how to follow up an attack in the case of a first-strike). The compression of the timescale of war calls attention to another characteristic shared by both nuclear and cyber weapons.


ESCALATION

The fast-paced nature of both types of warfare leads to a certain degree of automation of responses, especially during the initial phases of a conflict. In his book Escalation and the Nuclear Option , Brodie warns against the “great deal of ground-in automaticity of response and counter response, resulting in a swiftly accelerating ascent in scale of violence”. 142 The same situation exists in cyber strategy.

Reactions to a cyber-attack have to happen on such a small timescale that the necessity to preplan them creates an automation of responses. In cyber there are even truly automated responses (such as anti-virus software), but these tend to only focus on defense and would not contribute to an escalation of violence. What is conceivable, however, is a quick escalation to physical fighting if low levels of cyber violence are automatically responded to in a certain way. This makes the need for a coherent idea of limited cyber war crucial in averting an escalation of violence.

DEFENSE

As discussed in the section on the history of nuclear strategy, a good defense was never developed for nuclear weapons, nor was there much hope for one. Effort was given to try and develop ways to attack the delivery methods, but it was generally agreed that any defense, unless it worked consistently and perfectly, would not be good enough in the event of nuclear war. Whatever defense could be gained would cost more than it would cost an aggressor to build up more weapons to overtake it. It makes more sense to maintain an emphasis on offense in the nuclear realm. The same is true of cyber. 143

142 Bernard Brodie, Escalation and the Nuclear Option , Princeton University Press 1966, p. 57

Both firewalls and anti-virus software are not perfect solutions. Most internet users have some form of anti-virus software installed on their computers now and it is nearly impossible to find an internet connection that does not have even the most primitive firewall set up. The fact that malware attacks still occur frequently shows how this is an incomplete solution.

Firewalls are the strongest form of protection available. A firewall can be set up in an office environment where there is a large internal network which is then connected to the Internet or in a home environment where computers usually have more direct internet access. They work by controlling the flow of traffic to and from the Internet. This is done in one of three ways. A firewall uses either (1) packet 144 filtering which analyzes packets against a library of filters; (2) proxy service which sends the information to a requesting system that authenticates the data; or (3) stateful inspection, a method that only looks for key parts of the packet to compare against a database of unwanted information. 145

In theory, a firewall can be 100% effective and block all malware and unwanted content, but this would also bring internet use to a halt by blocking all content. The only way to use a firewall then is to balance between allowing and stopping traffic. This can be done to varying degrees of security, but even the most well balanced firewalls often fall short. A November 2011 study conducted by Larry Suto (a security industry expert) found that a properly set up firewall can block about 79% of attacks. 146

143 David C. Gompert & Phillip C. Saunders, “Paradox of Power”, National Defense University Press 2011, http://www.ndu.edu/press/paradox-of-power-execsum.html

144 Packets are small bits of information and are how data is sent over the Internet.

145 “How Firewalls Work”; Jeff Tyson; http://computer.howstuffworks.com/firewall1.htm

Anti-virus software is not designed to prevent malware from entering a computer, but rather provides a method of dealing with it once infected. It achieves this by monitoring all the files on the computer in order to detect any signs of malware. This type of software relies heavily on virus dictionaries in order to compare the files to a list of known viruses. When a virus is detected it can delete, quarantine, or attempt to repair the file. 147

There is also a suspicious behavior approach that more recent anti-virus software uses as it does not require a virus dictionary. This helps protect against unknown and new viruses. This method monitors the behavior of all programs and looks for any program doing something unusual, such as writing an executable program. It will then alert the user and ask for permission to run the program. The problem is that this happens with great frequency so users get desensitized to the warnings and often just click allow without thinking. Malware has also evolved to outsmart this system and often hides its processes from plain sight (especially in the case of worms, which operate within the holes in network security). 148

Anti-virus software is also very costly and often viewed as causing more problems than it solves. The virus dictionary requires constant updating not only on the part of the security firm, but also on the part of the user (a task that more often than not goes neglected). The suspicious behavior detection has caused much complaint as it slows down overall computer speed by forcing these checks even on perfectly good software. A recent survey of different anti-virus programs found that seventeen were unable to detect over 48% of the malware on the computer. 149

146 “How Companies Can Defend Against Database Cyberattacks”; Joshua Phillips; http://english.ntdtv.com/ntdtv_en/science_technology/2011-11-22/How-Companies-Can-Defend-Against-Database-Cyberattacks-.html

147 “How Does Anti-Virus Software Work?”; http://www.antivirusworld.com/articles/antivirus.php

148 ibid

With a clear dependence on up to date information on malware, firewalls and anti-virus software will always lag behind the latest malware. Improved techniques will enable cyber security to continue improving, but it will never be perfect. The high level cyber-attacks that will be employed during a cyber war will not be covered by these defensive techniques. As shown with the electric grid example above, the cost to defend against these more complex attacks becomes exponentially more expensive. For now and into the foreseeable future, cyber security remains an offense dominant realm.
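The lag described above can be seen in a small model of the two anti-virus approaches, added here as an illustration that is not part of the original thesis. It assumes the simplest form of virus dictionary (a whole-file SHA-256 hash per known virus) and a single suspicious-behavior rule; the samples, file names, and behavior labels are all constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes            # constructed placeholder bytes, not real malware
    behaviors: tuple = ()     # hypothetical labels for what the program does
    malicious: bool = False   # ground truth, used only to score the scanners


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: one virus already in the dictionary, one new variant,
# one harmless installer, one harmless document.
KNOWN = Sample("old_worm.bin", b"CONSTRUCTED-WORM-PAYLOAD-v1",
               ("write_executable", "modify_autorun"), True)
VARIANT = Sample("new_worm.bin", b"CONSTRUCTED-WORM-PAYLOAD-v2",
                 ("write_executable", "modify_autorun"), True)
INSTALLER = Sample("setup_editor.bin", b"CONSTRUCTED-BENIGN-INSTALLER",
                   ("write_executable",), False)
DOCUMENT = Sample("report.txt", b"quarterly report", ("read_file",), False)
SAMPLES = [KNOWN, VARIANT, INSTALLER, DOCUMENT]

# Assumption: a dictionary entry is the hash of the whole file.
VIRUS_DICTIONARY = {sha256(KNOWN.content): "Constructed.Worm.A"}

# Assumption: the behavior monitor flags these two actions.
SUSPICIOUS = {"write_executable", "modify_autorun"}


def dictionary_scan(sample, dictionary):
    """Return the dictionary label if the file is a known virus, else None."""
    return dictionary.get(sha256(sample.content))


def behavior_scan(sample):
    """Return the suspicious behaviors the sample exhibits (sorted)."""
    return sorted(set(sample.behaviors) & SUSPICIOUS)


def evaluate(samples, dictionary):
    """Run both scanners over every sample."""
    return {
        s.name: {
            "signature_hit": dictionary_scan(s, dictionary) is not None,
            "behavior_alert": bool(behavior_scan(s)),
            "malicious": s.malicious,
        }
        for s in samples
    }


def summarize(rows):
    """Malware the dictionary missed, and benign programs that raised alerts."""
    missed = [n for n, r in rows.items()
              if r["malicious"] and not r["signature_hit"]]
    false_alarms = [n for n, r in rows.items()
                    if r["behavior_alert"] and not r["malicious"]]
    return missed, false_alarms


def update_dictionary(dictionary, sample, label):
    """The vendor update: only after a sample is collected can it be matched."""
    updated = dict(dictionary)
    updated[sha256(sample.content)] = label
    return updated


if __name__ == "__main__":
    missed, false_alarms = summarize(evaluate(SAMPLES, VIRUS_DICTIONARY))
    print("missed by dictionary:", missed)
    print("benign programs that alerted:", false_alarms)
    patched = update_dictionary(VIRUS_DICTIONARY, VARIANT, "Constructed.Worm.B")
    print("missed after update:", summarize(evaluate(SAMPLES, patched))[0])
```

The dictionary catches only the sample it already lists, while the behavior rule catches the new variant at the price of also alerting on the harmless installer, which is the source of the warning fatigue the text describes.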

ATTRIBUTION

Attribution of an attack poses a problem to both nuclear and cyber attacks, but it is not as bad as it seems. There is a lot left to be desired in both the fields of nuclear forensics and cyber attribution. Neither method is definitive, and both take time, which is in short supply in the wake of an attack. As we saw earlier, this posed little problem for nuclear strategists who saw the possibility of a ‘bolt from the blue’ as remote at best. Cyber strategists at the National Defense University have reached a similar conclusion:

Many, if not most, big cyber threats or actual attacks on the United States, its military forces, or its allies are not likely to be conducted in a political vacuum. Rather, they will be conducted with an explicit political or strategic goal: as a means to an end rather than an end in themselves. They are most likely to be conducted to exert pressure, intimidation, and coercion on the United States to induce it to acquiesce in the larger agenda being pursued by the attacker. Such an attacker likely would not want to conceal its identity, because that would prevent delivery of the message and thereby dilute prospects for an acquiescent response. 150

149 “Security and the Internet: Fighting malware”; Lyndon Thompson; The OECD Observer; Paris, France; July 2008; Issue 268; p. 10

Attribution in cyber, as in nuclear, will only pose a problem to an overall strategy in very rare and remote cases. Traditional investigative techniques and logical reasoning will be enough to determine where an attack came from. Examples like Estonia and Georgia show that attribution can still be an issue for cyber strategy. Russia has denied its involvement in either instance, instead maintaining that the attacks came from patriot hackers, but claims like this become less and less easy to hide behind as the severity of the attacks increases. 151

DUAL-USE

A complicating factor in both nuclear and cyber technology is that neither is purely a military or civilian technology. The dual-use of nuclear technology has proven to be one of the key hurdles to stopping nuclear proliferation. Nuclear energy is an end towards which many peaceful nations strive, but it also brings the possibility for those with less noble intentions to develop the capability to build nuclear weapons.

Information technology has had a profound impact on the civilian economy. The Internet alone has revolutionized the way people conduct business. Networks have become pervasive all over the world and have been important parts of economic growth. This complicates issues of strategy. Too defensive of a posture (firewalls, restrictions, etc.) and you could end up strangling the economy. Too relaxed and you leave your country open and vulnerable. One solution to this dilemma could be to borrow the anti-proliferation model from nuclear technology and establish an international agency similar to the IAEA meant to promote the safe use of cyberspace through international cooperation. Regardless, this dual-use property strengthens the similarities between cyber and nuclear technologies.

150 Franklin Kramer, Stuart Starr, Larry Wentz, Cyberpower and National Security , National Defense University Press, April 2009, p. 318

151 Plus it is almost universally recognized that even if the Russian Government did not conduct the attacks itself it would have been hard not to know about the attacks, implying at least a tacit support for the attacks by the Russian Government.

THE STRUCTURAL SIMILARITIES

QUICKLY WEAPONIZED

While it did take years to develop nuclear weapons, and cyber weapons have been developing steadily now for over two decades, they both found themselves adopted into military strategy rather quickly. Whereas planes and tanks had a learning and experimentation phase (WWI) before they were fully adopted by any nation as part of their military strategy, nuclear weapons and cyber weapons have found themselves forced into doctrine without much historical experience.

The atomic bombs that were used on Japan at the end of WWII served to demonstrate the power of nuclear weaponry, but they did little to build military thinkers’ experience with the weapons. At that point in time their use was seen as an extension of conventional strategic bombing. It was not until afterwards that a real discussion about how to use (or not use) nuclear weapons began. No one was exactly sure where they fit in the traditional military structure: were they a category of weapons separate from conventional war or were they best suited for tactical uses in combination with conventional forces?

The debate has gone similarly with cyber weapons. There are those who believe that we stand at the precipice of a new kind of warfare and those who believe cyber weapons are only useful in a supporting role to conventional forces. They see a new form of airborne electronic jamming, propaganda, harassment, and nuisance-value disruption. 152

Where exactly in the military hierarchy cyber weapons will end up is still a matter of debate, but the fact that this debate exists at all is telling. Just like with nuclear weapons, strategists are being forced to work cyber weapons into their strategies quickly while countries “[develop] and systematically [deploy] a new type of weapon...without a thoughtful strategy”. 153

UNKNOWN CAPABILITIES

Throughout the Cold War, there was always an issue of accurately representing your enemy’s capabilities. It was hard to know exactly what capabilities your opponent had. For the most part, policy makers and military leaders were at the mercy of what the other side decided to demonstrate or make known. Espionage could only gather so much information through agents and aerial photography, but definite knowledge was hard to come by.

This is part of the reason why events like Hiroshima and Nagasaki, military parades, and nuclear testing were important. They demonstrated credible capabilities to the enemy. Without those instances it would be hard to believe the country a) had a bomb and b) had the means to transport it and detonate it.

In cyberspace it is nearly impossible to know the capabilities of an adversary. Traditional intelligence information helps (knowing if a state is training hackers or setting up military cyber units is a good start), but in the end does not say that much about specific cyber capabilities. There are ways to demonstrate cyber capabilities, but, like with nuclear technology, they are conscious decisions on the nation’s part. Methods include everything from penetrating an enemy nation’s networks and not doing much to cover up the fact that it originated from your nation (as has been the case with Chinese and Russian mappings of the US power grid) to being very vocal about cyber strategy and demonstrating a commitment to it.

152 Clarke & Knake, op. cit. , p. 30

153 Ibid ‘preface’

INTERNATIONAL DIPLOMACY

Cyber security has increasingly become an issue brought up by diplomats. There is a general feeling that international cooperation may be necessary to maintain the peace in cyberspace. Russia has pushed for international security cooperation at the UN. NATO and the EU have pushed for greater information sharing between nations. This echoes the feelings right after the development of nuclear weapons in the 40s:

If the development of atomic energy continues to rest entirely in the hands of separate nations, if there is no provision for the international exchange of information, for international cooperation and eventually international control, an international atomic arms race seems inevitable. 154

The fact that cyber has been given a treatment in international diplomacy that already sets it apart from how conventional force is treated is similar to the special status conferred unto nuclear weapons. Talking about these technologies differently on the international stage sets them apart in the way that they are thought of. This increases the likelihood of nations developing cyber war strategies separate from their conventional alternatives.

154 Caryl P. Haskins, op. cit. , p. 606


CIVILIAN TARGETS

Targeting civilians is not normally the desired outcome in a war. Civilian losses do happen, but in modern war fighting are viewed as accidental and generally frowned upon. When McNamara backed down from the US threat to bomb Soviet cities in the 1960s he did so on the grounds that “principal military objectives...should be the destruction of the enemy’s military forces, not of his civilian population”. 155 He would soon realize, though, that such restrictions on warfare are difficult to enforce.

Nuclear weapons have the ability to skip over the battlefield and bring immense coercive violence to an enemy’s populace. The value of that coercive violence in an all-out war is very high; it could be a deciding factor in the war. A nuke can be used on an opponent’s military, but its full potential for destruction lies in wiping out entire cities.

Similarly, cyber weapons do not need to target an enemy military and in fact would do more damage by targeting civilian infrastructure. A major cyber-attack would surely not skip over the enemy military entirely, but if the goal was to cause large levels of coercive violence then civilians will be the ones at risk. In addition to this, the critical infrastructure that most cyber weapons would target is usually dual-use itself and serves both civilian and military facilities.

With both of these weapons, the line between civilians and the battlefield is blurred. The line between peace and war is blurred by the blindingly fast speeds at which they operate. Distances are shrunk and geography means less. These are dangerous characteristics for weapons of such an aggressive nature. But cyber and nuclear are not identical technologies. They differ in some very key ways that must be taken into account when making this comparison.

155 Robert McNamara, “Defense Arrangements of the North Atlantic Community”, Department of State Bulletin, 47, July 9th, 1962, pp. 67-8


THE DIFFERENCES OF CYBER AND NUCLEAR

Cyberspace is the new frontier, full of possibilities to advance security and prosperity in the 21st century. And yet, with these possibilities, also come new perils and new dangers.

-Fmr. Secretary of Defense Leon Panetta

We have discussed the ways in which cyber weapons are similar to nuclear weapons and have seen that the similarities vary in strength, but there are aspects that are completely unique to each technology. It would be imprudent to continue our comparison without first taking into account the differences between the two. These differences will have an impact not only on the strength of our analogy, but also on what elements (if any) of the nuclear strategy we borrow and adapt for cyber.

RETALIATION

One of the most important distinctions to make when comparing nuclear and cyber strategy is the realization that cyber does not demand a like response. For a nuclear power nation, if a nuclear weapon is used against one of their cities the likelihood of retaliating (if possible) with a nuclear weapon is high. At the very least it is a clear act of war (leaving aside terrorist acts for the moment) and would demand the use of conventional force as any other war would.

As was discussed, limited war theory’s influence on nuclear strategy made it clear that there was a need for graduated deterrence or rather proportionality of responses. It was deemed an unsustainable policy to threaten massive retaliation for any aggressive action, but to leave the more minor offenses unpunished would result in the opponent doing everything they could just under that threshold. So, strategists developed levels of responses for different types of aggressions, but there was an understanding that once a nuclear weapon was used escalation would be difficult if not impossible to stop. This was a major factor for the non-use of tactical nuclear weapons.

With cyber weapons there is a slightly inverted relationship between their use and escalation. At the lowest end of the spectrum are the harassment attacks and low grade criminal acts (hacktivism and cybercrime), which most likely would not warrant a military response. Instead a government should seek traditional legal actions or (in the case of nation-state actors) diplomacy and sanctions. This is fine; we have already established that cybercrime, cyber terrorism, and hacktivism must be treated differently from cyber warfare.

This issue, however, does not disappear as you ascend in severity of attack. Responding to a cyber-attack with a cyber-attack is not always the best option. A ‘mild’ cyber-attack that disrupts government or financial networks, but causes no physical damage, would probably be a good candidate for cyber retaliation. There is no need to escalate to physical violence yet, but a show of cyber force might be in order. A more severe case, conversely, such as an attack on critical infrastructure causing physical damage akin to setting off a bomb, would probably provoke a response in physical force.

Former US Secretary of Defense Leon Panetta in a speech on cyber security in 2012 made it clear that the US would respond to a serious cyber-attack in the way it felt most appropriate. This includes using physical force when physical damage is incurred:

If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president.

For these kinds of scenarios, the department has developed that capability to conduct effective operations to counter threats to our national interests in cyberspace. Let me be clear that we will only do so to defend our nation, to defend our interests, to defend our allies and we will only do so in a manner that is consistent with the policy principles and legal frameworks that the department follows for other domains including the law of armed conflict. 156

The more severe the cyber-attack the more likely conventional force will be used and cyber left to the side. This is the opposite of the logic of nuclear weapons where it is only for the most benign use that one would even contemplate not retaliating with nuclear technology (and even then it is dubious). To policy makers and strategists, this transposed logic could cause issues with deterrence theory: how can one set up a credible deterrence without having to make the threshold between cyber and physical retaliation too transparent? (But more on that later.)

PRIVATE-PUBLIC RELATIONS

Perhaps one of the most interesting trends in the development of cyber strategies across the world has been how private enterprises have been almost entirely left to fend for themselves. This is not to say world governments have decided to leave private companies to the cyber wolves, but rather highlights another important distinction between cyber and nuclear technologies: cyber security is heavily influenced by private interests.

When policy makers in the 50s and 60s were deciding what the best nuclear strategy for the US should be they did not have to concern themselves with what major US companies thought of their plans. If a US company was attacked with a nuclear weapon it was not seen as an attack on that company, but as an attack on the US. This has changed in the cyber age.

Part of a cyber defense strategy would require regulations to be placed on internet transactions and other protocols common in the civilian sector. Policy makers (at least in the US) have been hesitant to do this because of the negative impact it would have on business. Instead, the government has stressed the need for increased information sharing between the private sector and public security officials. The problem is that companies are not always so enthusiastic to share their information on cyber security: it requires them to either admit to being hacked (showing that the company is vulnerable) or allow others to point out possible ways they could be hacked (showing that the company is vulnerable).

156 Former Secretary of Defense Leon Panetta in a speech on cyber security to business executives in New York City on October 11th, 2012

One private-public solution could be to support and help ‘white-hat’ hacker conventions grow. Richard Clarke explains how these conventions could vastly improve cyber-security:

When the ethical hackers discovered flaws they should first tell the software maker, and then, if they got no response, call the government. Only if the software maker refused to fix the problem, I said, should the hackers go public. My logic was that if the hackers at Black Hat could discover the software flaws, China, Russia, and others probably could, too...

Public knowledge of a “bug” in software would probably mean two things: (1) most sensitive networks would stop using the software until it got fixed, and (2) the software manufacturer would be shamed into fixing it, or pressured to do so by its paying customers, such as banks and the Pentagon. 157

However complex the interplay between the public and private sectors is, it has made it clear that the government’s umbrella of protection needs to be extended into cyberspace.

Companies should have a reasonable expectation to be protected from the actions of foreign nation states, terrorist groups, and criminal organizations just as they are in realspace. If China steals intellectual property from US companies, the government should help those companies prosecute them through legal and diplomatic means. If a cyber-criminal organization steals from a financial institution, law enforcement agencies should lead the investigations. Any cyber-attack that results in physical damage should be treated as a physical attack.

Governments and law enforcement agencies are realizing this need and reorganizing themselves in order to deal with it in the appropriate manner. Even though this trait is very different from nuclear weapon technology it should not hugely impact on strategy concerning cyber war. As Panetta said the US “needs to have the option to take action against those who would attack” it, especially when a cyber-attack results in physical damage.

157 Clarke & Knake, op. cit. p. 129-30

BIPOLAR STABILITY

Nuclear deterrence theory was developed at a time when there were only two great powers in the world. It was clear who the strategy was directed towards and who the ‘enemy’ would be in the event of a conflict. This did not just mean that it made attribution of an attack easier (the list of suspects was limited and there was always one with the highest motivation), it also meant that in the development of the deterrence strategy it could be tailored specifically to the enemy. Now bipolarity is gone and there are many possible actors. 158

Cyber strategy authors do not have the luxury of being able to direct their strategy at a single threat. An attack could come from China, Russia, or Canada! 159 Each case would require a different response because each country’s goals will be different. The idea of a catch-all deterrence theory will not work. What might deter China from attacking will probably not deter Russia. There may be overlapping strategy, but dealing with each actor will require its own approach.

This greatly impacts the idea of creating a cyber deterrence strategy by making it necessary not only to have the graduated deterrence that was developed during the Cold War, but also an additional tailored deterrence to handle the different actors. The implications of this aspect of the environment of cyber will be very important when determining if and how nuclear strategies can be adapted.

158 Franklin Kramer, Stuart Starr, Larry Wentz, Cyberpower and National Security, National Defense University Press, April 2009, p. 314

159 Probably not, but you never know!

NOT EVERYONE IS EQUALLY VULNERABLE

With a nuclear weapon the destruction does not discriminate based on whether you are American, Chinese, or Russian. A nuclear bomb will work just as well on Washington as it will on Moscow. This is not the case in cyberspace. Different countries have different levels of dependence on information technology. The US is one of the most information technology dependent countries in the world, while a country like North Korea has virtually no dependence.

Dependence, not just offensive and defensive capabilities, must be added to the calculations of military planners when discussing the use of cyber-weapons. To highlight this point Richard Clarke made a chart of several nations and ranked them in each category (lower numbers of dependence mean greater dependence on information technology): 160

Nation        Cyber Offense   Cyber Dependence   Cyber Defense   Total
US            8               2                  1               11
Russia        7               5                  4               16
China         5               4                  6               15
Iran          4               5                  3               12
North Korea   2               9                  7               18

160 Clarke & Knake, op. cit., p. 148

While the numbers in Clarke’s chart may not be entirely accurate (he never explains how he came up with these numbers, but admits to oversimplifying), the point he is trying to make, on the importance of dependence, is still well taken. North Korea, a country with virtually no advanced networks, scores very highly in the dependence category. A cyber-attack against them would be useless, making them practically invulnerable in cyberspace. The US, on the other hand, for all its technological superiority and offensive capabilities, would not fare so well in a cyber conflict.

This adds a whole new level to cyber strategic thinking. An attack may come from a nation who, because of their dependency and defense in cyber, may not be a target for retaliation in cyberspace. In theory, this could force a nation like the US to either have to respond more harshly than it would want towards an attack (by using conventional force) or to not respond at all and let the perpetrator get away with impunity. Neither one of those options is desirable.

The dependence issue may go away with time though. If current trends continue, information technology is bound to continue to spread and become even more pervasive across the world. It is likely that what was once a distinction between industrialized countries and non-industrialized countries will come to be the distinction between informationalized countries and non-informationalized countries. Eventually, in the long run, the entire world will be as dependent on information technology as the US. In the medium run, nations like Russia and China (and others who have demonstrated offensive cyber capabilities) will become increasingly dependent. But in the short term this gap in dependency poses an issue to cyber strategy not found in nuclear strategy.

CYBER DETERRENCE?

We have looked at the relative histories of nuclear and cyber and examined what exactly the two technologies have in common, and what they do not. The nuclear analogy seems to gain some credibility since the similarities outweigh the differences, but not all characteristics have an equal bearing when it comes to discussing strategy. Attribution, lack of proper defense, credible retaliation, and threat of escalation are all key components of deterrence theory in nuclear strategy. While cyber weapons may be similar to nuclear weapons in most of these respects, differing in just one of these aspects can lead to huge consequences for a cyber deterrence theory modeled off nuclear deterrence.

This section puts the analogy to the test. The similarities mean that there is the potential for a cyber deterrence strategy. However, the few differences are important enough that there is a need to rethink what that deterrence would look like. A straight grafting of nuclear deterrence into cyberspace will not work. Deterrence, in the end, might not even be the best strategy for cyber and should not be pursued simply because it is possible. But before we can rule it out we must first examine what makes it possible.

CAN THERE BE CYBER DETERRENCE?

Yes. Cyber deterrence is quite possible given the many shared traits of cyber and nuclear weapons. It is by no means the same kind of deterrence as nuclear deterrence, but the end goal is the same. What makes it possible? In nuclear strategy we had McNamara’s support of MAD which was able to capture all the hopes and fears policy makers had when dealing with nuclear weapons. So is there a Cyber version of Mutual Assured Destruction (C-MAD)?

C-MAD

Cyber Mutual Assured Destruction is not as clear as the nuclear version of MAD and poses a few problems. The first issue is one of definition. Does C-MAD refer to a similar concept as MAD where major cyber-attacks between nations would be exchanged resulting in the destruction of their civilizations? Or does C-MAD refer to a complete destruction of cyberspace (perhaps more aptly called Mutual Assured Debilitation 161 )?

If we are dealing with the former definition then it is unlikely that C-MAD will be possible. One of the key differences mentioned between nuclear and cyber is that cyber-attacks do not necessitate like retaliation. At the higher levels of damage caused by a cyber-attack (the anti-society attacks that cause catastrophic problems) retaliating with cyber would require massive restraint on the targeted nation’s part. More than likely such an attack would provoke a physical response depending on the level of damage.

Differing levels of vulnerability also mean that responding to a massive cyber-attack with another cyber-attack might not work. If South Korea gets hit with a devastating cyber-attack from North Korea, a retaliatory cyber-attack will barely hurt the North at all since they have relatively little dependence on information technologies. The only response available to the crippled South would be a physical attack.

One could make the argument that the type of response would not matter in C-MAD and that just the threat of overwhelming destructive force resulting in the annihilation of both parties would be enough to discourage a first-strike. It is even possible to envision a world where the second response is indeed a cyber-attack of its own. As the world becomes increasingly dependent on information technologies, the threat of bringing down a society through cyber-attacks becomes more credible. Just as nuclear weapons would not have been as effective in a pre-industrialized world (they do more damage to a country that is concentrated in cities versus a spread out agrarian population), cyber weapons will become more effective in the informationalized world.

161 I borrow this phrase from Matthew D. Crosston who uses it in his article “World gone cyber MAD: How ‘mutually assured debilitation’ is the best hope for cyber deterrence”, Strategic Studies Quarterly, vol 5 no 1, Spring 2011 http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf

Logic bombs set in place to go off if and only if a first strike is made against the country that created them could be a very powerful second strike tool. These could serve as tripwires and ensure a quick retaliation. If a country makes it fairly obvious that it has had access to another’s critical infrastructure (like how it is clear both China and Russia have poked around the US electrical grid) there exists a credible threat that they left such logic bombs behind just waiting for the right conditions to cause destruction. This could mean the possibility of C-MAD in the first sense.

The problem arises with the mutual part of C-MAD. If a nation can execute a sophisticated cyber-attack that can take down a target’s civilian and military infrastructure the threat of retaliation could be eliminated. I mentioned the use of logic bombs as good tripwires above, but in order for such tripwires to work they need to be handled very carefully. Make it too known that they are there and it is likely that the affected nation will develop a defense. Keep it too secret and a potential aggressor may not know the risks, causing them to stumble blindly down a path of mutual destruction. Either way it makes reliance on C-MAD in the first sense a risky proposition and probably not the best strategy for a nation.

Mutual Assured Debilitation, however, might be more practical. At the lower levels of damage caused by a cyber-attack (ones that do not affect critical systems or cause physical harm to people) retaliation via cyberspace is much more appealing than a physical response. If the damage can be contained then cyber skirmishes may very well be more appealing than full retaliation.

Imagine a relatively tame Russian attack on the European transportation system. Perhaps this incident was brought on by a dispute over natural gas pricing so Russia decides to disrupt European transportation computers, bringing the system to a standstill. This scenario is not too farfetched: Russia has, in the past, cut off Ukraine completely from the natural gas supply (to the detriment of countries that lay further along the pipeline) as a form of punishment. The European nations would have to decide how to respond. They could simply denounce Russian actions and seek the aid of the international community to shame them into stopping. They could respond with a cyber-attack of their own on Russian systems. Or they could threaten physical force; this option, however, represents a huge leap in escalation and is strongly advised against.

The diplomatic route might gain some traction, but Russia could always claim it was the work of the “Patriot Hackers” as they have in the past. Retaliating with a cyber-attack of their own is a viable and possibly preferred option.

Debilitating an aggressor nation’s IT infrastructure would hinder their ability to conduct a cyber-attack. If European nations could, in response to the attack on European infrastructure, take down Russian ISPs then not only would they be retaliating with a like attack, but they would also disrupt Russia’s cyber capabilities. This would give time for affected systems to recover while simultaneously sending a clear message that these types of actions will not go unpunished.

If used effectively, debilitation techniques could prove to be a very useful deterrent. A potential aggressor will have to think twice before launching a cyber first strike if it could threaten their capabilities to operate in cyberspace. At the very least it serves as a deterrent to follow-up attacks (considering these would be disabled).

However, Mutual Assured Debilitation is a slightly misleading title. Just as with the cyber version of Mutual Assured Destruction, there is a problem with the mutual part of the equation. Once one side (whether it is the aggressor or the target) disables the other side’s cyber capabilities it becomes difficult to ensure the debilitation of the other. Having extensive tripwires in place that can work regardless of the nation’s current cyber status is the only way to ensure the mutuality of this strategy.

As mentioned earlier, cyber tripwires, like nuclear tripwires, have to be carefully put in place. In addition to the issue of credibility, there is also a problem of mistaken escalation. Two of the benefits of nuclear warfare for this strategy were the relative absence of attacks (cyberspace is filled with a constant ‘background noise’ of attacks) and the fact that the ultimate decision still rested with a human instead of a computer.

While humans are prone to making mistakes (especially when compared to a computer) they have the ability to be skeptical. A program sitting in China’s communications infrastructure waiting to trigger at the sign of an attack cannot ask questions. If it perceives an attack it will initiate. People feared this kind of automation with nuclear warfare, but governments always kept the human element in their command and control structures to avoid this.

Cyber tripwires necessarily cut out the human decision. Even though a perceived nuclear attack would only give a human commander a matter of minutes to decide what to do, cyber does not afford that kind of time. The quite literally lightning fast speed of cyberspace means that retaliation, in order for it to be successful when dealing with possibly debilitating attacks, has to occur at a speed far faster than the fastest human reaction time.

This does not mean that cyber tripwires are dangerous hazards that should be avoided by strategists, but it does emphasize the need for extensive planning. The logic bombs that would be used need very specific instructions on the conditions on which to activate their retaliation. General conditions could prove problematic.

Consider a seemingly reasonable proposal to have a command program only initiate an attack if the home nation’s cyber infrastructure goes down. This kind of instruction is reasonable enough and, if given to a human commander, might work. It is a similar principle to how nuclear-armed submarines work. If the commander loses contact with their government during their scheduled communications, s/he has to then decide whether or not to initiate a retaliatory strike and who to strike. The difference is this second step. There is no cyber-submarine commander making the final call.

A command program in a foreign nation’s infrastructure that is set to go off if the home country’s cyber infrastructure goes offline would have to periodically ‘check-in’ with the home servers. Individual servers can go down momentarily for a variety of reasons, so let us assume that the home government has set up multiple back-up servers to ensure redundancy. As long as this program receives a signal from at least one of these servers every so often it does not initiate its attack. It is unlikely that multiple dedicated servers across a country would all go down simultaneously without some kind of massive infrastructure failure. If these servers are on government protected networks then it is also unlikely that they would all go offline for any ‘natural’ reason (such as blackouts caused by bad weather). So the program assumes that any loss of signal means there has been an attack on the home country.

There are two major problems with such a general strategy. One is that the list of possible suspects, especially relative to possible nuclear threats, is large. Therefore these logic bombs would have to be put in place in each suspected country. Programs do not have access to the state of the political climate and other information that would reveal the aggressor. With such a general strategy all these logic bombs would go off simultaneously, punishing innocent bystanders as well as the actual culprit. This is not a good way to establish an effective deterrent.

The second problem is that all the home servers do not necessarily have to go down for the ‘retaliatory’ strike to be initiated. If one of the suspect nations, for political reasons, decides to cut off their cyber connection with the home nation it would have the same effect. This would escalate whatever the political conflict was quickly. Similarly, an enterprising hacker with malicious intentions could stumble upon this system and, during one of the periodic check-ins, block or redirect the incoming traffic from the home servers.

Both Cyber Mutual Assured Destruction and Mutual Assured Debilitation face problems with their reciprocity. Such a strategy was better suited for the bipolar system of the Cold War where gaining a first strike capability over a comparably powerful opponent was incredibly difficult. Differing vulnerabilities and the lack of a credible tripwire make cyber first strike capabilities much easier to come by.

C-MAD can be improved through specificity and the eventual informatization of the world. As things currently stand, however, it is a very risky proposition for states that are more vulnerable than their opponents. So, if we rule out C-MAD as the driver of deterrence, can we still have a cyber deterrence strategy?

DETERRENCE WITHOUT C-MAD

Tailored deterrence is a good way for a cyber deterrence strategy to continue without necessarily invoking C-MAD. If the graduated deterrence discussed by limited war theorists can be described as a vertical form of deterrence (based on different levels of threats and their appropriate responses), tailored deterrence can be thought of as being a horizontal form of deterrence. It is the process of creating specific and unique responses not only based on the type of attack, but also on where the attack came from.

The problems of C-MAD discussed above had mainly to do with its generality and lack of flexibility. Tailored deterrence, when combined with graduated deterrence, creates a plethora of possible responses designed to respond to very specific events. This requires extensive planning and forethought on the part of cyber strategists, but the possible rewards outweigh the investment in effort.

We have already seen how graduated deterrence works with nuclear weapons and it serves the same function with cyber weapons. Proportionality is just as important in cyber deterrence as it is in nuclear deterrence. Punish an action too harshly and you tempt escalation; be too lenient and the deterrent loses its force. If the US responded to a Chinese attack on US companies that disrupted business for one or two days (such as a DDoS attack) with massive cyber-attacks on Chinese infrastructure causing physical damage, it would be hard to stop an escalation to more physical conflict. Conversely, if European countries did nothing during the hypothetical Russian attack on transportation systems it could embolden the ‘patriot hackers’ to attack other systems (or at the very least not give up their attack). In this way nuclear strategy has a lot to teach cyber strategists.

The new step is to create tailored deterrence in addition to graduated deterrence. Consider two attacks of equal magnitude targeting the US: one from Iran and one from North Korea. The cyber-attacks are not of sufficient magnitude to warrant a physical response according to the US’s graduated deterrence strategy, but cannot go unpunished. Iran’s dependence on cyber infrastructure is significantly larger than that of North Korea. The threat of a cyber debilitation attack might be enough to deter Iran, but would do little to stop North Korea. The US would have to respond differently to the North Korean attack. Increasing economic sanctions or increasing the diplomatic pressure on the state could force them to back down.

Kramer, Starr, & Wentz outline the six steps that would be needed by any government in order to create a tailored deterrence strategy:

1. Specify the deterrence objectives and the strategic context
2. assess the strategic calculus of adversary decision makers
3. identify desired deterrence effects on adversary conduct
4. develop and assess courses of action designed to achieve desired effects
5. develop plans to execute deterrence courses of action and to monitor and assess adversary responses
6. develop capacities to respond flexibly and effectively as the deterrence situation evolves. 162

This is a very involved process and requires much more thinking than a general deterrence strategy. Graduated deterrence adds an extra level of complexity because in addition to following this process for each potential aggressor you then have to consider each level of attack possible from that specific source. If it is completed in full it will no doubt serve as an excellent deterrent, but the complexity could result in holes in planning.

It is also important to realize that there is more to deterrence than retaliation. Deterrence can also come in the form of denial of benefits through defense. With nuclear weapons this had been ruled out for most of its history through treaties and practical hurdles (only recently has there been a renewed interest in the development of Anti-Ballistic-Missile systems). The offense dominance of nuclear and cyber warfare tends to cause strategists to focus only on retaliation. This could cause defense to be overlooked when it would otherwise prove to be an effective deterrent.

162 Kramer, Starr, & Wentz, op. cit. p. 330

Lower level cyber-attacks have a much higher chance at being thwarted through defensive means than by threats of retaliation. A good historical example is the 2009 DDoS attacks on US and South Korean government websites originating from North Korea. These attacks targeted government websites like Whitehouse.gov in an attempt to bring them down around the 4th of July. Instead of initiating a retaliatory strike or any other action that could have escalated the situation, US cyber security experts redirected the traffic from North Korea to dummy servers. This stopped US government sites from being affected in any meaningful way. 163

There are many types of cyber-attacks that can and should be dealt with by cyber defense. By denying the effectiveness of these attacks it discourages a potential aggressor from even attempting them in the first place. Additionally, unlike with nuclear weapon defense systems, cyber defense does not represent a destabilizing force.

In the 60s and 70s, nuclear strategists feared Anti-Ballistic-Missile systems (ABMs) would give one side an undeniable first-strike capability. Cyber defense does not offer this same undeniable advantage. Unlike how if an ABM can destroy a missile with a 20 kiloton warhead it can destroy a missile with a 20 megaton warhead, a cyber defense system that filters out DDoS attacks cannot stop logic bombs in the electrical grid from turning off the power. Cyber defense is an effective deterrent at these lower levels.

163 Clarke & Knake, op. cit. pp. 23-25

At higher levels of cyber related destruction defense does not work as well. As mentioned in the discussion of the state of the US electrical grid, as cyber-attacks become more intricate (and as a result more dangerous), it becomes prohibitively expensive to defend against them. Defense in cyberspace works by either fixing a vulnerability after it has been exploited or by beating the malicious hackers to the zero day exploit and fixing it.

Retaliation for a massive cyber-attack is the only possible deterrent. Such an attack cannot be deterred by denial; its very nature ensures that the aggressor nation has the capability to pull it off. The only way to stop a massive cyber-attack from occurring is by threatening punishment severe enough so as to dissuade the attacker: a concept borrowed from nuclear deterrence.

NOT YOUR FATHER’S DETERRENCE

Cyber deterrence is not the same as nuclear deterrence. It operates according to many of the same principles, but the nuances and details are critically different. A successful cyber deterrence strategy must have the ability to recognize the ways in which it is similar and different to nuclear deterrence.

Tailored deterrence is a very different suggestion than what we saw in nuclear strategy throughout the 20th century. Forcing strategists to think horizontally instead of just vertically highlights one of the key differences between cyber weapons and nuclear weapons: differing levels of vulnerability between nations exist and matter immensely. It is also representative of the changing international environment. Instead of the bipolarity of the Cold War we are now facing a world with rising powers, fading hegemons, and rogue nations. It is a much more chaotic atmosphere and any deterrence strategy developed within it must reflect that fact.

Cyber-deterrence can also function without any generalized strategy of C-MAD. While the importance of nuclear MAD can be debated (see the section on the Soviet view of nuclear strategy), it was still a possible solution to the nuclear problem. C-MAD cannot serve that function yet. It is conceivable that given time C-MAD could work in a completely informationalized world. 164 Perhaps this strategy may play a role in the future, but for now a more balanced and thoughtful approach to cyber deterrence is required.

Furthermore, lower levels of cyber-attacks can be successfully defended against without destabilizing the balance based on maintenance of a second strike capability. Deterrence by denial should not be overlooked just because it was not an integral part of nuclear deterrence strategy. It can prevent unwanted escalation of more minor attacks, which retaliation might not be able to do. Defense has the added benefit of being generalizable (i.e. it does not care where the attack originates from).

That being said, there are key lessons to be learned from nuclear deterrence strategy that can be adapted to cyber deterrence. Graduated deterrence from limited war theory is of paramount importance in any cyber deterrence strategy. Tailored deterrence without graduated deterrence would not work. It would simply be a list of what countries should be fought and which should not. The basic concept of graduated deterrence can be taken directly from its use in nuclear strategy. The focus on retaliation, however, must be reexamined.

The discussion of cyber tripwires underlines the need for credibility in cyber deterrence. Nuclear strategists faced a similar issue: how to make your capabilities known without giving away too much information. Unfortunately in cyber there is no way to conduct a ‘test’ as was done with nuclear weapons, nor are parades of cyber military might likely. Letting your presence in a foreign nation’s cyber infrastructure be known to them is a possibility, but must be done with caution. Make your presence too known and your capabilities may be blocked. Alternatively being very vocal with your cyber strategy (as China has been) is another way to make your credibility known. A foreign nation is less likely to risk an attack if they know you have been actively contemplating how to retaliate.

164 Non-state actors would still throw a wrench in this, but they do the same to nuclear MAD (if a terrorist group nukes your city, who do you nuke back?).

At the center of this deterrence still lies the necessity of second strike capabilities. In nuclear strategy, losing that capability was unacceptable since it gave the enemy an opportunity to attack with impunity. The same is true in cyber warfare. Military systems must be ensured to operate even if their cyber capabilities are taken down. A crippling first strike that takes out a nation’s military and civilian cyber infrastructure could leave that nation paralyzed and unable to retaliate (similar to how disruption of Georgian military communications in 2008 hampered their response). Redundancy of systems, a tactic employed in the Cold War, is a good way to ensure this capability in the most dire of situations.

BEYOND DETERRENCE

We have been examining the difficulties and uses of cyber deterrence and trying to adapt old strategies to this new technology, but what if this is not the best way to think about cyber weapons? The point of this paper has been to look at the comparison between cyber and nuclear technologies that has led to cyber deterrence, but let us take a step back from the analogy. What if, instead of deterrence, national cyber doctrines called for a full war-fighting stance utilizing offense-defense strategies? After all, there was a time when nuclear weapons were seriously being considered part of conventional warfare, so it is important to look at what would happen if cyber took this route.

CYBER WAR-FIGHTING

In their article “Leaving Deterrence Behind: War-Fighting and National Cybersecurity”, Richard J. Harknett, John P. Callaghan, and Rudi Kauffman argue that it is time to leave behind the 20th century idea of deterrence. The main problem with cyber deterrence they find is the lack of an appropriate definition of “appropriate government response”. In fact, they go one step further and imply that it is impossible to achieve an accurate enough definition in cyber because of the numerous possibilities of attacks and responses: a problem they have labeled “the Menu Dilemma”. 165

The combination of tailored and graduated deterrence does leave many options in the hands of strategists and increases the likelihood that something will be overlooked. So to avoid this predicament Harknett et al. suggest a switch of focus from deterrence to war-fighting in cyberspace. This means that countries like the US should be focusing on doing what they can to enhance their cyber capabilities in order to win a cyber conflict. The goal is no longer war avoidance, but traditional victory. At the end of their paper they predict that this does not mean we have to submit ourselves to a state of perpetual war in cyberspace. “Effective norms against cyber aggression will become increasing important in reining in unacceptable forms of behavior.” 166

165 Richard J. Harknett, John P. Callaghan, & Rudi Kauffman; “Leaving Deterrence Behind: War-Fighting and National Cybersecurity”; The Journal for Homeland Security and Emergency Management, Vol. 7 No. 1 Article 22, 2010, pp. 11-13

While this view may be more appealing to those who want a more simplistic strategy of how to deal with cyber warfare it is not in the best interest of states like the US. Asymmetric vulnerability means that even if the US develops the most complex and destructive cyber weapons in the world they may do absolutely no good in a Cyberwar with a foe who does not rely on cyber as much or whose infrastructure is more heavily defended (e.g. China). The US cannot create a ‘Great Firewall’ without serious backlash from the American private sector so fixing that vulnerability is out of the question. With time this may even out, but according to Harknett et al. this is supposed to be the short term solution with the longer term normative solution following in a few years.

Deterrence is not just a fluke of nuclear weapons; it has a long history. The avoidance of war has always been preferable to the fighting of it. Just War Theory requires war to be the absolute last resort and such a strategy of offense-defense seems to cavalierly throw this principle aside because fighting, in this case, might actually be easier. However, even the idea that fighting in a cyber conflict would be easier than developing intricate deterrence strategies is uncertain. It is not inconceivable that what starts as a purely cyber conflict could, through brinkmanship and escalation, result in a full scale conventional war that could involve nuclear powers.

166 Ibid p. 20

CYBER ARMS CONTROL

Cyber deterrence may be difficult, but the alternative proposed here seems far too destabilizing to international peace. Luckily this is not the only alternative available. Returning to the nuclear weapons analogy, what about international cyber arms control? Nuclear weapons have been (relatively) successfully controlled by international arms agreements. South Africa willingly gave up its nuclear capabilities when it joined the Nonproliferation Treaty as a non-nuclear state in 1991. Even Libya agreed to discontinue its nuclear weapons program in 2003. The above chart shows how successful arms control has been with the major powers. 167

Cyber arms control may not work as well as its nuclear counterpart. The first hurdle is one that it shares with its atomic cousin, the lack of a centralized governing body. Since the early days of nuclear weapons the IAEA has been created and has served this purpose to the best of its ability, but inspections in uncooperative states have proven difficult. In cyber this issue becomes even more complex. It is a lot easier to hide malicious code than a nuclear reactor and proving that your cyber security experts are not just hackers in waiting can be difficult.

167 “Nuclear Arms Reduction Infographic”, http://www.infographicsshowcase.com/nuclear-arms-reduction-infographic/

Transparency and information sharing between states could alleviate this strain on arms control. If, instead of keeping zero-day exploits secret, states shared them openly in the hopes of helping each other fix the vulnerabilities, then a credible cyber arms control regime could be established. The problem lies in fostering enough trust between nations for them to share this kind of information about sensitive systems.

We have seen the amount of distrust that already exists between US and Russian diplomats when discussing cyber security. The two sides cannot agree on what needs to be done, and each has almost always rejected the other’s proposals out of suspicion that such treaties would be used to cover up illicit cyber activities. In this case the main skeptic has been the US, but Russia has not given the US any reason to believe its promises of mutual cyber security. How can one trust a country that frequently finds itself unable to control its population of ‘patriot hackers’?

This kind of international cooperation is not unheard of between allies, but it would require the inclusion of less-than-friendly nations as well. Whether or not this level of international cooperation is possible is beyond the scope of this paper, but it is necessary for cyber arms control to work.

Another issue with cyber arms control is that it may be outlawing a potentially beneficial weapon. Assuming that the level of cooperation and trust needed to create an effective cyber arms control agreement can be reached, banning cyber weapons across the board may not be the most prudent move. In many cases cyber weapons can be less damaging and less lethal than conventional weapons, while achieving the same goals.

Cyber weapons used once war has already been initiated could possibly bring about swifter and less bloody conclusions. One could drop a bomb on a transformer to shut off a city’s electricity or one could use a cyber-attack to shut it off without causing physical damage.

Support-role cyber weapons could jam air defenses and disrupt troop communications. Even outside of war, low-level attacks that aim to discourage certain actions without causing huge damage can be useful. Stuxnet-like viruses could be used to discourage nuclear proliferation without the need for costly wars.

An absolute ban could, if it succeeded, have detrimental effects. This does leave room, however, for more nuanced treaties that ban the use of cyber-attacks as destructive first strikes.

Seeking to limit the availability of cyber capabilities at these higher levels would no doubt bring about a more stable international status quo.

CONCLUSIONS

TO DETER OR NOT TO DETER?

Cyber deterrence is complex. There are many situations and contingencies that must be thought of for a successful strategy to exist. The correct balance of public knowledge of one’s capabilities and the secrecy needed to actually conduct an attack is crucial. But it is by far the most desirable outcome after a functional international treaty. While international cooperation demilitarizing cyberspace may be far off or even a dream, deterrence is conceivable in the near future and will only improve with time.

To be clear, cyber deterrence is not the same as nuclear deterrence. The principles are similar, but the way in which it must be pursued is markedly different. A successful cyber strategy can be created by adapting the nuclear strategies of the 20th century, but close attention must be paid to the differences. It is not a perfect analogy, but it is a useful one.

The similarities of nuclear and cyber weapons are non-trivial. Their offense dominance, speed of destruction, and problems of attribution make the comparison an apt one. These two types of weapons are immensely different in the way they are constructed, operate, and are viewed in popular imagination, but their results and uses are more similar than not. Deterrence in cyber warfare, as in nuclear warfare, is much more favorable than constant war-fighting and the inevitable escalation that would bring.

At the same time attention must be paid to the major differences. Cyber weapons are much more asymmetric in who they hurt than nuclear weapons. The changing political environment and trend towards multipolarity make the Cold War era deterrence strategy too general. Responses to cyber weapons are also not as clear cut as a response to a nuclear weapon would be.

There are also more nuanced differences that only come out when the two are compared side by side. We have seen how possible benefits of cyber weapons to reduce the violence of wars can undermine any international arms treaty. We have examined how the removal of human decision makers from the process due to the incredibly fast speeds of cyber weapons can lead to issues with retaliation. These smaller differences matter.

In the end, the issue of cyber deterrence is much more complex than nuclear deterrence was. The inclusion of graduated deterrence in nuclear strategy in the 1960s was an amazing advance in strategy and is what enabled credible deterrence. Proportionality is important in cyber as well, but tailored deterrence tells us we need a response to individual actors as well as individual attacks.

The complexity of cyber deterrence has caused some to believe that it is either impossible to achieve because something will unavoidably be overlooked, or too much of a drain on strategic thinking that could be better used to strengthen our cyber capabilities. This should not discourage the pursuit of cyber deterrence. The avoidance of war is always a worthwhile pursuit.

WHAT THE FUTURE MAY BRING

Following the nuclear analogy, we should not be too quick to discard any hopes of ever developing a good defense. Modern ABMs have dramatically increased in their efficiency while delivery methods for nuclear weapons have changed fairly little over the past few decades. This does not mean there has been a shift in nuclear warfare from offense to defense, but it is the beginning signs that defense might not be as impossible as was believed in the 50s and 60s.

Similarly we may be surprised in the next ten or twenty years with advances in cyber security. Already developers are thinking up ways to create ‘smart’ anti-malware systems that can preemptively detect intrusions and unwanted behavior. New internet protocols, if enacted, could make hiding behind fake IP addresses more difficult and decrease the anonymity of cyberspace. There is even an effort supported by the National Science Foundation to create a second Internet or ‘Internet 2.0’.

The NSF Future Internet Design (FIND) program is tasked with researching how a more perfect internet can be built from scratch. One of the specific problems FIND is aiming to resolve is how to design a more fundamentally secure internet. 168 After a recent evaluation of the program by five external researchers, FIND has placed security at the top of the list. The program is determined not to let security be an add-on as it is now. To ensure this the evaluating panel suggested the use of Red team tactics. 169 170

Any potential successor to the Internet is still a ways off. The NSF places their new version, now dubbed the Global Environment for Network Innovations (Geni), appearing somewhere between 10-15 years from now. The problem is that the Internet has grown so large and complex that it makes it incredibly difficult to start from scratch. There is also the worry that the new Internet, while possibly improving security, may be worse than the current Internet at certain important tasks (a security heavy internet runs the risk of complicating all communication of data). 171

168 “NSF NeTS FIND Initiative”; http://www.nets-find.net/

169 Red team tactics refers to use of cyber attacks in order to expose vulnerabilities (as seen in PWN2OWN or DAST)

170 “FIND Observer Panel Report”; Vint Cerf, Bruce Davie, Albert Greenberg, Susan Landau, David Sincoski; April 9, 2009; pp. 1, 6

The point is that technical solutions may exist in the future and represent the best hope for security. Deterrence will help avoid a devastating war between cyber powers, but if the history of nuclear deterrence is any indication there are bound to be close calls.

Understanding where this strategy comes from is the first step to ensuring its success and limiting the number of these close calls. Cyberspace is a unique frontier, but history can still lend powerful lessons. Hopefully there will never be the cyber ‘pearl harbor’ that Secretary of Defense Panetta warned about. Maybe a well implemented cyber deterrence policy can keep the world from finding out the full destructive potential of cyber weapons.

After creating the atomic bomb, J. Robert Oppenheimer famously said that “the physicists have known sin”. In the coming years it may be computer scientists that learn of this sin. Technological progress can be a dual edged sword bringing both creation and destruction. It is important to remember this and to do our best to avoid the latter and encourage the former.

171 “How do you build a new internet?”; Bobbie Johnson; The Guardian ; August 1 2007; http://www.guardian.co.uk/technology/2007/aug/01/news.internet

APPENDIX A: CYBER TIMELINE 172

1969—Department of Defense (DoD) Advanced Research Projects Agency (DARPA) established Advanced Research Projects Agency Network (ARPANET)

1972—John Draper discovers a toy whistle from Cap'n Crunch could emit a 2,600-hertz tone to get free phone calls from pay phones

1974—Institute of Electrical and Electronic Engineers (IEEE) proposed TCP/IP

1977—PC modem developed

1978—First SPAM email sent – becomes rampant by mid-90s

1981—First IBM PCs sold

1982—The 414 group broke into 60 computer systems and the incident appeared as the cover story of Newsweek with the title “Beware Hackers at Play”

1984—Computer Fraud and Abuse Act passed

1984—The hacker magazine 2600 begins regular publication

1986—Electronic Communications Privacy Act passed

1987—Computer Security Act passed

1988—Robert Morris created the first “worm”

1989—Clifford Stoll discovers cyber spies on Berkeley mainframe, which becomes the book The Cuckoo's Egg

1990—Secret Service launches Operation Sun Devil to hunt down hackers

1991—First digital cell phones sold

1994—Russian Vladimir Levin leads a group of hackers that steals millions of dollars from Citibank through its dial-up wire transfer service

1995—Time magazine has cover on “Cyber War”

1995— arrested and eventually gets a five-and-a-half-year prison term

172 From Jason Andress & Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners , Elsevier Inc., 2011, [e-book] location 7099-7191

1996—Term “Phishing Attacks” becomes common as identity theft becomes bigger issue

1996—Health Insurance Portability and Accountability Act passed

1997—Eligible Receiver exercise tests the government's readiness for cyber attacks, results immediately classified

1998—Google search engine established

1998—Solar Sunrise incident hits the news as Pentagon gets hacked, ends up being two kids from California mentored by Israel hacker

1998—Digital Millennium Copyright Act (DMCA)

1998—Internet Corporation for Assigned Names and Numbers (ICANN) stood up

1998—Moonlight Maze incident where DoD found intrusion from systems in Soviet Union but the sponsor of the attacks is unknown and Russia denies any involvement

1999—60 Minutes starts regular series of stories called “Waging War With Computers”

1999— virus unleashed and caused major problems with emails

1999—Hackers in Serbia attack NATO systems in retaliation for NATO's military intervention in Kosovo

1999—Gramm Leach Bliley Act passed

1999—NATO accidentally bombs the Chinese embassy in Belgrade, spawning a wave of cyber attacks from China against U.S. government web sites

2000—Y2K bug hype ends, with little impact

2000—Mafiaboy shuts down major commercial web sites

2000—First Top Officials (TOPOFF) exercise

2001—NIMDA (Admin spelled backward) hit

2001—U.S. Patriot Act passed

2001—Code Red worm hit, which was designed to conduct DDoS against

2001—Kournikova virus hit using social engineering to get men to open it

2002—Bill Gates decrees that Microsoft will secure its products and services, and kicks off a massive internal training and quality control campaign

2002—Federal Information Security Management Act passed

2002—Sarbanes–Oxley Act passed

2003—Titan Rain attacks identified; believed to be from China it spawns new term “Advanced Persistent Threat”

2003—SQL Slammer worm reached its peak within three minutes

2004—I LOVE YOU, aka Love Letter, email attack hit

2006—MySpace becomes main social networking site

2006—First Cyber Storm Exercise

2007—Hackers believed to be linked to the Russian government bring down the web sites of Estonia's parliament, banks, ministries, newspapers, and broadcasters. NATO reacts

2007—Storm Worm (one of the first major botnets) began infecting thousands of (mostly private) computers in Europe and the United States

2007—British Security Service, French Prime Minister's Office, and Office of German Chancellor all complained to China about intrusion on their government networks

2008—Facebook takes over in popularity versus MySpace as main social networking site

2008—Operation Buckshot Yankee caused U.S. military to stop using thumb drives

2008—Databases of both the Republican and Democratic presidential campaigns were hacked and downloaded by unknown foreign intruders

2008—The networks of several congressional offices were hacked by unknown foreign intruders (some incidents involved offices with an interest in human rights or Tibet)

2008—Cyber attackers hijack government and commercial web sites in Georgia during a military conflict with Russia

2008—FBI conducts Dark Market sting on cyber identity theft ring

2009—Twitter Revolution occurs in Iran over election unrest

2009—FAA computer systems were hacked

2009—Thomas Ryan creates fake online persona “Robin Sage” and lures in targeted friends

2009—Ghost Net report released by Canadian researchers who found espionage tools they attributed to China implanted on government networks of 103 countries

2009—Reports in the press suggest that the plans for Marine Corps 1, the new presidential helicopter, were found on a file-sharing network in Iran

2009—Conficker worm infiltrated millions of PCs worldwide including many government-level top-security computer networks

2009—Reports reveal that hackers downloaded data about the F-35 Joint Strike Fighter, a multibillion-dollar high-tech fighter jet

2010—First Cyber Shockwave exercise

2010— in which Google publicly reveals being hacked (China blamed)

2010—October U.S. Cyber Command begins overseeing the protection of military networks from cyber threats

2010—WikiLeaks released United States embassy cables

2010—Stuxnet worm attacks SCADA devices

APPENDIX B: GLOSSARY OF TERMS

• Nuclear Warfare: a military or political strategy in which nuclear weapons are used to inflict damage on an enemy

  ◦ Mutual Assured Destruction: a military doctrine in which a full-scale use of high-yield weapons of mass destruction by two opposing sides would effectively result in the complete, utter and irrevocable annihilation of both the attacker and the defender

  ◦ Deterrence: the use of the threat of military action to compel an adversary to do something, or to prevent them from doing something, that another state desires

    ▪ Nuclear Deterrence: the use of nuclear weapons to deter another state; an inferior nuclear force, by virtue of its extreme destructive power, could deter a more powerful adversary; creates a military deadlock

  ◦ Brinkmanship: the practice of pushing dangerous events to the verge of (or to the brink of) disaster in order to achieve the most advantageous outcome

  ◦ Limited Nuclear Warfare: a small-scale use of nuclear weapons, usually at single specific targets

  ◦ Full-Scale Nuclear Warfare: a large-scale use of nuclear weapons at many and more general targets

  ◦ Tripwire: a passive triggering mechanism designed to promote quick retaliation

  ◦ Offense Dominance: the implication that being the aggressor will always be more advantageous than staying on defense

  ◦ Credibility: the ability to make others believe you have the capability to attack and are willing to use it

  ◦ Normative Taboo: the idea that nuclear weapons are not used because of a widespread inhibition on using nuclear weapons; it is a counter theory to deterrence

• Cyber warfare: actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption

  ◦ Hacking: conducting malicious activity over computer networks

  ◦ Malware: malicious code created with the objective of causing unwanted actions on a computer

    ▪ Virus: malware with the ability to spread between executable software

    ▪ Worm: malware that can actively transmit itself over networks

    ▪ Trojan Horse: malware disguised as useful software

    ▪ Rootkits: technique that modifies target’s operating system so that the malware remains undetected

    ▪ Backdoor: a method to get around normal authentication procedures; usually put in place by a Trojan Horse or other malware

    ▪ Logic Bomb: a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met; usually found within a virus or worm

  ◦ Authentication: a procedure used to establish the identity of a user

  ◦ Attribution: the ability to determine where/who an attack came from during or after the fact

  ◦ Zero-Day Attack: an attack that exploits a vulnerability previously unknown to everyone besides the one who exploits it

  ◦ Cyber-Crime: hacking without political motivation by a non-state actor, usually for pure financial gain against another non-state actor

  ◦ Cyber-Terrorism: hacking with political motivation by a non-state actor, aimed at causing damage or disruption, usually aimed at a state

  ◦ Hacktivism: hacking as a form of political activism by a non-state actor, aimed at disrupting or defacing web services

  ◦ CERT: Computer Emergency Response Team, these are used to respond to attacks after they occur in order to quickly bring the networks or systems back online. Their duty is not to prevent attacks, but rather to minimize damage once they have occurred.

  ◦ ISP: Internet Service Provider, the companies or government agencies that provide a nation with access to the Internet and other network services.

WORKS CITED

• “How Does Anti-Virus Software Work?”; http://www.antivirusworld.com/articles/antivirus.php

• “NSF NeTS FIND Initiative”; http://www.nets-find.net/

• “Nuclear Arms Reduction Infographic”, http://www.infographicsshowcase.com/nuclear-arms-reduction-infographic

• “TOR: Overview”; https://www.torproject.org/about/overview

• Andress, Jason & Winterfeld, Steve, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, Elsevier Inc., 2011, [e-book]

• Arquilla, John, “Panetta’s wrong about a cyber ‘Pearl Harbor’”, Foreign Policy, November 19th, 2012, http://www.foreignpolicy.com/articles/2012/11/19/panettas_wrong_about_a_cyber_pearl_harbor

• Brian, Michael; “How Computer Viruses Work”; http://computer.howstuffworks.com/virus5.htm

• Brodie, Bernard, “Unlimited Weapons and Limited War”, The Reporter, November 1st, 1954

• Brodie, Bernard, “More about limited war”, World Politics, October 1957

• Brodie, Bernard, Escalation and the Nuclear Option, Princeton University Press 1966

• Brodie, Bernard, Frederick S. Dunn, Arnold Wolfers, Percy E. Corbett, William T.R. Fox, The Absolute Weapon: Atomic Power and World Order, Yale Institute of International Studies, 1946

• Bush, Vannevar, Modern Arms and Free Men, Simon and Schuster, 1941

• Cerf, Vint; Davie, Bruce; Greenberg, Albert; Landau, Susan; & Sincoski, David; “FIND Observer Panel Report”; April 9, 2009

• Chairman of the Joint Chiefs of Staff, “National Military Strategy for Cyberspace Operations”, December 2006, http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf

• Churchill, Winston, speech in front of the House of Commons, November 1934

• Clarke, Richard & Knake, Robert, Cyber War: the Next Threat to National Security and What to Do About It, HarperCollins 2010,

• Colonel Richard S. Leghorn, “No need to bomb cities to win war”, US News & World Report, January 28th, 1955

• Computer Fraud and Abuse Act, 18 U.S.C. § 1030, last amended 2008, http://www.law.cornell.edu/uscode/text/18/1030

• Crosston, Matthew D.; “World gone cyber MAD: How ‘mutually assured debilitation’ is the best hope for cyber deterrence”, Strategic Studies Quarterly, vol 5 no 1, Spring 2011 http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf

• Department of Defense News Release no. 827-09, October 22nd, 2009, http://www.defense.gov/releases/release.aspx?releaseid=13071

• Dorneanu, Lucien; “How to make an atomic bomb”, April 27th, 2007 http://news.softpedia.com/news/How-To-Make-An-Atomic-Bomb-53392.shtml

• Dulles, John Foster; speech in front of the Council on Foreign Relations ‘The Strategy of Massive Retaliation’; January 12th, 1954

• Enthoven, Alain & Smith, K. V.; How Much Is Enough?: Shaping the Defense Program 1961-1969, Harper & Row, 1971

• Fairbank, John K.; “How to Deal with the Chinese Revolution”, New York Review of Books, February 17, 1966

• Fora.tv, “Vinton Cerf lists the flaws in the Internet’s original design”, March 30th, 2011 http://www.dailymotion.com/video/xhvn2j_vinton-cerf-lists-the-flaws-in-the-internet-s-original-design_tech

• Ford, Christopher A.; “The Trouble with Cyber Arms Control”; The New Atlantis; 2010; http://www.hudson.org/files/publications/20110301_TNA29Ford.pdf

• Freedman, Lawrence; The Evolution of Nuclear Strategy, St. Martin’s Press, 1981

• F-Secure, “Stuxnet Questions and Answers”, [last edited] November 23rd, 2010, http://www.f-secure.com/weblog/archives/00002040.html

• Garthoff, Raymond; “Mutual deterrence and strategic arms limitation in Soviet policy”, International Security, III:1, Summer 1978

• Gompert, David C. & Saunders, Phillip C., “Paradox of Power”, National Defense University Press 2011, http://www.ndu.edu/press/paradox-of-power-execsum.html

• Goold-Adams, Richard; On Limiting Atomic War, Royal Institute of International Affairs, 1956

• Gorman, Siobhan; “Electricity Grid in U.S. Penetrated By Spies”; The Journal; April 8, 2009; http://online.wsj.com/article/SB123914805204099085.html

• Harknett, Richard J.; Callaghan, John P.; & Kauffman, Rudi; “Leaving Deterrence Behind: War-Fighting and National Cybersecurity”; The Journal for Homeland Security and Emergency Management, Vol. 7 No. 1 Article 22, 2010

• Haskins, Caryl P.; “Atomic Energy and American Foreign Policy”, Foreign Affairs, 1945-1946,

• Johnson, Bobbie; “How do you build a new internet?”; The Guardian; August 1 2007; http://www.guardian.co.uk/technology/2007/aug/01/news.internet

• Joint Publication 3-13, “Information Operations”, November 27th 2012, http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf

• Kaufmann, William; Military Policy and National Security, Princeton University Press, 1956

• Khong, Yuen Foong; Analogies at War; Princeton University Press; 1992

• Kissinger, Henry; Nuclear Weapons and Foreign Policy, Harper, 1957

• Kramer, Franklin; Starr, Stuart; & Wentz, Larry; Cyberpower and National Security; National Defense University Press; April 2009

• Lerner, Max; The Age of Overkill, Simon and Schuster, 1962,

• Liddell Hart, Basil; Deterrent or Defense, London: Stevens & Sons, 1960, p. 23 [reprint of original writing made in 1954]

• Liddell Hart, Basil; The Revolution in Warfare, Greenwood Press, 1980

• Major-General J. F. S. Fuller, ‘The atomic bomb and warfare of the future’, Army Ordnance, January-February 1946

• Markoff, John & Kramer, Andrew E.; “In Shift, U.S. Talks to Russia on Internet Security”; The New York Times; December 12, 2009; http://www.nytimes.com/2009/12/13/science/13cyber.html

• Markoff, John; “At Internet Conference, Signs of Agreement Appear Between U.S. and Russia”; The New York Times; April 15, 2010; http://www.nytimes.com/2010/04/16/science/16cyber.html

• Matrosov, Aleksandr; Rodionov, Eugene; Harley, David; & Malcho, Juraj; “Stuxnet Under the Microscope”; ESET white paper; revision 1.31; http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf [last accessed February 2013]

• Maurer, Tim; “Cyber Norm Emergence at the United Nations – An Analysis of the UN‘s Activities Regarding Cyber-security?”; Discussion Paper 2011-11; Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School; September 2011; http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-final.pdf

• Mazzetti, Mark & Sanger, David E.; “Security Leader Says U.S. Would Retaliate Against Cyberattacks”, The New York Times, March 12th, 2013

• McCray, W. Patrick; “It’s Just Like That Except Different”, May 7th, 2008, http://scienceprogress.org/2008/05/its-just-like-that-except-different/

• McEntegart, Jane; “Stuxnet is the World’s first cyber super weapon”, September 27th 2007 http://www.tomsguide.com/us/stuxnet-cyber-weapon-worm-trojan,news-8122.html + Babak Dehghanpisheh, “Going cyber against nuke program”, Newsweek, October 4th 2010 http://www.thedailybeast.com/newsweek/2010/10/04/stuxnet-worm-latest-attack-in-growing-cyberwar.html

• McNamara, Robert; “Defense Arrangements of the North Atlantic Community”, Department of State Bulletin, 47, July 9th, 1962

• McNamara, Robert; “The dynamics of nuclear strategy”, Department of State Bulletin, LVII, October 9th, 1967

• Mead Earle, Edward; “The influence of air power upon history”, The Yale Review, xxxv:4 June 1946

• Morozov, Evgeny; The Net Delusion: the Dark Side of Internet Freedom; Public Affairs, New York, NY, 2011

• NATO; Cooperative Cyber Defense Centre of Excellence; http://www.ccdcoe.org/11.html [last accessed February 2013]

• Neustadt, Richard & May, Ernest; Thinking in Time: The Uses of History for Decision Makers, The Free Press, 1986

• Nisbett, Richard E. & Ross, Lee; Human Inference: Strategies and Shortcomings of Social Judgment, Prentice-Hall, 1980

• Oppenheimer, J. Robert; “Atomic Weapons and the Crisis in Science”, Saturday Review of Literature, November 24, 1945

• Organization for Economic Cooperation and Development (OECD); “Malicious Software (Malware): A

Security Threat to the Internet Economy”; 17-18 June 2008; Seoul, Korea;

http://www.oecd.org/dataoecd/53/34/40724457.pdf

• Osgood, Robert E.; Limited War: The Challenge to American Strategy ; The University of Chicago Press,

1957

• Phillips, Joshua; “ How Companies Can Defend Against Database Cyberattacks”;

http://english.ntdtv.com/ntdtv_en/science_technology/2011-11-22/How-Companies-Can-Defend-Against-

Database-Cyberattacks-.html

• Poulson, Kevin; “’Analyzer’ defends Israeli sites”, Security Focus , November 20th, 2000

http://www.securityfocus.com/news/116

• Présidence De La République, “The French white paper on defence and national security”, « Le Livre blanc

sur la défense et la sécurité nationale », 2007

http://www.livreblancdefenseetsecurite.gouv.fr/IMG/pdf/white_paper_press_kit.pdf

• Rhodes, Keith A.; “Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measure”;

United States General Accounting Office ; August 29 2009; http://www.gao.gov/new.items/d011073t.pdf

• Schelling, Thomas; Arms and Influence , Yale University Press, 1966

• Secretary of Defense Robert Gates, Memorandum June 23rd 2009,

http://online.wsj.com/public/resources/documents/OSD05914.pdf

• Software Engineering Institute – Carnegie Mellon, CERT Advisory, [last edited] September 25th, 2001,

http://www.cert.org/advisories/CA-2001-26.html

• Sokolovsky, Vasily; Military Strategy , 1962

• Staff Sergeant C. Todd Lopez, “8th Air Force to become Air Force Cyber Command”, November 3rd, 2006, http://www.af.mil/news/story.asp?storyID=123030505

• Tannenwald, Nina; “The nuclear taboo: The United States and the normative basis of nuclear non-use”, International Organization, Vol. 53 no. 3, Summer 1999

• The Federation of American Scientists, http://www.fas.org/programs/ssp/nukes/nuclearweapons/nukestatus.html

• The International Atomic Energy Agency http://www.iaea.org/pris/

• The United States Government, National Strategy to Secure Cyberspace, 2003, http://www.whitehouse.gove/pcipb

• Thomas, Timothy L.; “Taiwan Examines Chinese Information Warfare”, High Frontier, USAF Space Command, Vol 5 no. 3, May 2009, pp. 26-35

• Thompson, Lyndon; “Security and the Internet: Fighting malware”; The OECD Observer; Paris, France; July 2008; Issue 268;

• Tyson, Jeff; “How Firewalls Work”; http://computer.howstuffworks.com/firewall1.htm

• United Nations – General Assembly; “Annex to the letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General: International code of conduct for information security”; 14 September 2011; http://blog.internetgovernance.org/pdf/UN-infosec-code.pdf

• United Nations “Developments in the field of information and telecommunications in the context of security”; Fifty-third session, Agenda item 63; 4 December 1998; http://daccess-dds-ny.un.org/doc/UNDOC/GEN/N99/760/03/PDF/N9976003.pdf?OpenElement

• United Nations “Developments in the field of information and telecommunications in the context of security”; Private Discussion Meeting hosted by DDA and UNIDIR; Geneva, August 25-26, 1999; http://www.unidir.org/pdf/activites/pdf3-act81.pdf

• United States Strategic Command, US Cyber Command, current as of December 2011, http://www.stratcom.mil/factsheets/cyber_command/

• Wingfield, Brian; “Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months”; Bloomberg.com; Feb 1, 2012; http://www.bloomberg.com/news/2012-02-01/cyber-attack-on-u-s-power-grid-seen-leaving-millions-in-dark-for-months.html
