Proxy Wars: Control Problems in Irregular Warfare and Cyber Operations Jon R. Lindsay University of California Institute on Global Conflict and Cooperation La Jolla, CA [email protected] Prepared for the International Studies Association annual meeting, San Francisco, April 2013 Introduction We hear much debate about unconventional warfare and cybersecurity, respectively, but little overlap between them. The first deals with unconventional actors like insurgents, terrorists, and armed gangs and the suitability of doctrine like counterinsurgency and counterterrorism to suppress them. The second focuses on vulnerable computer networks, proliferating hacking tools, and arguments about the revolutionary potential of cyberspace. “War amongst the people” in the developing world and high-tech cyberwar between advanced states seem, reasonably enough, to be radically distinct problems. Yet there are also important similarities between them. In particular, the experience of irregular warfare (IW) has lessons for cyber operations (CO) regarding the limits of simple doctrine for complex conflicts. The history of IW goes back centuries, but the tragedies of 9/11, Iraq, and Afghanistan injected new energy into discussion of COIN and CT. Initial frustration at the inability of conventional force to combat unconventional threats gave way to near euphoria at the rediscovery of an earlier era’s COIN doctrine and its apparent triumph in Iraq. The intellectual pendulum then swung back to disillusionment at the failure of COIN to fix the mess in Afghanistan.1 Even the efficacy of COIN in Iraq now appears dubious in recognition of other forces acting simultaneously, such as the Sunni realignment or “Awakening” in Anbar Province and the culmination of ethnic cleansing in Baghdad.2 Critical scholars have argued that COIN manuals which emphasize population protection and infrastructure development neglect the violent and highly localized bargaining processes which characterize civil war and state 1 For a sampling of disillusioned perspectives see Rory Stewart, Pervez Musharraf, Seth G. Jones, Amrullah Saleh, Sherard Cowper-Coles, Sarah Chayes, Alex Strick Van Linschoten, Felix Kuehn and Frederick W. Kagan, "What Went Wrong in Afghanistan?" Foreign Policy (March/April 2013) 2 See commentary by Jon Lindsay and Austin Long in International Security vol. 37, no. 4? (2013) on Stephen Biddle, Jeffrey A. Friedman and Jacob N. Shapiro, "Testing the Surge: Why Did Violence Decline in Iraq in 2007?" International Security vol. 37, no. 1 (2012): 7-40. See also Jon Lindsay and Roger Petersen, Varieties of Insurgency and Counterinsurgency in Iraq, 2003-2009, CIWAG Case Study Series 2011-2012, Ed. Andrea Dew and Marc Genest (Newport, RI: U.S. Naval War College, 2012) building.3 Indigenous security forces, armed militias, local contractors, and clan elites are critical in COIN, but their loyalty, competence, or efficacy cannot be taken for granted. Even CT, carried out unilaterally by special operations forces or armed drones, must contend with a restive population that reacts adversely to targeting errors, and successes as well. Moreover, the military and civilian agencies tasked with monitoring and influencing all these local actors have frequently been frustrated by self-inflicted failures to coordinate. Cybersecurity is a much more recent problem, and the onset of early frustration is gaining steam.4 Many policymakers and analysts now fear that ubiquitous dependence on cyberspace makes a “digital Pearl Harbor” or “cyber 9/11” increasingly likely.5 As Michael McConnell, a former U.S. Director of National Intelligence, observed rather ominously, “cyber-war mirrors the nuclear challenge in terms of the potential economic and psychological effects.”6 This is hardly a uniquely American perspective, for Chinese strategists also write that, “just as nuclear war was the strategic warfare of the industrial age, network warfare will be the strategic warfare of the information age.”7 However, the overwhelming majority of cyber “attacks” have actually consisted of online crime, espionage, and nationalist expression or “hacktivism.” The only historical case of cyber attack known to have damaged physical infrastructure, the Stuxnet infection of Iranian nuclear enrichment controls, produced just minor and 3 Joshua Rovner, "The Heroes of COIN," Orbis vol. 56, no. 2 (2012): 215-232; Paul Staniland, "States, Insurgents, and Wartime Political Orders," Perspectives on Politics vol. 10, no. 2 (2012): 243-264; Stathis N. Kalyvas, "Review: The New U.S. Army/Marine Corps Counterinsurgency Field Manual," Perspectives on Politics vol. 6, no. 2 (2008): 351-353; Jacqueline L. Hazelton, Compellence and Accommodation in Counterinsurgency Warfare (Ph.D. Dissertation, Brandeis University, 2011); Colin F. Jackson, Defeat in Victory: Organizational Learning Dysfunction in Counterinsurgency, Ph.D. Dissertation, Massachusetts Institute of Technology, 2008 ; Kelly M. Greenhill and Paul Staniland, "Ten Ways to Lose At Counterinsurgency," Civil Wars vol. 9, no. 4 (2007): 402-419 4 The roots of electronic warfare and information security roots go back many decades, but this history is usually forgotten in the future-oriented discussion of cybersecurity as a wholly novel threat. See Michael Warner, "Cybersecurity: A Pre-History," Intelligence and National Security vol. 27, no. 5 (2012): 781-799 5 As President Obama stated in the 2013 State of the Union address, “America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” http://www.whitehouse.gov/the-press-office/2013/02/12/president-barack-obamas-state-union-address. Statements of the emerging conventional wisdom on the potency of cyber attack from former senior U.S. officials include Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do about It (New York, NY: Harpercollins, 2010); Joel Brenner, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (New York: Penguin Press, 2011). 6 Mike McConnell, "Mike McConnell on How to Win the Cyber-War We’re Losing," Washington Post (28 February 2010) 7 Ye Zheng and Zhao Baoxian, “How Do You Fight a Network War?”, Zhongguo Qingnian Bao Online, 3 June 2011 temporary disruption.8 Moreover, an emerging literature by skeptical scholars argues that fears about catastrophic cyberwar are overhyped.9 At the same time, the growing scale of cyber espionage is indeed alarming, especially Chinese activities targeting expatriate political concerns and Western economic interests.10 This has prompted an alternative cyber threat vision of a “death by a thousand cuts” through chronic industrial espionage vice a “digital Pearl Harbor.” However, cybercrime damage estimates are notoriously overinflated and there are formidable obstacles involved in analyzing and acting on petabytes worth of stolen data.11 It is possible that present excitement over cyber warfare may well be headed for empirical disillusionment, not unlike that which met earlier enthusiasm for COIN doctrine. 12 IW and CO fall at extreme ends on a spectrum of cultural and technological perspectives on war, respectively, yet there is an underexplored family resemblance between them. In particular, both depend on undependable third parties. IW works “by, with, and through” indigenous militias, host country security forces, and local contractors amid a complex milieu of civilian interactions. CO works through an overwhelmingly civilian infrastructure, invented, owned, and administered by civilian actors involved in a wide variety of transactions. All action in cyberspace, from this perspective, is indirect 8 Jon Lindsay, “Stuxnet and the Limited Future of Cyber Warfare,” (2013) 9 Sean Lawson, "Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber- Threats," Journal of Information Technology & Politics (Forthcoming 2013); Thomas Rid, "Cyber War Will Not Take Place," Journal of Strategic Studies vol. 35, no. 1 (2011): 5-32; Adam P. Liff, "Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and Interstate War," Journal of Strategic Studies vol. 35, no. 3 (2012); Jerry Brito and Tate Watkins, "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," Harvard National Security Journal vol. 3 (2011): 39-84; Myriam Dunn Cavelty, "Cyber-Terror: Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate," Journal of Information Technology & Politics vol. 4, no. 1 (2008): 19-36; Paul Ohm, "The Myth of the Superuser: Fear, Risk, and Harm Online," UC Davis Law Review vol. 41, no. 4 (2008): 1327. 10 Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage 2009-2011, October 2011; Information Warfare Monitor, Tracking Ghostnet: Investigating a Cyber Espionage Network, Secdev Group and University of Toronto Citizen Lab, 29 March 2009. 11 Ross Anderson, Chris Barton, Rainer Bohm, Richard Clayton, Michel J.G. Van Eeten, Michael Levi, Tyler Moore and Stefan