Comment: By Rian Whitton
From Stuxnet to cyber-espionage in the 2016 US Presidential election, this will be remembered as a time of infancy regarding the academic and theoretical discussion of cyber-security, at least pertaining to the state and military matters.
A historical analogy would be the teething problems that thinkers had regarding nuclear weapons in the 1945-54 period. Up until the Ivy Mike and Castle Bravo thermonuclear tests, an orthodox view within American military circles was that nuclear weapons amounted to super-artillery. From this premise resulted the development of nuclear depth-charges and atomic recoilless rifles like the Davey Crocket.
Given the immense severity of these weapons’ use, the limited number of actors who had them, and the fact these actors were all governments whose interests were often intelligible to their adversaries, the ground was laid for theorists like Herman Kahn, Bernard Brodie and Thomas Schelling to build a theoretical and intellectual framework behind nuclear weapons. From here arose doctrines of deterrence and mutually assured destruction (MAD).
Thomas C Schelling separated the diplomacy of pain, hurt and violence from military action. The latter represented the clash of arms, the battling of armoured vehicles, the test of strength by which military victory was achieved. The former represented the ability to inflict pain, and using the threat of pain to affect the behaviour of opponents. While military action required no collaboration from the enemy, the threat of nuclear holocaust was a tool by which Washington and Moscow affected each other’s behaviour. Often the desired effect was to clarify and predict action, to deter, compel, assure and so forth.
Cyber-war and Cyber-Capabilities
If nuclear Weapons inculcated a new diplomacy of violence, does cyber-security demand an analogous diplomacy of pain, and if so, are the desired outcomes to stabilise or disrupt?
Like nuclear weapons, cyber-capabilities allow for near instant effect and are not particularly contained by geography.
But unlike them, they so far have not demonstrated a capacity for physical violence. Compared to the fatal blow of a nuclear exchange, offensive cyber-capabilities currently amount to micro-aggressions. Cyber-capabilities are available to a wide range of actors depending on their sophistication. Nuclear Weapons, thankfully, remain limited to nine (possibly ten) states.
A nuclear war, while hypothetical, is at least agreed upon; all parties can envision it. In fact, it is vital that they can imagine such a confrontation, for otherwise the concepts of shared threat and deterrence crumble.
The same cannot be said for a ‘cyber-war’. As emphasised by the academic back-and-forths of senior professors, there is no agreed understanding of what such a war would constitute. Some say it reflects a continuation of the liberal way of war and acts as a force multiplier, while others say it represents a ‘fifth’ domain of warfare.
On the other side, Thomas Rid has argued against the term of cyber-war because it doesn’t meet the highly abstract understanding of war prescribed by Clausewitz.
The term ‘cyber-attack’ is likewise a very poor mechanism by which policymakers and politicians describe this phenomena. Michael Schmitt, A professor at the US Naval War College and contributing author to Tallinn 2.0, has sought to restrict the term, given it can be ascribed to anything from stealing a Facebook password to destroying a country’s power grid. A more suitable term might be offensive cyber-capability.
Schmitt’s push is admirable, and perhaps desired. Given the deluge of jargon and poor thinking relating to cyber in the past few years, the push for more rigour regarding terminologies and refining doctrines of cyber-conflict is a valid way to go.
But owing to the amorphous and particular characteristics of cyber-security, practice will offer more guidance than theoretical elegance. From there, we can learn more from history than political science, and more from one general than the rationalist Clausewitz; the American civil war hero, William Tecumseh Sherman.
Sherman’s March To The Sea
As the historian Victor Davis Hanson describes, Sherman was a pioneer in the diplomacy of violence. But while both he and the nuclear theorists wanted the enemy to collaberate, the behaviours they wanted to engender were different.
Following appalling losses at the battle of Shiloh in 1862, Sherman was tasked with flanking the Confederate South from the West. While Ulysees S. Grant was blocked short of Richmond, Sherman and his 60,000 managed to capture Atlanta in late 1864.
Upon this victory, Southerners taunted that Sherman’s forces would not survive the winter, as their supply lines from Tennessee were faltering. Audaciously, he uprooted his men and made a 300-mile dash between Georgia and Savannah.
This 5-week march to the sea was characterised both by the relative absence of direct military engagement, and an employment of cold psychological terrorism. While only 1000 were killed, Sherman burned plantations, slaughtered pets, freed slaves, destroyed factories and severed lines of communication. Part of this strategy was based on sabotage; crippling Confederate command and the destroying the means of waging war.
But it was also profoundly psychological, in so far as it was orchestrated to send messages to Southerners, from the bourgeois slave-holding aristocracy to the Georgian farm-hands. For the poor, it was that war demanded collective punishment, and was no picnic in a far-off land. For the honour-loving gentry, the destruction of their French-inspired homesteads was the ultimate humiliation; a cavalier class being unceremoniously stripped of their livelihood by uncouth frontiersman from the mid-West.
In both cases, the violence was designed to cultivate some change in the victim’s psychological state; inflicting pain to compel the degeneration of an entrenched honour-bound mindset and force surrender. Furthermore, the violence was notable by its caprice; very few actually killed, lots of assets damaged and a general sense that no one was entirely secure. To this day, Sherman is hated in the South.
How does this help us understand cyber? Like Sherman, the job of policy-makers in the US and UK should be to affect the opposing side’s confidence, psychological stability, morale and humility. That could mean bringing home the consequences of hacking critical infrastructure to those that do it. It could also be to understand that offensive cyber-capabilties cause confusion and self-doubt disproportionate to their cost, and this should be factored into both defending and attacking.
The 2016 election hacks were impressive not because they were technologically sophisticated, nor that they found incriminating evidence, but rather that these acts established a sense of defencelessness within a a powerful group (The American Elite). Some were enthusiastic about the Wikileaks publications, others were apoplectic, and the rest were simultaneously keen to rail against John Podesta’s emails while worrying over Russian malpractice. It was an effective intrusion into the Democratic process, forcing disproportionate news coverage, venting and a sense of insecurity. Taken as a whole, the characterisation of a technological superpower having its dirty laundry aired by a clutch of unattributed hackers is embarrassing. Whoever is responsible, they seem to have echoed the importance Sherman placed on humiliation.
Stuxnet is similar. One can question the military and operational effectiveness of this action. It was costly in resources and time without stopping the enrichment programme. What can be said is that it sowed confusion and disquiet in the Iranian hierarchy regarding the competence of their scientists.
In the above-examples, the operational effectiveness or material damage of a cyber-attack is secondary to the psychological pressure it can put on a group. Thus their uses are well-placed to mimic the diplomacy of violence Sherman exhibited.
As determined by the differences between cyber and nuclear assets, the diplomacy of cyber-afflicted pain is much harder to anchor in a mutual understanding of deterrence. With thermonuclear weapons, deterrence is achieved by two actors simply having a survival instinct. But regarding cyber-deterrence, how would you (metaphorically) deter, compel or force collaboration from a range of actors who just want to throw eggs at your car and run off? The good news is you are protected and unlikely to be fatally wounded. The bad news is there are a range of actors, with cheap access to an armament, who can escape retaliation, and if you aren’t a little embarrassed, your fellow passengers might be.
Without effective deterrence, the diplomacy of cyber-saboatge amounts to sowing discord, humiliation, and uncertainty in the ranks of your opponent, perhaps forcing them into a long-winded FBI investigation, or leading businesses to throw money at cyber-security consultants so they feel covered in the future. Recently, North Korean hackers are suspected to have gained access into joint US-South Korean war plans (OPLAN 5027). Such an action raises doubts within the respective administrations about the likely success of their strategy. Sherman’s tactics were designed to engender similar behaviour in the South.
Is Deterrence possible?
Will the diplomacy of cyber-attacks ever be able to stabilise and force collaborative acts like deterrence, as opposed to psychological pressure? The 2007 Israeli bombing of a Syrian nuclear facility was made possible by Tel Aviv’s ability to invade the networks of air defence systems. This may assure hostile actors that their networks are not safe and deter them, but such threats rest on Israel’s long-strike aerial capability; not just cyber-attacks.
The potential of hardly-known cyber-capabilties like Nitro-Zeus may amount to something credible for deterrence. It is rumoured in Alex Gibney’s documentary Zero Days that Nitro-Zeus (an asserted Zero-Day weapon with very few details) was designed to cripple Iranian infrastructure at a national level, similar to the intended effects of a nuclear electro-magnetic pulse (EMP). Even at this point, such a system would surely demand further military action and to display having such a weapon may weaken its effectiveness.
Much like the advent of nuclear weapons, the proliferation of offensive cyber-capabilties has opened up a new diplomacy, and a way to affect the behaviour of opponents. But while nuclear diplomacy focused on clarification and getting the enemy to collaborate, the character of cyber-security instead reaps rewards by altering and undermining enemy psychology, much as Sherman did some 150 years ago.