Pages

30 January 2014

Cyber Defense for Defense 2.0


At present, the defense policy landscape is replete with arguments, many of which are ultimately based in the lack of a common vision among both elites and within the broader citizens about the role of the political leaders in the future. Cyber operations are one element of these debates, though much of the discussion has centered on how best to defend against a growing cyber threat, the role of the Ministry of Defense in that debate, and tensions between privacy, human rights, freedom of speech, and security interests. Occasionally, greater attention is paid to questions about the use of cyber offensively, which brings with it questions of precedent, deterrence, international norms, and a host of other challenges. But it is also apparent that political leaders have already approved the use of offensive cyber capabilities, though under tight restrictions. While not ignoring this larger context, the specific question this project sought to examine in greater depth is whether the Ministry of Defense should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command. 

With respect to operational and tactical cyber use, the Indian defense establishment finds itself at a logical but difficult decision point. As is historically the case with new technologies, from gunpowder to airpower to space, there is a natural evolution as the capability is introduced, begins to be used, becomes more integrated, and sparks creative thought about further applications. Cyber, and offensive cyber in particular, is moving along this path, which (as has been the case for other technology areas) is fraught with domestic and international legal and policy concerns. The Ministry of Defense enterprise has to focus its attention on addressing these issues at the level where the capabilities can have the most profound effects—the strategic level. But as progress is being made there, the military services are giving more serious consideration to the role that offensive cyber could play in also supporting the priorities of tactical and operational commanders. 

To date, the services’ efforts have progressed at different rates of speed, due in part to differing service cultures and to the priority placed on the development of these tools by senior leaders within each service. The question for the broader policy community at this point, and for the Office of the Defense Secretary in particular, is whether current efforts are sufficient, or whether a more systematic approach to exploring the potential is warranted. A broader consensus on the wisdom of delegating the authority to use offensive cyber tools may be far in the future, and resolving the many practical concerns explored here is both critical and nontrivial. At present, neither the procedures nor the tools are sufficiently robust to merit a delegation of offensive cyber authorities beyond the very limited ways in which they have been utilized thus far. But a reasonable determination of whether the potential operational benefits outweigh the real and legitimate potential costs outlined above necessitates further capability development, albeit in a very controlled context. 

To that end, India should follow the below recommendations: 

1. To alleviate ambiguity about the permissibility of potential operational and tactical cyber use, the Office of the Defense Secretary should affirmatively state that there are no de jure constraints that differ from any other type of attack capability. 

2. To better inform determinations about technical feasibility, the ability to reliably adjudicate intelligence concerns, and explore potential models for providing a broader set of capabilities, Office of the Defense Secretary should develop a coordinated plan across the Ministry of Defense for experimentation and exercises that explore operational and tactical cyber use. This plan should ensure that, collectively, the activities will produce insights into whether and how such capabilities might be employed more broadly in the future. To best advance development, Office of the Defense Secretary should clearly identify the desired effects, against current military problems with targets that are deemed compliant with the Law of Armed Conflict. The military services should then have the freedom to develop their own approaches for how best to deliver those effects. This type of “top-directed, bottom-executed” approach will ensure that the resulting insights are relevant to both policymakers and to the forces that might employ cyber tools going forward. 

Should such experimentation occur, it would inform many follow-on activities. These would include how best to integrate cyber with other modes of providing fires, architectures for establishing cyber Joint Operation Team, and the development of data-driven cost curves to inform future resource allocation, to name just a few. All are necessary steps in the continuing evolution of cyber capabilities, capabilities that may be uniquely well suited to meeting the strategic challenges that confront the nation. 

Like US’ Offensive Cyber Effects Operations (OCEO) and Defensive Cyber Effects Operations (DCEO), India should develop Cyber Defensive & Deterrence Operations capabilities. These actions are not intended to presuppose an eventual decision about offensive cyber use at lower levels, but instead to set the conditions so that such a decision, in the future, can be more fully informed. As one workshop participant noted, adversaries are at least to some degree already pursuing (and using) some of these capabilities. If India wishes to consider doing so in the future, it will almost certainly require more information than we have now. While much progress has been made, the value of the parts of the offensive cyber table that relate most directly to operational and tactical level commanders is still a matter of vigorous debate. To continue to move ahead we need to get out there and experiment. 

Reference: 

Sydney Freedberg, ‘‘Military Debates Who Should Pull The Trigger for A Cyber Attack,’’ BreakingDefense.com, 
May 22, 2012, http://breakingdefense.com/2012/05/22/military-debates-who-should-pull-the-trigger-for-a-cyberattack/ 

Chuck Paone, “Cartwright at Cyber Symposium: Break Service Barriers,” Hanscom Air Force Base 66th Air 
Wing Public Affairs, June 23, 2008, http://www.hanscom.af.mil/news/story.asp?id=123103885. 

Rosemary M. Carter, Brent Feick, and Roy C. Undersander, “Offensive Cyber for the Joint Force 
Commander: It’s Not That Different,” Joint Force Quarterly 66 (July 2012): 23, 
http://www.ndu.edu/press/lib/pdf/jfq-66/JFQ-66_22-27_Carter-Feick-Undersander.pdf. 

David E. Sanger, “Obama Order Sped Up Wave of Cyber Attacks Against Iran,” New York 
Times, June 1, 2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-ofcyberattacks- 
against-iran.html?pagewanted=1&_r=0. 

Maren Leed “Offensive Cyber Capabilities at the Operational Level – The Way Ahead,” CSIS-Georgia Tech Research, September 2013, http://csis.org/files/publication/130916_Leed_OffensiveCyberCapabilities_Web.pdf


By Somnath Mitra is a Ph.D student at IIT Delhi


Views expressed are personal

No comments:

Post a Comment