Pages

24 September 2022

Will deterrence have a role in the cyberspace ‘forever war’?Will deterrence have a role in the cyberspace ‘forever war’?

David Ignatius

At a time of growing concern about possible nuclear threats from Russia, some prominent defense strategists are arguing for a new theory of deterrence. They argue that military conflict is now so pervasive in cyberspace that the United States should seek to shift away from deterrence in this domain — and more aggressively exploit the opportunities it presents.

Beware, reader, in exploring this topic: Deterrence strategy is one of the wooliest and most abstract areas of defense analysis. In the early Cold War decades, it was the province of professors such as Herman Kahn at the Rand Corp., and Thomas Schelling and Henry Kissinger at Harvard — sometimes collectively known as the “wizards of Armageddon.” They “thought about the unthinkable” when it came to nuclear war, partly to dissuade the Soviet Union from ever launching an attack.

Times have changed, argues the new book “Cyber Persistence Theory: Redefining National Security in Cyberspace.” Its three authors have all worked closely on cyber strategy for the Pentagon: Michael P. Fischerkeller as a cyber expert with the Institute for Defense Analyses; Emily O. Goldman as a strategist at U.S. Cyber Command; and Richard J. Harknett as a cyber expert at the University of Cincinnati and the first scholar-in-residence at Cyber Command.

The book isn’t an official policy document. But a foreword from Gen. Paul Nakasone, the head of Cyber Command and the National Security Agency, notes that the three authors have been “laying the foundations for the Command’s approach of Persistent Engagement” and that their book offers a “framework for understanding … operational effectiveness moving forward.”

To sum up the authors’ arguments: Cyberweapons fundamentally change the nature of warfare. Borders don’t matter much to digital code. And cyberwar is a continuum (and always happening at a low level), rather than an on-off switch. It’s a new domain, with new rules.

“Cyberspace must be understood primarily as an environment of exploitation rather than coercion,” the authors write. “Achieving strategic gains in the cyber strategic environment does not require concession of the opponent.” In other words, much of what we think we know about war doesn’t apply in this domain.

I had a chance to explore this esoteric subject in August, when the authors asked me to moderate a public discussion of their book at the National Defense University. The gathering produced a lively exchange among military cyber strategists.

To get an overview of the evolution of deterrence thinking, let’s start with Harknett’s vision of three phases in the history of warfare, culminating in cyber.

The first period, beginning in ancient history, involved “conventional” weapons — rocks at first, then eventually guns, cannons, battleships, bombers — to coerce the adversary into submission. Nation states zealously defended their borders, and the goal of warfare was coercion and victory. Deterrence involved having more and better cannons, bigger battleships, more planes. But obviously, looking at the two world wars in the 20th century, that version of deterrence didn’t work very well. The arsenals almost invited war.

That first period lasted until 1945, when the United States introduced nuclear weapons that, soon enough, were duplicated by the Soviet Union. With the potential to kill hundreds of millions of people in a quick exchange, these weapons could effectively destroy civilization. The culmination of war became not victory but doomsday.

Nuclear war, as was often said, cannot be won and should never be fought. So, the goal of nuclear strategy was not to win wars but to prevent them. This nuclear version of deterrence has worked quite well for 73 years and counting.

The third period involves cyberweapons, and the assumptions are fundamentally different. Weapons can’t be counted, identified, tracked or easily controlled. They are used in a borderless electronic world where traditional ideas of sovereignty don’t work very well. The authors argue that this domain is “micro-vulnerable (and inherently exploitable),” in that targets can be hit easily, but “macro-resilient (and thus stable),” because nations will persist, even if targeted.

Two lessons of the Ukraine war is that cyber defenses appear to work better than might have been expected, and that cyber offense works worse. That’s one explanation for Ukraine’s amazing resilience against the Russian onslaught.

The authors offer some suggestions for this new domain: Strategists should have rules for continuous engagement, rather than plan for contingencies; they should prepare for continuous operations not “episodic” ones, and they should seek “cumulative” gains, rather than final victory. As the authors wrote in a recent article in the National Interest: “Because of the fluidity of digital technology, security rests on seizing and sustaining the initiative.”

No comments:

Post a Comment