I/S: A JOURNAL OF LAW AND POLICY FOR THE INFORMATION SOCIETY
Our on-line world Is Not a Warfighting Area
MARTIN C. LIBICKI*
Like everybody else who’s or has been in a US army
uniform, I consider cyber as a website. It’s now enshrined in
doctrine: land, sea, air, house, cyber. It journeys off the tongue, and albeit I’ve discovered the idea liberating after I assume
about operationalizing this area. However the different domains
are pure, created by God, and this one is the creation of
man. Man can really change this geography, and something
that occurs there really creates a change in somebody’s
bodily house. Are these variations necessary sufficient for us
to rethink our doctrine?
Normal Michael V. Hayden,
USAF, Retiredi
At first was the land area; with the invention of
flotation got here the ocean area. A century in the past, the air area was
added to the record; a half-century in the past, the house area was added as
effectively. Inside the final quarter-century, the mixture of ubiquitous
networking and common digitization has given rise to our on-line world, the
latest addition to the rising household of domains. Our on-line world, we’re
*Martin Libicki is a senior administration scientist on the RAND Company. His analysis
focuses on the impacts of knowledge expertise on home and nationwide safety.
Libicki recievied his Ph.D. in economics and M.A. in metropolis and regional planning from the
College of California, Berkeley, and his S.B. in arithmetic from the Massachusetts
Institute of Expertise.
1 Michael V. Hayden, The Way forward for Issues “Cyber,” 5 STRATEGIC STUD. Q. three,four(2011),
accessible at http://http://ww w.au.af.mil/au/ssq/2o11/spring/hayden.pdf.
2 In contrast with our on-line world, which is taken into account a website and which, as a website, is
headed by a full common, radio-frequency spectrum, the management over which nations have
sparred over since 1940, is just not thought of a website. Even by way of far extra money is
spent on digital warfare gear than in cyberwar gear, in no Service does the
I/S: A JOURNAL OF LAW AND POLICY
instructed, pervades the opposite domains within the sense that warfighters in every
of the prior domains could be severely handicapped if their entry to
our on-line world had been efficiently challenged. Thus understood, our on-line world
has change into the brand new excessive floor of warfare, the one area to rule
all of them and within the ether bind them, which, as this essay will argue, is
the unsuitable strategy to view our on-line world and what militaries can do by
working “inside” it.
Whether or not our on-line world does or doesn’t have the essence of a
warfighting area as per some platonic superb is just not at challenge. As an alternative, this essay contends that understanding our on-line world as a warfighting
area is just not useful in the case of understanding what can and
ought to be performed to defend and assault networked techniques. To the extent
that such a characterization leads strategists and operators to
presumptions or conclusions that aren’t derived from statement
and expertise, this characterization could effectively mislead. In different
phrases, connotations fairly than denotations are the issue. The
argument that our on-line world is a warfighting area, solely a extremely
totally different one, begets the Question Assignment of what goal is served by calling
our on-line world a website within the first place. Our goal is, due to this fact, akin
to what our historic Chinese language buddies would have known as the rectification
of phrases: making the title of the factor match the character of the factor.
To do that, I first characterize cyber operations and their tenuous
relationship to our on-line world. Subsequent, I look at how warfighting describes
the set of duties essential to defend or, alternatively, offend networked
data techniques. Lastly, I describe a few of the conceptual errors
which will come up by considering of our on-line world as a warfighting area
analogous to the standard warfighting domains.
I. FROM WHENCE CYBER OPERATIONS?
The networked techniques utilized by international locations and their militaries are
designed to hold out the instructions of their owner-operators. Whose
orders these techniques really perform, nevertheless, rely not on their
design, however upon the code that reifies their design.three As a rule, the
particular person whose main mission is to command digital warriors rank larger than a
brigadier common.
three It’s attainable to hold out cyber assaults by subverting not the code however the customers. An
approved consumer could be a spy/saboteur or be persuaded to do the unsuitable factor utilizing social
engineering. From a system perspective, nevertheless, most customers are shoppers. Good engineering
practices would restrict the harm that may be performed to servers by the actions of rogue consumer
machines, however the servers into which such ideas are encoded could themselves have
vulnerabilities, therefore returning to the problem of code as a main challenge.
322 [Vol. 8:2
LIBICKI
systems’ code and design conform almost perfectly, but in the term
“almost” lies the entire basis for offensive cyber operations.
Information systems are complex and, in their complexity, there can
often be minute cracks, no more than a bitstream wide, that hackers
can take advantage of by issuing commands to systems to which they
have no rights. These minute cracks are vulnerabilities; they are
invariably specific and can usually be patched once discovered and
understood. By depending on information systems to supply us the
right information or to command machines, we rely on their correct
performance, but this assumption is not always correct, particularly
when such systems are under pressure.
Offensive cyber operations attempt to exploit such vulnerabilities
to create effects that interfere with the ability of their victims to carry
out military or other tasks, such as production. As a rule, the more
these tasks require correct working of the systems, the greater the
potential for disruption or corruption that can be wreaked by others.
Similarly, the more widely connected the information systems, the
larger the population of those who can access such systems to wreak
such havoc. Conversely, the tighter the control of information going
into or leaving information systems, the lower the risk from the threat.
Stated more broadly, the sounder the security design of an
information system, the lower its susceptibility to such threats, the
faster such threats can be recognized, the easier they can be thwarted,
the less the damage, and the faster the recovery. Ultimately, the ability
to carry out offensive cyber operations is a direct function of the
weakness of the target system-something that cannot be said for, say, cities threatened by nuclear weapons. To be sure, clever hackers can
do more damage than mediocre ones-but a large part of their skill set
rests on the ability to discover and discern how to exploit these
vulnerabilities,4 if they exist in the first place.
What is there about such effects that necessarily describe a
medium of combat? The answer is empirical: the most common way
of accessing one information system is to take advantage of the fact
that systems are typically connected to other information systems, and
ultimately to all information systems, usually through the Internet.
The Internet is basically tantamount to cyberspace; everything
4 To wit, those who discover a vulnerability can usually generate the tools required to
exploit it-but a set of tools without the requisite vulnerabilities is not particularly useful. A
similar point is made about nuclear bomb making-no state that has the requisite fissile
material has failed to figure out how to make a bomb from what it has. See Peter D.
Zimmerman, Proliferation: Bronze Medal Technology Is Enough, 38 ORBIs 67, 75-78
(1994).
2012] 323
I/S: A JOURNAL OF LAW AND POLICY
linked to the Web is linked to our on-line world and, due to this fact,
a part of our on-line world. The connection even extends to techniques the place the
connection is intermittent and asynchronous-the greatest instance being
how bytes could be inserted into and extracted from supposedly closed
techniques, comparable to those who run Iran’s centrifuges at Natanz or the
Division of Protection’s (DoD’s) SIPRNET, utilizing detachable media, comparable to USB drives.
Web connectivity is an epiphenomenon of system assault, however
there are different methods to introduce errors into pc techniques. An
approved consumer could possibly be a international agent. A particular forces operator
may achieve illicit entry to a system and command it for lengthy sufficient to
make it err. The system could comprise rogue logic elements that
create sure varieties of errors based mostly on specific circumstances (e.g., if the radar sees a U.S. warplane, a circuit within the radar instructs the
display screen to not present something). A message despatched over a short-range, point-to-point radio-frequency connection could possibly be overwritten by a
long-range, high-power sign from exterior the supposed perimeter.
None of those strategies require our on-line world to work, however they will
create the identical results. Nonetheless, working by way of our on-line world is
the popular technique of entry for causes of financial system, certainty, and
danger.
II. CYBERSPACE, THE MALLEABLE MEDIUM
It’s one factor to acknowledge that the power of superior militaries
to hold out missions within the 4 bodily domains requires that they
alone can command their techniques. It’s one other to conflate the
epiphenomenon of Web-connectivity of such army techniques with
the proposition that our on-line world is a army medium topic to the
tenets of warfare that exist within the different bodily media.
Everybody concedes that our on-line world is man-made. That is what
makes it totally different from its predecessors. Most then proceed as if the
distinction between a pure and a man-made fight medium is of
no higher significance than the distinction between pure and artifical fibers. However it’s not the man-made nature of our on-line world that
makes it totally different. Cities are man-made, however metropolis fight shares many
of the foundations of nation fight. What issues is that our on-line world is
extremely malleable by its house owners, therefore its defenders, in methods different
media usually are not. Cities, though man-made, usually are not notably
malleable (at the very least not by these defending them).
How malleable is our on-line world? Within the business world, there are
many givens: the overwhelming majority of all machines run some
model of Microsoft Home windows; most software program merchandise are dominated
324 [Vol. 8:2
LIBICKI
by a handful of firms, often just one; communications with the outside
world have to use various protocols of the Internet suite (e.g., TCP/IP,
the Border Gateway Protocol); and major communications companies
transmit most of the traffic over what are, in the short run, fixed
hardware infrastructures. This still leaves a great deal of discretion for
the average user, even in the short run: which systems are connected
to the outside; what is accessible through systems so connected; what
provisions are made for back-up or process validation; how networks
are managed and secured (including which products and services are
purchased); where encryption and digital signatures are used; how
user and administrator identities are authenticated; how such
individuals are vetted for their responsibilities; what version of
software is used and how diligently its security is maintained; what
security settings are applied to such software (and who gets to change
them); how personnel are vetted; and so on.
In the slightly longer run, radically better system architectures and
ecologies are possible. Take Apple’s iPad. Little, if any, malware has
been written for it.5 Why? The iPad operating system will only run
software acquired through Apple’s iStore and such offerings are vetted
and never anonymous. Thus, while apps are not foolproof, they are
small, not resident (because iPads do not support multitasking, few
apps are on all the time), and much less likely than web pages to
deliberately become sources of malware (unfortunately, apps can be
quite nosy.) The iPad version of the Safari web browser limits plug-ins
(most famously, Adobe’s Flash player) and web downloads. The iPad’s
apps tend to be much simpler than those designed for personal
computers. The iPad also shuts down (but in a state-full way) when
not in use, thereby flushing memory-resident processes. It is unclear
how robust the iPad model is for general-purpose computing (its apps
come with far fewer user-set options than PC applications and
heavyweight database processes, for instance, have little presence on
the iPad). Yet the iPad demonstrates how alternative architectures
may radically change the security equation.
The U.S. military has a real need to shape its information systems.
Unlike most of us, it faces more competent, potentially serious foes
5 As of April, 2012 there has been no known malware for systems built with Apple’s iOS5,
which runs not only the iPad, but the iPhone and the iPod touch. Yes, the iPad itself is new,
but 25 million had been sold by mid-2011. Sam Costello, What Are iPad Sales All Time?,
ABoTr.com, http://ipod.about.com/od/ipadmodelsandterms/f/ipad-sales-to-date.htm
(last visited Apr. 9, 2012). Furthermore, the same generalizations apply to the iPod Touch
and the iPhone which use the same operating system and which all together have sold over
250 million units. Charles Jade, iPod Touch Now Outselling iPhone, GIGAOM, Jan. 28,
2010, http://gigaom.com/apple/ipod-touch-now-outselling-iphone.
2012] 325
I/S: A JOURNAL OF LAW AND POLICY
with a transparent curiosity in stopping its operations from working,
notably whereas preventing a conflict, when its capabilities are most
necessary. Foes are greater than prepared to penetrate the army’s
computer systems to take action. Thus, the DoD ought to be and is prepared to make
tradeoffs that guarantee its techniques do as they’re instructed even when doing so
makes techniques considerably costlier and extra inconvenient. Lots of its
techniques are air-gapped, that’s, with no digital hyperlinks to different
networks. 6 Encryption is widespread, notably on RF hyperlinks, which
characterize communications amongst warfighting platforms. The DoD
imposes many restrictions on what its customers can do; entry, for
occasion, requires a Frequent Entry Card (CAC). The DoD has its personal
Web area and runs its personal domain-name server. It has
acquired a lot of the supply code for Microsoft Home windows in order that it will possibly
perceive, and in some circumstances alter, its security measures. It vets customers
tightly. It operates a fancy system of doc safety
(classification). It has employed a few of the world’s smartest folks in
data safety, a lot of whom work for the Nationwide Safety
Company (NSA). In sum, the DoD has much more scope to form its
share of our on-line world than most organizations do and makes use of this
discretion vigorously. In different phrases, its our on-line world is unquestionably
malleable. In contrast to the bodily domains, our on-line world is just not a given
surroundings inside which the DoD should maneuver on the identical foundation
with its foes. Certainly, the duty in defending the community is just not a lot
to maneuver higher or apply extra firepower in our on-line world however to
change the actual options of 1’s personal portion of our on-line world itself
in order that it’s much less tolerant of assault.
III. CYBERSPACE AS MULTIPLE MEDIA
The usage of “its our on-line world” when discussing the DoD suggests
one other function of cyberspace-it is just not a single medium as, say, outer
house. Our on-line world consists of a number of media-at the very least, yours, theirs, and everybody else’s. Every of those media typically comprises submedia. Your cyberwarriors try to get into their our on-line world as a
means of getting their techniques to misbehave and theirs try to get
into yours for a similar cause. The Question Assignment of who controls the
6 Air-gapping isn’t any panacea. (What’s?) To be excellent, air-gapping has to exclude detachable
media, intermittent connections (e.g., for software program updating), and stray RF signaling. Even
then, an air hole could be defeated by these prepared to penetrate bodily safety perimeters
or by the insertion of rogue elements. However efforts to penetrate air-gapped techniques are
pricey and don’t scale effectively.
326 [Vol. 8:2
LIBICKI
public share of cyberspace, while important, is usually ancillary to the
ability of each military to carry out operations.
The extent to which our adversaries’ systems are an
undifferentiated subset of the greater Internet, and thus of public
cyberspace, varies. As a rule, the more sophisticated and well-financed
the adversary, the more it maintains its own communications links. In
any case, connectivity among mobile units has to use a different
architecture than the land-line Internet. Conversely, the less
sophisticated and well-financed the adversary, the less likely it is to be
able to afford the kind of networking upon which the United States
and comparable militaries have grown so dependent. Countries are
either too technically sophisticated to allow the systems on which they
depend to rely heavily on the Internet or countries lack the
technological sophistication to afford the systems upon which their
warfighting would depend. In other words, the ability to command or
at least to confound the Internet of foreign countries is likely to be of
modest military value. This is far from saying that such countries are
impervious to operations against their systems. It does mean, however, that carrying out such operations requires playing in their
corner of cyberspace and they too have considerable scope to shape
what they become dependent upon-cyberspace is not a given for
them either.
What about this broad cyberspace in the middle-is it worth trying
to dominate or preventing others from dominating? To some extent, it
is. Cyberspace operations can keep a state’s leaders from
communicating with its population easily, as Russia’s operations did
against Georgia in 2008. It can make life uncomfortable for citizens of
another state, as the operations of Russia against Estonia did in 2007.
The ability to interpose messages into media can have psychological
effects. The ability to take down web sites (e.g., Jihadist sites) can
complicate recruitment efforts. Interfering with services from, for
example electric and transportation utilities or maintenance
organizations, can reduce the support that militaries receive from
them. But these operations are carried out, not so much against
cyberspace which is to say the Internet per se, as against systems
connected by cyberspace to the rest of the world. Such systems, and to
some extent their connections, are themselves malleable. Thus,
Estonia reduced its vulnerability by having Akamai redo its network
architecture and Georgia did similarly by having U.S. companies, such
as Google and Tulip, re-host their web sites. Power companies do not
have to be vulnerable to hackers; they can air-gap their generation,
transmission, and distribution systems in advance. If they feel the
consequences of their failures to do so beforehand, they can correct
matters afterwards, albeit not instantly. Maintenance activities for the
2012] 327
I/S: A JOURNAL OF LAW AND POLICY
electrical grid corporations can undertake back-up strategies (e.g., telephones and
modems, VSATs) in order that they will proceed to serve their prospects
ought to the necessity come up. Making an attempt to manage the Web to be able to
intrude with civilian actions could contribute to an general
warfighting effort, however, as a common rule, what lies on the civilian
Web is often secondary to how bodily wars are fought.
We’re left to conclude that in nice distinction to different domains, our on-line world consists of a number of media and is malleable in methods
that benefit its varied owner-operators.
IV. DEFEND THE DOMAIN OR ASSURE MISSIONS?
Pondering of our on-line world as a warfighting area tends to transform
the issues related to working in cyberspace-creating helpful
results in your adversaries’ techniques and stopping the identical from
being performed to you-into a warfighting mildew formed by the 4 older
domains. This shifts the main focus of thought from the creation and
prevention of particular results to broader warfighting ideas, comparable to
management, maneuver, and superiority. This strategy emphasizes the
regular attributes of army operations, comparable to mass, velocity,
synchronization, fires, command-and-control, and hierarchy, on the
expense of different methods, comparable to engineering, as a means of making or
stopping results.
Begin with the issue of stopping results arising from misinstructed techniques, typically understood as “defending networks.” As
famous earlier, such a activity would possibly in any other case be understood as an
engineering task-how to forestall errant orders from making techniques
misbehave. One want look no additional than Nancy Leveson’s Safeware
to grasp that the issue of retaining techniques underneath management in
the face of unhealthy instructions is part of a extra common drawback of
security engineering,7 an in depth cousin of safety engineering as Ross
Anderson’s basic of the identical title expounds.eight Safeware, by the way, has no point out of militaries or army metaphors.9
Safety Engineering hardly ever discusses army issues and far of
what it does cowl is the secure command and management of nuclear
7 NANCY G. LEVESON, SAFEWARE: SYSTEM SAFETY AND COMPUTERS (1995).
eight Ross ANDERSON, SECURITY ENGINEERING: A GUIDE TO BUILDING DEPENDABLE
DISTRIBUTED SYSTEMS (second ed. 2008).
9 LEVESON, supra observe 7.
328 [Vol. 8:2
LIBICKI
weapons.10 Together with engineering, one could add the related
disciplines of architecture (how the various parts fit together
influences how faults echo throughout a larger system),
administration, and policymaking (how to make intelligent tradeoffs
between values such as security on the one hand and cost and
convenience on the other). For systems so complex that predicting
what they do by analyzing their components is difficult, warding off
unwanted effects may also call on the talents of a scientist used to
dealing with complexity theory.
Granted, there may well be ways of managing networks which
require activities that may be likened to warfare. Even well-designed
systems have to be tended to constantly. (Indeed, well-designed
systems facilitate such management.) Systems managers may even be
lucky enough to see incoming or circulating malware and intervene to
limit its malign effects by isolating and neutralizing it. In other words, there may be something worthwhile about having warriors “live in the
network.” But is such a reactive ability important compared to
systems engineering or is it simply something to be emphasized in
order to make network defense look like warfighting? Perhaps another
analogy may be illuminating. If illegal migrants entered the United
States in large gangs, forcing their way past border guards, a military
response to their penetration attempts may be appropriate. As it is, illegal migrants enter this country using guile by sneaking across
lightly guarded terrain or by overstaying their visas. Staunching their
flow is rightly seen as a police problem. Similarly, the problem of bad
bytes traversing borders is not a matter of force but guile and the
military metaphor just does not fit.
The same question may be asked of certain aspects of “active
defense.”,’ Cyber warriors want to take the fight to the enemy by
finding, targeting, and disabling the servers from which the intrusions
came. This is probably not a bad idea if foes lack the care or
sophistication to launch an attack in other ways, for example by using
fire-and-forget weapons (Stuxnet2) or by operating from multiple
10 ANDERSON, supra note 8.
11 “Active defense” comprises a large number of defensive activities which are “active” in
the sense of doing something other than waiting for the detection of malware or an
intrusion before acting. One component, for instance, is the collection of malware
signatures from the outside to constantly upgrade the list of material whose ingestion is
forbidden.
12 Stuxnet was a worm that infected and likely destroyed uranium centrifuges in Iran’s
Natanz facility. Once released, it carried instructions on how to destroy such centrifuges
without requiring further human command.
2012] 329
I/S: A JOURNAL OF LAW AND POLICY
servers as much as and together with peer-to-peer networks of bots. In opposition to
higher foes, search and disable missions are prone to be a lot much less
productive. Right here, once more, the standard imagery of our on-line world as a
warfighting area distorts how cyber operations are understood.
Extra broadly, the emphasis on defending the area places the
data assurance cart earlier than the mission assurance horse.
Militaries undertake networked techniques to be able to facilitate kinetic
operations. Adversaries goal these networks to be able to neutralize
the Helpance that networked techniques present to operations or, even worse,
to use the dependence on such techniques to render militaries much less
efficient than if that they had by no means adopted community techniques in any respect.
Data assurance refers to how militaries reduce such a
risk, however what these militaries actually need is mission assurance. A
giant element of mission assurance is with the ability to perform
operations in an surroundings through which the enemy has penetrated
their networks. This element requires understanding the
relationship of operations to data flows and adjusting
accordingly to be able to handle danger. It additionally contains coaching to make sure
that warfighters can operate in an surroundings the place networks are
often unavailable and knowledge from a single supply is just not
at all times reliable. But when our on-line world is seen as a website that wants
to be mastered by warfighting, the subsidiary nature of this area to
kinetic operations is misplaced and the emphasis shifts to attaining management
on this area for its personal sake fairly than understanding precisely why
such management was wanted within the first place.
V. UNDERSTANDING WHAT IT TAKES FOR OFFENSIVE OPERATIONS
If understanding our on-line world as a warfighting area is a poor means
to strategy mission assurance, would possibly it nonetheless be a great way to
perceive offensive cyber operations? At first look, sure. Envision
groups of cyber warriors getting into the networked techniques of
adversaries-controlling, disrupting, and corrupting as they go.
Nevertheless, at second look, not fairly. The metaphor of warfighters
residing in our on-line world is strictly that, a metaphor. In apply, an important
deal of what offensive cyber warriors do is reconnaissance, or
exploration; in no different army endeavor is intelligence so integral to
warfighting. However the nature of the reconnaissance is just not merely to
observe and report. The true goal of our on-line world reconnaissance
has a extra scientific bent-to look at a logical construction and
decide its flaws, both by statement or by experimentation. Because it
is, the connection between reconnaissance and operations in
our on-line world has modified an important deal within the final dozen years and will
33o0 [Vol. 8:2
LIBICKI
change yet again. In the late 199os, the act of exploration consisted of
lone hackers getting past barriers and interacting in real-time with the
target system. In that respect, it was much like special operations.
These days, the entry point is more likely to be some malware that has
been downloaded by some client. (A half-dozen years ago, servers
were a more logical entry point than they seem to be today.) Offensive
cyber warriors then communicate to the target system via the
malware. The center of gravity of such an operation is the act of
determining the target system’s vulnerabilities and creating a tool
embodied in malware to exploit them. In a sense, if defensive
cyberwar is largely a question of engineering systems to make them
resistant to attacks, then offensive cyberwar is reverse-engineering
target systems to understand how they may be vulnerable to attacks.
All this dynamism further argues against trying to force-fit cyber
operations into any mold, not the least of which is domain dominance.
None of these is alien to warfighting, but they do have different
rhythms.
Such rhythms necessarily derive from the unique nature of
cyberspace. A key characteristic of offensive cyberspace operations is
that most of them are hard to repeat; once the target understands
what has happened to its system in the wake of an attack, the target
can often understand how its system was penetrated and close the
hole that let the attack happen. Even if it cannot find the hole, the
target learns where its system is vulnerable and may rethink the
accessibility or trustworthiness of its system. The strong likelihood
that targets of cyberwar will make such adjustments suggests that
offensive cyber operations may be front-loaded over the course of a
campaign. The use of offensive operations against a naive target set is
likely to be considerably more effective than against the harder target
set several weeks later. This is not so characteristic of other
warfighting domains which retain their importance throughout a
campaign.
Indeed, one can characterize offensive cyber operations as a set of
carefully prepared one-offs that have a well-defined role to play as
niche operations in certain phases of a conflict. Stuxnet could be
described that way. But such a characterization ill fits the notion of
cyberspace as a continuous warfighting domain in the same way as
land, sea, air, and space.
Finally, focusing on cyberspace as a domain suggests that cyber
warriors be organized the same as warriors in other domains.
Using/Implementing a division of authority in which the enlisted
greatly outnumber officers (typically by more than four-to-one)
implies converting cyber warfare into a set of operations in which
most elements can be broken down into routines and taught to people
2012] 331
I/S: A JOURNAL OF LAW AND POLICY
who’re well-trained however not extensively educated. The wiser
different is to find out what ability combine the area requires, then
recruit and practice appropriately with out worrying an excessive amount of about
whether or not the ensuing hierarchy characterizes what are understood to
be warfare domains.
VI. OTHER MISBEGOTTEN CONCEPTS FROM CALLING CYBERSPACE A
WARFIGHTING DOMAIN
Calling our on-line world a warfighting area additionally promotes the urge to
force-draft warfighting ideas from the sooner domains of land, sea, and air,13 which can be required as a result of everybody within the subject, notably on the senior officer degree, began in a service devoted to
a historic area and got here outfitted with frameworks that may be
used to form how our on-line world is known.
Maybe probably the most pernicious idea is the notion of area
superiority-the notion that energy in a website can stop
adversaries from doing something helpful in it. Within the air or seas, whoever’s fleet can preserve the opposite from taking off or leaving port has
achieved superiority. However, as argued, our on-line world is just not unitary. In a
conflict of two sides, there are at the very least three sub-domains: mine, yours, and, least related for warfighting, everybody else’s. One of the best hackers in
the world can do little to intrude with a very air-gapped community of
their adversaries. Sufficient mentioned.
Notions of our on-line world as a excessive floor whose dominance
presages the dominance of all different domains are equally
meaningless. The power to get helpful work performed with one’s techniques
and make it tough for adversaries to do likewise is useful, however solely
instrumental. The standard, and partially out of date metaphor, that
air management means I can hit you and you can not hit me is just not even shut
to an correct pricis of what competent cyber warriors allow.
Different deceptive metaphors come from floor warfare. For
instance, take “key terrain.” True, in any community some bodily nodes
and providers are extra necessary than others. However offensive our on-line world
operations typically can’t break bodily nodes and the providers
13 Why not outerspace? Happily for warfighters in that area, it has but to provide its
first Clausewitz, Mahan, or Douhet. Though many have tried, all have fortunately did not
obtain such conceptual heights. A part of the issue is that the physics of orbital
mechanics are so daunting, and the artwork of the attainable is kind of constrained. Regardless of the
recurrent urge felt amongst house warriors that their devices ought to be designed for
fight amongst one another, satellites are completely used to Help the terrestrial marketing campaign,
up to now at the very least.
332 [Vol. 8:2
LIBICKI
provided by networks can be and are increasingly virtualized. The very
plasticity and malleability of software makes gaining the “possession”
of key terrain an empty victory. Or take “maneuver.” Again, no selfrespecting cyber warrior wants to stay in one place waiting for the
enemies to hone in, but, by the time this metaphor of place is
translated into cyberspace, it may be drained of all effective meaning.
Should malware be polymorphic? Should it be hopping from client to
client? Should systems dynamically reconfigure their address space?
Should server capacity be distributed across the cloud? These are all
good questions, but it is unclear how translating all of them into some
aspect of maneuver is particularly helpful in answering them.
If cyberspace is like other domains, then under current rules of
engagement for kinetic combat, U.S. forces are allowed to fire back
when under fire. This particular rule provides a robust rationale for
disabling machines that appear to be sending bad packets to military
networks. Such a rule arises in part because it is deemed unreasonable
to order people to be put in harm’s way without being able to protect
themselves-and people do put themselves in harm’s way in
cyberspace. As noted above, this perspective puts too much emphasis
on firing back as a way of protecting networks despite the likely
ineffectiveness against even a halfway-sophisticated adversary.
Interpreting this doctrine more broadly carries substantial risks, particularly given the problems of attribution. A closely related
assumption is that conflict in cyberspace features an opposing force
that one is supposed to disarm or destroy. But hackers cannot be
destroyed by a cyber attack and they cannot be disarmed because
none of the three weapons in their arsenal-intelligence, computers,
and networks-can be destroyed by a cyber attack in the same way
that kinetic warfare makes possible. Hence, such a quest is futile.
Fortunately, although these issues make writing concepts and
doctrine an error-prone exercise, the influence of concepts and
doctrine on what people actually do on a day-to-day basis is limited.
But why not start by not having to jettison such inaccurate concepts in
the first place?
VII. YET ANOTHER DOMAIN TO PROTECT THE NATION FROM
Anointing cyberspace as a domain creates expectations that the
DoD, notably the U.S. Cyber Command (USCYBERCOM), will protect
the nation’s cyberspace in the same way that the Army, Navy, and Air
Force keep hostile forces away from our borders. The U.S. Department
of Homeland Security has signed technical-Helpance agreements
with DoD knowing the latter brings the lion’s share of expertise into
2012] 333
I/S: A JOURNAL OF LAW AND POLICY
the home combat for our on-line world safety. U.S. protection officers
argue that, however their intention to focus on
defending the army area, ought to some digital Pearl Harbor
ensue, the DoD must reply for why it stood apart and did
nothing to guard the nation on this area.
Can america be protected by USCYBERCOM from hostile
forceS14 on this area? Clues to that chance could also be discovered within the
Einstein III program which is being rolled out to guard the U.S.
authorities’s portion of the Web (.gov). Proponents have
advocated extending the safety to the nation’s vital
infrastructure5 and the defense-industrial base.16 Such a program
would sit between the Web and the protected networks, inspecting
the contents of all incoming packets and neutralizing those who
comprise the signature of identified malware-a firewall to finish all
firewalls. However would it not work, or at the very least work higher than what already
exists? Keep in mind that these establishments can even contract with
skilled data safety corporations to acquire the identical
providers with out elevating government-spying points. If USCYBERCOM
has an edge, nevertheless, it may solely be as a result of it is aware of one thing
about malware signatures that these personal corporations don’t, both
arising from harvested intelligence unavailable to personal companies17 or
from having discovered a vulnerability themselves and telling nobody.
There’s absolutely some malware identified to the intelligence group
that has not but been seen within the wild, however there may be undoubtedly even
extra malware unknown to the intelligence group by dint of
being developed in small cells that don’t show their wares over the
unencrypted Web. It’s onerous to think about, as an illustration, that an
Iranian equal would have found Stuxnet.
14 Chris C. Demchak & Peter Dombrowski, Rise of a Cybered Westphalian Age, 5
STRATEGIC STUD. Q. 32,38-39 (2011), accessible at
http://ww w.au.af.mil/au/ssq/2011/spring/demchak-dombrowski.pdf (suggesting that
many states are prone to strive anyway).
15 Siobhan Gorman, U.S. Plans Cyber Defend for Utilities, Corporations, WALL ST. J., Jul. eight,
2010, at A3, accessible at
http://on-line.wsj.com/article/SB10001424o527487o45450045753529838504631o8.html.
16 Marc Ambinder, Pentagon Needs to Safe Dot-Com Domains of Contractors,
ATLANTIC, Aug. 13, 2010, http://www.theatlantic.com/politics/archive/2010/08/
pentagon-wants-to-secure-dot-com-domains-of-contractors/61456.
17 The bigger information-security corporations (together with Microsoft) have so many screens
in place that they do, actually, collect an excessive amount of what could be known as intelligence if performed
by governments.
334 [Vol. 8:2
LIBICKI
What Einstein III offers, a better firewall, is just one element of a
more complex array of information security measures. Returning to
Stuxnet, relying on such a firewall could have blinded defenders to the
need for inherent defenses, including eliminating USB ports on the
air-gapped network, ensuring that the programmable logic chip (PLC)
that governed the centrifuges could not be reprogrammed in situ, or
separating the mechanisms that controlled the centrifuges from the
mechanisms that monitored what the centrifuges were actually doing.
Indeed, creating something like Einstein III under government
auspices may well reduce the amount of real effort expended on
cybersecurity, just as USCYBERCOM has provided the Services with
excuses for not defending their own networks. Then, users can hide
behind the fiction that they are being fully protected and can no longer
be compelled to protect themselves, thereby limiting potential
lawsuits arising from third-party damage. After all, no one expects
private firms to mount their own anti-aircraft weapons.18
VIII. CONCLUSION
The notion that cyberspace is a warfighting domain is deeply
engrained in doctrine and the minds of those who carry out such
doctrine. This essay argues that this concept is misleading, perhaps
even pernicious. Faced with the question-if cyberspace is not a
“domain” what is it-one answer may be that “it” does not exist in a
sufficiently meaningful form to make conflict-related statements
about it. Such a stance suggests that the term be totally avoided, but
since the author himself has no intention of following such advice, the
second-best alternative is to use the term carefully. Take a sentence
with the offending word in it-for example, the United States must
achieve superiority in cyberspace-and restate it without that term.
The resulting sentence will likely be wordier, but if it is also
nonsensical or excessively convoluted, perhaps the underlying thought
needs rethinking as well. As for the argument that the military’s
calling cyberspace a domain is necessary if it is to organize, train, and
equip forces for combat in that medium,19 what is wrong with focusing
i8 More likely, such enterprises will object vociferously because they do not want the U.S.
government reading the contents of all their incoming traffic. Commercial satellite
operators, for which the case for protection is somewhat stronger, are adamant about not
wanting the DoD’s help.
19 The first strategic initiative of the DoD Strategy for Operating in Cyberspace is, “treat
cyberspace as an operational domain to organize, train, and equip so that DoD can take full
advantage of cyberspace’s potential.” DEP’T OF DEF., STRATEGY FOR OPERATING IN
2012] 335
I/S: A JOURNAL OF LAW AND POLICY
on the issues that such forces should solve-defending networked
techniques, interfering with these of the adversary-and then organizing,
coaching, and equipping to unravel such issues? Militaries do that for
digital warfare with out the latter, as famous, having been elevated
right into a separate area.
Nonetheless, is the combat over calling our on-line world a website over
even earlier than it has begun? Is it time to maneuver on? A dozen years in the past, a
equally misguided notion plagued the protection group. The
idea of knowledge warfare created a false unity binding numerous
actions comparable to our on-line world operations on the one hand and
psychological operations on the opposite. Fruitless hours had been spent
creating a complete idea overlaying this agglomeration.
When questioned about whether or not such a unity was not illusory, excessive
protection officers retorted: be that as it might, the idea was
established and that was that. However issues did change. The time period
data warfare, within the strategy of morphing into “data
operations,” created “affect operations,” which covers
psychological operations and concomitants, comparable to strategic
communications. The cyber a part of this formulation, pc
community operations, married the “cyber” prefix and separated itself
fully from issues psychological. Digital warfare returned to
its personal aerie. So, at the very least the time period, data warfare, has been
rectified.
CYBERSPACE 5 (2011). Though the Technique by no means makes use of the time period “warfighting area” as
such, our on-line world is to be handled no in a different way than the historic 4, “As directed by the
Nationwide Safety Technique, DoD should be certain that it has the required capabilities to
function successfully in all domains[-]air, land, maritime, house, and our on-line world.” Id.
336 [Vol. eight:2

Published by
Medical
View all posts