Cyber Deterrence Case Study Essay Assignment
Order ID:89JHGSJE83839 Style:APA/MLA/Harvard/Chicago Pages:5-10 Instructions:
Cyber Deterrence Case Study Essay Assignment
In 1000 words answer the following questions below using the attached sources.
Given the characteristics of the cyber domain, what are some of the elements necessary to make up an effective policy of cyber deterrence?
Is an effective cyber deterrence policy even possible?
What are some of the practical problems of deterring cyber attacks and what are some of the potential solutions?
One way to address this question is to look at the traditional forms of deterrence when it involves conventional weapons or nuclear weapons. Are there similarities?
In the nuclear era it was clear that such weapons were under the control of states – usually great powers – and therefore it was easier to convey intent to the adversary. How do we do that in cyberspace?
Should the US policy of cyber deterrence be implicit or explicit?
74 | Air & Space Power Journal
Cyber War and Deterrence Applying a General Theoretical Framework
Capt Isaac Nacita, USAF Lt Col Mark Reith, USAF, PhD Disclaimer: The views and opinions expressed or implied in the Journal are those of the authors and should not be con- strued as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government. This article may be reproduced in whole or in part without permission. If it is reproduced, the Air and Space Power Journal requests a courtesy line.
Introduction
Military history, when superficially studied, will furnish arguments in support of any theory or opinion.
—Paul Bronsart von Schellendorf
In September 1870, after just six weeks of what many thoughts would be a pro- longed war, Prussian bystanders jeered Louis-Napoléon Bonaparte as he was carried to captivity in what is now Kassel, Germany. It was a fitting portrait of French na- tional disgrace.1 Their military structures before the war and lack of strategic plan- ning were partly to blame.
National archivist Dallas D. Irvine points out, “it (the French system) was almost completely effective in excluding the army’s brain power from the staff and high command. To the resulting lack of intelligence at the top can be ascribed all the inexcusable defects of French military policy.”2 Never- the less, influenced by the idea that France had lost due to its lack of morale that an offensive approach would have provided, the military regrouped and refocused it- self, this time adopting “antique á outrance.” This doctrine was French military strategy entering World War I, and it was almost immediately proved spectacularly wrong. The French lost 300,000 soldiers in the first month of war.
Yet “the legacy of the adoption of the offensive was even more terrible in another sense. The wanton slaughter it spawned produced a similar reaction in all those who lived through it—a grim determination never to allow such slaughter again.”3 Once again, they turned to the defensive, and in the years leading up to World War II constructed the Maginot line. The Germans simply bypassed its strong points and broke through a weaker French line in unexpected terrain. The Maginot line is now a metaphor for something that creates a false sense of security.
Summer 2018 | 75
Cyber War and Deterrence
There is a saying that politicians and generals are always fighting the last war, which is emphasized when the weapons and characteristics of warfare are changing rapidly. However, if this is true, it is often not due to an inability to learn lessons from previous conflicts, but to “overlearn” or overcompensate for the failures and experiences of the past. In reality, this is not a learning problem but one of forming poor implications from historical events, which leads to poor applications of doc- trine the next time around.
The DOD now acknowledges that warfare has extended into cyberspace, and it is my central thesis that the military often suffers from a lack of meaningful conversa- tion concerning the problems it faces in that domain. The lack of discourse is due partly to poorly adopted metaphors and analogies pulled from other domains of war- fare and historical examples, and in general to a lack of rigorous strategic framing of the problem and its potential solutions.
The Problem What problem doesn’t the United States face in cyberspace? The online world re-
flects the totality of human societal issues. Is there a cyberwar occurring? Cyber- space is a “contested environment,” but so is the global business market.
Karl Von Clausewitz called war a clash of wills, a political act carried out by other means, yet also characterizes it with physical force that seems to require a physical domain.4 Some, therefore, argue that acts of sabotage, espionage, and subversion occur, con- ducted through a different medium, but not warfare.5 Martin C. Libicki suggests the possibility of “sub-rosa” warfare, implying the general population may be totally un- aware of what is occuring.6 Others downplay the terminology because what we have faced so far is overhyped and does not merit the title.
In many cases the actual ef- fects due to malicious cyberspace attacks are less than those that occur due to natu- ral or accidental events. There is a somewhat humorous incident in which, a year after alleged Russian cyber-attacks in Georgia, a 75-year-old woman accidentally cut a cable with a shovel and knocked out internet access in all of Armenia, outdoing Russia in terms of total effect.7 All of this is also compounded by the tendency to treat all of America’s social problems using warfare terminology. We are fighting a “war against poverty” and a “war on drugs.” There is winning, and there is losing but rarely a clear winner or loser.
These things notwithstanding, the DOD has already recognized cyberspace as a war-fighting domain. But the nature of the problem is central to the question of de- terring or prevailing in cyberspace. One source says, “stop debating on what to call the problem and get us some help!”8 The point is understood, but if the problem is not, we should not expect to receive any meaningful help.
The Defense Science Board (DSB) presents some examples of cyber attack that may be used to frame the problem. It points to Iran’s denial of service (DoS) attacks on Wall Street in 2012–13, North Korea’s hack of Sony Pictures, Chinese intellectual property (IP) theft, and Russia’s alleged involvement in the 2016 presidential elec- tions. The document also refers to attacks by nonstate actors like Anonymous or New World Hackers, acknowledging that all of these represent only a small sampling. Fears
76 | Air & Space Power Journal
Nacita & Reith
include the ability of these nations to hold US critical infrastructure at risk, to thwart American military response via the cyber domain, and to use a wide range of lower- intensity attacks that collectively take a toll on the foundations of national power.9
The DSB’s recommendations for cyber deterrence read like a Cold War deterrence playbook and not without acknowledgement. Its first initiative, planning tailored deterrence campaigns to cope with a range of attacks, unmistakably resembles flex- ible response, the concept that moved US nuclear policy away from massive retalia- tion toward something more proportional. Its second initiative, creating a cyber-re- silient “thin line” to key US strike systems, even uses the term “second strike” in a clear acknowledgement of its nuclear deterrence forbearers.
Even “countervailing” appears in the document, a term used during the Carter administration years to con- vey a particular nuclear deterrence strategy.10 The analogy is not limited to the DSB, presumably because the cold war itself is often invoked in discussions of the rela- tionship between countries over their interactions in cyberspace.11 A recently cited case described the suggestion to leak our cyber offensive capabilities, which takes the idea from nuclear deterrence, that is, a secret weapon cannot be a deterrence.12 Even the question posed for this article seems to echo President Reagan’s speeches on “prevailing” over the forces of communism and the Soviet Union.
In 2012, Defense Secretary Leon Panetta used the term “cyber Pearl Harbor” to convey the danger the US faced in the cyber domain;13 others have similarly used “Cyber 9/11.” In contrast, John Arquilla and David Rondfeldt suggested (more than a decade earlier) a “manifest destiny for the information age.”14 Others call cyber- space the new “wild, wild west” or harken the era of pirates and privateers, weak governments, and inexplicit or unenforced international norms.15 All of these have something in common: the desire to explain something new in understandable terms by reminding us of the past.
Cyberwar is complicated because it covers a range of attacks; DoS attacks and leaking of Democratic National Party documents represent two very different types of attacks and two very different strategies. The only thing they really have in common is that both were conducted using cyber do- main tools and directed at the US.
Scholars have noted that metaphor is an essential part of how humans rationalize and understand the world, not just in language, but also thought processes.16 Chris- topher R. Paparone argues that “management of meaning” is a primary task for leaders.17 They are often the best way to frame the narrative, but with the obvious problem of oversimplification. A naïve translation of nuclear deterrence principles into cyberspace, therefore, obscures the real problems we face.18 Metaphors “carry with them, often covertly and insidiously, natural ‘solutions.’ ”19 Computer viruses resemble biological viruses, so some have suggested a cyber version of the Center for Disease Control.20 Online piracy, like real piracy, is a problem of establishing in- ternational norms and compelling nations to enforce them.21 These are perhaps two of the better ideas, but they also show that the method of framing the problem af- fects the way the solution is formulated. Winston Churchill’s iron curtain descrip- tion painted a visceral image in Western minds that helped to shape the policy of containment under the Eisenhower administration. References to an “information curtain” or “tearing down this firewall” lack the same vitality.22
Summer 2018 | 77
Cyber War and Deterrence
Paparone discusses categories of metaphor used by leaders: Newtonian, post- Newtonian, and Humanities and Arts.23 Newtonian metaphors are based in the hard sciences, and tend to be deterministic in character. Military doctrine derives many of its concepts from Newtonian terminology, such as mass, friction, center of gravity, and power, which carry a quantitative quality. In contrast, post-Newtonian meta- phors allude to the complexity and mutual interaction of a system, based in fields like biology, medicine, and quantum mechanics, in which probabilistic effects char- acterize outcomes rather than linear, deterministic ones.
The terms are used exten- sively in the cyber domain; network, virus, infection, and worm all draw parallels to the “post-Newtonian” world. They are also used to explain things like terrorism and insurgency. Finally, the humanities and arts provide metaphors and analogies from historical, literary, and cultural references. In one of the better war metaphors, Clausewitz likened it to two wrestlers striving for dominance over one other.24
In summary, the cyberwar discussion is taking place within a language context that is as congested as the internet itself. This problem has some precedent. Lt Col Peter Faber, USAF, retired, argued that airpower theory and doctrine suffered inside a similar “prison house of language” during its development that mixed rationalist ideals, antinationalist thought, and army terminology.25 In response, Lieutenant Col- onel Faber suggested a framework originally conceived by Dr. Robert Pape and ex- panded by several works at the Air University.26 This framework was intended to generalize the ideas of airpower, but without locking it into a particular linguistic context.
Particularly, the goal of any strategy is to link ends with means. It is this framework that I propose can be utilized to help understand how to address the cyber- specific threats to national security that the US faces.
A Strategic Framework The framework takes the form of six key questions in anticipation of any strategy
utilizing military forces:27
What outcome am I seeking?
What are my specific politico-military capabilities and those of the adversary?
What type of strategy should I pursue?
What targets or objectives are most important?
What mechanisms do I expect my operation to trigger?
How should I time my actions?
Beginning with the first question, the outcome sought is primarily political in na- ture. However, it does not have to be destruction-oriented. In this case, the aim is to stop aggressive actions in cyberspace. Yet this requires further clarification. The outcome should be considered with respect to some receiver.28 Who should stop conducting aggressive actions in cyberspace, and which actions should stop? Is the political outcome that China reduce IP theft from American corporations? Or is it to reduce the vulnerability of US critical infrastructure? Changing the formulation of
78 | Air & Space Power Journal
Nacita & Reith
this outcome may change the direction of the strategy. For instance, the outcome may be stated in terms of stopping a particular nation-state from taking hostile cyber- actions against our power grid. Alternatively, it may be stated in terms of minimiz- ing the effects of a power system cyber attack on the functioning of society. In the latter case, perhaps the receiver is not the adversary but the private owners or man- agers of US critical infrastructure. We should avoid the temptation of grand, unified strategic deterrence aims to cover all possible cyber actors and activities; such a thing is akin to a “land” or a “sea” deterrence.29
Next, the comparison of politico-military capabilities. Policy, readiness, training, domestic culture, equipment, tactics, and attribution are all applicable in the cyber domain as in every domain. Perhaps the US holds a conventional warfighting ad- vantage, but how ready are forces to defend networks or conduct offensive actions in cyberspace? What about cultural strength, the responsiveness of the general pop- ulace to an information campaign pressing a particular narrative, as in alleged elec- tion meddling? Sun-Tzu may have summarized the importance of this question simply: know yourself, and know your enemy.30
The third key question asks that a particular strategy be considered. Lieutenant Colonel Faber suggests several:
punishment—pushing a society past its economic or psychological breaking point
risk—same as punishment but with gradual escalation
denial—neutralizing ability to wage war
decapitation—destroying or isolating leadership, national communications, or other centers of power
disabling—disrupting offensive abilities
delaying—using threats or deterrence method to preserve status quo
enabling—creating stability where it is weak
It now becomes clearer why language problems have often been crippling to cyber discussions. Nuclear deterrence analogies, which have been used but found wanting in most cases, do not usually fit because they were formulated for specific political outcomes and specific assessments of capability. It is of course true that cyber weap- ons aren’t nuclear bombs, but bombs were not the goal of deterrence, they were the means that fit the assessment. A more important lesson is how, not what, strategy was applied given the options.
The delaying or punishment strategies may have worked then; maybe a denial or an enabling strategy is more appropriate now. A possible example of a “cyber” decapitation strategy was the release of the Mandiant report, which simply used well-documented exposure of the PLA to isolate it in the international community.31 This led to international agreements, with observed de- creases in the number of cyber intrusions since.32
The fourth key question regards critical targets and their importance. Lieutenant Colonel Faber points out issues to consider:
Which aspects of the receiver’s power should be targeted?33
Summer 2018 | 79
Cyber War and Deterrence
Sources – military, industrial, cultural
Manifestations – government, ideological
Linkages – human and material networks
What is the generic strategy? • Direct – “head on” assault, confrontation, or support
Indirect – reduce will to fight or alter decision making
What level of destruction do I want?
Clearly, the previously mentioned adversaries make the same considerations. The indirect strategy is often assumed in cyberspace, which sometimes is trans- lated denial, degradation, disruption, destruction, or manipulation of information.34 In a general sense, however, a target may be chosen for either strengthening or weakening, depending on the previous formulations.35 Targeting theory forms a large part of airpower theory and is a key aspect of nuclear strategy. The US also often uses economic leverage to target sources of power. Cyber-targeting is a less developed concept but was recently considered in a thesis at Air University.36 As with airpower, the targets are endless. However, the linkage between this step and the next is what Lieutenant Colonel Faber refers to as the “holy grail” of airpower, something that has yet to be completely achieved.
The fifth key question is to ask which mechanisms are expected to be activated by the previous targeting choice. What changes or outcome should be expected? Political division? Mass confusion, revolt, or surrender? Increased will to fight? A key reminder from early airpower advocates is that they were often wrong; bomb- ing cities sometimes resulted in chaos or surrender and sometimes strengthened the people’s will to resist.
Cyber power effects are similarly difficult to predict. The 2007 DoS attacks in Estonia do not appear to have achieved any lasting effect. Stux- net delayed but did not seem to ultimately alter the direction of Iranian nuclear programs. On the other hand, understanding the real effect of the information cam- paigns during the 2016 election remains elusive. First-order effects in cyberspace are easier to calculate, as they were in strategic bombing, or they may not be the primary purpose at all. It is the second, third, and fourth-order effects that have al- ways been difficult, and these depend greatly on whether proper attention has been paid to question two.
Ultimately, deterrence is not a matter of thwarting technology, but of influencing decisions. These decisions are usually specific and limited. US nuclear policy perhaps influenced Soviet decisions to not launch nuclear weapons but did not prevent ev- ery undesirable Soviet military action, because there is no way to guarantee human behavior in every situation. However, one can use critical thinking and good judg- ment to seek solutions if the problem is framed well, the desired outcome is clearly defined, and the work to know ourselves and our adversaries well enough to make reasonable estimates of their responses has been done.
Finally, Lieutenant Colonel Faber considers timing. Should actions be single or multiple? Incremental, sequential, cumulative, or simultaneous? Once again, this is
80 | Air & Space Power Journal
Nacita & Reith
tied to the desired mechanism. Will a single response be enough to deter a particular actor from a particular behavior? Or actions taken on a regular basis? Declaratory policy may work in some cases and may not in others.
It is my assertion that this framework provides a helpful, yet nonprescriptive man- ner in which to gauge the question of strategy for war and deterrence in cyberspace. It is not prescriptive because war is ultimately not a deterministic mathematical equa- tion, and linking means and ends has always proved difficult. Nevertheless, it re- minds us of a few important lessons, and helps free us from the traps of communi- cating under a constrained set of references.
Some Final Recommendations What then, should the US do to better prepare for deterrence and, if that fails, to pre-
vail in cyberspace? There are at least three ideas that we should grasp from this exercise.
Critical thinking and judgment must replace lessons learned.
They said, that to go to the gate for entrance was, by all their countrymen, counted too far about; and that, therefore, their usual way was to make a short cut of it, and to climb over the wall, as they had done.
—John Bunyan, Pilgrim’s Progress
The central idea of this article has been that a poor usage of language and a lack of framing the problem has complicated and crippled the discussion of cyberwar and deterrence strategy. Senior leaders will not and should not throw out all metaphorical language and historical references. Our language and our history are part of our country’s strength.
Therefore, communication of the right pictures and the right historical lessons for the purpose of formulating today’s strategy remains the goal. This will happen to a greater degree when we commit ourselves to the hard task of critical thinking rather than taking the shortcut of a simplified lessons-learned ap- proach.
We must learn from those who considered nuclear warfare in the 1960s, or asymmetric warfare in the Middle East, but we should not try to take shortcuts in our solutions. We must consider problems on their own merit, while acknowledging the work of those before us, and reaping the benefit of strategic thinkers who helped provide a framework for thinking well today.
Courageous leadership will be required.
Never neglect the psychological, cultural, political, and human dimensions of warfare, which is inevitably tragic, inefficient, and uncertain. Be skeptical of systems analysis, computer models, game theories, or doctrines that suggest otherwise.
—Secretary of Defense Robert Gates, 2008
Decisions in war and peace are often based on insufficient intelligence, probabili- ties, and general principles. We can reduce the likelihood that we make fundamen- tally unsound links between our ends and our means by thinking clearly and criti- cally and taking into account a broad set of perspectives. However, at the end of the
Summer 2018 | 81
Cyber War and Deterrence
day, our leaders will have to be courageous enough to listen and courageous enough to act or not to act. We should expect nothing less. War is fundamentally un- certain, and courage to decide will always be required.
Humility is key.
A generally useful way of concluding a grim argument of this kind would be to affirm that we have the resources, intelligence, and courage to make the correct decisions. That is, of course, the case. And there is a good chance that we will do so. But perhaps, as a small aid toward making such decisions more likely, we should contemplate the possibility that they may not be made. They are hard, involve sacrifice, are affected by great uncertainties, concern matters in which much is altogether unknown and much else must be hedged by secrecy; and, above all, they entail a new image of ourselves in a world of persistent danger. It is by no means certain that we shall meet the test.
—Albert Wohlstetter, The Delicate Balance of Terror, 1958
Humility allows us to do several things. It allows us to consider the past and rec- ognize that we are not unique in facing problems and challenges of humanity. It in- sists that we recognize and accept strategic miscalculations and change our course of action. It gives us the ability to work with others from different fields and different backgrounds to solve a common problem. It dictates that we defer to others who are more able, more knowledgeable, and more informed about particular areas that we will have to consider. It causes us to realize that complete answers and complete solutions are not part of the realm of warfare and deterrence. Finally, humility re- minds us that it is not certain we will be successful and so shows us that we too must do the hard work that every past generation has faced in its own way. µ
Cyber Deterrence Case Study Essay Assignment
RUBRIC
Excellent Quality
95-100%
Introduction 45-41 points
The background and significance of the problem and a clear statement of the research purpose is provided. The search history is mentioned.
Literature Support
91-84 points
The background and significance of the problem and a clear statement of the research purpose is provided. The search history is mentioned.
Methodology
58-53 points
Content is well-organized with headings for each slide and bulleted lists to group related material as needed. Use of font, color, graphics, effects, etc. to enhance readability and presentation content is excellent. Length requirements of 10 slides/pages or less is met.
Average Score
50-85%
40-38 points
More depth/detail for the background and significance is needed, or the research detail is not clear. No search history information is provided.
83-76 points
Review of relevant theoretical literature is evident, but there is little integration of studies into concepts related to problem. Review is partially focused and organized. Supporting and opposing research are included. Summary of information presented is included. Conclusion may not contain a biblical integration.
52-49 points
Content is somewhat organized, but no structure is apparent. The use of font, color, graphics, effects, etc. is occasionally detracting to the presentation content. Length requirements may not be met.
Poor Quality
0-45%
37-1 points
The background and/or significance are missing. No search history information is provided.
75-1 points
Review of relevant theoretical literature is evident, but there is no integration of studies into concepts related to problem. Review is partially focused and organized. Supporting and opposing research are not included in the summary of information presented. Conclusion does not contain a biblical integration.
48-1 points
There is no clear or logical organizational structure. No logical sequence is apparent. The use of font, color, graphics, effects etc. is often detracting to the presentation content. Length requirements may not be met
You Can Also Place the Order at www.collegepaper.us/orders/ordernow or www.crucialessay.com/orders/ordernow
Cyber Deterrence Case Study Essay Assignment