Physical metaphors for cyber space create pernicious mistakes of intuition about strategy. The lay of the land determines a great part of battlefield strategy. Cyber space is as unfamiliar and surprising as a trip through the looking glass, frustrating many efforts to understand cyber strategy by way of analogy to physical space. Writing about cyber strategy would be greatly improved by careful attention to the shape of the battlefield. The battlefield is a vast, multi-layered network and not a physical terrain.
Problems with the metaphor of space for cyberspace
- Single physical location fails in two directions. One actor can be located in more than one location. One location can exist in more than one physical jurisdiction, or in the global commons (e.g., satellite Internet link to offshore platform).
- Perimeter defenses doesn’t work.
- The analogy to physical movement and distance yields poor intuition about movement in cyber space, e.g., velocity, acceleration, time to penetrate defenses, and maneuver.
- Control of physical objects is a particularly poor metaphor for cyberspace analogs, which requires neither direct physical access nor the attention of an individual. In physical space, individual agents control only those objects within reach; creation of new objects requires logistics, procurement.
- Crucial capabilities for control: autonomy of maneuver, force projection over a territory.
- Changing the physical landscape is time-consuming, expensive, and hard to conceal.
Concepts for cyber security
- Network locations. IP address, physical layer, hardware within the machine (MAC, SIM), organization providing Internet access (ISP, cell network, satellite link), states with governing authority over telecoms.
- Access control, difficulty of forging authentication, multiple factors of authentication, time-based security.
- Network measures of distance. Servers mediating access to a target system. Physical barriers mediating access to a system.
- Manipulation of remote systems is cheap, automated, replicable. Millions of poorly protected machines are widely available.
- Crucial capabilities for control: IT control policies and procedures, jurisdiction, surveillance, and collaboration in law enforcement, counter-intelligence.
- The network topology is a policy choice. Control over topology is shared between governments, business, civil society, and individuals. Topology is actively controlled by actors before, during, and after conflict.
Just as the domain of air warfare required new strategy, so does the cyber domain. The air domain vastly increased the reach of a few actors. Air operations prioritized the defense-industrial base, which could replace assets lost in battle. Together, air and naval power permitted the projection of power at previously unimagined distances.
The cyber domain will prioritize dominance in software engineering and reconnaissance. The best prepared actors for future cyber conflicts will have the greatest understanding of adversaries’ systems (software, hardware, and connections to strategically important economic and military assets). They will have deployed access in advance of the conflict, which can be activated on short notice. They will have the greatest understanding of the relationship between the cyber domain and the national will to fight: including the government’s ability to decide and execute strategy in wartime, the ability to procure vital natural resources and supply the battlefield, and the ability of the population to understand political developments and mobilize their efforts to support the government and the military.
Superiority in the cyber domain will look radically different from the air domain. Air superiority describes a state where the dominant power can compel adversaries to refrain from using aircraft in a given geographic territory. In the cyber domain, attacks look very similar to normal telecommunications and IP traffic. Attack messages are needles in the haystack of normal Internet and voice communications. There is no way in practice to identify and screen out the rogue packets among all Internet traffic, at least for the most sophisticated attacks. Cyber superiority may not yield the same freedom of action to the dominant power that air superiority does today.
The effects of cyber attacks can include the destruction of physical infrastructure, the disabling of military vehicles and communication systems, and the corruption of strategically important databases. Often states under attack will have little choice but to suspend the operations of undefended computer systems—meaning in many cases the cessation of normal business operations.
The differences between physical geography and cyber geography are fundamental. The consequences of these differences are not only tactical; they are strategic. Defense in the cyber era must be based on a clear understanding of the topology of cyber space, and the way it will change in a time of conflict.