I gave a talk this morning about cyberspace at the Fletcher Doctoral Conference 2011. It was a panel with renowned expert Greg Rattray (FF’98), Professor William Martel, and Col. Tom McCarthy (FF’12+).
On one level, the topic was whether cyberspace is a domain and why. In another sense, it was a talk about why we’re still talking about that. With so much ink spilled since the 1990s on the strategy of cyberwar, cyberattack, and cyber defense, why are we still dithering over first principles? And is there any practical effect? Is the domain determination consequential, specifically with regard to the organs of government and military to protect American interests?
Many of the hot current issues got raised during the Q&A:
- How do we prepare government and the military to share responsibility for cyberspace with the private sector?
- How do we characterize the risks of cyber attacks, and can we have any useful measures of them?
- What is the government empowered to do on our behalf?
- What makes attribution difficult, or even different, in cyberspace?
- Why not simply refer nonstate cyber attacks to the relevant authorities in the host country?
My talk revisits an earlier blog post and focuses on a few points outlined below. I won’t summarize the other talks here, but they were well worth the time invested. In the Q&A, we referred to Jody Westby (2004) International Guide to Cyber Security, and to Qiao and Wang (tr. 2002) Unrestricted Warfare.
Things in cyberspace are located manywhere, not somewhere. That makes it hard to characterize what’s next to what, what is close to what, and how long it takes to get from somewhere to somewhere else. That distinction makes it inherently hard to say how concepts from land, sea, air and space have analogs in cyberspace.
Transit in cyberspace can refer to movement either of information or laptops, but not teleportation. The kinetic capabilities of cyber-enabled assets are still bound by the laws of physics.
Adjacency has a specific meaning in cyberspace. Things are adjacent when they can communicate directly with one another, on the basis of the map of physical wires, compatible data standards, mutual encryption and decryption technologies, and shared understandings of trust in infosec. We can choose to make systems connect or disconnect. We can choose to grant access or to forbid access, and we can choose to penetrate forbidden systems. Adjacency is both a policy choice and the outcome of cyber operations.
Time is the key variable affecting the difficulty of control in cyberspace. Time is required to gain access to IT assets. Time is required to execute instructions. Time is required for humans to make decisions to cooperate on problem solving across legal and political boundaries. Time is required for attribution during cyber conflict. Time is required to develop effective cyber tactics to support non-cyber actors across the spectrum of business, government, and military.
Effective response in cyberspace will require political-military, public-private and international cooperation. Adversarial attempts to penetrate and mislead potential allies will poison the well for cooperation. So our strategic end forbids us in some profound sense from developing and deploying a cyber doomsday device, which would serve as the linchpin of deterrence.
Putting our cyber assets off in a silo will deprive them of necessary day-to-day training and operation with non-cyber forces. That daily interaction is crucial for understanding how cyber assets support low-level tactical units, how non-cyber operators handle cyber failures of various kinds, and what cyber capabilities are most worth developing. In short, a cyber silo is exactly the wrong strategy.
Finally, I warned of the dangers in substituting metaphor for policy in public discourse. Arbitrary features of extended metaphor may sway the judgment of non-technical personnel on enormously important matters of investment and strategy. Pervasive cyber euphemisms reinforce the culture of secrecy surrounding capabilities and tactics, to the detriment of legitimate oversight based on existing law, ethics, and risk management.