June 01, 2012

Lies, Sex, and Cyberhype

OK, there is no sex involved in this post (I'm not a 4Chan guy, my apologies if that's your thing). I just wanted a catchy title. And the "lies" involved are the usual sort that states employ for covert operations. But there is a lot of cyberhype and red herrings associated with the Stuxnet disclosure. The revelation (which was unsurprising to those following the Stuxnet case) that the US has been involved has raised all of the issues of the cyberwar/cyberpeace debate: what constitutes war vs. security, the lexical inflation involved in the term "cyberweapons," the force of norms in cyberspace, infrastructure attacks, and the role of international regulation. I will deal with each of them in turn.

Separating Cyber "War" and Cyber Peace (I)

First, there is a very concrete difference between cyber conflict, cyber war, and cyber warfare. Conflict is a generic term that refers to all manner of adversarial interactions in the international system. States conflict in a variety of ways, some of which involve various forms of coercion. The United States and Iran are arguably engaged in multiple kinds of financial, covert, and proxy conflict. But the definition of war should not be unnecessarily expanded. As Thomas Rid has insightfully observed, standalone cyber war is impossible. But before I explain why, it's worth going into what the domain we are talking about actually represents.

The notion of cyber "war" is based on a misunderstanding of what cyberspace constitutes. Cyberspace is a domain utilized since the late 19th century that always existed in some shape or form, but only has been recently accessed by human tools. Cyberspace is only as much a "man-made" domain as space or the ocean is. It is different in that it governs the seams between the artificially constructed domain relationships that DoD has portioned out. The term "battlespace" accurately demonstrates that air, sea, and land are really permutations of the same thing, and the realm of "command, control, communication, coordination, and cognition" that cyberspace represents is something qualitatively different.

Cyberspace is, of course, not a separation from "real" life any more than the sea, air, or space is. Human beings are embodied in cyberspace, but our inability to visualize the complexity of the space in which our communications travel across large distances leads us to create an image of it as somehow being a Tron-like universe we lose our physical selves to enter. All things that send and receive information have cyberspace, something that the Chinese have always recognized in their theoretical juxtaposition of computer network operations (CNO) and electronic warfare (EW) under the common banner of information warfare. True, CNOs may exploit pre-existing vulnerabilities through zero-day exploits and EW physically degrades systems, but they are not conceptually separate.

It is a common truth of naval, air, and space warfare that people live on the land, hence the goal of military efforts is to influence events on land. The goal of cyber warfare is to cause political effects through uses of force. As we have seen from today's disclosure, attribution is overrated when it really counts. Ambiguity rarely serves either domestic or international purposes. Unless one has a narrow technical objective or is simply doing it for the lulz, there is no benefit to keeping silent about being the originator of a cyber attack that actually matters. Would the Obama administration, if it sought to stop the killings in Syria, launch an airstrike with a completely invisible fighter jet? No. The point of using destructive force is to let the other team know that there could be more on the way.

Separating Cyber "War" and Cyber Peace (II)

Rid argues that the vast majority of what has been dubbed "cyberwar" by the media is actually sabotage, subversion, theft, vandalism, or intelligence exploitation. All of these things are important forms of conflict relevant to national security, law enforcement, and private security. In order to be war, however, they have to be lethal, instrumental, and waged to further political objectives. Is cybersecurity an important problem? Yes. But cybersecurity and cyberwarfare are two conceptually different problems that are routinely conflated.

It is true that some cyber operations and tactics constitute cyberwarfare, but they can never be "war" alone. Certainly some cyber attacks can constitute acts of war (more on that later), but it is illogical to believe that an adversary could attain his or her objectives solely through cyberspace or that war would be limited to cyberspace. The DoD's Plan X, for example, is based on the explicit presumption that cyber operations and tactics amplify conventional attacks or work in concert with them. Furthermore, the vast majority of what are called cyber weapons are not actually weapons. A weapon is designed with lethal intent--to purposefully cause or threaten loss of life and physical damage. The present generation of cyberweapons utilizes the target system itself as a vehicle for creating damage, and EW platforms explicitly create direct damage themselves.

Now, is Stuxnet an "act of war," as many have claimed? The answer is really not as crystal clear as it has been made out to be. First, the phrase "act of war" is a political rather than legal concept. The United States chose to interpret the Gulf of Tonkin skirmish as a casus belli but the Republic of Korea did not choose to do so when the Cheonan was purposefully sunk. Inasmuch as war is a lethal relationship between two competing forces seeking to impose their will on the other through violence, the Kargil conflict between India and Pakistan was a military conflict. But until India chooses to respond to Pakistan's numerous state sponsorship and in some cases operational control of terrorism against the Indian heartland and Kashmir, it will not rise to the level of warfare. Iran has not chosen to interpret the Stuxnet attack as an act of war and has even downplayed the damage. Had the United States executed an airstrike on the same centrifuges, does anyone believe Iran would have sat on its hands? And this brings us into the next paragraph.

What we do have, however, are international law standards as to what constitutes an act that could justify retaliation. I will quote my own (rather crude simplification) summary of former Air Force JAG Charles Dunlap on this issue:

Charles Dunlap observed that international law of armed conflict (LOAC) tends to be "effects-based"--as in the effect of the action determines whether it constitutes an "armed attack" against which can be retaliated. LOAC can at times be confusing because it does not grant a clear go-ahead for states to respond to force more generally, even if it simultaneously prohibits threats of force (talking about Articles 2 and 51 of the UN Charter respectively).

The effect of Stuxnet has been vastly overestimated. It slowed Iran's nuclear program, certainly, by maliciously altering its operations. Had the United States desired to use Stuxnet as a means of compelling Iran through a more lethal attack, it could have done so. But this would contravene the purpose of utilizing a covert cyberweapon in the first place. The United States wanted to slow down the nuclear program in a narrow, technical sense rather than using lethal force to compel the Iranians to cease their efforts. Cyber covert operations offered the President the flexibility necessary to do so. The US, similarly, wanted to overthrow the Guatemalan and Iranian governments without engaging in warfare and used covert means to do so.

International Implications

My CTOVision colleague Matt Devost is right to observe that this heralds the beginning of state use of cyberweapons for infrastructure disruption in peacetime. The private sector has traditionally conceptualized infrastructure attacks through the prism of criminality or thrill-seeking. Now it is clear that they already have been used to further international strategic objectives. But Matt, in referencing Chinese military texts, is right to highlight that the US' role in innovating this is overblown. There is nothing close to a "no-first use" norm that the United States has just violated. To state that there was is to overstate the degree of consensus in the international system and also ignore the covert context of Stuxnet. Furthermore, other states have conceptualized and planned for information warfare long before Stuxnet was even conceived as a means of balancing against American high-tech power.

The Chinese military text Unrestricted Warfare's actual influence within the People's Liberation Army (PLA) hierarchy has been massively oversold, but "unrestricted warfare" against infrastructure targets through IW is a staple of openly accessible and translated Russian and Chinese military writings. Ask Taia Global's Jeffrey Carr, the Foreign Military Studies Office's Timothy L. Thomas, and the Heritage Foundation's Dean Cheng about it and they will talk for days about the ways in which IW attacks are conceived as perfectly normal tools of statecraft by major powers. The Chinese and Russians have not done so because they have no concrete strategic interest right now in doing so that would counterbalance the massive risks involved. As Bob Gourley noted, if the attack is serious enough attribution will become an afterthought:

For example, regarding attribution, I would like to point out that at a high level, there really is not an attribution problem. I can attribute any attack, I mean 100% of attacks, with 100% confidence that I have made an attribution. Of course I know we always imply that attribution needs to be accurate. But I am trying to make the point here that decision-makers should know you can make decisions based on assumptions. And if we have not been able to think through this well enough we might have to understand this. And maybe we should make our adversaries understand this as well. Maybe we should make it policy that we will make any attribution we want to make and those we attribute attacks to will pay the consequences.

The Russians and Chinese understand this. Attacks that they can get away with are likely to pose problems for information security but not necessarily information war. And as anyone who has talked to a network defender recently knows, the Chinese and Russians are already launching countless cyber operations of this sort. Certainly there may be room for miscalculation and misperception, but this has less to do with inherent technical considerations and more with the political questions of redlines and other states' perception of those thresholds.

Is US use of Stuxnet going to lead to the normative legitimization of cyber weapons? As my blogmate Dan has noted in the past, norms in international relations are fundamentally sustained by coercion. Had the Axis powers won the Second World War, the current structure of political, economic, and legal relationships based on the 1945 regime would be unthinkable. The Responsibility to Protect (R2P) is in some way a backhanded acknowledgment of this brute fact, as it depended on massive military coercion executed by the United States in Libya. It is foundering in Syria because the United States is not going (at present) to repeat the process and no one else has the capacity to substitute for us. Each of the three most powerful states in the information realm has an incentive to flout whatever embryonic set of norms about information warfare that may or may not have emerged. The United States seeks cyberweapons to lock in its conventional military advantage and Russia and China seek them to precisely negate that overwhelming power. And this is without going into the problem of cyber arms control that Mike Tanji has blogged about.

What the Chinese and Russians will do is exploit Stuxnet for the purpose of lawfare. As Jeffrey Carr has blogged, the Russians in particular are attempting to execute a legal end run around the United States through the United Nations, protecting their usage of offensive information tools while clamping down on American superiority in cyber weapon technology and operations. This is called "soft balancing" and is not really distinctive to the cyber realm. The Chinese and Russians have been "hard" balancing against the United States' information dominance since the Gulf War through their extensive investment in information warfare capabilities. Where Stuxnet and American investment in cyber warfare does become a concern is if other states perceive it as a threat to themselves and invest accordingly. It will likely accelerate a process of investment in asymmetric weapons by other states that has been ongoing since 1991, but the idea that it will scare other powers more than, say, a carrier battle group is somewhat off-base. Where there is some more concrete danger is in the US, in turn, being blamed for future malware utilized by other powers and groups. There are also legitimate questions about how the open use of the tool could lead to its reformatting as part of a "digital arms market," but there are reasons to be skeptical as well, due to the highly specific kinds of target intelligence needed.