The Center for Strategic and Budgetary Assessments (CSBA)--known for its assessments of the precision-strike revolution and work on Air Sea Battle--is tackling the intellectual challenge of cyber strategy. Its new report, Cyber Warfare: A 'Nuclear' Option? has not gotten much play in the blogosphere but has a number of interesting ideas. CSBA challenges dogmas on both sides of the cyber debate while retaining a welcome sense of humility about its ability to predict the future.
The report's author, Andrew Krepinevich, was one of the people in the early 90s that explicitly predicted cyber operations and tactics as a precursor to and element of major war. In his late Cold War work on the military-technical revolution (MTR), Krepinevich predicted that future conventional wars might start with an effort by both sides to use information warfare to suppress each other's systems. So his thoughts on the cyber weapon are definitely of interest to policymakers and enterprise CTOs. Having read a lot of dreck lately on all things cyber strategic-related, I was pleasantly surprised to find a historically informed argument that stakes a middle path between endemic cyber hype and underestimating the threat of state and non state cyber operations.
First, Krepinevech takes a fairly nuanced view of strategic bombing in World War II. While infrastructure attacks were not sufficient to break the will of the enemy in the European Theater of Operations, they did impose massive costs on the Germans. From the sheer density of air defense personnel tasked to the damage inflicted on crucial industries, strategic bombing did achieve effects--albeit at a high cost. Still, German forces had to be ground down the old-fashioned way, and at the time of surrender large combat units still remained in the field. The ability to realize prompt destruction only arrived with the atomic bomb, but its use as a battlefield weapon was at best ambiguous after Hiroshima and Nagasaki. Though the United States always planned to deploy nuclear weapons to stop the Soviet hordes should they break through its defenses, it used nuclear weapons primarily to advance its position in a bipolar international system.
Instead of raising the specter of a catastrophic "Cyber Pearl Harbor," the report raises the possibility of cost-imposing infrastructure attacks that progressively raise the financial losses involved in patching vulnerabilities and adapting to compromises with wide-ranging implications. Thus, while a countervalue cyber attack may not cause a societal collapse it could nonetheless cause problems that would advance an attacker's political objective. Infrastructure failures that mesh with features of modern society such as the dependence on electricity for refrigerated food would represent formidable advantages for the defender if coordinated together. Krepinevech, echoing Sam Liles' recent work on the evolution of cyber weapons, suggests that future weapons might not necessarily depend on exploits as we currently understand them. With a large enough botnet, an attacker could potentially crack even secure codes and enable attacker control. The CSBA report notes that officials are right to be concerned about vulnerabilities, but need to understand the distinct features of the weapons at hand. While not absolute weapons, the risks are real.
Much of the report rehashes vulnerability assessments and incidents (Aurora, Operation Shady RAT) that cyber observers will be well-familiar with. But James Hasik picks up some of the report's implications for the defense industrial complex:
As we saw in the Stuxnet case, cyber weapons can, with enough information, be targeted at individual pieces of equipment within individual facilities. And as we also saw, those things can escape into the wild, given just "one idiot with a thumb drive" (as I read the line once on Ars Technica). It's also notable that the surgicality is likely inversely related to the cost of the weapon: the more targeted, the more expensive (see below for more on costs). This is mostly the reverse from physical weapons—guided bombs and missiles, for example, are more expensive by the round, but by saving on all those unguided rounds that would go astray, and the extra aircraft to deliver them, they actually turn out to be more economical than dumb bombs. It's not necessarily that way with cyber weapons. ... As frequently as computer operating systems are updated, money sunk into developing a cyber weapon should show a high depreciation rate. That rate can even go stepwise as major desktop and industrial operating system upgrades roll out. Some military aircraft and ships may last for decades, but cyber weapons will likely have much shorter shelf-lives.
The costs of offense, when measured against the combined costs of defense and consequence management reveal some unique tradeoffs. On one hand, attackers seeking to cause damages that will generate strategic effect will require a substantial monetary investment in intelligence, targeting, and testing. But the weapon's shelf-life will be short. But defenders still face formidable costs in protecting infrastructure and conducting consequence management across interagency boundaries. Hence, while it is true that offense still is dominant in one side of the equation, the operational value of weapons are also complicated by their relatively short shelf lives and some of the uncertainties involved in whether or not they achieve desired effects on the target. Krepinevech's comments on the latter are also thought-provoking, if disturbing:
It may, therefore, be difficult for the leadership of one cyber power to determine when, in the mind of its enemy, it has crossed the line between cyber operations that are “acceptable” and those that will trigger a major escalation in the intensity of cyber activity that could lead to catastrophic attacks.
He concludes with a sensible call by the strategic studies community to examine cyber warfare with the same intensity it examined nuclear warfare during the Cold War. The community of analysts with a background in strategy and war studies looking at the issue is fairly small---but is nonetheless steadily growing. I will look forward to any future insights Krepinevech has on the subject.