June 1, 2010  

Cyberspace policies we need

The U.S. government has very limited national-level experience, knowledge or policy guidance for fighting a netwar across the cyberspace domain at the national level. It is difficult for policymakers to envision cyberwarfare because history lacks experience in cyber conflict. The government has no past to learn from, much less envision how a national-level conflict would be fought.

Adding to the challenges, cyberspace:

• Is a very recently established domain for nation-state conflict.

• Is the only artificial, manmade domain.

• Is highly technical and encompassed in a constantly and dynamically changing environment.

• Is primarily owned and operated by commercial entities (many of which are multinational entities themselves).

• Is considered a nonkinetic environment though it has the potential to inflict disastrous kinetic catastrophes.

• Presents exceptionally daunting legal and international issues.

A starting point for envisioning the spectrum of cyberspace conflict would be to explore some of the methods in which nation-states could use cyberspace to impose their geopolitical and economic objectives upon other nation-states (and increasingly, the emergence of nonstate actors as both aggressors and targets). In increasing danger and complexity, these are:

• Cyberspace conflict as national economic and military competition. Sophisticated government or military and national-supported civilian hackers conduct network espionage on behalf of government agencies to better understand other governments’ decisions and military capabilities, and commercial entities, which in many countries are highly integrated with their respective governments. Military and governmental cyberspace espionage represents an extension of the traditional espionage that has been conducted since the development of nation-states. The government and commercial entities form a symbiotic relationship to assist each other through this information exchange facilitated by cyberspace activities.

• Cyberspace conflict as a form of international geopolitical blackmail. An aggressor nation could quietly threaten to attack the critical networks and infrastructure of a target nation in order to influence decisions or impose its geopolitical will.

• Cyberspace conflict as a narrowly targeted Internet punitive attack of one nation upon another nation in an effort to influence, threaten and manipulate the target nation (and other target nations). The alleged Russian cyber attack upon Estonia in 2007 is an excellent example of a nation-state attempting to influence another nation with a destructive cyber attack that is not followed up with a kinetic-based attack in the other domains. The attack (assumed to be Russian sponsored) appeared to be an attempt to punish the Estonian government and population after actions interpreted by the Russians as national insults. The assumption was also that this Internet punitive attack had an ulterior motive, which was meant to influence other NATO or Russian-orbit nations that might entertain notions of disregarding or insulting Russia.

• Cyberspace warfare as an adjunct (force multiplier) to traditional warfare in the physical domains. The alleged Russian cyber attack on Georgia in 2008 was not only a virtual adjunct to traditional kinetic warfare, it was also a precursor to a limited-objective conventional attack upon the physical sovereignty of Georgia. The cyber attack started about one week before conventional hostilities. A cyberspace domain attack could be used as an attempt to degrade and deny the victim nation’s ability to perform command and control of traditional military forces; degrade its ability to mobilize, transport and logistically support forces in the other domains; demoralize the civilian population (parallel to historical airpower doctrine of strategic bombing); or to deceive the victim nation as to the aggressor nation’s objectives. The U.S. government should be acutely aware of these vulnerabilities, commit adequate resources and plan to defend its military and commercial mobilization, transportation and supervisory control and data acquisition systems residing on, or accessible from, the Internet.

• Cyberspace warfare as a form of national destruction, as an aggressor nation conducts a total warfare attack upon a target nation’s critical networks with the intent to destroy the government, military, economic and infrastructure (power, utilities, etc.) networks. This may or may not be conducted in conjunction with irregular, asymmetrical, regular or total conventional warfare in the other war-fighting domains (land, air, sea and space).

• Cyberspace warfare against the entire Internet, with the intent to degrade and destroy the worldwide economic, governmental and social network infrastructure. For example, a nation that is threatened with regime change (from internal or external sources) could perceive itself as having nothing to lose by world destruction and indeed might even accomplish some fraction of its goal. Capability to conduct this level of cyberspace operation would fit well with the concept of blackmail but conducted at the worldwide level as opposed to nation-to-nation level of geopolitical interaction. In this scenario, cyberspace warfare is akin to nuclear warfare, which is also highly attractive to conventionally weaker international actors. Some of these international actors already see irrational behavior (by Western standards) as a means to an end to confer internal power and external legitimacy. They profit by unpredictable acts and keeping Western powers off balance. Cyberspace warfare capability could become the “poor country’s” nuclear capability, with the implied ability to threaten and inflict worldwide devastation.

There are a number of specific issues of concern to national-level cyberspace warfare policy that emerge from this list. Attribution is a critical factor to any kind of full-spectrum diplomatic, informational, military or economic response to cyberspace aggression, yet attribution is almost impossible under current technological conditions. Nations such as China and Russia have an advantage over most Western democracies due to their ability to mobilize large numbers of highly trained, centrally controlled, civilian patriotic hackers. This hacker militia can perform sophisticated and focused cyberwar operations on behalf of the central government, yet the central government has plausible deniability of the operation. Accurate attribution, difficult under the best of circumstances, would lead the target nation to the conclusion that an attack was conducted by civilian hackers, not the responsibility of the aggressor nation. For example, Russia is thought to engage the Russian Business Network, a sophisticated Internet organized crime syndicate, as a cyberspace conflict proxy to influence target nations and provide a valuable adjunct to conventional war. The aggressor nation could claim ignorance of the proxy operation. A possible mechanism for these nations to escape international responsibility would be to conduct rigged public judicial prosecution against selected civilian militia proxy hackers in order to demonstrate their good faith to a worldwide audience.

The type of targets and characteristics of cyberspace weapons represent another complex national cyberwarfare issue. Many types of attacks cannot be confined to a specific target nation. There is a tremendous possibility and risk of a malware attack that is not confined to the original target nation but spreads across the national boundaryless Internet with devastating unintended consequences. Cyberspace fratricide and blowback are key considerations, as aggressor nation-states that are currently conducting network espionage typically leave root kits or malware behind during their exploitation (harvesting) of information. Stay-behind root kits and malware residing on target-nation networks nodes could be directed by the aggressor nation to attack other target-nation networks. Consequently, target nations would experience the spectacle of fratricidal attack via their own networks attacking other networks (with little or no attribution to the original puppet master). The result is that targeted nations might be forced to shut down an ”attacking” network to stop attacks against another network. Would the target nation choose to shut down the attacking networks if those were critical, high-priority networks? A counterattack against otherwise innocent networks could also emerge. These third-party networks, culpable due to a lack of effective defense, are typically used to conduct cyber espionage or attack by aggressor nations to avoid attribution. Are these networks liable for poorly implemented defenses if they are used to attack other networks? Should they be counterattacked or simply shut off by their Internet service providers? Do commercial networks have a social and fiduciary responsibility for a minimal yet substantial level of network defense in order to avoid being used by aggressor nations against other target-nation networks? Is action justified to disconnect a defenseless Internet user that has been unknowingly hijacked by an Internet aggressor? What about the ramifications of target-nation responsibilities as their exploited vulnerabilities threaten the Internet? For example, would the major multinational Internet backbone service providers cut off U.S. government (or U.S. military) networks if they were the target of a major cyber attack that, as an intended or unintended consequence, threatens the health and safety of the entire worldwide Internet? What are the consequences to the national infrastructure and the potential kinetic ramifications?


National cyberspace policy must include the ability to defend critical networks outside the boundaries of their owned infrastructure. Network defense today is comparable to an infantry unit that defends its perimeter by digging fighting positions with the weapons pointed inward. The infantry soldiers are forced to acquire and engage enemy targets as they run past their fighting positions. If the enemy successfully penetrates the perimeter, the infantry soldiers are forced to perform forensic analysis or investigation to find out where the enemy went and what it did. This is an unacceptable method to defend networks critical to national security. Defense forces need to be able to acquire and engage enemy targets well outside the network perimeter. National-level intelligence community assets should be able to more readily share unclassified Internet intelligence data with intergovernmental and commercial entities. They must also forcefully work to keep the information at the unclassified level. Defensive actions must include the ability to respond in a controlled but aggressive and forward manner.

Cyberwar at the national level has the potential to be comparable to nuclear war in situations where total cyberwar is conducted against a target nation’s government, power and financial cyberspace domain systems. These attacks could potentially target and impair or destroy national-level economics, social infrastructure and military operations and impact national sovereignty. Conflict and war in cyberspace are extremely dangerous, as an almost infinity of targets can be attacked simultaneously and a nation can find itself instantaneously in the depths of a cyberwar with no warning. For example, the SQL (Slammer) worm on Jan. 25, 2003, hit virtually all of its worldwide targets in approximately 20 minutes. Reverberations, discovery efforts and cleanup took months, but the worm traversed the worldwide Internet in minutes. Major events, such as the Slammer worm, occur with little or no indicators or warning.

National policy for the use and defense of cyberspace needs to be closely coordinated and integrated across intergovernment entities — national, state and local. National policy needs to be coordinated across the commercial sector because our greatest vulnerability lies within the private-sector commercial interests — the vast majority of the “terrain” on which cyberwar will be fought belongs to the commercial sector. Consequently, the commercial sector provides the largest and most lucrative targets resulting in potentially cataclysmic effects upon the populace. The commercial sector is on the front lines of future cyber conflict— no U.S. government agency has the legal authority or ability to protect this nation’s critical commercial networks from external attack.

A future cyberwar could initiate a tremendous competition for immediate cyberspace personnel expertise — government and commercial entities already compete for limited cyberspace personnel and experience. Cyber conflict would exponentially increase this requirement. For example, in the tactical-level defensive fight, networks will need to be patched, servers rebuilt from original media and firewalls strengthened — all requiring greater network management personnel and automated systems. Additional network personnel will also be engaged to build quarantined intranets to maintain communications (both government and private-sector entities) across critical communications nodes and boundaries that are not connected to the Internet. At the operational and strategic level, experienced staff planners and leaders will be needed to make the difficult decisions required to prioritize, ration and enforce restricted bandwidth communications, develop and direct full-spectrum response to cyber aggression, increase network resilience and “fight through” the communications degradation of cyberwar while weathering potential cataclysmic national infrastructure damage and collapse. National policy must be developed to ensure the adequate education and training of a cyber work force — not only in the government infrastructure, but also in industry and commercial networks. Cyberspace-oriented education must reach down to the elementary level and through higher education.

Actions in the cyberspace domain need to be synchronized and integrated with all other facets of national and international power. The government needs to closely coordinate with allies as the threat represents a worldwide menace; from conceptual development and implementation of multilateral full-spectrum flexible deterrent options to establishment of mature international legal protocols to fight cyber crime. The government needs to develop national policies and tools that would allow it to “fight through” a cyberwar fought primarily over the commercial terrain of the Internet. Future cyberwar will require a close integration of offensive, defensive and espionage or exploitation capabilities in cyberspace. National-level policy needs to be developed such that Internet controls in a national emergency can be implemented in order to effect an orderly prioritization of use of limited bandwidth in an environment of degraded Internet capabilities. For example, a national-level decision in a degraded Internet environment could be made to enable the government, financial and power sectors’ use of the Internet taking priority over social networking and personal usage.

Legal concepts of nation-state competition versus actual warfare on the cyberspace domain need to be further explored and defined. Most current activity in the cyberspace domain is clearly in the realm of national and economic competition, and much of the activity can be categorized more as cyber irritation as opposed to cyber attack. War is not a legal decision, it is determined in the political realm — in the cyberspace domain as well as the other domains. The lines between cyberspace conflict or competition and cyberspace warfare are overwhelmingly undefined (by lack of precedent as much as anything else) yet badly needed. These lines in cyberspace are also unprecedented in terms of a lack of definition due to the Internet’s ability to reach across all domains and cause immediate cataclysmic results. This only illustrates the importance of policy, law and rules of engagement in cyberspace. Laws and international norms are difficult to enforce given the lack of sovereignty on the Internet. Nations that respect the rule of law are at a disadvantage in an often lawless cyberspace competition with nations and entities that do not.


A national process to deconflict full-spectrum cyberspace operations needs to be developed. Offensive-type actions need to be evaluated at the national level for intelligence gain or loss and operational gain or loss. However, it is important to retain the agility to move at “Internet speed” so this deconfliction process needs to operate in minutes/hours cycle vice the current days/weeks/months cycle of bureaucratic deliberation. The need for national deconfliction needs to be balanced against a cyberspace rules of engagement that allows military, intelligence and law enforcement networks to “strike back” against an aggressor in real time to ensure continued operations. The national security staff should have sufficient authority and the oversight role to provide this national-level deconfliction and direction. However, it would need a massive overhaul of its slow, deliberative processes in order to function effectively in a real-time cyberspace environment.

Nations will continue to strive to influence and cause effects upon other nations, with or without the cyberspace domain/Internet. However, some of the environment and specific attributes of the cyberspace domain are radically different from those of the natural, physical domains — these differences need to be analyzed and understood, with the goal of well-crafted national-level policy developed in light of these differences. This national-level policy has not been developed and the national security bureaucracy’s process to develop it is mired in competing equities of various departments and agencies, lack of leadership, and an unfocused approach to cyberspace. The simultaneous and instantaneous nature of cyberspace; the high involvement of commercial entities; the dependency of modern national and international economics upon the Internet; the electronic control and dependence upon our national supervisory control and data acquisition systems and the reliance of our national infrastructure upon the Internet; our social addiction to the tremendously inexpensive communications revolution afforded by e-mail, online gaming, Voice over Internet Protocol, and social networking sites — all combine to make the cyberspace domain extremely valuable, different, dangerous and vulnerable compared to the other domains. AFJ

LT. COL. DAVID M. HOLLIS is an Army Reserve officer with the Strategic Command Joint Function Component Command – Network Warfare as a J5 joint operations planner and a senior policy analyst/planner with the Office of the Undersecretary of Defense for Intelligence. KATHERINE HOLLIS is on the Research Staff at the Institute for Defense Analysis specializing in cyberspace issues and is a graduate of the National War College. The views expressed here are the authors’ own and do not necessarily reflect those of the Defense Department or Army.