September 1, 2009  

Data bombs away

“The advent of cyberwarfare, which can go straight to the vital centers and either neutralize or destroy them, has put a completely new complexion on the old systems of making war. It is now realized that the hostile main army in the field is a false objective, and the real objectives are the vital centers.”

If the military theorist who made those statements is correct, then cyberwarfare, the launching of billions of bits of malevolent data through the world’s network of networks at the digital “vital centers” within targeted organizations or nations, has redefined the very concept of war. Why risk a physical attack launched from a known source if the same or even a greater impact can be achieved with a cyberassault that is virtually untraceable?

You’re probably wondering who the theorist quoted above is. First, full disclosure: The quotation is not presented exactly as originally written. Two words were changed — “air power” was swapped for “cyberwarfare.” It is remarkable how smoothly either phrase fits, because the words surrounding them were written 79 years ago by air power prophet and provocateur Brig. Gen. Billy Mitchell. Mitchell had never heard the term “cyber” — it was not cited as a formal prefix by the Oxford English Dictionary until 1966, 30 years after Mitchell’s death — but cyberwarfare’s strategic objectives and Mitchell’s were identical: Leap past the front lines of battle to the “vital centers” of the enemy and “make it impossible for the population to carry on in war or live in peace.”

The recent mass bombardment of U.S. and South Korean government Web sites, knocking some temporarily offline and bringing traffic to a crawl in others, hinted at the damage a cyberattack could inflict. Fortunately, the attack was, on the whole, unsophisticated, poorly executed and caused little more than inconvenience. In the larger context of the issue, it amounted more to cyberannoyance than cyberwar.

A truly strategic cyberassault would be aimed at the nerve centers of government agencies, power systems, communications networks or financial institutions. It would be far more difficult to mount but, if successful, could create widespread digital chaos, rippling through the networks that connect and serve us and playing havoc with the applications and systems that are the sinew of the American economy and the superstructure of its most vital public services. The continuity of government or, at the least, public faith in its ability to protect Americans, could be shaken.

Are cyberweapons actually that dangerous? If so, how do we defend against them? And even if they can’t fulfill the Mitchell vision of “paralyzed vital centers,” how much damage could they do? Are we talking about a weapon that is decisive, destructive or merely disruptive? Mitchell’s vision is predicated not only on preventing an enemy from “carry[ing] on in war” but also from “living in peace.” Where do the personal, commercial and military aspects of the challenge overlap? How prepared are we? How unprepared?

And, an inevitable final question: Do we need a Billy Mitchell to sound the alarm?

The only certainty is that Mitchell would have leapt at the chance. Mitchell — passionate, quotable, forward-minded, indifferent to higher authority, confident to the point of arrogance — would have loved this debate. The great debate over air power in the 1920s and 1930s bears a striking resemblance to the current debate over cyberwar, and Mitchell was its storm center, a World War I hero who brazenly went over the heads of the Army’s leaders to make his case directly to the American people.

So, today, he would be blogging. He would be ranting on the Sunday morning news panels. His books would be piled high in stores.

Given the rising prominence of the issue in the media and the many questions that remain to be answered about cyberwar strategy, it’s not surprising that Air Force Brig. Gen. Mark O. Schissler, formerly head of cyberoperations for the Air Staff, described the current debate as a “Billy Mitchell moment.”

The Mitchell analogy is tempting in many ways, as is the comparison between the air power debate and today’s debate about cyberwar.

Military parallels

Consider the military parallels. Both cyber- and air warfare, as preached during the 1920s and 1930s, offer an unproven but irresistible promise of a decisive blow to the enemy at a small or even nonexistent price to the attacker. Both challenge conventional military thinking. Both represent the military application of technologies that also offer vast commercial potential.

Second, there are the cultural parallels. Between the two world wars, powered flight, like the Internet and all things digital today, was simply the coolest technology of its time. The spread of commercial radio and the telephone represented profound social and technological change, but manned flight dazzled like nothing else.

Third, the debate that raged in the 1920s and 1930s about air warfare raised the same questions as today’s debate about cyberwarfare: How great is the threat, and how prepared are we to defend against it or respond in kind? There have already been many Billy Mitchell moments in the relatively short arc of cyberwar’s development. The first came in the mid-1990s, when the initial small-scale attacks were noted on entities connected by the Internet. A few lonely voices raised the alarm, but they suffered the same fate as Mitchell in his lifetime: They were largely ignored. The glowing promise of the billions of dollars to be made in e-commerce was so tantalizing that neither government nor business really wanted to hear that the Internet could be a dangerous place.

More recently, there were Billy Mitchell moments that would have pleased the old firebrand. Specifically, three widely held beliefs have been challenged and overturned.

The first of these casualties of reality was the belief that commercial network architectures were equal to the challenge of cybersecurity. This belief fell not only to the unceasing digital vandalism, or worse, of individual hackers but to the growing recognition that far more dangerous adversaries — nations or internal crime syndicates fielding battalions of their own cyberwarriors or enlisting bands of hacker mercenaries — could ride the Internet past supposedly stout defenses to plunder or pillage. The positive result of this Billy Mitchell moment is the development of applications that are specifically designed for assaults of this magnitude and that can be engineered into existing networks and systems to detect and repel attacks.

Beyond the development of new tools for network security, the issue of security itself has become a fundamental concern for networks, their designers and their operators. The evolution of the traditional NOC — network operation center — into an NSOC — network security operation center — is well underway.

The hacker within

The second belief to fall to a Billy Mitchell moment was the idea that technological defenses of a network equate to fully effective cybersecurity. This ignores the human factor, the presence of “insiders” integral to an asymmetric attack by advanced and persistent adversaries. Insiders are already operating among us, as they have for centuries. The often-stated cyberstratagem of “defense in depth” of networks is simply insufficient if it stops at the boundaries of technology. The hacker of today may strike from afar, but the saboteur of yesterday remains with us, a danger as old as warfare itself.

The third belief disproved by reality was the often dismissive attitude toward the proverbial hacker living in his parents’ basement and overdosing on video games. The truth is that street-grade attacks are increasingly employing malware packing a near “weapons grade” punch. This means that sophisticated cybersecurity measures will be required not just by major elements of national, economic or military infrastructure but increasingly by much smaller-scale enterprises and organizations.

The Billy Mitchell moment in which we now find ourselves is one that would be all too familiar to him: Who should lead the cyberwar effort, and how should it be organized?

In 2006, the Joint Chiefs of Staff, in Joint Publication 3-13, updated its view of “Computer Network Operations” in joint operations. One category of activity is computer network defense (CND), defined as protecting friendly computer networks and their information and services. What’s revealing is that in Joint Pub 3-13, under a chart heading of “Who Does It?,” the answer for CND is “Individuals, businesses, governments, militaries.”

In other words: everybody.

This wide range of constituents and players complicates the task of organizing for cyberwar. No other military domain intersects with the daily lives and business of Americans as does cyberspace. The military faces a battlefield congruent with the landscape of everyday American life. Protecting our network infrastructure is simultaneously a commercial challenge, a social challenge, a criminal challenge and a military challenge. Add to this daunting series of overlapping interests the further complication that our “national” digital infrastructure is, in fact, simply one component of a highly interconnected network of networks reaching everywhere on earth.

As Mitchell predicted, the “vital centers” for potential assault are not just command centers, military installations and harbors, but the banking industry, the transportation network, the power grid and the public health system.

With this welter of often conflicting interests in mind, it was probably comforting to many Americans when, in January 2008, the Bush administration announced its Cyber Initiative. In May, President Barack Obama released the results of a months-long review of cybersecurity, declared “our digital infrastructure … a strategic national asset” and announced the creation of the post of “cyberczar” in his administration. The military’s new, joint Cyber Command will be operational in October.

It amounts to a solid start, but, as always, success lies in execution, and the challenge is immense. Key government posts remain unfilled.

On the battlefield, the age of cyberwar has already arrived. One early lesson is that cyberattack does not have to be a decisive weapon all by itself — as Mitchell claimed for air power — to be effective. In fact, it might be most effective when used in support of land or air assaults. Last year, cyberattacks, albeit restrained, pulsed into Georgia as Russian tanks poured over the border, the world’s first employment of coordinated cyberweapons with conventional warfare strikes.

This nightmare marriage of military domains points to the “blitzkrieg” of the future. In 1940, Germany’s technological superiority, superb coordination of land and air forces and sheer speed brutally introduced the world to a new mode of warfare as it roared across the Low Countries and into France. On a much reduced but still revealing scale, the outlines of its lineal descendant, land-air-cyberwarfare, could be glimpsed in Georgia.

The current Billy Mitchell moment — recruiting the right leadership and firming up the organization for responding to the cyberthreat — remains unresolved. Even if this challenge is effectively addressed, we face many more Billy Mitchell moments in the future.

Would it help us if he were still on the scene?

If we listen carefully, he still is.

John Osterholz is senior executive of integrated cyberwarfare and cybersecurity for the Information Solutions business within BAE Systems’ Electronics, Intelligence & Support operating group.