An operational cyberwar scenario that is all too real
To illustrate how a cyberattack may implicate larger warfighting issues, consider a scenario that starts by Taiwan moving toward independence. China decides it is time to take the island but concedes that the United States will intervene on Taiwan’s side — so it tries to complicate and hence delay the transit of U.S. forces over the Pacific. It hopes that by the time the United States does arrive, the war will be over, or at least the Chinese will have a secure lodgment on the island. To do this, the Chinese carry out a full-fledged operational cyberattack on U.S. military information systems with the hopes of turning the data they contain into gibberish. Even before 2000, James Mulvenon, an authority on Chinese cyberwar, argued that the Chinese might corrupt the time phased force deployment data accessible through DoD’s unclassified Internet.
To the extent that the United States might use force — which the Chinese, in this scenario, already assume is inevitable — a cyberattack on such a force (before it has started to fight) is an understandable use of military power. Because it is entirely possible that such a cyberattack never hits the news (at least not until after the lessons-learned analyses take place), it would not automatically evoke a narrative of attack and defense (as an opening Chinese attack on U.S. critical infrastructure might). The workings of U.S. military logistics may not be secret, but they are often esoteric. If such a cyberattack were to take place after Chinese forces had begun irrevocable moves toward Taiwan, and if the fact of U.S intervention was already determined, then the U.S. military would have little choice but to work around the disruption or corruption of its databases.
To make matters more complex, imagine further that the Chinese are holding back on using kinetic force while waiting to see how badly U.S. forces have been delayed by the cyberattack. The Chinese may be looking for indications that are visible, but they may also be collecting from listening posts already emplaced within unclassified DoD networks. If these indicators reveal that the hoped-for effect has taken place, then the PLA may conclude that it has achieved a favorable correlation of forces and start fighting. If, however, the hoped-for effects fail to materialize, then perhaps the correlation of forces is not so good, and they may stand down and deal with the fallout from the cyberattack later, perhaps by denying everything.
Would a cyberattack on U.S. forces actually degrade mission effectiveness? If the military knew the specific vulnerabilities that such an attack would exploit, then presumably these would have been fixed already. But determining whether such a cyberattack would work may be secondary to whether the Chinese think that they can alter the correlation of forces by so doing. If the answer is yes and they find themselves debating whether to go to war, their confidence may impel them toward going ahead with both a cyberattack and a kinetic attack (incidentally, a similar argument can be made for outer space). In such a case, if they carry out a cyberattack and it turns out that the United States can fight its way through it with little effect, then although U.S. forces will be in a better position to fight, war will have begun anyhow.
Therein lies a challenge for the U.S. military: first, to determine to what extent its ability to carry out its missions is at risk from any cyberattack: second, to ensure that it has the resiliency to fight through cyberattacks: and third, to make everyone else aware of how well it can withstand attack — in reverse order. In January 2011, the secretary of defense said that “Chinese technological advances in cyber-and anti-satellite warfare posed a potential challenge to the ability of our forces to operate and communicate in this part of the Pacific.” That suggests that the third task had not yet been accomplished. Perhaps this is because the second task remains unfinished as well. It is unclear that DoD believes it understands the risk from cyberattack is to its mission effectiveness in requisite detail. These are not impossible tasks: DoD can make its networks into what it will — and do so in ways that nullify temptations to mischief that our weaknesses would otherwise engender.
Would China use Operational Cyberwar the Same Way?
All weapons of war are apt to be used if their use is efficacious and cost-effective, if they are not heinous: if their use does not put one’s own forces at great risk: and (at least for the United States) if their use comports to the law of armed conflict (LOAC). But that does not answer everything one can ask about how countries would use cyberattacks, it may also help to understand how a country’s strategic culture — revealed and reflected in how it uses other forms of warfare — may predispose its use of cyberattack.
For instance, how will cyberattacks be allocated against military targets over the course of a campaign? As noted, attacks early in a conflict could succeed spectacularly if the other side is surprised (and if they have not thought about their defenses against cyberattack seriously enough). But husbanded attacks can be saved for targets that do not exist or are not vulnerable early in the conflict, and those who wield them will benefit from experience (on how to exploit such attacks) that they lacked at the outset of conflict.
So other factors may come into play. One is whether front-loaded attacks solve a problem that a particular country has — such as China’s aforementioned desire to delay the entry to U.S. forces off its shores. If the goal is important enough, such a country may be willing to utilize exploits that it might otherwise have husbanded for later in the conflict in order to gain a decisive early edge. Another is whether national leaders bet on quick wins or hedge and hold reserves to prosecute what may turn into long wars. The tendency for countries to mount surprise attacks is also a factor; those that believe in surprise attack are likely to count on initial victories to shape the outcome and thus front-load operational cyberattacks. Cyberattacks, in and of themselves, may be attractive by dint of not requiring obvious buildup of the sort that creates indications and warning for surprise kinetic attack. But leaders who count on a surprise attack working because their cyberattacks are effective also have to believe that cyberattacks can be militarily effective and they have to have requisite confidence in their cyberwar forces in the first place. This confidence would cover not only the efficacy of such forces but also their ability to report diligently and accurately on the effects of cyberattacks. Not all leaders have such confidence.
Which countries might withhold attacks on networks and systems from which they are or could be collecting (notably, command and control systems in contrast to weapons systems) valuable intelligence? Military leaders could reason that they may be able to attack such systems because their efforts would be particularly hard to discern (for example, selective corruption attacks or disruptive attacks on systems that are prone to failure anyway). Alternatively, they may reserve their cybeattacks for systems with little information to harvest (such as an IADS) or whose destruction is imperative. A military orientation is associated with early use; an intelligence one, with later (if any) use. Countries whose cyberwarriors are aligned with their intelligence agencies would, it seems, adopt or at least understand the latter’s orientation and favor using penetrations for intelligence rather than attack. Those whose cyberwarriors are aligned with their electronic warriors should favor using cyberwar in conjunction with electronic warfare (and perhaps space warfare as well) — and strike at the outset of conflict.
Cultural factors matter. The American way of war highlights the merciless application of overwhelming force. China’s military thinkers pay homage to Sun Tzu, who famously emphasized winning without fighting (in fairness, there are multiply Chinese military texts, and others have a more conventional orientation). One recurring trope in Chinese strategic thinking is the stratagem, an attack or maneuver that is relatively small in scale but, if correctly timed and aimed, is capable of catching the adversary unprepared, thereby having an effect disproportionate to its size. The instrument is often known as an ‘assassin’s mace’. From a strategic perspective, though, the use of an assassin’s mace by inferior forces necessarily contains high risk because the fact, much less the effect, of surprise is by its nature difficult to test. Cyberwar’s use of an adversary’s computers against them fits with the Chinese strategic inclination to ‘attack with a borrowed sword.” All this suggests that the Chinese may opt to put disproportionate resources into looking for breakthroughs in the hope that such investments can give them a niche capability that can hold overall U.S. superiority at bay.
After cyberwar has been used to try to delay the entry of U.S. forces into Asia, its steady-state role would be part of China’s integrated network electronic warfare (INEW), whose aim is ‘controlling the flow of information in the adversary’s system and maintaining the PLA’s information superiority on a traditional, physical battlefield.” The PLA’s goal, according to two Chinese generals is being “proficient at electronic feints, electronic camouflage, electronic jamming, virus attacks, and space satellite jamming and deceptions, leading the enemy to draw the wrong conclusion and attaining the goal of strategic deception.” Proponents of the INEW strategy apparently believe that the goal is to attack only the key nodes of the adversary’s command and control and logistics information flow: if true, this suggests that China’s information warriors (or at least their planners and doctrine writers) see information as something to throttle, not corrupt. It is a very physical approach to the virtual world. Deterrence constitutes a third role for cyberwar as per General Dai Qingmin’s The Science of Military Campaigns: we must send a message to the enemy through cyberattack, forcing the enemy to give up without fighting. A fourth role is cyberwar as a subset of a broader information operations campaign designed to “attack the enemy’s perceptions.”
Four similar but distinct roles for cyberwar may not necessarily get along. For instance, using cyberwar as an assassin’s mace calls for something like a bolt out of the blue: using it as part of an INEW campaign also works better if the target is not given enough time to raise its defenses. The 2001 book Science of Strategy states that in a war of annihilation, nodes much be attacked to break up the network before attacking weapons systems. Other Chinese military academics argue that those who do not preempt will lose the initiative in what may be a very short-lived information’s operations war. Conversely, using cyberwar for deterrence or as part of a broader psychological operations campaign requires that China’s willingness and capability to use cyberwar be evident before conflict begins. The two are contradictory.
CYBERSPACE IN PEACE AND WAR
Martin C. Libicki
Publication: Naval Institute Press
Pages 478, Price Rs 8,999
Martin C. Libicki is the Maryellen and Richard L. Keyser Distinguished Visiting Professor in Cyber Security Studies at the U.S Naval Academy and adjunct senior management scientist at the RAND Corporation. His work involves the national security implications of information technology, notably as it involves cybersecurity and cyberwar. He lives in Kensington, Maryland.