The new fight: Writing cyber into the science of war

0
155

Every year, the Aspen Security Forum brings together the top minds in defense, intelligence and homeland security. This year, more than ever, the conversation is turning to cybersecurity – protecting computer networks and everything attached to them. Cyber is constantly changing the way conflicts and combat unfold. Here, former U.S. Navy Rear Adm. William Leigher offers insights on adapting the principles of kinetic warfare to handle the ever-evolving cyber threat: The future of cyber warfare starts at basic training.

One of the most remarkable things about boot camp is that a kid can go in not knowing what an M16 looks like, and come out able to assemble one while taking enemy fire. Cyber warfare demands the same type of weapon – powerful, portable and effective even in the hands of novices.

Our experts call it the “easy button,” and they caution that the enemy already has it. Hackers no longer need to know lines upon lines of computer commands; today they simply launch a program and tap or click their way to calamity. Our service men and women deserve cyber capabilities with the same ease of use – powerful software running on a cleanly designed interface that will allow even the greenest soldiers, sailors, Marines and airmen to venture out into the field and knock out power to an enemy base or jam a computer network to thwart an incoming attack.

DETERRENCE LOOKS DIFFERENT

Deterrence is a classic military tactic: The more visible power you have, the less likely your adversaries are to attack.  Deterrence has worked brilliantly throughout history, but when it comes to cybersecurity, the strategy falls apart.

Think about deterrence tactics – an army parading its tanks down the street.  Now imagine if showing off those tanks gave away every possible means of defeating them. That’s what we’re dealing with in cyber warfare. Showing adversaries what you have allows them to render it useless.

Unlike other acts of war, cyber attacks don’t necessarily happen in close combat – they take place from afar. The perpetrators aren’t flying their national flag – they often operate in isolation and secrecy. You can deter a hostile nation-state’s military by having them outnumbered and outgunned, but keeping a shadowy cyber force at bay is far more complicated.

ATTACKS AREN’T OBVIOUS

There’s a lot of talk in cyber circles about how the next major act of war will happen online – a “cyber Pearl Harbor.” The problem with the comparison is that the attack on Pearl Harbor became obvious as soon as the ambush started. Skilled cyber attacks are far more insidious.

They unfold slowly and strategically. Just like military operations, they begin with intelligence – information-gathering. Dossiers. Reconnaissance. Then comes the analysis – picking the information apart, creating aim-points and deciding how, when and where to attack. But unlike traditional military attacks, the intelligence breaches and battle damage from cyber strikes isn’t always immediately obvious – in fact, it can take months or even years to detect.

For years, cybersecurity experts have warned that high-stakes hacks were inevitable – a matter of when, not if. It’s time to take the thinking one step farther. It’s time to assume the attacks, or at least the groundwork for them, are happening now.

MEASURING MEGABYTES LIKE MISSILES

All the tools of traditional warfare have something in common: They are quantifiable. Every radar has a range, and every missile has a blast radius. We know how far something can go and how powerfully it can strike, and we can also use physics and other science to extrapolate the damage it can do to its target. All that math goes into the very same battle simulations the military uses to ensure efficiency and effectiveness.

The problem with cyber warfare is that it doesn’t conform to the same science. Without some meaningful method of measurement, it’s infinitely more complicated to say what something can do and how well it works. That’s where a lot of the hard thinking is right now – figuring out what a cyber blast radius looks like, and how best to measure it.