The cyber force matrix

There has been a lot of ink spilled on the idea of nation-state activities in cyber space and much of that discussion has been centered on military activities in the domain. Though interesting this misses the concept that a nation has many forms of national power that it can project and use at various levels of conflict. The conceptual misrepresentation that the military has a monopoly on force is simply irreconcilable with the realities of the modern nation-state. It is also counter to most elements of historical fact. It might be interesting to examine the different forms of national power and how and whether they are inherent through a cyber lens at different phases of nation-state conflict.

This is a thought exercise not representative of empirical analysis and it is not a statement to be found in national policy. As such the utility is limited but it does serve as a point of discussion. Standard caveats apply.

For this exercise we start with the forms of national power in a time-worn and well validated construct called DIME. These are respectively diplomacy, information, military and economic as forms of national power. It is often stated that the DIME construct acts upon the PMESII. Where PMESII is the political, military, economic, social, infrastructure, and information aspects of a society that can be effected.

Finally another element to this is the phases of conflict as set forth in doctrine of what happens when waging war. These is phase 0 where the environment of a future conflict is shaped and awareness of the environment is created. With allies we spend a lot of time in this phase and even with adversarial entities. Then we have phase 1 where deterrence of conflict is sought. At this point it can be active or passive activities to keep an enemy or ally from being aggressive to the nations interests. Phase 2 sets up the point where an engagement and action is chosen to seize the initiative. In some cases this might be moving carriers within range to attack a base or opening an exploit onto a system. Phase 3 is where the adversary is dominated. The exploit has already arrived on the system, but action is being taken against the adversaries’ interests. The bombing runs are occurring. Next to last is phase 4 where actions having been taken and the attempt to stabilize the environment occurs. De-escalation and attempts to create a secure environment continue and may be part of a fusion with phase 3 operations. Finally phase 5 is where attempts are made to enable civil authority. This is especially true in large-scale military engagements.

The first thing that becomes obvious is that using the phases we are obviously not at “cyber war” currently nor have we been in the past. This is interesting in that this can be applied to the other elements of national power and in the different war colleges they create matrixes to show where doctrinally the cross-functional coordination points would be required. This is usually done when considering a traditional military engagement. It is also obvious that no “cyber war” will ever be a pure “cyber war” but may be a joint conflict across several domains. It may be that limited and “phase restricted” war might occur that is less than domination but more than mere preparation.

In summary diplomacy as a force in cyber might be expressed as a treaties about cyber, discussions, or even normalizing behaviors within cyber. The legal frameworks between nations in dealing with cyber are quite obviously elements of diplomacy. Similarly the idea of information as messaging, assets of the domain of cyber and similar to how information and intelligence are considered relatively in other domains are expressed in cyber. The military activities in cyber as forces of the nation-state might be through releasing viruses or bombing specific physical cyber assets. And economic power can be found in various other areas similarly in cyber. The ability to purchase or not purchase, the market forces, or even the ability to deny those market forces are forms of nation-state power in cyber space.

There is a thread in the cyber conflict literature that since the networks of the United States are owned by private entities they should be involved in the decisions about conflict. This is an error in assumption and will be associated with negative outcomes for said industry. Since any activity by any national entity in conflict can be responded to by the other entity similarly industry actors could be targeted if they were to self identify as a form of national power. There is a lot of laden deep nasty stuff in that assertion but it is a topic for another day.

If we consider the idea of a matrix we end up with something like Table 1 “Cyber Force Phases” which is a matrix to apply to a few concepts. Once again this isn’t empirical and I would expect your answers to be different from mine. One thing I’m not interested in is engaging in GI Joe chest thumping, “The military can do anything.” In the concept of cyber as applied to this matrix I’m not going to even identify cyber itself. The idea is not just who might do it, but who should be doing it (as in cyber). Yes this has been done by others, but this is my matrix. I’m trying to find the non-political, perhaps soft cases in the center versus edge polarized cases.

So Table 1 depicts how cyber as a domain interacts with the different forms of national power and the over the phases of conflict.  An empty box in the matrix means the phase and form of national power have little to nothing to do with each other, and an X means there is some relationship or case to be made. This could easily be modified to a Delphi study with weighting for each intersection and would be interesting if an expert population could be found.

 

Table 1 Cyber Force Phases

 

D

I

M

E

Phase 0: Shape the Environment

X

X

 

X

Phase 1: Deter the enemy

X

 

X

X

Phase 2: Seize the initiative

 

X

X

 

Phase 3: Dominate the enemy

 

 

X

X

Phase 4: Stabilize the environment

X

 

X

X

Phase 5: Enable civil authority

X

X

 

X

 

From the start the military is pulling their very short hair out. Why isn’t the military part of shaping the environment in cyber? For one in the current practice the network centric nature of cyber is pushing an intelligence lead preparation of the battle environment. The lawfare push by various adversaries is a diplomatic form of force, and finally the economic incentives create a significant form of presence. There is relatively little in place for a military presence in shaping that doesn’t appear as an intelligence or information aspect. I use the “I” as intelligence and information interchangeably based on the National Resource Council merging of the two terms. The military through legal authorities has various aspects of intelligence powers, but those powers are tied to specific restrictions.

Why isn’t “I” tied to deterring the enemy? Isn’t that a process of messaging and strategic communication that inform the enemy of our red line? A great question, but the message is less important than the form of power that delivers it. That form of power is the diplomatic exchange even if the military is involved the exchange is a form of diplomacy. Similarly incentives and disincentives of economic power aren’t the information but the form of force used to act against specific actors.

On the principle of dominating the enemy I admit I punted. Looking at the forms of domination the military and economic seems to be the forms of force we apply. Sanctions are at one level of diplomacy, but the force is found in the economic realm. The metaphorical allegory of cyber being pulled toward the impacts of cyber on financial markets and sales restrictions while military bombs and destroys targets.

Similar to other elements the military often will say they do everything but enabling civil authority in cyber space is simply not going to be a military activity. The restrictions between different element of the national power infrastructure will not enable this and may run directly contrary to the expectations.

This is a blog post so don’t read any political aspersions or ideology into this matrix. The point is a discussion not an answer.

One of the early issues I have had with expressing cyber as a domain is how power is projected and expressed within that domain. The conceptual structure of cyber being the first man-made domain rings hallow and false. I’ve expressed my dissatisfaction to various levels of ridicule by leadership as them having expressed the domain as the tool rather than the environment. To understand this another domain will suffice. The sea is a domain that is the surface to the greatest depths. Man was unable to exploit the sub surface domain until weapons and tools were constructed. We don’t refer to that under ocean element of the sea domain as being man-made. The domain of cyber has always existed and we are just now building the tool to exploit that domain.

Another element that rings hallow in the expression of power and force through cyber is that it must be based on the electro magnetic spectrum (EMS). This again is mistaking a feature of the domain for the domain itself. Instead consider that EMS is a terrain feature rather than the matter of the domain. The domain of cyber is a naturally occurring domain of the information environment where information is “matter” and various aspects of exploitation and use are inherently part of the domain. Land is more than just dirt. It is various minerals, biological materials, and just air at the finest level of granularity. At the larger view it is just dirt. Set your scope similarly when thinking about cyber.

Why this is important when thinking about cyber as a domain is that if it has always existed and will always exist we can use human behaviors to model forms of force and conflict. More importantly the strategic seams inherent in a mere technological viewpoint can be discovered and advanced into defense and offense planning. If you only consider the networks, and associated infrastructure to be cyber space you are mistaking the interstate highway system for the domain of land. It is nice to use highways but I can build tools that don’t use those highways much like Stuxnet and Buckshot Yankee took overland routes nobody really considered previously. Big Data is one of those non-network based cyber challenges that should be considered. Once again a topic for another day.

So, if we have forms of national power and phases of conflict what are the different forms of national power going to work upon in another nation? This is where we apply the forms of power by their initials to the PMESII construct in a matrix of the phases of conflict. Once again PMESII is the political, military, economic, social, infrastructure, and information aspects of a society that can be effected

 

Table 2 PMESII and DIME matrix within the phases of conflict

P M E S Infra Info
Phase 0: Shape the Environment D, I D D, I, E D, I, E   I, E
Phase 1: Deter the enemy D, M, E M D, E D, M, E M D, E
Phase 2: Seize the initiative M M M, E M, E E M
Phase 3: Dominate the enemy M M M, E M, E M, E M
Phase 4: Stabilize the environment D, E D, M E D, E D, M D, E
Phase 5: Enable civil authority D, E D D, I, E I, E E I, E

 

There will be lots of argument over the relative merits of such a matrix. What it attempts to show is through a cyber lens how different elements of force might be applied. Whether there is any utility in such time will tell. The concept though has been done many times by various entities for different discussions and to specific scenarios. The same process could be done using a Likert scale in a Delphi process to give each of the forms a weighted average. The reliability then could be checked between the specific instances and patterns might emerge. Still the concept shows that the quite simply there are a lot of discussion about cyber not occurring.

The key take away is that current pundit and policy focus on specific actors of national power have ignored the key actions and adversaries that require a varied governmental approach. The biases of particular policy agents within the cyber realm are also ignoring factors that could be used in risk calculation of defense. Those biases result in strategic seams upon which hostile actors at or below the nation-state level could utilize. The network centric, signals based, biases of intelligence ignore the other forms of nation-state power and the resulting power envelope that could be categorized by the nation-state actors capabilities. Similarly pundits and proponents of alternative views of national power in cyberspace specifically ignore the other than military actors in cyberspace and miss an entire dimension of conflict.

Leave a Reply