I have been reading extensively about whether cyber warfare exists, whether it is a defensive only engagement, and if it does exist does it actually involve combat. These questions are born upon the back of the military establishment well entrenched into the ideas of high intensity conflict. I on the other hand see much of cyber warfare not through the goggles of an army armor officer, but the mud spattered boots of counter insurgency. What has happened is the discussion is based on various military documents, created in an echo chamber, and supported by the choir. Leading to whether cyber is simply a defensive stance that all militaries should take.
Relegating the cyber components to a defensive posture is just as egregious an error as claiming a soldier with a rock destroying a computer is a cyber operation. My experience is obviously quite different than a large component of the military. I have however been a senior engineer at a major telecom with a responsibility spanning about 3/4s of the Internet. The topic though is cyber warfare, cyber operation, and the aspects of electronic warfare and the role of cyber within and outside of that realm.
Cyber is a “sexy” term over used and abused since it was coined by the cybernetics crowd in the 1950s. When Gibson in 1984 discussed cyber space he really wasn’t sure what it was, but with advent of a connected world the definition has expanded to cover the expanse as it has grown. Cyber warfare though has struggled as people have attempted to layer the command and control aspects and the communications and coordination through computers. All definitions are but shadows of the concepts that attempt to envelope and cyber is no different.
One of the reasons we struggle is that unlike other operational aspects such as electronic warfare the cyber aspect is not so much directed as distributed. Much like the social networks aspects suggested by Arquilla and Ronfeldt and expanded to cyber warfare show there is not so much direction as intention. This is the reason that though we have excellent materials on security, protection, mitigation and the knowledge to achieve them the vagaries of cyber still elude the brightest of minds. A platoon of soldiers I imagine is a set of discrete elements on a battlefield and there are not multiple layers of abstraction and instantiated metaphorical representations between the commander and the commanded. Yet that is exactly the case with cyber.
I’ll be the first to tell you that the military likely has no hope of repelling or fighting a cyber war with any chance of success. It just isn’t something that hierarchical highly structured organizations is going to be able to do. Who will they attack and with what tools other than kinetic weapons? A general who shall not be named mentioned in a briefing that most cyber attacks world wide are generated from within the United States. Who are you going to attack? In the discussion I am privy to (Parameters, JFQ, etc..) the discussion often refers to cyber engagements. With what?
Consider the likely profile of an attacker from the last few “cyber wars”. Non-state actors working under the ideological and political intention of larger entities empowered by technology to take action against a nation state. If you are a military engaging in cyber warfare what will you attack? What will they attack? The best-case scenario is using a botnet that has more computing power than most super-computers and they attack the domain-name-servers across a large chunk of your backbone. That will make a lot of people angry but not many will die. Web pages may get defaced and you may find yourself with corrupted servers. The next worse case is espionage or changes to command and control messaging systems. Direct attacks against a sovereign powers capability of waging war may then become more troublesome. Jumping from server to server and using elements like The Onion Routing network the hope of attribution rapidly fades. Who will you attack again? The worst case is somebody using a zero day exploit does something like the infamous DHS attack against generators and pops a couple before people realize what is happening. Working at the deepest layers attackers create a kinetic result.
I take the pedantic divergence to point out that in my opinion cyber is a war fighting domain, it has effects, it can have kinetic effects that are exponentially greater than the cost, and it is poorly understood at many levels. Rattray discusses in glorious detail strategic cyber warfare and contrarians want to know the tactical effects based outcomes. Even if effects based outcomes I guess was banned by the Joint Commanding General. The tactical effects can be found in the many mistakes and issues reported daily. Cyber is not linear, it is not a bullet, bomb, or death ray to have a switch flipped or trigger pulled. Cyber is a distributed network of intentions that follows a chain of events except for when it doesn’t. Worse cyber has almost no requirement to attack the military directly. In each of the recent cyber hooliganism called cyber warfare the attacks were against civilian targets.