Policy as the Clausewitzean Continuation of Cyberwar

Part I

Nicholas Kristof’s July 4 opinion piece in The New York Times is a misleading contribution to the public discourse, especially at a time when the U.S. is battling the worst imaginable crisis in cyberspace.

Kristof begins by painting the picture of an all-out cyberattack jamming the nation’s critical networks – symptomatic of the ‘Cyber Pearl Harbor’ mentality of overplaying the risk of a digital conflict. It even paralyzed decision-making at the top in the runup to the Russian disinformation campaign.

Jacquelyn Schneider, an assistant professor at the Naval War College, realized the very alacrity with which even the most battle-hardened teams succumb to the hype. A study of wargames conducted by the Naval War College from 2011 to 2016 revealed a consistent pattern of going overboard with the escalatory risk of cyber operations – that they would eventually lead to a nuclear war.

So awesome was the mythos around cyber that the defensive teams exercised restraint in cyberspace even when the allies were getting nuked. This fear psychosis pervaded all the way up the chain of command. It could be the case that governments rushed to declare cyber as a full-fledged domain of warfare when it ought to be treated first as an operational resource.

Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs, corroborated this false belief when he recorded, “The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings.” This was in 2016 when the possible retaliatory options against Russia were being evaluated in the Situation Room of the White House. Despite its enviable cyber capability, it was the U.S. which got deterred as the then Director of National Intelligence James Clapper dreaded that the Russians may bring down the power grid.

Here is the problem: we are still grappling with the fact that pretty much everything is on the frontlines now. All the abstract thresholds and redlines around conflicts have gone for a toss.

Who would have imagined Obama vowing a proportional response when Sony Pictures was attacked? Is an accounting firm critical infrastructure? It better be, as the hacking of one such company in Ukraine to facilitate the spread of the NotPetya worm was deemed as an act of cyberwar perpetrated by Russia. Dave Aitel, the architect of some of the earliest cyberweapons of the National Security Agency (NSA), believes that even the Bill of Rights needs picket-fencing. A nation may be forced to respond if an adversary muzzles its citizens with cyber means.

Everything is critical now or nothing is. Before I elaborate on that, let me point out that Kristof went on to propose a “Geneva Convention for hacking”. Michele Markoff, the State Department’s envoy to the UN-led discussions on cyber norms, admitted that the U.S. only got serious in 2009 when it saw a trailer of Russian capabilities in Estonia.

Till that time, the priorities of the establishment were to make sure that the U.S. dominance in cyber offense is maintained and any workable international consensus is never reached. Col. Gary D. Brown, a former staff judge advocate of the U.S. Cyber Command, elaborated that nation states not defining their limits and capabilities in cyber is an impediment to norms. Bolstering offense by systematically weakening the internet – and then expecting other governments to not do so due to a vague commitment to global cyber stability – is the kind of cognitive dissonance that brought the U.S. to this juncture of indecisiveness.

Norms, as we imagine them, are derivable around weapons whose intent is objectively calculable – bombs, tanks and nuclear weapons, etc. We also believe that the law of armed conflict (LOAC), an essential ingredient of the Geneva Convention, could somehow be enforced upon cyber operations. The LOAC was only meant to deal with kinetic incidents where the damage is physically observable – in cyberattacks that is rarely the case. It is exactly why the Tallinn Manual remains such a dud. A malware could pulsate the objectives of espionage, attack or defense at a rate beyond human comprehension. When the equations of causality falter, the impact could easily be subjected to a miscalculation. Are we then ready to go to war for a piece of esoteric code?

The thresholds of battle need to be devolved into ‘yellowlines’ for any logical applicability and then be organically scaled up on a case-by-case basis. The fog of cyberwar really is the fog of paralyzing uncertainty.

At the heart of the problem lies the human bias to see everything in a spatial manner. All international effort to ratify cyber norms makes a presumption that sovereign cyberspace could somehow be demarcated.

As the national security kahuna Richard J. Danzig postulated, cyberspace remains a contested territory. Thomas Dullien, the legendary malware reverse engineer who now works for Google, stated at this year’s NATO CyCon conference that ‘possession’ and ‘control’ in cyberspace necessarily do not overlap. Aitel goes to the extent of declaring that offense-defense is the wrong dichotomy: it should be control and non-control. “Think about it for a moment – we share the same network with our adversaries,” exclaimed George Tenet exactly 20 years ago. This anxiety around the paradox of control, or the lack of it, in cyberspace has not waned even a bit.

It is exactly why many of the modalities of fighting an insurgency are relevant to cyberwar. Offense is not merely a fitment in the matrix of dominance but of order and control – so the Department of Defense leads the way in cyber and not the Commerce or State departments. Matthew Monte, a cyber operative who was earlier associated with the CIA, proclaimed defensive measures not incorporating offense as “ineffective”. All dovish norm-setting initiatives in cyber are stillborn because of this disruptive interleaving. Policymaking then becomes a mere instrument to perpetuate hegemony. Or as Aitel surmised, it is just cyberwar by other means.

Part II

(Additional commentary after the indictment of 12 Russian agents.)

The recent indictment of 12 cyber operatives of the GRU, the Russian military intelligence agency, by special counsel Robert Mueller is a case in point. The supporting document is a rare artefact – in the sense that it is the most public exposition of American cyber tradecraft ever.

The analysis has been tacitly bolstered by the NSA whose very DNA has been hardcoded with operational deniability. It is worth mentioning that the U.S. still issues a Glomar response on Stuxnet even when the operation has been outed by a hundred different sources.

The specific reason behind that, in a nutshell, is: nation states are still figuring out how cyber operations fit into the escalatory and declaratory ladders of conflict.

Until that gets chiseled with experience and mistakes, cyber attacks would keep on enjoying a sort of forced plausible deniability. Would our world be any different if Iran, North Korea or Russia had owned up to Shamoon, Sony or DNC? Probably not.

Emblematic is President Obama’s statement after he confronted President Putin on the sidelines of the 2016 G-20 summit at Hangzhou:

Look, we’re moving into a new era here where a number of countries have significant capacities…But our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so everybody’s acting responsibly.

Aitel labelled Stuxnet as the “announcement of a team” more than anything else, which could take out any factory, any time. Over time, the Department of Defense (DoD) seems to have figured out cyber’s fitment into the declaratory dimensions of power. It is exactly why the DoD tries hard to control the mathematics of the domain.

But cyber deterrence has little to do with its technicalities.

When the NSA, via the Federal Bureau of Investigation, goes on to name the operatives and publishes their internet search histories,

Most pundits have fallen into the wow-trap. The competence of the NSA is well respected, thanks to Snowden. The attribution of APT 28 or Fancy Bear has been open-sourced, too, as the private sector has had a major investigative role to play. Even the details of the GRU units had trickled out earlier.

The NSA is actually giving a banshee-like scream with this trailer of capabilities – You may win a battle or two, but we are here to win the war.

Andrea L. Limbago, Chief Social Scientist at the cyber countermeasures firm Endgame, sums it up:

[These] indictments demonstrate the potential for attribution and the level of capabilities that can provide this evidence, help support a broader deterrence strategy.