- A huge budget (in tens of billions of dollars) and a massive uniformed/private bureaucracy (tens of thousands of "cyberwarriors"). Standard DoD scaling rules apply -- as in a gaggle of personnel drawn from multiple organizations and companies with a patina of training in "cyberwarfare."
- Extreme confusion over its mission -- it will attempt to cover not only information systems, but the entire electromagnetic spectrum.
- Extensive rules of engagement (ROEs). The new Command will require a complex legal and regulatory framework within which to operate.
Success On The Playing FieldThis new Command's ability to wage cyberwarfare will be judged based on its success in three areas:
- Real-world experience and rapid (open source) innovation. Most, if not all, of this experience and innovation in cyberwarfare is gained through criminal activity. Innovation is a product of rapid cycles of competition with software vendors and computer security companies.
- Massive self-replication. Think in term of small teams (the smarter, the better) designing software that seizes control of tens of millions of computer systems through various forms of infection.
- Deniability. Nearly all of the successful operations conducted in offensive cyberwarfare will require deniability. Post-attack forensics must not point back to a government since these wars/battles will be fought in peacetime.
What This MeansGiven these requirements, this new Command will likely fail (and badly). To provide contrast, the Russian Business Network (the RBN is a computer criminal syndicate responsible for an estimated 60% of online criminal activity), gets top marks in all of these areas. Here's a round up of what this means:
- Nation-states that protect or maintain close ties to computer criminal networks will gain advantages in emerging cyberwarfare capability. Early example: Russia's use of the RBN against Estonia and China's use of vigilante hackers for control of domestic dissent and computer espionage.
- US institutional cyberwarfare will create public embarrassments as it attempts to operate in this environment. This will generate friction with allied nation-states and run afoul of domestic privacy advocates. As a result, ROEs will tighten mightily (debilitating).
- The Command will become almost exclusively defensive over time. It won't be able to innovate at rates even remotely comparable to the competition. As a result, its activity will likely devolve to the "active" defense of government systems (most corporations will stay with private security companies for support). Additionally, its scale will be only a small fraction of the competition's hundreds of thousands of contributors and its tens of millions of infected computers (it will be out-mobilized).