THE US DoD AND CYBERWARFARE?
- A huge budget (in tens of billions of dollars) and a massive uniformed/private bureaucracy (tens of thousands of "cyberwarriors"). Standard DoD scaling rules apply -- as in a gaggle of personnel drawn from multiple organizations and companies with a patina of training in "cyberwarfare."
- Extreme confusion over its mission -- it will attempt to cover not only information systems, but the entire electromagnetic spectrum.
- Extensive rules of engagement (ROEs). The new Command will require a complex legal and regulatory framework within which to operate.
Success On The Playing Field
This new Command's ability to wage cyberwarfare will be judged based on its success in three areas:
- Real-world experience and rapid (open source) innovation. Most, if not all, of this experience and innovation in cyberwarfare is gained through criminal activity. Innovation is a product of rapid cycles of competition with software vendors and computer security companies.
- Massive self-replication. Think in terms of small teams (the smarter, the better) designing software that seizes control of tens of millions of computer systems through various forms of infection.
- Deniability. Nearly all of the successful operations conducted in offensive cyberwarfare will require deniability. Post-attack forensics must not point back to a government since these wars/battles will be fought in peacetime.
What This Means
Given these requirements, this new Command will likely fail (and badly). To provide contrast, the Russian Business Network (the RBN is a computer criminal syndicate responsible for an estimated 60% of online criminal activity) gets top marks in all of these areas. Here's a roundup of what this means:
- Nation-states that protect or maintain close ties to computer criminal networks will gain advantages in emerging cyberwarfare capability. Early example: Russia's use of the RBN against Estonia and China's use of vigilante hackers for control of domestic dissent and computer espionage.
- US institutional cyberwarfare will create public embarrassments as it attempts to operate in this environment. This will generate friction with allied nation-states and run afoul of domestic privacy advocates. As a result, ROEs will tighten mightily (debilitating).
- The Command will become almost exclusively defensive over time. It won't be able to innovate at rates even remotely comparable to the competition. As a result, its activity will likely devolve to the "active" defense of government systems (most corporations will stay with private security companies for support). Additionally, its scale will be only a small fraction of the competition's hundreds of thousands of contributors and its tens of millions of infected computers (it will be out-mobilized).
Cyberwarfare is a fact of life, and the USAF should formally establish a command for it; however, they clearly are approaching it the wrong way. China, on the other hand, has a much more interesting model involving several civilian hacker corps which I've just covered at IntelFusion.net (http://idolator.typepad.com/intelfusion/2007/12/10000-methods-c.html).
Posted by: Jeffrey Carr | Wednesday, 12 December 2007 at 05:40 PM
Problem with that approach: China's vigilante model applies more against internal online dissent than anything else.
Posted by: John Robb | Thursday, 13 December 2007 at 04:25 AM
Not according to an academic study just published by a group of Chinese researchers. I have the link in that post that I referenced above. This is a very large group of cybercriminals, exceptionally well-versed in network intrusion and extremely loyal to the PNC who are cracking web sites and corporate and government networks pretty much at will, both in the U.S. and Britain.
Posted by: Jeffrey Carr | Thursday, 13 December 2007 at 11:40 PM
US institutional cyberwarfare will create public embarrassments as it attempts to operate in this environment. This will generate friction with allied nation-states and run afoul of domestic privacy advocates.
I'd note further that the U.S. is at a distinct disadvantage given the view that the domestic and world hacker communities have of it and of its relation with criminal elements in non-hacker criminal groups.
Posted by: Coathangrrr | Sunday, 16 December 2007 at 09:26 AM
I agree with Jeffrey about the civilian hacker corps--they could also serve as a useful red team corps for open-source modeling of internal weaknesses. I have my own take on the issue on the Defense and the National Interest blog (http://dni2.wordpress.com/2007/12/16/cyberwarfare-comes-of-age/)
Posted by: AE | Sunday, 16 December 2007 at 02:30 PM
Hmm, link doesn't work. Here's another one:
http://dni2.wordpress.com/2007/12/16/cyberwarfare-comes-of-age/
Posted by: AE | Sunday, 16 December 2007 at 02:31 PM
What is "open source biowarfare"?
Posted by: Jeffery | Sunday, 16 December 2007 at 02:56 PM
The establishment of the command is important and can be fixed by simple congressional modification, requiring the command to make room for auxiliaries who have been granted letters of marque or reprisal from Congress.
Yes, it's insane, nobody'll ever go for it, Congress won't issue the letters, etc. But after the next big failure where the death toll shoots past our pain point, especially where there's a cyber component to the attack, Americans will howl for something better and all the old restrictions will be out the window. We'll also know how long it'll take for the DoD to fix its systems: too long.
A little foundation work now will go a long way towards making that moment less out of control.
Posted by: TM Lutas | Thursday, 20 December 2007 at 10:34 AM