- A huge budget (in tens of billions of dollars) and a massive uniformed/private bureaucracy (tens of thousands of "cyberwarriors"). Standard DoD scaling rules apply -- as in a gaggle of personnel drawn from multiple organizations and companies with a patina of training in "cyberwarfare."
- Extreme confusion over its mission -- it will attempt to cover not only information systems, but the entire electromagnetic spectrum.
- Extensive rules of engagement (ROEs). The new Command will require a complex legal and regulatory framework within which to operate.
Success On The Playing Field
This new Command's ability to wage cyberwarfare will be judged based on its success in three areas:
- Real-world experience and rapid (open source) innovation. Most, if not all, of this experience and innovation in cyberwarfare is gained through criminal activity. Innovation is a product of rapid cycles of competition with software vendors and computer security companies.
- Massive self-replication. Think in terms of small teams (the smarter, the better) designing software that seizes control of tens of millions of computer systems through various forms of infection.
- Deniability. Nearly all of the successful operations conducted in offensive cyberwarfare will require deniability. Post-attack forensics must not point back to a government since these wars/battles will be fought in peacetime.
What This Means
Given these requirements, this new Command will likely fail (and badly). To provide contrast, the Russian Business Network (the RBN is a computer criminal syndicate responsible for an estimated 60% of online criminal activity) gets top marks in all of these areas. Here's a roundup of what this means:
- Nation-states that protect or maintain close ties to computer criminal networks will gain advantages in emerging cyberwarfare capability. Early example: Russia's use of the RBN against Estonia and China's use of vigilante hackers for control of domestic dissent and computer espionage.
- US institutional cyberwarfare will create public embarrassments as it attempts to operate in this environment. This will generate friction with allied nation-states and run afoul of domestic privacy advocates. As a result, ROEs will tighten mightily (debilitating).
- The Command will become almost exclusively defensive over time. It won't be able to innovate at rates even remotely comparable to the competition. As a result, its activity will likely devolve to the "active" defense of government systems (most corporations will stay with private security companies for support). Additionally, its scale will be only a small fraction of the competition's hundreds of thousands of contributors and its tens of millions of infected computers (it will be out-mobilized).