In less than an hour, I had become an Internet soldier. I didn't receive any calls from Kremlin operatives; nor did I have to buy a Web server or modify my computer in any significant way.
Evgeny Morozov, Slate, An Army of Ones and Zeroes
How I became a soldier in the Georgia-Russia Cyberwar.
Cyberwarfare is a form of open source warfare (see Brave New War for a deep exploration of open source warfare) over the Internet fought by groups of civilians for reasons of nationalism, revenge, and (worst of all) fun. It's messy, chaotic, and nearly impossible to control. The benefits of an open source cyberwar include:
- Deniability. Offensive operations by government computers/personnel against a target nation are an act of war. Actions by civilian vigilantes are not and can be disowned. An inability to point to an offending organization can make blame difficult to affix: note the speed at which the US tech press was willing to deny a Russian cyberwar against Estonia.
- A huge talent pool. Rather than spend money on training a limited number of uniformed personnel (likely poorly), it's possible to draw on a talent pool of hundreds of thousands of participants (from hackers to IT professionals to cybercriminals). Given the rapid decay/turnover in skills, high rates of innovation, high compensation, and the value of real-world expertise, the best people for cyberwarfare don't work (nor will they ever) in the government. The best you can do is rent/entice them for a while.
- Access to the best resources/weaponry. The best tools for cyberwarfare are developed in the cybercriminal community. They have vast and rapidly growing capabilities: a plethora of botnets, worms, compromised computers within target networks, identity information, etc. Further, these capabilities are cheap to rent.
The Problem
Unfortunately, in the US, there is nothing but confusion over cyberwarfare. Add the news that the Pentagon will not create a new USAF Cyber Command to a recent failed attempt by the US military to define what 'cyber deterrence' means, and it becomes evident that the entire concept of 'cyberwar' is yielding little but confusion. Unfortunately, it appears little relief is in sight.
In contrast to failed US efforts, both China and Russia have adopted the OSW approach to cyberwarfare. How did they do it? Simply:
- Engage, co-opt, and protect cybercriminals. Essentially, use this influence to deter domestic commercial attacks and encourage an external focus. This keeps the skills sharp and the powder dry.
- Seed the movement. Once the decision to launch a cyberattack is made, start it off right. Purchase botnets covertly from criminal networks to launch attacks, feed 'patriotic' blogs to incite attacks and list targets, etc.
- Get out of the way. Don't interfere. Don't prosecute participants. Take notes.