Cyberwar: In Need of a Theory

The increasing ability to access and distribute information through cyberspace is profoundly changing how people and societies interact. The pace of these changes, particularly with regard to malicious behavior, can seem rather alarming. Reports of network intrusions, stolen data, website defacements, and phishing scams are daily fodder for local and international news. Even the Georgetown Journal of International Affairs was the target of a nationalist hacking group, apparently in retaliation for a less-than-flattering article about Turkey’s government. Unfortunately, lost in the sensationalism and fear of these “attacks” is any way to place these events in context. Without a theory of cyber warfare, we risk both overreacting to mundane bad behavior and poorly preparing for true war in cyberspace.

Not all malicious activity in cyberspace constitutes cyber warfare. Richard Clarke separates events occurring in cyberspace into four different types of “phenomenon”: crime, hacktivism, espionage, and war. These activities are nothing new in the realm of human behavior, but the methods and capabilities available through cyberspace are extraordinarily different. Consequently, countering such behaviors will require different strategies based on the unique characteristics of cyberspace.

In contrast to the hype so prevalent among pundits and politicians, rarely does a malicious action in cyberspace result in permanent damage. Copies are easy to make and store, actions are traceable, and with varying degrees of effort, even a system that has been completely wiped can be restored. For the most part, hacktivists are simply annoying, crime still doesn’t pay, and protecting state secrets from espionage is more of a personnel and policy problem than a network security issue. The offense does not really have the advantage in cyberspace. In fact, the vastness and heterogeneity of cyberspace could provide the defense with significant advantages to counter most malicious activities. Unfortunately, many of today’s defensive strategies are focused on simply keeping bad actors out using firewalls and intrusion detection systems. These static measures do not take full advantage of the dynamic characteristics of cyberspace.

Where these flawed strategies become most worrisome is in the realm of war. There are serious concerns that state infrastructure and military forces could be targeted through cyberspace. In fact, the U.S. government is going to great lengths to craft strategies to address potential vulnerabilities, but its efforts will come up short in the absence of a theory of cyber power or cyber warfare. Theory is the vehicle that explains why observed behaviors and activities are taking place. As Kenneth Waltz reminds us, “if we could directly apprehend the world around us, we would have no need for theory.” Even more importantly, theory provides predictive capability to guide the development of strategy and shape responses.

A theory of cyber warfare would explain that the purpose of war in cyberspace is to control the flow of information. To do this, we need a military force organized, trained, and equipped to defeat an adversary’s ability to attack our information. Defensive tactics would include protecting information through dynamic networking and information dispersal such as IP and frequency hopping, data fractioning, cloud architectures, and steganography. The focus should be ensuring that the information can be collected, transmitted, or stored, and not on simply securing the networks. Currently, strategists working on cyberspace plans are simply cobbling together a variety of capabilities with little to no understanding of why.

During the 1980s and ’90s, a significant effort was made to explain the changes taking place as part of what was termed an emerging revolution in military affairs. Numerous books and articles on the subject of cyberwar, network-centric warfare, and information warfare attempted to explain the changes that were occurring as a result of the rapid growth of networked communications systems. However, those efforts were largely abandoned in the wake of 9/11 as emphasis shifted to theories on counterterrorism and counterinsurgency. Without theory there is no way to understand or explain the 2007 attacks against Estonia, the use of Stuxnet, or the defacement of the Georgetown Journal. Without theory there is no way to know how to respond or prepare for conflict in cyberspace.

Problematically, all the malicious activities happening in cyberspace today are lumped together into a broad category of “cyber attack” with a corresponding perception that there is a war going on in cyberspace. While the defacement of Georgetown University’s academic journal may have been embarrassing, the reality is that it was cleaned up within a few hours—faster than it would take to clean spray-painted graffiti off of a building or billboard. Still, the increasing number of network intrusions spawns a real fear that society is in danger. While not all malicious behavior is a siege and not every response requires standing up a cyber militia, we nevertheless need to be ready to defend the nation in cyberspace. For that to happen we need to put serious effort toward developing a theory of cyber warfare.