Cyberwars Should Not Be Defined in Military Terms, Experts Warn
But that may be the wrong approach to cybersecurity, said Martin Libicki, senior management scientist at the RAND Corp. It also would be a mistake for the U.S. government to assume that “cyber deterrence” can work to avert attacks, the scientist said March 31 at the Air Force Association’s CyberFutures symposium.
The United States already has a strong deterrent in the form of the world’s most powerful military, Libicki said. And while cyberwar contains elements of electronic warfare, special operations and terrorism, activities in cyberspace are unique and not related to other forms of warfare, Libicki said.
“Is this really a place dominated by warriors or engineers?” he said. “Is it a domain in which superiority makes sense? Is it a domain in which you can even talk about dominating because you have your cyberspace and they have their cyberspace? . . . You can’t talk about [cyberspace] as domain No. 5 and let it go at that.”
Political leaders do not grasp the concepts of cyberspace and cyberwar at a level to confidently write policies, he said. “Cyberwar is a lot of magic. Try talking to high-level folks and figuring out what they actually understand about it. The best of them don’t have a clue and the worst of them think of things that have no basis in reality. So when something happens, it’s always a head-scratching event.”
The Stuxnet virus infected Iran’s nuclear system, but “are they 100 percent certain that they have cleaned it out?” Libicki asked. “I’m not so sure they are.”
In cyberspace, “you don’t know that you haven’t been hit, and you don’t know that you aren’t infected.”
Libicki defined cyberwar as “the use of information to attack information using information systems.” However, these actions are carried out in a malleable environment by a variety of actors, many of whom authorities can never put a finger on. The sight of Army tanks rolling makes it clear it is warfare, Libicki said. That obviousness doesn’t exist in cyberspace. Generally, the first symptom of a cyber-attack appears when someone notices that his computer is acting funny.
While a certain amount of forensics may be able to trace an attack back to a specific machine, that in no way proves who carried out the action, Libicki said. Sophisticated hackers rarely launch attacks through hardware that can be linked to them. Often they find ways to send worms and viruses through the computers of unsuspecting users. There would be giant ramifications to the U.S. government retaliating against the wrong party or failing to make it known to an attacker that he has been countered, he said.
The laws of traditional warfare say that the best defense is a good offense. But in certain cases, it wouldn’t even make sense for the United States to counter a cyber-attack with similar offensive maneuvers, Libicki said. Those capabilities must be reserved for certain state-level threats, but it remains a tricky proposition even in those cases.
“If you are going to use offensive cyberwarfare, you are going to have to use it against a state that has something to lose. If al Qaida took down the [U.S.] electric infrastructure, it would be rather unsatisfactory to try and take down al Qaida’s electric infrastructure because they don’t happen to have one.”
Because of the complexities involved, it doesn’t make sense for the United States to adopt a cyberdeterrence policy that promises anything specific, Libicki said.
“We have a deterrence policy simply by virtue of being the world’s most powerful military and a country with a short temper. And that will persuade a lot of folks,” he said. “Beyond there, I use the carpenter’s rule — measure twice before you cut once.”