Monday, March 8, 2010

On offensive operations in cyberspace

This year started out in full gear for me and it seems that this is the first week where I can take a breath and write down some of my thoughts.

Last week I was invited to give a talk at one of many cyber defence/IA related conferences in Europe. As is often the case, the question of offensive cyber operations came up. It seems that whenever this happens, the automatic (and politically correct) answer is: well, the military can't plan an offensive cyber campaign, because most likely they will not be able to identify the actor behind the incoming cyber attacks (the attribution problem). They are right, counterattacks in cyberspace can be tricky.

However, this misses the point completely. Who says that cyber operations have to be symmetric (targeting only cyber aggressors with cyber ops). There is every reason for the military to plan and prepare offensive cyber operations for various military situations. When a military is deployed to fight someone, then the target should already be identified and is not necessarily limited to cyber operatives.

It makes sense to consider different ways to achieve a military objective: aerial bombardment, naval blockade, precision drone strikes, landing a division of Marines, cutting off C2 with cyber attacks, jamming radio communication with EW, threatening with nukes, etc. In fact, according to the principle of least harm, it is consceivable that the commander should FAVOR cyber attacks over more lethal options, if the end result is the same.

There is no good reason to limit the options of the commanders in the doctrine-writing phase between conflicts. Sure, there are legal issues, attribution issues, collateral damage issues and so on - as is the case with drone strikes, for example. And yet the drones are in the sky today. It just shows that where there is a will, there is also a way.

The only real counterargument for offensive cyber is that we don't want to see it on the battlefield (like nukes, bio and chem). However, clearly this is a Genie that we cannot force back into a bottle. Potential adversaries, both state and non-state are already using cyber attacks on a daily basis. Therefore, it makes sense to include this option in the play book of the commanders of the future.

It should be noted that I am not advocating military use of cyber attacks on a daily basis, but only in conflict situations and against "legal" targets. I am also aware that the whole "legal" issue is far from solved and most likely will not be solved in any reasonable timeframe.

No comments:

Post a Comment