Time for another review of the articles published in the
proceedings of the CCD COE
Cyber Warfare Conference. Next up is Amit Sharma from India, who wrote an interesting paper titled "Cyber Wars: A Paradigm Shift from means ot Ends".
He starts out by explaining the idea behind the paper. He hopes to provide a
"framework in which cyber warfare will have a strategic effect by acting as primary means to achieve conventional ends, hence will induce a paradigm shift from the conventional notion of cyber warfare as a tactical force multiplier to the notion of strategic cyber warfare acting as primary means of achieving grand strategic objectives in the contemporary world order. The author will accomplish this objective by deriving the elixir of Clausewitz’s Trinitarian warfare and applying the concepts of Rapid dominance and Parallel warfare in cyber space so as to generate the strategic paralytic effect envisaged in effect based warfare. The author will conclude by shattering the conventional dictum of cyber defence, based on the notion of “defence in layers” and legal aspects of Law of Armed Conflict; by providing the only feasible and viable cyber defence strategy relying on the application of Rational Deterrence Theory (RDT) in general and on the idea of Mutually Assured Destruction (MAD) in particular so as to maintain the strategic status quo."
A tall order by any standard. The paper is written in an artistic and forceful language, painting the scene of an apocalyptic cyber strike that ends all and paralyses the entire state from the government to the citizen by simultaneously disrupting the trinity of government, military and people. I think that this strong emphasis on total paralysis (and total war) is a potential weakness of his approach.
Even though all theoretical model are abstractions, I believe his trinity (imagine a triangle) model is somewhat idealistic and naive. His description of the
people corner is exclusively oriented to the liberal western countries (which includes the minority of the world's population and, arguably, are not as liberal or democratic as they may portray themselves). What about the rest of the world? The model's military corner is focused on the network-centric digital troops, which again represent the minority (although a powerful one) in the militaries of the world and even that is not always as networked on the battleground as the doctrine would imply. Last, but not least, the government corner, where governments are charged to provide "a secure, secular and democratic environment" for the people. Well, let's try to name some big countries that fit that idealistic description to the letter in practice, as well as in theory. It won't be easy. So, the model applies in a theoretical ideal case and I agree that in such a case the implications can be extremely dangerous.
The danger comes from simultaneously taking down all three components of the trinity with a parallel cyber campaign, which, as we have just reviewed, is entirely dependent on the assumption that the country is wired beyond the point of safe return. He concedes that in most recent cyber conflicts this parallelism has not taken place and we have seen much more limited campaigns.
He then proceeds with a five step plan for a strategic cyber campaign: "Shape, Deter, Seize initiative, Dominate and Exit". This is a nice and clean model for describing a (cyber) conflict, but I disagree with some of his conclusions.
In discussing the deter stage, he touches on the concept of countervailing, or "making known to the potential adversary that the implication of a nuclear strike would be far greater than the potential gains an adversary can achieve by initiating the first strike." He mentions that the recent cyber attacks against Estonia, Georgia, UK, France etc. may be an example of cyber counterveiling. I do not see it that way, as a key point of countervailing relies on letting the enemy know your capability - and no state has taken responsibility for the attacks listed. Furthermore, the cases he cites are not traditional military conflicts (with the possible exception of the Georgia attacks), but merely harassment or espionage, which do not demonstrate the potential destructive capability of a state. They do serve as reminders that networks are vulnerable, however.
He does make a good point that in order to deter an attack you need a "Cyber Triad capability", which consists of
"Regular defence/military assets and networks, [...] isolated conglomerate of air-gapped networks situated across the friendly nations as part of cooperative defence, which can be initiated as credible second strike option; and [...] a loosely connected network of cyber militia involving patriotic hackers, commercial white hats and private contractors which can be initiated after the initial strike or in case of early warning of a potential strike."
He proceeds by demonstrating that the concept of defense in layers and the Law of Armed Conflict (LoAC) do not work in a strategic cyber campaign. I do not understand his point that a system built on the concept of defense in layers (defence-in-depth) is "as strong as its weakest link." To me, defense in layers means exactly the opposite - you can take out any single node and the system remains secure due to the other layers.
His other argument is that LoAC does not cover strategic cyber warfare. Granted, there have been no successful applications of LoAC to strategic cyber warfare yet, but that is because we have not yet seen a strategic cyber warfare campaign in the armed conflict sense. As mentioned above, we have plenty of hactivism, espionage and other examples that fall
outside the LoAC framework, but no state-on-state wars where cyber has played a significant role. Therefore, it is premature to throw LoAC out of the window as it is today. However, I agree that it needs updating to meet modern scenarios and the
CCD COE is among the experts that work toward this goal (some discussions on this took place at the
Cyber Conflict Law and Policy Conference).
He finishes by arguing that Mutually Assured Destruction (MAD) doctrine is the best way to keep states from engaging in strategic cyber warfare. I would argue that MAD simply does not work well in cyberspace, as
- attribution of the cyber attack may be impossible,
- in case attribution can be achieved, there is a question of false-flag operations,
- in case a second strike is launched, there will be ample collateral damage to third states, which can escalate the conflict further,
- the cyber triad is never ideal and many (most) countries in the world today are almost invulnerable to strategic cyber warfare, because they have little or no reliance on cyberspace,
- in case a strategic cyber campaign succeeds against a modern military power, they can always retaliate with weapons of mass destruction (missile silos should be air-gapped from the rest of cyberspace, at least I would hope so).
Overall, the paper has a lot of provocative thoughts and arguments and I enjoyed reading it (what would be the point of reading things that do not raise a single question or counterargument). I have not covered some of his points that I agree with and, as always, I recommend reading the full paper. We met briefly at the Conference in June and discussed some of the points above, and in the end agreed to disagree on some of them. I wish him luck in his research, as he definitely rocks the boat.