Sunday, March 18, 2012

Miscellany: Cyber war isn't the same as cyberwar — or is it?

Although cyberwar is no longer a priority interest for me, I still follow it a bit. Mostly via topical postings at a handful of blogs.* And lately by reading the debate between Thomas Rid and John Arquilla about cyberwar at Foreign Policy. This has roused me to want to roll out a bygone distinction — even though it ends up feeling more like I’m revisiting a Sisyphusian rock than a potential nugget of an idea.

* * * * *

In brief, their debate — not to mention earlier debates involving other bloggers — reminds me of a distinction that, for years, I was sure was in John’s and my 1993 paper on cyberwar.  But when I went looking for the pertinent paragraph a few months ago, I couldn’t find it. The missing paragraph distinguished between “cyberwar” (one word) and “cyber war” (two words). Back then I wanted to be sure no one confused our concept of cyberwar with computer hacking, which was becoming quite the rage at the time.

Accordingly, cyberwar (one word, as John had proposed) would be thoroughly military in nature — in keeping with our paper, mostly about information-age ways of organizing, knowing, and fighting, and barely about computer code attacks. In contrast, cyber war (two words) would refer to aggressive hacking — computer code attacks. This distinction from nearly 20 years ago was aimed at clarifying that cyberwar, as a future-oriented military concept, was not mainly, or necessarily, about hacking. Armed warfare can be conducted according to information-age principles without requiring computer code attacks. And the latter can be conducted without involving military matters.

But however valid the underlying point, it’s an awkward distinction to make that way. I have a vague memory (and so does John) that a reviewer or editor of a draft of our paper called the distinction into question, on grounds that it might confuse or distract a reader, and would be difficult to brief since a listener might constantly ask whether we were voicing the one- or two-word notion. So I suppose we agreed to drop the paragraph, and evidently it was never put it in any subsequent publication.

While I may wish — and long believed — it had been retained somewhere, I doubt it would have been heeded. For since then, the two terms have taken on crowd-sourced lives of their own, often interchangeable or conflated ones at that. Adding to the lexical turmoil, a slew of related terms has appeared, also in both one- and two-word versions: e.g., cyberattacks, cyberwarriors, cyberweapons, cyberwarfare, cyberterrorism, cybercrime, cyberespionage, cybertheft, cybersubversion, cyberdeterrence, cyberstrategy, cybersecurity are often seen split apart, or hyphenated, with no difference in meaning. Besides, if cyber is considered a domain like air, land, and sea, or a realm like the political, economic, and cultural realms, then two-word phrasings are the norm (e.g., sea power, economic war); one-word contractions rarely appear for the domains (e.g., airspace), and never for the realms (e.g., no one uses a term like econowar). So why shouldn’t cyberwar mean the same as cyber war?!

Yet, I’d like to think that the missing point bears repeating, even though it stands no chance of taking hold: Cyber war (two words) is mostly about cyberspace — computer hacking. Cyberwar (one word) may be partly about cyberspace, but was meant to be mostly about a comprehensive approach to warfare attuned to the information age — to see this, just go back and read the first two pages of our 1993 paper.

If so, this distinction helps parse the debate between Rid and Arquilla. Rid is writing mainly about cyber war (two words), and barely about cyberwar (one word). Arquilla is writing about cyber war too, but I gather he means to be writing mainly about cyberwar.

Thus, Rid’s post emphasizes the cases of Stuxnet and Estonia, and disputes the prospects for an “electronic Pearl Harbor” or a “cyber 9/11” — all of which are about computer code attacks. He also points out that our major protagonists in the domain of cyber conflict, Russia and China, seem more concerned about the social than the military implications of cyber warfare:
“So Russia and China are ahead of the United States, but mostly in defining cybersecurity as the fight against subversive behavior. This is the true cyberwar they are fighting.”
Good points to make. But in John’s and my terms à la 1993, a “fight against subversive behavior” pertains mainly to social netwar, not military cyberwar.

In contrast, Arquilla’s post emphasizes the Soviet military ground attack on Georgia, which was accompanied by cyberattacks and other information operations. But he also treats Stuxnet and Estonia as cases of “strategic cyberattack” or “strategic cyberwar” — a “low-intensity form of cyberwar” that attacks covertly without engaging militarily, yet might become fully military. Says Arquilla,
“My deeper concern is that these smaller-scale cyberwar exploits might eventually scale up, given the clear vulnerability of advanced militaries and the various communications systems that cover more of the world every day. This is why I think cyberwar is destined to play an increasingly prominent role in future wars.”
Thus he too makes good points. And then he too brings the debate around to our concept of netwar, by introducing points about the “color revolutions” and Arab Spring. But he says “If there is to be more cyberwar in the future, better it should be what we called ‘social netwar’ than the alternatives.” I tend to agree with what I think he means. Yet, this phrasing makes netwar seem like a subset or variant of cyberwar. It would be more in keeping with our original spectrum about cyberwar and netwar, if that last sentence were to read “cyber war” and not “cyberwar”.

So, I’m left with as many questions as ever; lexical and other debates about cyberwar seem far from settled. My point about one-word versus two-words renders no resolution — it would be a Sisyphusian task to insist on rolling it along — but it underscores that cyberwar has gained a crowd-sourced life of its own. Today, its meaning is indeed centered around computer code attacks, and it’s a strain to maintain the broad military dimensions we once saw for it. But even though the definition we originally gave to the term keeps receding, the vision we raised behind it (see Appendix below) keeps gathering momentum, often via new terms (e.g., distributed operations).

As Rid and Arquilla noted, the Russian military attack on Georgia looks a bit like a case of military cyberwar. But I gather that it was more an instance of a coordinated cyber attack, perhaps partly involving surrogate privateers, conducted in support of an otherwise rather conventional military raid. Thus it really doesn’t qualify much as a military effort at cyberwar, at least not as we originally envisioned it.

Our vision was more about prospects for military operations built around small units of distributed networked special-operations forces — a trend barely mentioned by Rid or Arquilla in their debate about cyberwar at the Foreign Policy blog. Thus a better example of cyberwar than Georgia would be the phase of Operation Enduring Freedom in Afghanistan in 2001 when a small number of U.S. special operations forces, coordinating with U.S. air units and Northern Alliance forces, drove the Taliban out of power. Another example might be Operation Neptune Spear, in which Seal Team Six and associated forces did away with Osama bin Laden in 2011. Such operations did not involve the kinds of cyber attacks that Rid and Arquilla emphasize above, but these operations were much in keeping with our original concept of cyberwar. So too may be some recent operations involving drones.

Since I’m not a military person, I hesitate to write about military operations on my own. Arquilla has — and could further — write about them expertly. But I gather from other writings that he now treats them more as instances of military netwar than cyberwar. Moreover, in recent years the U.S. Army and Navy have both created new organizations that have netwar in their name or acronym. Thus, as time passes, it appears that the lexical reach of netwar is being militarized, and cyberwar demilitarized.

Will that spell further twists in future lexical debates? It seems as though the conflict spectrum we initially laid out — a single spectrum with cyberwar at the fully military end, netwar at the social end — has served its original purpose: to call attention to the advent of new modes of conflict. But by now, some 20 years later, it has become problematic, and is being turned 90º, split into two separate parallel spectrums, and stretched — such that netwar defines the top spectrum and now has both military and social spans, while cyberwar (cyber war) defines a parallel spectrum underneath, with its own military and social spans. In this re-envisioning, netwar becomes the top spectrum, because it now seems to have the more organizational and doctrinal content of the two; and cyberwar (or cyber war) is underneath, because it has been reduced to emphasize its technological aspects.

I’m not seriously proposing such a re-envisioning of the spectrum. I’m just pointing out that it seems implicit in recent discussions about cyberwar (and netwar). If so, I suspect it’ll represent more a new puzzle than a solution as lexical debates continue to arise. At the same time, it’s not clear how much the lexical debates matter. They certainly roil discussions about policy and strategy; but they’re also a bit of a sideshow, for many major issues — e.g., how to prioritize threat scenarios, how to organize for cyber defense, how to create deterrence — can be addressed without necessarily first settling the lexical debates, engaging as they tend to be.

[UPDATE — March 19, 2016: John provides some clarification of his view in his article “Toward a Discourse on Cyber Strategy” (Communications of the ACM, January 15, 2016 — here). In it, he notes that
“… we were focused on the overall military operational and organizational implications of "cyber," not just the specific cyberspace-based concerns. It was our hope that this very wide-angled perspective would help to shape the strategic conversation.

“Sadly, it was not to be. Forests have been felled to provide paper for the many books and articles about how to protect information systems and infrastructure; but too little has emerged to inform and guide the future development of broader strategies for the cyber era.”]

* * * * *

Appendix: Excerpts about Cyberwar and Netwar

In the text above, I noted that, even though the definition we once gave to cyberwar keeps receding, the vision behind it keeps gaining momentum. I’m not going to reiterate that vision here; but as a reminder, I excerpt two sets of quotes that apply to the conflict spectrum as we once saw it. The first is about the rise of network forms of organization, the second about the rise of swarming as a way that networks fight.

1. The excerpt below reiterates our basic maxims about the rise of network forms of organization and related doctrines, strategies, and technologies. The excerpt is from our chapter (with Michele Zanini as a co-author) about “Networks, Netwar, and Information-Age Terrorism” (1999). I’ve also used this excerpt in a prior post’s appendix here about creating a collaborative community for cyber defense. The maxims mainly mention netwar, but in my view they also pertain to cyberwar. [UPDATE — May 22, 2012: Earlier expressions of these maxims appear in The Advent of Netwar (RAND, 1996, pp. 81-82), and The Zapatista “Social Netwar in Mexico (RAND, 1998, pp. 17-18.)]
Hierarchies have a difficult time fighting networks. There are examples across the conflict spectrum. …
It takes networks to fight networks. Governments that would defend against netwar may have to adopt organizational designs and strategies like those of their adversaries. This does not mean mirroring the adversary, but rather learning to draw on the same design principles of network forms in the information age. These principles depend to some extent upon technological innovation, but mainly on a willingness to innovate organizationally and doctrinally, and by building new mechanisms for interagency and multijurisdictional cooperation.
Whoever masters the network form first and best will gain major advantages. In these early decades of the information age, adversaries who have adopted networking (be they criminals, terrorists, or peaceful social activists) are enjoying an increase in their power relative to state agencies.” (1999, pp. 55-56, italics in original)
2. The next excerpt is from what we wrote later in our first full statement (2000) about swarming and the future of conflict. Accordingly, swarming will emerge across the spectrum, becoming an attribute of both cyberwar and netwar.
“Here we advance the idea that swarming may emerge as a definitive doctrine that will encompass and enliven both cyberwar and netwar.” (2000, p. iii)
“Swarming is a seemingly amorphous, but deliberately structured, co-ordinated, strategic way to strike from all directions at a particular point or points, by means of a sustainable pulsing of force and/or fire, close-in as well as from stand-off positions. This notion of “force and/or fire” may be literal in the case of military or police operations, but metaphorical in the case of NGO activists, who may, for example, be blocking city intersections or emitting volleys of emails and faxes. Swarming will work best — perhaps it will only work — if it is designed mainly around the deployment of myriad, small, dispersed, networked maneuver units. Swarming occurs when the dispersed units of a network of small (and perhaps some large) forces converge on a target from multiple directions. The overall aim is sustainable pulsing — swarm networks must be able to coalesce rapidly and stealthily on a target, then dissever and redisperse, immediately ready to re-combine for a new pulse.” (2000, p. 12)
“Swarming, we hypothesize, provides an important alternative vision of the future for the American military — and it may well do so for other militaries, too, if they begin looking for innovations that may enable them to outwit the Americans. Whoever gets there first may find in swarming the doctrinal catalyst for waging cyberwar — the military end of the information-age conflict spectrum that has long been a central theme in our research (see Arquilla and Ronfeldt, 1993).” (2000, p. 77)
Swarming remains a potent trend for organization, doctrine, strategy, and tactics all across the conflict spectrum — and we’ve written more about this since then. But swarming has proven as debatable as cyberwar in resistant military circles. In contrast, swarming and netwar have been welcome ideas among social activists. Indeed, cyber warfare often involves “hacktivist” swarming, as in DDOS (distributed denial of service) attacks by groups like Anonymous and LulzSec.

- - - - -

NOTE:  *While cyberwar / cyber warfare is a marginal interest for me at this point, I still try to follow — and recommend others follow — topical posts by David Betz, Jeffrey Carr, Adam Elkus, Sam Liles, Thomas Rid, and Tim Stevens at their blogs.  They provide additional background for this post, and provide good guides to writings elsewhere by other experts.

No comments: