Our long dead Prussian friend understood that tactics change with time and technology, and that strategies remain similar even if the metaphors change. When he tells us that strength of will is more to make a change in strategy versus tactics) p. 178) he recognizes that which is the parasitic force of decision. He identifies in one paragraph they “why” of how cyber warfare has existed and been known for nearly four decades yet has no mind share among generals. Only recently has the public picked up on the issues and the media reported incidents closely aligned with cyber warfare.
The issue with the current milieu of cyber warfare is identified when Clausewitz informs us that possible engagement s are to be regarded as real ones because of their consequences (p. 181) yet military leaders continue to ignore those risks. Consider that the most media reporting is on the denial of service of web services and considered to be cyber warfare. Yet that ignores the entirety of the Internet and the gateways to other technologies defined by the military as the global information grid (GIG). The risk is that for those who ignore a new strategy they will have to defend against it (p. 182) The totality of cyber warfare is much larger than a single battlefield and strategy must consider that. Clausewitz did not know of the GIG but his idea of strategy allows for the existence of it.
The moral virtues (p. 187) cannot be ignored. Whether bravery, concern, perfidy, or willingness the detachment from perceived physical harm creates a new morale dilemma for commanders. There though is an entire difference between the citizen and soldier as much as there will be between the “hacker” and the soldier. Professionalism in service is a requirement of the nation-state as much as the egalitarian inquisitiveness of the individual is needed. Hackers are not soldiers and neither should they be, and soldiers are not hackers nor should they. In some ways I take a paternalistic view of what I call hackers. More than cyber criminals the intelligence and drive of open thinking found in the hacker legions are at consistent odds to the military virtues alliterated by Clausewitz (p. 187). The citizen and the soldier are not the same man.
Of the characteristics the defender and the attacker in cyber warfare will find so needed is perseverance (p. 193). Where the defender must always be successful we find that the attacker need only be successful once. Clausewitz, discuses this concept in his idea of superiority of numbers (p. 194). In this maelstrom of asymmetric attack is the epitome of anti-attrition. Yielding any space is catastrophic and where strength and stamina may hold sway it is actually perseverance that should be considered the primacy of the cyber battlefield.
Of course, the appearance of “surprise” (p. 199) should not be to those who study cyber warfare. There is a certain amount of maturity that occurs through the study of cyber conflict. The beginner sees that it is of risk, then danger, and then imminent threat. The journeyman reflects on the continuing risk and the asymmetric nature realizing the dangers while always finding new elements. The master of cyber warfare can perceive that there is a distinct pattern of conflict and that the patterns of conflict have existed for a long time. To the beginner surprise is always new and to the master there is only a continuation of conflict following patterns long set in the human soul. Surprise is the period of peace in an asymmetric landscape categorized by attacks saturating the mind with numbers and values of truly epic proportion.
Consider the current strategy of the cyber planners for the United States. They are concentrating connectivity to the Internet to as few portals as possible as a concentration of force (p. 204). This has merit according to Clausewitz but in a world where control of access is no longer possible it makes no sense. The castle with walls was superseded first by the trebuchet then by the cannon. Now we see the advent of air power and distribution of troops is becoming a winning strategy. Similarly cunning is a unification of forces in time (p. 205) is becoming less of a defensive strategy but nicely describes the concept of a denial of service attack. As Clausewitz says it is good to be very strong (p.204).
I haven’t been keeping up with the Clausewitz discussion due to work issues, but the topic of cyber-warfare may be better described by other theorists. Liddell Hart’s indirect approach, which is really a modern reformulation of Sun Tzu, requires upsetting the enemy’s equilibrium as a precondition of victory. The target is the mind of the enemy commander. You win by imposing the burden of uncertainty on the opponent. You put multiple objectives in danger so that he must either leave one undefended or spread so thin as to leave them all inadequately protected. Best of all, make the fog of war much thicker on his side than on yours, so that his sources of information are compromised, intermittent, and subject to doubt. Even when the landing had been made, Hitler still thought that Normandy was a diversion, although a disciple of Liddell Hart would have suggested that shifting to Calais or Antwerp should have been left open as real alternatives had the deception failed.
Cyber-warfare is disruption of the enemy’s communications and sources of information. Ideally, the enemy should doubt the integrity of his networks and the security of his transmissions. At a minimum, he will have to verify the information he receives, and use extra precautions in passing information on. Everything slows down. At best, he may not know who the attacker is, or even doubt it is an attack at all. Prudence requires defending what is vulnerable, but paranoia means defending against what does not exist, which is exactly what the attacker wants. When the CIA slipped bad software to the USSR and blew up a gas pipeline, the real damage came from the Soviets’ efforts to find whatever else may have been embedded in their systems.
The counter to cyber-warfare is not just building up defenses, but taking active measures to push the burden of uncertainty back onto the attacker. How well can the defender identify the attacker’s origins and routes of attack? Are there defenses that the attacker suspects but cannot be sure about? What kind of retaliation is available to the defender? Will the attack leave the attacker’s own resources vulnerable, and if so, which ones? Does the attacker even know the extent of the defender’s resources? In other words, which side can disrupt the opposing commanders’ ability to plan and act?
If knowledge is power, then FUD (fear, uncertainty, doubt) is ammunition.