Reviews | Will deterrence play a role in the “eternal war” of cyberspace?
Attention, reader, while exploring this topic: deterrence strategy is one of the most hazy and abstract areas of defense analysis. At the start of the Cold War, it was the domain of professors such as Herman Kahn of the Rand Corp., and Thomas Schelling and Henry Kissinger of Harvard – sometimes known collectively as the “wizards of Armageddon”. They “thought the unthinkable” when it came to nuclear war, in part to deter the Soviet Union from launching an attack.
Times have changed, claims the new book “Cyber Persistence Theory: Redefining National Security in Cyberspace.” Its three authors have all worked closely on the Pentagon’s cyber strategy: Michael P. Fischerkeller as a cyber expert with the Institute for Defense Analyses; Emily O. Goldman as a strategist at U.S. Cyber Command; and Richard J. Harknett as a cyber expert at the University of Cincinnati and first scholar-in-residence at Cyber Command.
The book is not an official political document. But a foreword by Gen. Paul Nakasone, head of Cyber Command and the National Security Agency, notes that the three authors “laid the foundation for the Command’s persistent engagement approach” and that their book provides a “framework for understanding…operational effectiveness in the future.
To summarize the authors’ arguments: Cyberweapons are fundamentally changing the nature of warfare. Boundaries don’t matter much for the digital code. And cyber warfare is a continuum (and always happens at a low level), rather than an on-off switch. It’s a new area, with new rules.
“Cyberspace should be understood primarily as an environment of exploitation rather than coercion,” the authors write. “Achieving strategic gains in the strategic cyber environment requires no concessions from the adversary.” In other words, much of what we think we know about war does not apply to this area.
I had the chance to explore this esoteric topic in August, when the authors asked me to moderate a public discussion about their book at National Defense University. The gathering resulted in a lively exchange between military cyber strategists.
To get an overview of the evolution of deterrence thinking, let’s start with Harknett’s view of the three phases in the history of warfare, culminating in cyber.
The first period, beginning in ancient history, involved “conventional” weapons – first stones, then eventually guns, cannons, battleships, bombers – to compel the adversary into submission. Nation states zealously defended their borders and the goal of war was coercion and victory. Deterrence meant having more and better guns, bigger battleships, more planes. But obviously, looking at the two world wars of the 20th century, this version of deterrence didn’t work very well. The arsenals almost invited war.
This early period lasted until 1945, when the United States introduced nuclear weapons which, soon enough, were duplicated by the Soviet Union. With the potential to kill hundreds of millions of people in a rapid exchange, these weapons could effectively destroy civilization. The culmination of the war did not become victory but apocalypse.
Nuclear war, as has often been said, cannot be won and should never be fought. Thus, the goal of nuclear strategy was not to win wars but to prevent them. This nuclear version of deterrence worked quite well for 73 years old and cash.
The third period concerns cyberweapons, and the assumptions are fundamentally different. Weapons cannot be counted, identified, tracked or easily controlled. They are used in a borderless electronic world where traditional ideas of sovereignty don’t work very well. The authors argue that this domain is “micro-vulnerable (and inherently exploitable)”, in the sense that targets can be reached easily, but “macro-resilient (and therefore stable)”, because nations will persist, even if they are targeted.
Two lessons from the war in Ukraine are that cyber defenses seem to work better than one would expect, and that cyber crimes work less well. This is one of the explanations for Ukraine’s astonishing resilience in the face of the Russian onslaught.
The authors offer some suggestions for this new area: strategists should have rules of ongoing engagement, rather than planning for contingencies; they should prepare for continuous, not “episodic” operations, and they should seek “cumulative” gains, rather than a final victory. As the authors wrote in a recent post in the national interest: “Because of the fluidity of digital technology, security depends on taking and sustaining the initiative.”
Cyberspace could turn out to be the ultimate version of eternal war. But if these strategists are right, it could be less dangerous, and ultimately more stable, than the convulsive outbursts we’ve called warfare for millennia.