SPRING 2011 Vol. 5, No. 1

An Air Force Strategic Vision for 2020–2030
Gen John A. Shaud, USAF, Retired
Adam B. Lowther

Rise of a Cybered Westphalian Age
Chris C. Demchak
Peter Dombrowski

Retaliatory Deterrence in Cyberspace
Eric Sterner

Perspectives for Cyber Strategists on Law for Cyberwar
Maj Gen Charles J. Dunlap Jr., USAF, Retired

World Gone Cyber MAD: How “Mutually Assured Debilitation” Is the Best Hope for Cyber Deterrence
Matthew D. Crosston

Nuclear Crisis Management and “Cyberwar”: Phishing for Trouble?
Stephen J. Cimbala

Cyberwar as a Confidence Game
Martin C. Libicki

Chief of Staff, US Air Force
Gen Norton A. Schwartz

Commander, Air Education and Training Command
Gen Edward A. Rice Jr.

Commandant, Air University
Lt Gen Allen G. Peck

Director, Air Force Research Institute
Gen John A. Shaud, PhD, USAF, Retired

Col W. Michael Guillot, USAF, Retired, Editor
L. Tawanda Eaves, Managing Editor
CAPT Jerry L. Gantt, USNR, Retired, Content Editor
Nedra O. Looney, Prepress Production Manager
Betty R. Littlejohn, Editorial Assistant
Sherry C. Terrell, Editorial Assistant
Daniel M. Armstrong, Illustrator

Editorial Advisors
Gen John A. Shaud, PhD, USAF, Retired
Gen Michael P. C. Carns, USAF, Retired
Keith Britto
Christina Goulter-Zervoudakis, PhD
Colin S. Gray, PhD
Robert P. Haffa, PhD
Ben S. Lambeth, PhD
John T. LaSaine, PhD
Allan R. Millett, PhD
Ayesha Ray, PhD

Contributing Editors
Air Force Research Institute
Daniel R. Mortensen, PhD
School of Advanced Air and Space Studies
Stephen D. Chiabotti, PhD
James W. Forsyth Jr., PhD
Harold R. Winton, PhD
The Spaatz Center
Michael Allsep, PhD
Edwina S. Campbell, PhD
Christopher M. Hemmer, PhD
Kimberly A. Hudson, PhD
Col Basil S. Norris Jr., USAF, Retired
Gary J. Schaub, PhD

Strategic Studies Quarterly (SSQ) (ISSN 1936-1815) is published quarterly by Air University Press, Maxwell AFB, AL. Articles in SSQ may be reproduced, not for profit or sale, in whole or part without permission.
A standard source credit line is required for each reprint.

Strategic Studies Quarterly
An Air Force–Sponsored Strategic Forum on National and International Security
VOLUME 5 SPRING 2011 NUMBER 1

Commentary

The Future of Things “Cyber”
Gen Michael V. Hayden, USAF, Retired

Part I

Feature Article

An Air Force Strategic Vision for 2020–2030
Gen John A. Shaud, USAF, Retired
Adam B. Lowther

Perspectives

Rise of a Cybered Westphalian Age
Chris C. Demchak
Peter Dombrowski

Retaliatory Deterrence in Cyberspace
Eric Sterner

Perspectives for Cyber Strategists on Law for Cyberwar
Maj Gen Charles J. Dunlap Jr., USAF, Retired

World Gone Cyber MAD: How “Mutually Assured Debilitation” Is the Best Hope for Cyber Deterrence
Matthew D. Crosston

Nuclear Crisis Management and “Cyberwar”: Phishing for Trouble?
Stephen J. Cimbala

Cyberwar as a Confidence Game
Martin C. Libicki

Book Reviews

Cyberdeterrence and Cyberwar
Martin C. Libicki
Reviewed by: COL Jeffrey L. Caton, USA, Retired

Cyberpower and National Security
Edited by: Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz
Reviewed by: Col Rizwan Ali, USAF

The Essential Herman Kahn: In Defense of Thinking
Edited by: Paul Dragos Aligica and Kenneth R.
Weinstein
Reviewed by: Col Joe McCue, USAF, Retired

Part II

On-line Version

Blown to Bits: China’s War in Cyberspace, August-September 2020
Christopher Bronk
http://www.au.af.mil/au/ssq/2011/spring/bronk.pdf

Cyberdeterrence between Nation-States: Plausible Strategy or a Pipe Dream?
Jonathan Solomon
http://www.au.af.mil/au/ssq/2011/spring/solomon.pdf

Cyber Glossaries

Glossary of Security Terms
The SANS Institute
http://www.sans.org/security-resources/glossary-of-terms

National Information Assurance (IA) Glossary
Committee on National Security Systems (CNSS)
http://www.ecs.csus.edu/csc/iac/cnssi_4009.pdf

The Future of Things “Cyber”

Years ago, when I was an ROTC instructor, the first unit of instruction for rising juniors dealt with communication skills. Near the beginning of the unit, I would quote Confucius to my new students: “The rectification of names is the most important business of government. If names are not correct, language will not be in accordance with the truth of things.” The point had less to do with communicating than it did with thinking—thinking clearly. Clear communication begins with clear thinking. You have to be precise in your language and have the big ideas right if you are going to accomplish anything.

I am reminded of that lesson as I witness and participate in discussions about the future of things “cyber.” Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon. Do not get me wrong. There are genuine experts, and most of us know about patches, insider threats, worms, Trojans, WikiLeaks, and Stuxnet. But few of us (myself included) have created the broad structural framework within which to comfortably and confidently place these varied phenomena. And that matters.
I have sat in very small group meetings in Washington, been briefed on an operational need and an operational solution, and been unable (along with my colleagues) to decide on a course of action because we lacked a clear picture of the long-term legal and policy implications of any decision we might make.

US Cyber Command has been in existence for more than a year, and no one familiar with the command or its mission believes our current policy, law, or doctrine is adequate to our needs or our capabilities. Most disappointingly—the doctrinal, policy, and legal dilemmas we currently face remain unresolved even though they have been around for the better part of a decade. Now is the time to think about and force some issues that have been delayed too long. This edition of Strategic Studies Quarterly, therefore, could not be more timely as it surfaces questions, fosters debate, and builds understanding around a host of cyber questions. The issues are nearly limitless, and many others will emerge in these pages, but let me suggest a few that frequently come to the top of my own list.

How do we deal with the unprecedented?
Part of our cyber policy problem is that its newness and our familiar experience in physical space do not easily transfer to cyberspace. Casually applying well-known concepts from physical space like deterrence, where attribution is assumed, to cyberspace where attribution is frequently the problem, is a recipe for failure. And cyber education is difficult. In those small-group policy meetings, the solitary cyber expert often sounds like “Rain Man” to the policy wonks in the room after the third or fourth sentence. As a result, no two policymakers seemed to leave the room with the same understanding of what it was they had discussed, approved, or disapproved. So how do we create senior leaders—military and civilian who are “cyber smart enough”?

Is cyber really a domain?
Like everyone else who is or has been in a US military uniform, I think of cyber as a domain. It is now enshrined in doctrine: land, sea, air, space, cyber. It trips off the tongue, and frankly I have found the concept liberating when I think about operationalizing this domain. But the other domains are natural, created by God, and this one is the creation of man. Man can actually change this geography, and anything that happens there actually creates a change in someone’s physical space. Are these differences important enough for us to rethink our doctrine? There are those in the US government who think treating cyber as an independent domain is just a device to cleverly mask serious unanswered questions of sovereignty when conducting cyber operations. They want to be heard and satisfied before they support the full range of our cyber potential.

Privacy?
When we plan for operations in a domain where adversary and friendly data coexist, we should be asking: What constitutes a twenty-first-century definition of a reasonable expectation of privacy? Google and Facebook know a lot more about most of us than we are comfortable sharing with the government. In a private-sector web culture that seems to elevate transparency to unprecedented levels, what is the appropriate role of government and the DoD? If we agree to limit government access to the web out of concerns over privacy, what degree of risk to our own security and that of the network are we prepared to accept? How do we articulate that risk to a skeptical public, and who should do it?

Do we really know the threat?
Former Director of National Intelligence Mike McConnell frequently says we are already “at war” in cyberspace. Richard Clarke even titled his most recent cautionary book, Cyber War. Although I generally avoid the at war terminology, I often talk about the inherent insecurity of the web. How bad is it?
And if it is really bad, with the cost of admission so low and networks so vulnerable, why have we not had a true cyber Pearl Harbor? Is this harder to do than we think? Or, are we just awaiting the inevitable? When speaking of the threat, citizens of a series of first-world nations were recently asked whom they feared most in cyberspace, and the most popular answer was not China or India or France or Israel. It was the United States. Why is that, and is it a good thing? People with money on the line in both the commercial and government sectors want clear, demonstrable answers.

What should we expect from the private sector?
We all realize that most of the web things we hold dear personally and as a nation reside or travel on commercial rather than government networks. So what motivates the private sector to optimize the defense of these networks? Some have observed that the free market has failed to provide an adequate level of security for the net since the true costs of insecurity are hidden or not understood. I agree. Now what: liability statutes that create the incentives and disincentives the market seems to be lacking? Government intervention, including a broader DoD role to protect critical infrastructure beyond .mil to .gov to .com? The statutory responsibility for the latter falls to the Department of Homeland Security, but does it have the “horses” to accomplish this? Do we await catastrophe before calling for DoD intervention, or do we move preemptively?

What is classified?
Let me be clear: This stuff is overprotected. It is far easier to learn about physical threats from US government agencies than to learn about cyber threats. In the popular culture, the availability of 10,000 applications for my smart phone is viewed as an unalloyed good. It is not—since each represents a potential vulnerability.
But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat. To do that we need to recalibrate what is truly secret. Our most pressing need is clear policy, formed by shared consensus, shaped by informed discussion, and created by a common body of knowledge. With no common knowledge, no meaningful discussion, and no consensus . . . the policy vacuum continues. This will not be easy, and in the wake of WikiLeaks it will require courage; but, it is essential and should itself be the subject of intense discussion. Who will step up to lead?

What constitutes the right of self defense?
How much do we want to allow private entities to defend themselves outside of their own perimeters? Indeed, what should Google appropriately do within its own network when under attack from the Chinese state? I have compared our entry into cyberspace to mankind’s last great era of discovery—European colonization of the Western Hemisphere. During that period, large private corporations like the Hudson Bay Company and the East India Tea Company acted with many of the attributes of sovereignty. What of that experience is instructive today for contemplating the appropriate roles of giants like Google and Facebook? We probably do not want to outfit twenty-first-century cyber privateers with letters of marque and reprisal, but what should be the relationship between large corporations and the government when private networks on which the government depends are under sustained attack?

Is there a role for international law?
It took a decade last century for states to arrive at a new Law of the Seas Convention, and that was a domain our species had had literally millennia of experience. Then, as a powerful seafaring nation, we tilted toward maritime freedom rather than restraints. Regulating cyberspace entails even greater challenges.
Indeed, as a powerful cyberfaring nation, how comfortable are we with regulation at all? After all, this domain launched by the DoD has largely been nurtured free of government regulation. Its strengths are its spontaneity, its creativity, its boundlessness. The best speech given by an American official on macro net policy was given late last year by Secretary of State Clinton when she emphasized Internet freedom, not security or control or regulation. But there are moves afoot in international bodies like the International Telecommunications Union to regulate the Internet, to give states more control over their domains, to Balkanize what up until now has been a relatively seamless global enterprise. How and when do we play?

Is cyber arms control possible?
As a nation, we tend toward more freedom and less control but—given their destructiveness, their relative ease of use, and the precedent their use sets—are distributed denial-of-service attacks ever justified? Should we work to create a global attitude toward them comparable to the existing view toward chemical or biological weapons? Should we hold states responsible if an attack is mounted from their physical space even if there is no evidence of complicity? And, are there any legitimate uses for botnets? If not, under what authority would anyone preemptively take them down? These are questions for which no precedent in law or policy (domestic or international) currently exists. If we want to establish precedent, as opposed to likely unenforceable treaty obligations, do we emphasize dialogue with like-minded nations, international institutions . . . or multinational IT companies?

Is defense possible?
At a recent conference, I was struck by a surprising question: “Would it be more effective to deal with recovery than with prevention?” In other words, is the web so skewed toward advantage for the attacker that we are reaching the point of diminishing returns for defending a network at the perimeter (or even beyond) and should now concentrate on how we respond to and recover from inevitable penetrations? This could mean more looking at our network for anomalous behavior than attempting to detect every incoming zero-day assault. It could mean concentrating more on what is going out rather than what is coming in. It could mean more focus on mitigating effects and operating while under attack rather than preventing attack. Mike McConnell and I met with a group of investors late last year, and we were full-throated in our warnings about the cyber threat. One participant asked the question that was clearly on everyone’s mind, “How much is this going to cost me?” At the time I chalked it up to not really understanding the threat, but in retrospect our questioner may have been on to something. At what point do we shift from additional investment in defense to more investment in response and recovery?

There are more questions that could be asked, many of them as fundamental as these. Most we have not yet answered or at least have not yet agreed on answers, and none of them are easy. How much do we really want to empower private enterprises to defend themselves? Do we want necessarily secretive organizations like NSA or CyberCom going to the mats publicly over privacy issues? At what point does arguing for Internet security begin to legitimate China’s attempts at control over Internet speech? Do we really want to get into a public debate that attempts to distinguish cyber espionage (which all countries pursue) from cyber war (something more rare and sometimes more destructive)?
Are there any cyber capabilities, real or potential, that we are willing to give up in return for similar commitments from others?

Tough questions all—tougher (perhaps) but not unlike those our airpower ancestors faced nearly a century ago. As pioneer air warriors grappled with the unfamiliar, so must we. Until these and other questions like them are answered, we could be forced to live in the worst of all possible cyber worlds—routinely vulnerable to attack and self-restrained from bringing our own power to bear.

Gen Michael V. Hayden, USAF, Retired
Former Director, National Security Agency
Former Director, Central Intelligence Agency

An Air Force Strategic Vision for 2020–2030

John A. Shaud, General, USAF, Retired
Adam B. Lowther

Two decades of continuous operations that began with Desert Shield/Desert Storm (1990–91) and continued to the conflicts in Afghanistan and Iraq have resulted in Airmen engaged in responding to current operations, leaving little time to contemplate the longer-term strategic imperatives that will influence the future force structure of the United States Air Force. With Operation Iraqi Freedom recently coming to an end and troop reductions in Afghanistan scheduled to begin this year, it is both timely and appropriate to reinvigorate strategic thought within the Air Force. This article seeks to stimulate a discussion concerning the Air Force’s future by addressing a single question: What critical capabilities—through combatant commanders’ lenses—will the nation require of the Air Force by 2030?

To answer this question, the Air Force Research Institute analyzed national interests; economic, demographic, and technological trends; defense scenarios spanning the strategic planning space; and Air Force capabilities required to meet future strategic challenges.1 Research was conducted using futures analysis methods and the Delphi method.
The resulting analysis of these issues appears in Air Force Strategy Study 2020–2030. Its findings suggest the Air Force should focus on five critical capabilities over the next two decades: (1) power projection, (2) freedom of action in air, space, and cyberspace, (3) global situational awareness,

Gen John A. Shaud, PhD, USAF, retired, is director, Air Force Research Institute, Maxwell AFB, Alabama, where he directs an 80-person organization charged with conducting independent research, outreach, and engagement to enhance national security and assure the effectiveness of the US Air Force. He provides guidance to a team of 15 operationally savvy researchers; the Air University Press, and Air University research and conference support. General Shaud also supervises production of the Strategic Studies Quarterly and the Air and Space Power Journals, the latter published quarterly in six languages and distributed worldwide.

Adam Lowther, PhD, is a faculty researcher and defense analyst at the Air Force Research Institute, Maxwell AFB. He is the author of Americans and Asymmetric Conflict: Lebanon, Somalia, and Afghanistan (Praeger, 2007) and co-editor of Terrorism’s Unanswered Questions (Greenwood, 2009). Dr. Lowther served in the US Navy from 1994 to 2001 aboard the USS Ramage (DDG-61) and at CINCUSNAVEUR, London.