Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki

[Miles Fidelman <mfidelman () meetinghouse net>]

Nate Lawson wrote:
> We don't have conferences discussing "explosive" vs. "projectile" 
> warfare. These are all techniques and tools for waging war, not a 
> unique type of war.

Agreed that "cyberwar" is a technique (or family of techniques) for 
waging war. Beyond that, isn't this discussion turning into whether or 
not "cyberwar" is a poor choice of terminology for a real set of 
techniques? (As a personal bias, I dislike the prefix "cyber" in general 
- whether applied to cyberspace, cyberwar, or something else - except 
perhaps "cybernetics," as coined by Norbert Wiener, has a long history 
as a discipline, though is somewhat archaic term for control theory.)

We commonly use these terms, and have conferences about:

Land Warfare
Undersea Warfare
Electronic Warfare
Anti-Submarine Warfare
Irregular Warfare
Asymmetric Warfare
Guerrilla Warfare
Information Warfare (as in propaganda, misinformation, etc.)
Financial Warfare
etc., etc., etc.
(a quick google of +warfare +conferences also turns up quite a few on 
"spiritual warfare" but I think they're talking about something else 
entirely :-)


So what are we really discussing here?

1. Are there a set of techniques that are identifiably within the scope 
of a term like "cyber warfare" (irregardless of whether it's the 
greatest choice of terminology - it seems to have stuck)?

Seems to me that it's pretty hard to deny that there are both offensive 
techniques for attacking computers and defensive techniques for 
protecting them - and that studying, developing, and applying them are 
becoming part of modern warfare. For that matter, attacking an 
adversary's computers is well established in lots of forms (much of 
electronic warfare involves confusing computers that integrate sensor 
data; attacking an adversary's command and control systems goes back to 
the days of runners, signal flags, and smoke signals).

 From a definitional point of view, a quick look in a dictionary yields:
"warfare, noun, engagement in or the activities involved in war or 
conflict"
"cyber warfare" certainly seems like a legitimate way of characterizing 
and identifying a discernible subset of the "activities involved in war 
or conflict" akin to "undersea warfare" or "land warfare"

One might ask: Is it useful to talk about warfare in the "cyber domain" 
in the same way that we talk about land or air warfare; or is it more 
useful to talk about attacking/defending computers in the contexts where 
those computers are applied (e.g,. in the context of command & control 
systems). Might be an interesting discussion. I'm not sure how I'd 
categorize stuxnet, though - seems like "cyber warfare" fits.


2. Are there likely to be (or have there been) wars that occur purely in 
the "cyber domain" (a "cyberwar" as opposed to "cyber warfare")? 
Personal opinion: "acts of war, possibly; small scale actions, of 
course; large scale "cyberwar" outside the context of more general 
warfare, probably not, but perhaps a worthy subject for wargaming and 
planning exercises.

Again, from a definitional standpoint, my dictionary says:
"war, noun,
- a state of armed conflict between different nations or different 
groups within a nation or state
- a state of competition, conflict, or hostility between different 
people or groups
- a sustained effort to deal with or end a particular unpleasant or 
undesirable situation or condition"
Or, as Von Clausewitz put it "the continuation of politics by other means."

Again it certainly seems reasonable to discuss the concept of a "cyber 
war" in the abstract, or to refer to "the cyber war in Asia" in the same 
way that we discuss "the land war in Asia."


3. Are we discussing the question raised in the paper "Cyberwar as a 
Confidence Game" which starts by asking "Is cyberwar the twenty-first 
century version of nuclear war" and whether "cyber weapons are now the 
latest class of strategic weapon... (that can) do enormous damage to 
societies," and goes on to explore whether "mak(ing) other states think 
twice about going down the road toward network-centric warfare as the 
United Sates is doing" is a "plausible strategic rationale for the 
United States’ developing cyber weapons" -- i.e., is it all a big con 
game for spreading FUD.

Libicki concludes with the statement: "It has become the latest 
manifestation of a
trend that, when it comes to the means of war, what you do with it has
become less important than what you say with it. Thus, the nuclear era
was all about deterrence not combat, while more-modern cyber-limited
conflicts are meant to serve as warnings. Building up our offensive
capabilities is a confidence game. It says to those who would compete in
our league: are you confident enough in your cyberwar skills that you can
build your military to rely on information systems and the machines that
take their orders?"

Which certainly seems an interesting question - in which regard, I note 
the impact that a mere threat by Osama Bin Laden (e.g., in the form of a 
videotape) seems to cause lots of disruption, and perhaps that the movie 
"Live Free or Die Hard" is just plausible enough to have the potential 
for causing serious FUD.


4. And then there's the article itself, and the "Quick Review" thereof -

Dave Aitel was pretty succinct (3 paragraphs) in his original summary 
and review: of which the two takeways are:

"One thing missing from this paper is any evidence that this kind of
logic (aka, Fear Uncertainty and Doubt in military information systems
as applied to network centric warfare) has any real-world effect.
Militaries (including our own) simply don't take these things into
account when deploying new systems."

Which I'd disagree with - military procurement is very subject to fads 
and politics. There's a reason that every service has some kind of 
"cyber command" or program, and that a disproportionate amount of R&D 
funding is currently going to cyber warfare - even though the folks 
spending the money often don't seem to have a clue what they're talking 
about. And we have an awful lot of weapons systems under development 
that have questionable utility.


"But the main anomaly in the paper is simple: He treats Stuxnet as an"
aberration, rather than the tip of the iceberg that finally made the
newspapers. And this leads him (and most other strategic analysts) to
conclude that hacking does not have real world effects. I have to
assume this is the WWII legacy of Enigma - where in order to take
advantage of intelligence you had to go out and order your sub killers
to go sink a boat. But just because hacking is tied to intelligence
bodies in most countries, and staffed with people who look and act a
lot like intelligence officers, does not make it the same thing.
Hacking is as kinetic as a cruise missile when you do it right."

Which strikes me as on-the-money, and a serious point.

--
My own quick review of the paper would be just a little different, 
dismissive, and probably less useful:

- interesting questions and conclusions, some interesting facts

- way too wordy, not very readable, reads more like an opinion piece in 
quasi-academic language

- I sort of wonder what qualifies a "senior management scientist" with a 
BA in Math, MA in City & Regional Planning, and Ph.D. in Economics (even 
from MIT and UC Berkeley) to be an expert in cyber warfare. Ok, he's 
written several books on the subject, but his resume primarily consists 
of "12 years at the National Defense University, three years on the Navy 
staff as program sponsor for industrial preparedness, and three years as 
a policy analyst for the U.S. General Accounting Office's Energy and 
Minerals Division" on his resume. Nothing there about technological or 
operational expertise, or even service on a military planning staff. We 
need better analysts.

Miles Fidelman










-- 
In theory, there is no difference between theory and practice.
In<fnord>  practice, there is.   .... Yogi Berra


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave