Dailydave mailing list archives
Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki
From: Miles Fidelman <mfidelman () meetinghouse net>
Date: Fri, 25 Mar 2011 10:15:40 -0400
Nate Lawson wrote:
We don't have conferences discussing "explosive" vs. "projectile" warfare. These are all techniques and tools for waging war, not a unique type of war.
Agreed that "cyberwar" is a technique (or family of techniques) for waging war. Beyond that, isn't this discussion turning into whether or not "cyberwar" is a poor choice of terminology for a real set of techniques? (As a personal bias, I dislike the prefix "cyber" in general - whether applied to cyberspace, cyberwar, or something else - except perhaps "cybernetics," as coined by Norbert Wiener, has a long history as a discipline, though is somewhat archaic term for control theory.) We commonly use these terms, and have conferences about: Land Warfare Undersea Warfare Electronic Warfare Anti-Submarine Warfare Irregular Warfare Asymmetric Warfare Guerrilla Warfare Information Warfare (as in propaganda, misinformation, etc.) Financial Warfare etc., etc., etc. (a quick google of +warfare +conferences also turns up quite a few on "spiritual warfare" but I think they're talking about something else entirely :-) So what are we really discussing here? 1. Are there a set of techniques that are identifiably within the scope of a term like "cyber warfare" (irregardless of whether it's the greatest choice of terminology - it seems to have stuck)? Seems to me that it's pretty hard to deny that there are both offensive techniques for attacking computers and defensive techniques for protecting them - and that studying, developing, and applying them are becoming part of modern warfare. For that matter, attacking an adversary's computers is well established in lots of forms (much of electronic warfare involves confusing computers that integrate sensor data; attacking an adversary's command and control systems goes back to the days of runners, signal flags, and smoke signals). From a definitional point of view, a quick look in a dictionary yields: "warfare, noun, engagement in or the activities involved in war or conflict" "cyber warfare" certainly seems like a legitimate way of characterizing and identifying a discernible subset of the "activities involved in war or conflict" akin to "undersea warfare" or "land warfare" One might ask: Is it useful to talk about warfare in the "cyber domain" in the same way that we talk about land or air warfare; or is it more useful to talk about attacking/defending computers in the contexts where those computers are applied (e.g,. in the context of command & control systems). Might be an interesting discussion. I'm not sure how I'd categorize stuxnet, though - seems like "cyber warfare" fits. 2. Are there likely to be (or have there been) wars that occur purely in the "cyber domain" (a "cyberwar" as opposed to "cyber warfare")? Personal opinion: "acts of war, possibly; small scale actions, of course; large scale "cyberwar" outside the context of more general warfare, probably not, but perhaps a worthy subject for wargaming and planning exercises. Again, from a definitional standpoint, my dictionary says: "war, noun, - a state of armed conflict between different nations or different groups within a nation or state - a state of competition, conflict, or hostility between different people or groups - a sustained effort to deal with or end a particular unpleasant or undesirable situation or condition" Or, as Von Clausewitz put it "the continuation of politics by other means." Again it certainly seems reasonable to discuss the concept of a "cyber war" in the abstract, or to refer to "the cyber war in Asia" in the same way that we discuss "the land war in Asia." 3. Are we discussing the question raised in the paper "Cyberwar as a Confidence Game" which starts by asking "Is cyberwar the twenty-first century version of nuclear war" and whether "cyber weapons are now the latest class of strategic weapon... (that can) do enormous damage to societies," and goes on to explore whether "mak(ing) other states think twice about going down the road toward network-centric warfare as the United Sates is doing" is a "plausible strategic rationale for the United States’ developing cyber weapons" -- i.e., is it all a big con game for spreading FUD. Libicki concludes with the statement: "It has become the latest manifestation of a trend that, when it comes to the means of war, what you do with it has become less important than what you say with it. Thus, the nuclear era was all about deterrence not combat, while more-modern cyber-limited conflicts are meant to serve as warnings. Building up our offensive capabilities is a confidence game. It says to those who would compete in our league: are you confident enough in your cyberwar skills that you can build your military to rely on information systems and the machines that take their orders?" Which certainly seems an interesting question - in which regard, I note the impact that a mere threat by Osama Bin Laden (e.g., in the form of a videotape) seems to cause lots of disruption, and perhaps that the movie "Live Free or Die Hard" is just plausible enough to have the potential for causing serious FUD. 4. And then there's the article itself, and the "Quick Review" thereof - Dave Aitel was pretty succinct (3 paragraphs) in his original summary and review: of which the two takeways are: "One thing missing from this paper is any evidence that this kind of logic (aka, Fear Uncertainty and Doubt in military information systems as applied to network centric warfare) has any real-world effect. Militaries (including our own) simply don't take these things into account when deploying new systems." Which I'd disagree with - military procurement is very subject to fads and politics. There's a reason that every service has some kind of "cyber command" or program, and that a disproportionate amount of R&D funding is currently going to cyber warfare - even though the folks spending the money often don't seem to have a clue what they're talking about. And we have an awful lot of weapons systems under development that have questionable utility. "But the main anomaly in the paper is simple: He treats Stuxnet as an" aberration, rather than the tip of the iceberg that finally made the newspapers. And this leads him (and most other strategic analysts) to conclude that hacking does not have real world effects. I have to assume this is the WWII legacy of Enigma - where in order to take advantage of intelligence you had to go out and order your sub killers to go sink a boat. But just because hacking is tied to intelligence bodies in most countries, and staffed with people who look and act a lot like intelligence officers, does not make it the same thing. Hacking is as kinetic as a cruise missile when you do it right." Which strikes me as on-the-money, and a serious point. -- My own quick review of the paper would be just a little different, dismissive, and probably less useful: - interesting questions and conclusions, some interesting facts - way too wordy, not very readable, reads more like an opinion piece in quasi-academic language - I sort of wonder what qualifies a "senior management scientist" with a BA in Math, MA in City & Regional Planning, and Ph.D. in Economics (even from MIT and UC Berkeley) to be an expert in cyber warfare. Ok, he's written several books on the subject, but his resume primarily consists of "12 years at the National Defense University, three years on the Navy staff as program sponsor for industrial preparedness, and three years as a policy analyst for the U.S. General Accounting Office's Energy and Minerals Division" on his resume. Nothing there about technological or operational expertise, or even service on a military planning staff. We need better analysts. Miles Fidelman -- In theory, there is no difference between theory and practice. In<fnord> practice, there is. .... Yogi Berra _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki, (continued)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Dominique Brezinski (Mar 25)
- Message not available
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Dominique Brezinski (Mar 27)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Michal Zalewski (Mar 27)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Jim O'Gorman (Mar 27)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki beenph (Mar 25)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Yiorgos Adamopoulos (Mar 25)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Nate Lawson (Mar 25)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Kevin Noble (Mar 25)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Marsh Ray (Mar 25)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Nate Lawson (Mar 25)
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Miles Fidelman (Mar 27)
- Message not available
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki Nate Lawson (Mar 27)
- Message not available
- Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki delchi delchi (Mar 25)