Defending yourself by catching arrows is not much fun. Yet in cyberspace we are hesitant to go after the archer. Why is that?
If we are defending a piece of ground from air attack we are not content to build hardened shelters, set up anti-aircraft guns and missiles and then hope that we can effectively blunt the attack by absorbing the blows. Instead we send airplanes over the border to shoot down the enemy enroute, we bomb the airfield so the runways cannot be used and we attack the command and control system so the order to launch the raid cannot be issued. None of these is an “offensive” action. All of them, to include attacking the airfield, is a defensive action. We should do the same in cyberspace, but it is hard to get permission to attack in cyberspace even when the purpose is to defend ourselves.
I argue it is easier to get authority to drop a bomb on a building full of hackers, than it is to get the authority to conduct a cyber-attack against the same group. That is because we have great confidence in our ability to conduct a very precise attack from the air. We need the same confidence in cyberspace and it needs to go up and down the line from the policy makers through the military chain of command.
If I drop a bomb on a building, I know what will happen to the building and what will not happen to the building next door. In cyberspace, I cannot provide the same level of precision regarding either the desired effects or the potential for undesired effects. In most cases I cannot guarantee that when I take out the power to the missile site, that I will not affect the hospital attached to the same grid.
About 80 years ago some Airmen at Maxwell Field in Montgomery Alabama had this idea that we needed to be able to put a bomb in a pickle barrel. It took another 50 years, but we eventually figured out how to put a bomb in pickle barrel and to do so with very little chance of error. (Note that we do not always aim at the right pickle barrel.) Once we achieved that level of precision with the actual attack we developed Joint Munition Effects Manual (JMEM), “bugsplat” models and all sorts of other techniques so that we could predict with great accuracy what would happen to the pickle barrel we were aiming at and what would not happen to the surrounding barrels. With repetition, we proved the validity of the models and precision air attack while not perfect, has become in many cases the weapon of choice.
If we want to have the same authority to conduct operations in cyberspace we must define with the same level of precision that we can hit what we are aiming at and that we can characterize the desired and undesired effects with the same level of fidelity. Some say this is impossible. Cyberspace is too complex, it changes too frequently and despite the inherent logic of cyberspace based on 1’s and 0’s we cannot predict the outcome. I disagree.
Cyberspace is a manmade domain. We can shape the domain like we cannot shape the air, land or water. It is not going to be easy but by leveraging advanced applications of machine learning and artificial intelligence we can get to a JMEM-like capability for cyberspace that normalizes the integration of cyberspace operations with operations in the other domains.
We still have to wrestle with a number of issues such as the ubiquitous and interconnected nature of the domain that makes fratricide and collateral damage a different problem than exists in physical space. We still have to sort out issues of borders—if I change a one to a zero on your hard drive have I violated your sovereignty? And finally, we have thousands of years of experience attacking each other kinetically and we can estimate the reaction of the target. We do not have a good understanding of how the enemy will react to a significant cyber attack. All of those issues must be addressed, but first we have to prove that we can deliver precision in cyberspace like we can through the air.
Please share this article and visit my website, www.thecyberspeaker.com and my Facebook page, facebook.com/thecyberspeaker.