The Zero-Sum Game

Listen up, Obama. By Jan. 1, there should be not a single U.S. troop remaining on the ground in Iraq.

Let me be clear. The United States should have no -- zero -- troops in Iraq on Jan. 1, 2012, when the Status of Forces Agreement signed between the two countries requires a complete withdrawal (this number excepts, of course, a small military presence at the U.S. Embassy's Office of Military Cooperation -- a presence that exists in almost every embassy worldwide). This is not about delivering on an Obama campaign promise or saving money. This is about doing the right thing for both the United States and Iraq. Although the White House's proposal to keep approximately 3,000 troops in Iraq is better than the rumored 17,000 desired by the commander of the U.S. forces in Iraq, Gen. Lloyd Austin, maintaining any American presence is simply the wrong decision for both parties.

Despite having both a political problem and a terrorism problem, Iraq is now a reasonably stable country that must have the opportunity to chart its own course. Yes, the 2010 national election failed to provide any bloc with a clear mandate and has resulted in a political stalemate. Yes, the remnants of al Qaeda in Iraq continue to commit atrocities against both Iraqi Shiites and the moderate figures of their own Iraqi Sunni community. And yes, Iranian groups and their proxies continue to destabilize Iraq in order to diminish its effectiveness as a buffer state against Iranian ambitions. But despite these issues, Iraq continues to muddle along without returning to the chaos of 2004 to 2008. This is a very real accomplishment of which both the United States and Iraq should be proud, even if the road to get here was excessively long and costly.

It is time for Iraq to stand on its own -- without a U.S. presence to disrupt its politics. There are significant factions within both Iraq's Kurdish and Sunni communities that would look favorably on a residual U.S. force in Iraq. They need to move on. The lingering U.S. troop presence on Iraqi soil is -- quite understandably -- perceived as an insult to Iraqi nationalism by significant portions of their fellow citizens. This is an issue that must be taken off the table so that Iraqi politics can normalize, not least with regard to Iraq-Iran relations. Ironically, it is by leaving Iraq that the United States can best let Iraq stand up to its Iranian neighbor. Ending what Iraq's neighbors perceive as its "occupation" by U.S. forces will finally permit Iraq to complete the normalization of regional relationships.

Iraq does have some serious security gaps that it will have to address, likely through the use of U.S or other Western contractors. Airspace control remains a concern for the Iraqis, but numerous aerospace firms will be happy to provide the equipment and the trainers to remedy this problem. The recently announced purchase of F-16 fighter jets from the United States is a good first step toward true airspace control. The Iraqis, however, will need to hire trainers for the pilots of their still-fledgling air force. The Iraqis may similarly require continued training on the use of their artillery pieces and the tactical employment of other weapons systems. But these technical gaps can easily be filled, and the market will respond quickly to Iraqi petrodollars.

Honoring the terms of the Status of Forces Agreement (SOFA) is equally critical for the United States. Leaving Iraq on the terms dictated by its sovereign government will put to bed the very real perception that the United States invaded the country to transform it into its "51st state." Should the United States need to intervene in another country, it will be very helpful to be able to point to Iraq as evidence that the United States does leave when asked. While U.S. diplomats in Baghdad are reportedly in negotiations to amend the SOFA to allow a residual presence, this effort could -- and should -- be turned off quickly.

Some prominent U.S. foreign-policy leaders, such as Sen. John McCain and other public figures, have argued that it is in the U.S. interest to leave a residual force in Iraq to counter Iranian influence. This logic is misguided. Iran has been able to make inroads in Iraq largely because of the U.S. presence. Among Iraqi nationalists -- the Sadrists in particular -- the U.S. presence, which they still refer to as "occupation," has overshadowed increasing Iranian influence. Once the United States leaves, the nationalists can then turn their full attention to what a legitimate relationship with Iran might look like, recall that they did fight a very long and bloody war with their Persian neighbor, and recognize that they have no desire to be anyone's client state.

Although the argument for eliminating the U.S. presence in Iraq is not about U.S. domestic politics, it is certainly good domestic politics. It culminates the U.S. military mission in Iraq in a truly bipartisan manner, with the current Democratic president overseeing the withdrawal of U.S. forces as negotiated by his Republican predecessor. Cost savings, while hard to estimate, would not be insignificant. The marker of 3,000 troops put forward by the administration is a good step toward these goals, but it should be willing to truly close the deal and execute the currently signed agreement.

Finally, the debate over the U.S. military presence is distracting policymakers from the real issues in the United States' future relationship with Iraq -- the role of the State Department (and particularly its ambitious police-training mission) and of the American business community. It is these two instruments of U.S. "soft power" that will shape U.S.-Iraq relations going forward, and to put it frankly, the sooner the military can get out of their way, the better.

The State Department police-training mission -- the contours of which I helped set some years ago -- does appear to have learned from earlier errors. The State Department has avoided the earlier confusion involved in contracting out this mission and has instead hired the trainers as temporary government employees. A well-qualified ambassador, who will report directly to the chief of mission, James Jeffrey, has been positioned in Baghdad to oversee the mission, giving senior hands-on oversight. And rather than attempting to train the rank-and-file patrolmen, the State Department's Bureau of International Narcotics and Law Enforcement Affairs has focused on the systematic problems -- management, pay, promotions, and especially logistics -- in the more senior police headquarters.

Serious concerns remain about continued funding from Congress and the possibility that the mission could be sabotaged by the risk-adverse nature of diplomatic security officials (though concerns about al Qaeda and Iranian-sponsored terrorism are valid). But this mission appears to be in a much better position to assume police training from the U.S. military than many of those involved in its creation dared hope when the transition was planned in 2008 and 2009. But it can only benefit by continual monitoring by senior policymakers.

To be frank, American business (with the notable exception of the oil and oil-services sectors) has not thrived in Iraq -- a problem not experienced by the Turks, the French, or the Chinese. There are many reasons for this fact, and the U.S. mission in Baghdad should elevate the priority it gives to assisting American businesses attempting to enter Iraq. The long-term Strategic Framework Agreement that accompanied the Status of Forces Agreement makes it clear that Iraq desires a long-term commercial (and cultural) relationship with the United States. Although there are numerous barriers to this aspirational goal -- corruption issues, legal issues, language barriers, and in some quarters a lingering resentment of Americans -- quiet engagement by the U.S. Embassy could go a long way toward reducing and remediating these obstacles. Visiting American business people should be able to view the U.S. government officials in Iraq as their allies.

There are issues that could prevent Iraqis from immediately taking complete control of their security. The disputed "Green Line" that marks the boundary between the provinces of the Kurdistan region and Iraq's Arab provinces remains a potential flashpoint for ethnic violence. While it is in the interest of both parties to have a peaceful settlement of territorial and other claims, the presence of Iraqi and Kurdish armed forces in this tense region heightens the possibility of an unfortunate incident, which could spiral out of policymakers' control. U.S. forces have done an admirable job in dampening tensions along the Green Line, but some kind of outside presence on this border may be desirable until a final settlement of Kirkuk (the primary territory in dispute) can be reached.

This presence, however, does not have to be American. Accepting the fact that the SOFA requires the withdrawal of U.S. forces by the end of the year, the United States and Iraq might find it worthwhile to look for some other external force or international organization that could put a peacekeeping force in place. The United Nations is, of course, the traditional source for such a force, but time is short. One can perhaps see some other international organization -- potentially the European Union or even the Gulf Cooperation Council -- responding to an Iraqi request for a limited third-party presence. Initial reports indicate that the Arabs and Kurds are managing the tensions themselves, but the situation should still be monitored carefully.

Finally, all international agreements are subject to modification by consent. If the Iraqi government -- of its own accord, without U.S. pressure -- comes to desire an extension of a small U.S. presence in Iraq, then that should be carefully considered. I do not believe it is in Iraqi leaders' interest for them to ask for an extension of the U.S. presence, but they certainly have the right to manage their own relations with the United States. But the visible U.S. diplomatic pressure on the Iraqis to come to this decision, as exemplified by Defense Secretary Leon Panetta's comments in Baghdad, should immediately cease, so that any request will not be tainted.

In short, it is time for the United States to stop being a "helicopter parent" to the Iraqis. To extend the metaphor: The Iraqis have graduated and are now legally of age. Let them go. They will doubtless not do everything perfectly or in the way the United States would prefer. So be it. They are no longer America's wards, no longer its charges, no longer in receivership.

This is how the U.S. war in Iraq ends.

Spencer Platt/Getty Images


Denial of Service

Lawyers are crippling America's ability to defend against cyberwar with arcane rules and regulations. But war waits for no man.

Lawyers don't win wars. But can they lose one?

We're likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they've left the military unable to fight or even plan for a war in cyberspace. But the only thing they're likely to accomplish is to make Americans less safe.

No one seriously denies that cyberwar is coming. Russia pioneered cyberattacks in its conflicts with Georgia and Estonia, and cyberweapons went mainstream when the developers of Stuxnet sabotaged Iran's Natanz uranium-enrichment plant, setting back the Islamic Republic's nuclear weapons program more effectively than a 500-pound bomb ever could. In war, weapons that work get used again.

Unfortunately, it turns out that cyberweapons may work best against civilians. The necessities of modern life -- pipelines, power grids, refineries, sewer and water lines -- all run on the same industrial control systems that Stuxnet subverted so successfully. These systems may be even easier to sabotage than the notoriously porous computer networks that support our financial and telecommunications infrastructure.

And the consequences of successful sabotage would be devastating. The body charged with ensuring the resilience of power supplies in North America admitted last year that a coordinated cyberattack on the continent's power system "could result in long-term (irreparable) damage to key system components" and could "cause large population centers to lose power for extended periods." Translated from that gray prose, this means that foreign militaries could reduce many of U.S. cities to the state of post-Katrina New Orleans -- and leave them that way for months.

Can the United States keep foreign militaries out of its networks? Not today. Even America's premier national security agencies have struggled to respond to this new threat. Very sophisticated network defenders with vital secrets to protect have failed to keep attackers out. RSA is a security company that makes online credentials used widely by the Defense Department and defense contractors. Hackers from China so badly compromised RSA's system that the company was forced to offer all its customers a new set of credentials. Imagine the impact on Ford's reputation if it had to recall and replace every Ford that was still on the road; that's what RSA is experiencing now.

HBGary, another well-respected security firm, suffered an attack on its system that put thousands of corporate emails in the public domain, some so embarrassing that the CEO lost his job. And Russian intelligence was able to extract large amounts of information from classified U.S. networks -- which are not supposed to touch the Internet -- simply by infecting the thumb drives that soldiers were using to move data from one system to the next. Joel Brenner, former head of counterintelligence for the Office of the Director of National Intelligence, estimates in his new book, America the Vulnerable, that billions of dollars in research and design work have been stolen electronically from the Defense Department and its contractors.

In short, even the best security experts in and out of government cannot protect their own most precious secrets from network attacks. But the attackers need not stop at stealing secrets. Once they're in, they can just as easily sabotage the network to cause the "irreparable" damage that electric-grid guardians fear.

No agency has developed good defenses against such attacks. Unless the United States produces new technologies and new strategies to counter these threats, the hackers will get through. So far, though, what the United States has mostly produced is an outpouring of new law-review articles, new legal opinions, and, remarkably, new legal restrictions.

Across the federal government, lawyers are tying themselves in knots of legalese. Military lawyers are trying to articulate when a cyberattack can be classed as an armed attack that permits the use of force in response. State Department and National Security Council lawyers are implementing an international cyberwar strategy that relies on international law "norms" to restrict cyberwar. CIA lawyers are invoking the strict laws that govern covert action to prevent the Pentagon from launching cyberattacks.

Justice Department lawyers are apparently questioning whether the military violates the law of war if it does what every cybercriminal has learned to do -- cover its tracks by routing attacks through computers located in other countries. And the Air Force recently surrendered to its own lawyers, allowing them to order that all cyberweapons be reviewed for "legality under [the law of armed conflict], domestic law and international law" before cyberwar capabilities are even acquired.

The result is predictable, and depressing. Top Defense Department officials recently adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations, even as Marine Gen. James Cartwright, then vice chairman of the Joint Chiefs of Staff, complained publicly that a strategy dominated by defense would fail: "If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy."

Today, just a few months later, Cartwright is gone, but the lawyers endure. And apparently the other half of the U.S. cyberwar strategy will just have to wait until the lawyers can agree on what kind of offensive operations the military is allowed to mount.


We've been in this spot before. In the first half of the 20th century, the new technology of air power transformed war at least as dramatically as information technology has in the last quarter-century. Then, as now, our leaders tried to use the laws of war to stave off the worst civilian harms that this new form of war made possible.

Tried and failed.

By the 1930s, everyone saw that aerial bombing would have the capacity to reduce cities to rubble in the next war. Just a few years earlier, the hellish slaughter in the trenches of World War I had destroyed the Victorian world; now air power promised to bring the same carnage to soldiers' homes, wives, and children.

In Britain, some leaders expressed hardheaded realism about this grim possibility. Former Prime Minister Stanley Baldwin, summing up his country's strategic position in 1932, showed a candor no recent American leader has dared to match. "There is no power on Earth that can protect [British citizens] from being bombed," he said. "The bomber will always get through.... The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves."

The Americans, however, still hoped to head off the nightmare. Their tool of choice was international law. (Some things never change.) When war broke out in Europe on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of air power. Citing the potential horrors of aerial bombardment, he called on all combatants to publicly affirm that their armed forces "shall in no event, and under no circumstances, undertake the bombardment from the air of civilian populations or of unfortified cities."

Roosevelt had a pretty good legal case. The 1899 Hague conventions on the laws of war, adopted as the Wright brothers were tinkering their way toward Kitty Hawk, declared that in bombardments, "all necessary steps should be taken to spare as far as possible edifices devoted to religion, art, science, and charity, hospitals, and places where the sick and wounded are collected, provided they are not used at the same time for military purposes." The League of Nations had also declared that in air war, "the intentional bombing of civilian populations is illegal."

But FDR didn't rely just on law. He asked for a public pledge that would bind all sides in the new war -- and, remarkably, he got it. The horror at aerial bombardment of civilians ran so deep in that era that Britain, France, Germany, and Poland all agreed to FDR's bargain, before nightfall on Sept. 1, 1939.

Nearly a year later, with the Battle of Britain raging in the air, the Luftwaffe was still threatening to discipline any pilot who bombed civilian targets. The deal had held. FDR's accomplishment began to look like a great victory for the international law of war -- exactly what the lawyers and diplomats now dealing with cyberwar hope to achieve.

But that's not how this story ends.

On the night of Aug. 24, 1940, a Luftwaffe air group made a fateful navigational error. Aiming for oil terminals along the Thames River, they miscalculated, instead dropping their bombs in the civilian heart of London.

It was a mistake. But that's not how British Prime Minister Winston Churchill saw it. He insisted on immediate retaliation. The next night, British bombers hit (arguably military) targets in Berlin for the first time. The military effect was negligible, but the political impact was profound. German Luftwaffe commander Hermann Göring had promised that the Luftwaffe would never allow a successful attack on Berlin. The Nazi regime was humiliated, the German people enraged. Ten days later, Adolf Hitler told a wildly cheering crowd that he had ordered the bombing of London: "Since they attack our cities, we will extirpate theirs."

The Blitz was on.

In the end, London survived. But the extirpation of enemy cities became a permanent part of both sides' strategy. No longer an illegal horror to be avoided at all costs, the destruction of enemy cities became deliberate policy. Later in the war, British strategists would launch aerial attacks with the avowed aim of causing "the destruction of German cities, the killing of German workers, and the disruption of civilized life throughout Germany." So much for the Hague conventions, the League of Nations resolution, and even the explicit pledges given to Roosevelt. All these "norms" for the use of air power were swept away by the logic of the technology and the predictable psychology of war.


American lawyers' attempts to limit the scope of cyberwar are just as certain to fail as FDR's limits on air war -- and perhaps more so.

It's true that half a century of limited war has taught U.S. soldiers to operate under strict restraints, in part because winning hearts and minds has been a higher priority than destroying the enemy's infrastructure. But it's unwise to put too much faith in the notion that this change is permanent. Those wars were limited because the stakes were limited, at least for the United States. Observing limits had a cost, but one the country could afford. In a way, that was true for the Luftwaffe, too, at least at the start. They were on offense, and winning, after all. But when the British struck Berlin, the cost was suddenly too high. Germans didn't want law and diplomatic restraint; they wanted retribution -- an eye for an eye. When cyberwar comes to America and citizens start to die for lack of power, gas, and money, it's likely that they'll want the same.

More likely, really, because Roosevelt's bargain was far stronger than any legal restraints we're likely to see on cyberwar. Roosevelt could count on a shared European horror at the aerial destruction of cities. The modern world has no such understanding -- indeed, no such shared horror -- regarding cyberwar. Quite the contrary. For some of America's potential adversaries, the idea that both sides in a conflict could lose their networked infrastructure holds no horror. For some, a conflict that reduces both countries to eating grass sounds like a contest they might be able to win.

What's more, cheating is easy and strategically profitable. America's compliance will be enforced by all those lawyers. Its adversaries' compliance will be enforced by, well, by no one. It will be difficult, if not impossible, to find a return address on their cyberattacks. They can ignore the rules and say -- hell, they are saying -- "We're not carrying out cyberattacks. We're victims too. Maybe you're the attacker. Or maybe it's Anonymous. Where's your proof?"

Even if all sides were genuinely committed to limiting cyberwar, as they were in 1939, history shows that it only takes a single error to break the legal limits forever. And error is inevitable. Bombs dropped by desperate pilots under fire go astray -- and so do cyberweapons. Stuxnet infected thousands of networks as it searched blindly for Iran's uranium-enrichment centrifuges. The infections lasted far longer than intended. Should we expect fewer errors from code drafted in the heat of battle and flung at hazard toward the enemy?

Of course not. But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.

No one can welcome this conclusion, at least not in the United States. The country has advantages in traditional war that it lacks in cyberwar. Americans are not used to the idea that launching even small wars on distant continents may cause death and suffering at home. That is what drives the lawyers -- they hope to maintain the old world. But they're being driven down a dead end.

If America wants to defend against the horrors of cyberwar, it needs first to face them, with the candor of a Stanley Baldwin. Then the country needs to charge its military strategists, not its lawyers, with constructing a cyberwar strategy for the world we live in, not the world we'd like to live in.

That strategy needs both an offense and a defense. The offense must be powerful enough to deter every adversary with something to lose in cyberspace, so it must include a way to identify attackers with certainty. The defense, too, must be realistic, making successful cyberattacks more difficult and less effective because resilience and redundancy has been built into U.S. infrastructure.

Once the United States has a strategy for winning a cyberwar, it can ask the lawyers for their thoughts. But it can't be done the other way around.

In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. For 150 years, having the largest and most modern navy was all that was needed to project British power around the globe. Like the American lawyers who now oversee defense and intelligence, British admirals preferred to believe that the world had not changed. It took Japanese bombers 10 minutes to put an end to their fantasy, to the Prince of Wales, and to hundreds of brave sailors' lives.

We should not wait for our own Prince of Wales moment in cyberspace.

Paula Bronstein/Getty Images