Cyberwarfare unleashes confusion on Washington
Last month, while reviewing his career a few days before retirement, former Joint Chiefs Chairman Adm. Mike Mullen discussed what he sees are the two "existential" threats facing the United States. After nuclear weapons, Mullen listed cyberattacks, which, he said, "actually can bring us to our knees." During the Cold War, the United States developed an elaborate deterrence doctrine, backed up by an enormous investment in strategic nuclear weapons. Asked about similar preparation for the cyber threat, Mullen said, "We're a long way from that right now." This week, Air Force Gen. C. Robert Kelher, commander of Strategic Command, the command responsible for the Pentagon's cyber operations, said there still needs to be "a full conversation" about doctrine, rules of engagement, and legal issues regarding the Pentagon's responses to cyberattacks.
While policymakers in Washington converse, a new computer worm called Duqu arrived in Europe. Duqu, apparently a derivative of the Stuxnet worm that briefly crippled Iran's uranium enrichment plant at Natanz, has been quietly gathering intelligence data and documentation on certain industrial control systems. Stuxnet set back Iran's nuclear program by delivering false instructions to the industrial control system at Natanz. Duqu, termed "extremely sophisticated" by the computer security firm Symantec, seems to be performing reconnaissance for a future attack on a discrete industrial control system.
If, as Mullen asserted, a sophisticated cyber attack "can bring us to our knees," why does the U.S. government seem to have such difficulty formulating a doctrine to adequately address the threat? The Pentagon's official cyberstrategy, a brief and vague document unveiled in July, called for better cooperation and training, but apparently failed to give Kelher and his command the guidance and authorities he needed to establish a retaliatory doctrine and cyberwar rules of engagement.
Why is the Pentagon struggling to make progress on an issue that Mullen, Kelher, and others view with such gravity? The simplest explanation may be that the obstacles to establishing deterrence and rules of engagement in cyberspace are formidable and continue to resist policymakers' attempts at a solution.
For example, this week the New York Times revealed that, last March, Obama administration officials considered, then rejected, a proposal to use cyberweapons to attack Libya's air defense system at the beginning of NATO's air campaign. One reason for rejecting this course of action was that the cyber-reconnaissance necessary to prepare the way for the attack would have taken too long while a government armored column was approaching Benghazi; U.S. Navy Tomahawk land-attack cruise missiles made much quicker work of Libya's air defense system.
But a more important argument against a cyberattack was the desire to avoid setting a precedent that other adversaries could later exploit against the United States. Similarly, the U.S. government considered hacking Osama bin Laden's bank accounts but refrained because officials feared that such an attack could cause investors to lose faith in the safeguards underpinning the global financial system. The common theme is that the United States, including its military forces, is among the heaviest users of computer networks and thus has the strongest incentive to avoid escalating combat in this domain.
Effective deterrence requires demonstrating a threatening capability that intimidates would-be adversaries. Nuclear weapons tests in the 1950s, not to mention the attacks on Hiroshima and Nagasaki, served this purpose for the United States and the Soviet Union during the Cold War. This week, Kelher hinted at his command's offensive cyberpower. But until demonstrated, it remains hypothetical and likely of little deterrent value, especially against anonymous non-state actors. And for the reasons stated above, such a demonstration seems unlikely.
The "full conversations" on doctrine and rules of engagement that Kelher are waiting for are not likely to occur any time soon. Wanting to avoid escalation in cyberspace, U.S. policymakers are forced into a reactive posture, war-gaming how they would respond to attacks and mitigate their consequences. The difficulty of the cyber issue is one more example of how irrelevant the lessons of the Cold War are to many current problems. Meanwhile Duqu is out there ... somewhere.