Democracy Lab

The Man to Watch

Is Burma's top general maneuvering for a run at the presidency?

People in Burma are accustomed to keeping a close eye on their generals. It seems like a reasonable habit when you consider that the military ruled Burma for more than the last half-century, relinquishing its absolute control over politics only recently. Even today, despite three years of liberalizing reforms, high-ranking officers retain considerable sway.

So you can hardly blame people for sitting up and taking notice earlier this week, when a local weekly published details of a speech made by Min Aung Hlaing, the commander-in-chief of the armed forces (pictured above). In the speech, he declared, among other things, that the military is "afraid of no one." Just in case someone didn't get the message, he also noted that "the Tatmadaw [Burma's armed forces] will always follow policies set by retired Senior General Than Shwe." Than Shwe was, of course, the head of the ruling military junta in Burma from 1992 to 2011.

His remarks, which were supposedly given during a closed meeting with officers on Nov. 29 and not published in the state-run newspapers, were accompanied by several highly provocative comments about the simmering ethnic conflicts that have plagued the country for decades. Strikingly, the general pinned the blame for Burma's long-running civil war on the leaders of ethnic groups who have been fighting for greater autonomy and a bigger share of the country's national wealth.

Nor are these the only statements by the general that have attracted notice recently. Three weeks ago, on Dec. 21, a state-run newspaper, the Mirror, surprised readers by devoting almost its entire front page to four separate stories on the most recent activities of the commander-in-chief. To be sure, flattering coverage of top generals is hardly unusual in a country where the military still holds significant power. Yet these latest publications have drawn attention precisely because of the message they seem intended to convey.

The paper devoted a full page, no less, to one of the stories, which covered Min Aung Hlaing's appearance at the graduation ceremony of the Military Medical University. In his speech at the event, the general noted: "When it comes to implementing state security, unconventional measures should be taken into account as well as conventional ones." He then elaborated on what he meant by "unconventional measures," speaking at some length about the concept of "human security." This, he said, is a category that includes economics, food security, health, the environment, individual personal security, and national security. Particularly striking is the fact that the military strongman used the phrase "human security" in English.

So what's going on? Can we learn anything useful from reading between the lines here? In fact, that there are at least two important conclusions we can draw from Min Aung Hlaing's speeches. First, his remarks signal an important shift in the development of military doctrine, one that entails a major change in the style of the leadership of the armed forces. Second, his statements strongly suggest that the commander-in-chief is considering the possibility of entering politics, perhaps by running for president in the next national election scheduled for 2015.

Over the past 25 years, since the military seized power in 1988, the Tatmadaw (armed forces) has professed to follow an ideology based on "Three National Principles" -- namely, the preservation of the union, the maintenance of national solidarity, and the defense of sovereignty.

Based on these principles, the armed forces developed a doctrine they called "total national defense," which is included in Burma's 2008 constitution. This was the third phase of doctrinal development in the recent history of the armed forces. The Tatmadaw announced its first official doctrine in 1950, followed by a second in 1958. While some of the details have changed, the ideological program articulated in all three cases revolves around the notion of state security. As experience has shown, the armed forces take these statements of doctrine very seriously. In the past, even when these ideological guidelines were kept secret from the public (right up into the 1990s), the armed forces nonetheless used them as the basis for civil-military relations and its interventions in civil politics. In the doctrine developed in the late 1950s, for instance, the Tatmadaw expanded its role from defense to public administration and business. The military then proceeded to put these principles into practice, seizing state power for two years starting in 1958 and establishing military conglomerates in late 1950s.

The military staged its coups in 1958, 1962, and 1988 in the name of state security -- the same rationale cited by the successive juntas to justify economic autarky and self-imposed isolation in foreign policy. The coup leaders continued to cite state security needs to legitimize their expansion of the army at the expense of education, economic welfare, and health care. The military built roads, bridges, dams, and even a new capital deep in the jungle. The former military leaders I've interviewed in the course of my studies placed supreme emphasis on state security, despite their clear awareness that the public has entirely different priorities, such as democracy and social welfare. Members of the military dismiss such views as "populist" or "short-sighted."

In this historical context, Min Aung Hlaing's explicit embrace of "human security" represents a dramatic departure from the norm. If his statements are to be taken seriously, they indicate an attempt by the military to win the people's hearts and minds by re-defining the armed forces as the defenders of democracy and social welfare.

And what about the possibility that the commander-in-chief is positioning himself for the 2015 elections? According to several sources inside the military, Min Aung Hlaing, who will reach retirement age that same year, is quietly preparing a run for the presidency. Some of Burma's military lawmakers have stated that the armed forces will nominate Min Aung Hlaing as a presidential candidate in 2015. If this is the case, Min Aung Hlaing's "human security" rhetoric might well resonate with the public's aspiration, and he could present himself as a statesman with a clear political vision, perhaps enabling him to profit from intense personal rivalries among the other contenders, including the incumbent president Thein Sein, the parliamentary speaker Thura Shwe Mann, and opposition leader Aung San Suu Kyi.

In any event, it's quite clear that observers of Burma's political scene will find themselves paying even closer attention to the doings of Min Aung Hlaing in the months to come.



Cult of the Cyber Offensive

Why belief in first-strike advantage is as misguided today as it was in 1914.

In military circles 100 years ago, whatever the question was, attack was always the answer.

Attaque à outrance, or "Attack to excess," was a concept that took hold in European military circles at the turn of the 20th century. The idea was that new technologies like the railroad and telegraph gave an advantage at the strategic level to whichever nation could mobilize first and go on the offensive, while new technologies like the fast-firing cannon, machine guns, and rifles meant at the tactical level that the troops who showed the greatest offensive élan (a concept that combined both willpower and dash) would always carry the day on the battlefield. The philosophy gained huge popularity. In Germany, it drove the adoption of the Schlieffen Plan (which envisioned a rapid mobilization of the army to first knock out France to its west with a lightning offensive and then swing back to face Russia to the east), while in France it was actually written into military law in 1913 that the French army "henceforth admits no law but the offensive."

There were only two problems with Attaque à outrance, an idea that historians now call the "cult of the offensive." The first was that it drove the European powers into greater and greater competition and ultimately war. When crisis loomed after the assassination of Archduke Franz Ferdinand in 1914, few thought it worth going to war. But soon the sides feared that they were losing a tight window of opportunity during which to mobilize to their advantage, or even worse, that they would be caught helpless. Fear of being on the defensive prompted the powers to move to the offensive, launching their long-planned attacks as part of a war most didn't want. The second problem was even worse. These new technologies didn't actually give the offense the advantage. Once the war started, it became clear that "attacking to excess" against fast-firing artillery, rifles, and machines guns was not the way to quick victory, but rather to a quick death. A bloody stalemate of trench warfare instead resulted.

Today, this question of whether new technology favors offense or defense is a critical one for cybersecurity and cyberwar, and it shapes everything from the likelihood of war to how governments and even businesses should organize themselves. And just as prior to the outbreak of World War I, there is widespread assumption that cyberattack has the inherent advantage over cyberdefense. As one Pentagon-funded report concluded in 2010, "The cyber competition will be offense-dominant for the foreseeable future." This kind of thinking is why Congress repeatedly in 2013 pressed the U.S. military about its cyberoffense capabilities, to make sure we are ahead, with military leaders like Gen. Keith Alexander, the simultaneous head of the NSA and Cyber Command, assuring them that, "Our offense is the best in the world."

This belief in the inherent superiority of cyberoffense has helped drive increased spending on offensive capabilities by militaries around the world, with the U.S. military spending, depending on the measure, 2.5 to 4 times as much on cyberoffense research and development as cyberdefense research. An accompanying industry has also arisen: markets for so-called zero days -- coding flaws that can be exploited by hackers -- and now even "hackback" firms that will take the offensive for hire.

The conventional wisdom about offensive advantage has become so entrenched that some argue that the real problem is not that the offense has an advantage, but that it isn't talked about enough, meaning that few have been warned about the risks of actually using such weapons.  "We've got to step up the game; we've got to talk about our offensive capabilities and train to them; to make them credible so that people know there's a penalty to this," said James Cartwright, the four-star Marine Corps general who led much of the initial U.S. strategy in cyber issues until his retirement in 2011. "You can't have something that's a secret be a deterrent. Because if you don't know it's there, it doesn't scare you." (Two years later, this quote took on far greater resonance, when Cartwright was reported to have been the alleged source of leaks to the media that revealed the U.S. role in building Stuxnet, the first true use of a cyberweapon.)

The basic thinking behind assumed offensive dominance is, as one Center for Strategic and Budgetary Assessments (CSBA) report explained, "It will be cheaper and easier to attack information systems than it will be to detect and defend against attacks." Indeed, as a former senior Pentagon official explained, "A few teenaged hackers sipping Red Bull in their parent's basement can have a WMD-style impact."

More importantly, the attackers have the advantage of being able to choose the time and place of their attack, whereas the defender has to be everywhere. This is true with any weapon, but in cyberspace it is even more pronounced. While in the physical world territory is relatively fixed, the amount of "ground" that the defender has to protect is almost always growing in the cyberworld -- and growing exponentially. The number of users on computer networks over time is an almost constant upward curve, while the number of lines of code in security software, measured in the thousands two decades ago, is now well over 10 million. By comparison, malware has stayed relatively short and simple (some is as succinct as just 125 lines of code), and the attacker only has to get in through one node just one time to potentially compromise all the defensive efforts. As the director of the Defense Advanced Research Projects Agency (DARPA), put it, "Cyber defenses have grown exponentially in effort and complexity, but they continue to be defeated by offenses that require far less investment by the attacker."

Just as before World War I, however, the story of offense's inherent advantage is actually not so simple. The cyberattacks that are truly dangerous require a great deal of expertise to put together. And while they might play out in terms of microseconds, they often take long periods of planning and intelligence gathering to lay the groundwork. Neither Rome nor Stuxnet was built in a day. This means that crippling attacks out of the blue are not as easy to pull off in the cyber world as is too often depicted by both policymakers and Hollywood.

Another challenge for offensive actors is that the outcome of a cyberattack can be highly uncertain. You may be able to get inside a system or even shut it down, but that is only part of the story of what makes a good offense. The actual effect on your target is hard to predict, and damage assessment is difficult to carry out, meaning that it's tough to know if the attack worked or what to do next.

Nowhere was this more evident than in the United States' covert cyber campaign against Iranian nuclear facilities. Stuxnet was not something your run-of-the-mill terror group could have pulled off. It involved a Manhattan-project style of organization and expertise. The people involved ranged from intelligence agents and analysts -- who teased together the exact location, make, and model of the targets in Iran -- to some of the top cyber weapons designer talent in the world to engineering and nuclear physics experts, who helped the group understand the target and how best to compromise the research. The result was a weapon of sophistication and nuance not seen before that could be deployed without the initial knowledge of the Iranians.

Despite this amazing level of effort and expertise, Stuxnet ended up not just in the Iranian targets, but in thousands of computers around the world, from India to Eastern Europe. It was that unexpected result that led IT researchers to first begin to explore it and ultimately piece together what Stuxnet actually was, compromising the operation.

But it's not just that cyberoffense can be unpredictable and even counterproductive -- cyberdefense is not as helpless as is often portrayed. The attackers may have the luxury of choosing the time and place of their attack, but they have to make their way through a "cyber kill chain" of multiple steps if they actually want to achieve their objectives. According to Charles Croom, a retired U.S. Air Force lieutenant general who once led the Defense Information Systems Agency, "The attacker has to take a number of steps: reconnaissance, build a weapon, deliver that weapon, pull information out of the network. Each step creates a vulnerability, and all have to be completed. But a defender can stop the attack at any step."

Moreover, defenders who are losing in the cyber realm don't have to restrict the game to just that domain or one iteration. They can try to impose other costs on the attacker, whether they be economic or diplomatic costs, traditional military action, or a cyber counterattack. Rather than just sitting there defenseless, they can take action either to deter the attack or reduce the benefits from it.

The most important lesson researchers have learned in traditional offense-defense balances -- and now in cybersecurity -- is that the best defense actually is a good defense. Regardless of which side has the advantage, any steps that raise the capabilities of the defense make life harder on the offense and limit the incentives for attacks in the first place. In cybersecurity, these include any and all measures that tighten network security and aid in forensics to track back attackers.

The Internet evolves and so do doctrines. The smart players in the field are moving from a traditional framework of defense to an approach of resilience. Instead of building walls, they are focusing on how systems recover rapidly, or, even better, keep on functioning even after they have been compromised. The idea is to build systems where the parallel for offense and defense isn't from warfare, but biology. When it comes to bacteria and viruses in our bodies, human cells are actually outnumbered by as much as 10 to 1. But the body has built up an amazing capacity of both resistance and resilience, fighting off what is most dangerous and, as Vint Cerf, the computer scientist who is literally one of the "fathers of the Internet," puts it, figuring out how to "fight through the intrusion."

No computer network will mimic the human body perfectly, but DARPA and other groups are working on "intelligent" computer security networks that learn and adapt to resist cyberattacks. In the future, it's not difficult to imagine that cyberdefense will sometimes be able to outsmart an adversary and turn the tables on them. Other efforts aim at misdirecting attacks down false alleys of faked information or sending them into so-called honeypots to ensnare and study them. Just the mere existence of such systems, moreover, would sow doubt among adversaries that an attack is going to work.

In the end, the focus on offense and defense obscures a crucial reality of modern-day cybersecurity that distinguishes it from World War I, or, even worse, the poorly thought-out Cold War parallels that too many leaders and commentators make.

In 1914 and again in 1945, the powers of the day ended up split into two alliances, worried that one or the other side would seize the offensive advantage. But much like the users of the broader Internet itself, cyberattackers and defenders today range from the more than 100 militaries that have built some kind of cybermilitary unit to large and small technology firms to collectives that join Anonymous netizens interested in everything from Internet Freedom to cute cat videos. The online world is hardly bipolar, and nor should our thinking on it be.

So when the question is how to protect your online glass house, buying a stone sharpening kit is certainly not the only answer.