5 Reasons We Don’t Have Good Strategic Thought about Cyber
Reading Daniel Steed’s recent article at War on the Rocks regarding realist thinking and cyberwar got me to thinking about how nice it would be to have a robust body of strategic cyber discourse. Sadly, we don’t have any such thing.
There is a smattering of works that point to the potential of having such a body of literature. The 1993 study Cyberwar is Coming! auspiciously launched the field. In that study, John Arquilla and David Ronfeldt suggested that cyberwar might become something analogous to the combined arms (and air-ground) phenomenon of blitzkrieg. Their ur-cyberwar was mounted by the Mongols in the thirteenth century. However, over time Arquilla and Ronfeldt lost control of the dramatic term “cyberwar.”
A number of recent works—notably by Colin Gray and Thomas Rid—have performed the useful task of trying to dispel some of the flabby thinking that has characterized the field since 1993. Also, this year, Jason Healey and Karl Grindal published A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, a book that suggests there are (usually ignored) historical commonalities in cyber operations that could provide the basis for theorizing and strategizing.
But why is there not more good strategic writing on conflict in cyberspace? Herewith five hypotheses.
1. We’ve been distracted. Good strategic minds are a scarce resource. Colin Gray has commented that unfortunately over the past two decades, the best strategic minds were working on other things. First, it was the so-called Revolution in Military Affairs (RMA), then it was defense transformation, then counterterrorism and counterinsurgency were added to this mix. Unfortunately, this period has coincided with the rise of the cyber world. The result, in Gray’s view, has been a shortage of solid strategic thinking about things cyber.
However, the RMA and defense transformation debates have come and gone; American involvement in Iraq and Afghanistan is all but over; the COIN debate has jumped the shark; and al Qaeda does not seem to pose the threat that it once did. Perhaps the time is now.
2. Cyber seems so complicated. Gray has further opined that many strategists with only modest technical backgrounds have probably felt disenfranchised by the subject because cyber sounds so complicated. This is an unfortunate perception. While it is true that actually conducting cyber operations requires a degree of technical expertise that is not vouchsafed to ordinary mortals, it is also irrelevant. Consider that not many strategists could build a nuclear warhead or design an ICBM guidance system; yet, we’ve had lots of good nuclear strategy written by people who probably never passed a class in physics or engineering. For that matter, how many strategists could explain how a wing produces lift, design a laser rangefinder, or summarize the fundamentals of submarine acoustics? The list is short, and yet great strategic thought has been produced that assumes the existence of functioning ground, naval, air, and space forces.
Well, surely technically competent people in the military are developing cyber strategy. Yes, that may be true, but…
3. Classified fora are not optimal for good strategic thought. Strategic thought entails the synthesis of ideas of many people and often entails bringing in influences from far afield. For instance, Clausewitz brought the ideas of the Romantic Movement to bear; Thomas Schelling brought in game theory; John Boyd drew on the physics of fighter plane engagements. In general, this sort of work is best done in open communities, not in small secret societies. Look back at history and with the obvious exception of Sun Tzu’s Art of War, most of the strategic texts that have been influential have been born as unclassified, and in most cases, public.
Certainly some very good strategic thought has been done in classified realms—most Soviet military thought for instance—but on average the best work is done in the open. Secret work is only optimal when there is information that must be protected, such as sensitive intelligence sources or war plans. However, there is a big difference between developing strategic thought and writing war plans. Strategic thought can be the basis of war plans, but it is seldom itself sensitive by any reasonable definition.
Further, classified fora are administered by bureaucrats. (As a former bureaucrat myself, I use that word with affection.) Bureaucrats are concerned with things like budgets, authorities, wiring diagrams, and programmatics. I’d wager that most of what goes into the U.S. government’s so-called “cyber strategy” documents has nothing to do with strategy in the international sense and everything to do with domestic bureaucratic maneuverings.
4. In any event, we don’t need “cyber strategy.” The term “cyber strategy” seems to imply that cyber operations would be the only, or at the very least, the predominant factor in the execution of such a strategy. This is a doubtful proposition that only seems reasonable if we believe that cyber operations are like nuclear operations. However, by general consensus, nuclear weapons are special. In fact, they are so special that they have only been used in anger twice. The results: some 200,000 dead bodies and a taboo that appears to have prevented its further use for the last 68 years. By contrast, cyber attacks are launched thousands or millions of times per day and have yet to kill anybody.
Gray suggests that we might be better off thinking about “strategy for cyber” than “cyber strategy.” This brings in the possibility that the strategy might actually involve more than simply cyber operations and allow us to think about the role of cyber operations in a broader, multi-domain, joint context, returning us in part to the vision of Arquilla and Ronfeldt.
Speaking of which, we’ve made some…
5. Poor language choices. Our poorly made vocabulary choices have militarized our thinking about cyber in ways that are probably unhelpful. We talk about cyberwar, cyber attacks, cyber defense, and cyber deterrence. All of these suffixes are terms with strong military connotations. Obviously, cyber is an issue of national security, but that does not mean that it has to be a military issue, at least not exclusively. In fact, this militarization of cyber discourse limits our thinking about how to defend ourselves in this realm and how to exploit it for offensive purposes. The CIA and the Departments of Treasury, Justice, and State, for instance, all have important capabilities, or at least potential roles in the cyber realm. The way things are presently going, will strategists even think to incorporate perspectives from those disparate worlds into strategy for cyber?
Fortunately, Thomas Rid’s recent work Cyber War Will Not Take Place has aggressively addressed the language problem. He observes that war is a bad metaphor for cyber operations, pointing out that most cyber “attacks” are crime, espionage, or subversion, and all have been decidedly non-lethal. Rid is exactly right. Perhaps now that he has cleared away some of the conceptual underbrush, somebody can start building a useful strategic edifice.
It might be objected that cyber security attracts a great deal of attention from senior U.S. government officials. That fact, however, does not mean that the problem should be conceptually militarized; merely, that it is a serious problem. Espionage, crime, poverty, and hurricanes also attract a lot of senior government attention, but that does not mean they are military problems.
In short, the strategist community should get to work. We have more than enough source material to draw on—a quarter century of cyber history, millennia of military history, centuries of strategic thought, and as Healey and Grindal point out, the “fundamental policies of national security and international relations.”
Mark Stout is a Senior Editor at War on the Rocks. He is the Director of the MA Program in Global Security Studies at Johns Hopkins University’s School of Arts and Sciences in Washington, DC.