The Real Fog of Cyberwar: Operational Cyber Planning
Cyber operations and strategies are assumed to be critically important to national security strategies. The United States has gone to great lengths to implement cyber planning at the national level, as well as at the operational level in the U.S. military. The problem is that we have little ability to answer the question of “what can we do?” with cyber strategies as they are utilized in the real world. Few really understand the behavior of these unicorn-like operations that are thought to be easy, safe, and cheap. In fact, cyber operations are not easy, nor are they cheap or safe. Not being able to answer critical questions of how to operationalize cyber strategies leaves us also unable to ponder the deeper question of “what should we do?” in cyberspace once we have an idea of capabilities and effects.
Since cyber conflict is now considered the fifth domain of war (a conceptual framework not entirely accurate, but useful enough) the military will continue to look for ways to integrate cyber strategies into its operational framework. This effort will be fraught with complications because there is a real fog of war in cyber operational planning. Cyber operators in the military and policy-makers alike cannot evaluate the effects of cyber actions; this is because the step of planning realistic operations for battle has been skipped. It is impossible to conceive of how to run a cyber operation if there is no clear strategy providing the intellectual backbone for such operations.
We can see the fog of war in cyber operations in a recent article by Colonel Martha S. H. VanDriel, an experienced operational planner and Army strategist, on planning cyber operations. When it comes to integrating operational level actions into the structure of the U.S. Army, there are clear problems of implementation, knowledge, coordination, and command. Since the United States is the global hegemon and leader in military operations, its course of action will be replicated by country after country as others learn similar processes. Yet, just what is the American process? Do we have a plan for fighting future cyber battles in coordination with kinetic operations?
VanDriel makes the clear point that since we have little knowledge of past cyber actions, it is tough for anyone to really understand the “what can we do?” question needed to formulate a plan. She notes, “there is little to no historical, operational analyses of how cyberspace operations have been integrated into military operations, so operational planners have no concrete examples from which to learn.” I would add that since we are unclear on what we can do in cyberspace, we also skip the critical self-examination required to answer the question of what we should do.
Analysts assume a priori that cyber operations are effective and will be a deeply connected part of the warfighting process. This problem persists because of the lack of historical operational analysis of past cyber actions that might be used for training and strategy purposes. Unfortunately, the problems of conducting a cyber offensive action are too immense to be effective, and deterrence is ineffective in cyberspace since there exists no demonstration effect. These challenges become obvious after one reviews the recent examples of how cyber tactics have been used diplomatically and in the military.
For cyber weapons to deter an adversary there needs to be a demonstration effect, making cyber power and deterrence inherently problematic. Once the power of the weapons is made known, the threat then needs to be credible. This is classic deterrence strategy, which has seemingly been forgotten since the end of the Cold War. Cyber weapons cannot be demonstrated effectively as used by states. Once used, others can replicate those efforts in various situations, as Iran apparently did with the Shamoon malware used against Saudi Arabia’s oil facilities. Even more important is the question of credibility. To deter an adversary and get them to back down, they need to know that one is willing to use the weapons; otherwise, the opposition will take advantage of the threatening state. This is impossible in cyber as I chronicle in a new book I wrote with Ryan Maness, Cyber War versus Cyber Realities, given the remarkable restraint seen in the domain. Despite the stated importance of the domain, we have few examples of states being willing to use cyber weapons in even the most likely situations (Iraq, Libya, the U.S. against ISIS, Ukraine).
What we are left with is the matter of how to proceed given the situation at hand. We need to think about the nature of cyber operations, their deep connection to civilian operations, and the efficacy of cyber actions. Without a cyber strategy, we remain in the dark about how to use, plan, and deploy cyber tools on the battlefield or as coercive devices.
There are many other deeper complications with using cyber operations as a military tool. VanDriel notes that American systems lack basic notions of cyber hygiene (strong passwords and consistent updates), and that on another level there is a deep weakness in the military’s dependence on civilian computer systems, which are open to known vulnerabilities. Flaws in civilian systems will be too exploitable: Like the drone program before it, a cyber system built on conventional software will be too easy to exploit. There must also be a clear awareness of what is going in and out of a military network during a military operation, which is nearly impossible if conventional systems are used. Like a base, a military network needs to be locked down.
There is a need to invest more energy in thinking about cyber operations, and in communicating these ideas to both cyber planners and commanders in the field. As VanDriel points out, military leaders need to have some experience in how cyber operations are conducted, yet the U.S. system is currently not set up to train and intake so many officers.
There are no easy answers to all these questions and problems. The plan will not come quickly, nor will it be simple. In fact, it might be best if cyber operations were entirely divorced from military operations, given their ineffectiveness and liability in harming civilian systems. There is room to figure these issues out, but these debates are either not being held, or are dominated by those that rush to state the importance of the cyber domain without examining how and why it is important.
It is critical that we have a deep discussion and dissection of what can done in cyberspace and what should be done in cyber military operations. This conversation is only beginning, but it requires much more than historical evaluation and training: It requires real theoretical and ethical examinations of the processes and assumptions inherent in the cyber domain.
Brandon Valeriano is a senior lecturer at the University of Glasgow and the author of Cyber War versus Cyber Realities: Cyber Conflict in the International System (Oxford University Press, 2015).
Photo credit: Fort George G. Meade Public Affairs Office