From the preceding article, it should already be clear that the cornerstone of traditional military development – i.e. deterrence – is simply untenable in the CTI realm. However, given the preponderance of authors and so-called experts that keep pushing the traditional military model on cyber-warfare, and thus onto CTI as a tool of such ideology, the incommensurate nature of the two systems should be stressed again.
Despite the repeated use of many authors, traditional military ideology relies on a methodology that is unsuitable and incommensurate with cyber warfare and CTI. Western warfare in particular, since before the Romans, has generally relied primarily (if not exclusively) on a brute force approach in both offense and defense. The military field can be summarized as “there’s nothing we can’t bang our way out of.”[i] With the military goal of subjugating the opposition through unconditional surrender or destruction, the military approach reflects the ideology and methodology of chess. This approach lies at the core of the problem to be considered.
To begin with, any brute force method relies first and foremost on the ability to correctly identify the correct target. For attacking hackers, this is an easy task. For InfoSec defenses, this has proven to be an insurmountable problem. All the combined forces of the US military become only so much sound and fury when no legitimate target can be identified. Second, building on the attribution problem, is the inability to retaliate and/or counterattack. The InfoSec field simply has no counterattacking capabilities, nor is it likely to develop any.[ii] This invalidates the key point of traditional military methodology: namely deterrence through the threat of retribution.
Finally, the asymmetry of the field robs the defender of any permanent security, by exposure to potential attack from any person with an internet connection (and possibly without one).[iii] There is no military analogue to this level of asymmetry. One may be tempted to consider various MENA[iv] insurgencies as a possible candidate, but these only affect the US troops in the region, and may be countered by simply withdrawing – an option not available in the field of information security.
A common analogy of traditional war is chess. The goal in both war and chess is the eradication of the opponent, or their subjugation through unconditional surrender (check-mate). The theater of war is a single battlefield; the resources are perfectly symmetrical (and any asymmetry on the field is a clear benefit to the stronger group), armies are arrayed in a neat fashion, and their destruction in the course of the battle is incidental to victory.
Other than an occasional remark in the footnotes of history, along the lines of Pyrrhus’ famous “One more victory like this, and we are undone,” warfare is commonly understood as an epic battle now, followed by rest and recuperation later (followed by yet another war). That is, wars generally revolve around the ability to resoundingly smash the opponent, after which one has a chance to regroup and rebuild. We find this to be the case from as far back as the Battle of Thermopylae and Alexander’s invasion of Persia, to America’s use of nuclear weapons against Japan in WWII, and the “Shock and Awe” campaigns in Iraq and Afghanistan.
Yet, the InfoSec realm is qualitatively different. For InfoSec , there is no Thermopylae, no nuclear option, no “shock and awe.” The tide of battle never truly turns – the attacks are unceasing. Expanding a great deal of resources against an attack neither guarantees safety nor is it a sustainable long-term tactic. The chess analogy, which works so well for the traditional military paradigm, is as useless for InfoSec as knowledge of snakes and ladders is for playing chess. They both play out on a grid – but that’s where similarities end.
Thus, we must conclude that the traditional military paradigm, which has informed much of the InfoSec ideology so far, is unsuitable to the task, and must ultimately be rejected. The military approach has already failed – as evidenced by the continuous nature of hacking that has affected major corporations, institutions, and the US government itself. Attempting to find a solution from the position clearly based on false assumptions, is a recipe for failure, by definition. By treating cyber-warfare as we would traditional warfare – namely by the chess analogy – we’re playing the wrong game: confusing chess for checkers is a sure way to lose in a hurry. We are then faced with the question: if the military paradigm has failed, what is there to replace it?
Before considering possible replacement options, we must explore the factors of the military methodology that have led us to its rejection. The problems were:
- Limited state of war – war as a chess analogy, with ultimate “once-and-done” goals of clear and lasting victory;
- Brute force approach – war as a violent victory through physical domination;
- Deterrence – safety by threat of retaliation, based on attribution.
With the negative points in mind, we can derive some positive ones. In essence, by looking at ideas that have been deemed unsuitable, we can try to devise a system that negates those issues. A new system:
- Must be designed for a potentially permanent state of war, where no particular victory signifies an end to war itself;
- Must rely on indirect and non-violent means of attaining victory;
- Must negate the need for attribution and retaliation – thus negating the entire point of deterrence.
The question then becomes, “does such a system exist?” Ideally, we would prefer to use an existing system, or adapt one similar enough to our purposes, for two reasons: first, inventing complex systems from scratch is a long and painful process; second, an existing system affords us an opportunity to examine some practical problems, pitfalls, and benefits in the history of that system – and thus save time and effort. Whenever possible, we want to avoid reinventing the wheel.
In the next section, we turn to a possible replacement candidate, and consider its merits and problems
[i] We are indebted to Brett Schmithuber for this phrase.
[ii] Retaliation/counterattacking is different from attacking, in that the former must, by definition, be able to correctly identify the original aggressor to target for attacking. While retaliation/counterattacking is a reactive activity, and is entirely dependent on our ability to strike back, attacking, on the other hand, requires only the selection of any target – and as a matter of aggression does not require any additional knowledge.
[iii] Social engineering hacks are believed to be behind such massive hacks as Stuxnet.
[iv] Middle East and North Africa