The need for cyberwarfare theories
Before last month, most Americans thought very little about cyberwarfare. But when North Korea attacked Sony Pictures for daring to mock its leader Kim Jong-un in the now-famous film “The Interview,” cyberwarfare arrived at center stage.
Pyongyang's idea of a Christmas present offers us an opportunity we should not miss. Cyberspace, information technology and social networks can all be used for malign as well as beneficial purposes. While digital businesses, information-technology executives and defense officials have been worrying about protecting cyberspace, broader public awareness was largely missing. “Hacking” might have been a well-known term but war in cyberspace still sounded like science fiction. The often-arcane-sounding debates had a minimal effect on public policy.
Indeed, despite the best efforts of many concerned about national security, we as a nation remain woefully unprepared to appreciate and adapt to the cyberwarfare world. Kim Jong-un, inadvertently to be sure, has given us a critical opportunity to catch up.
A vital starting point is defining carefully what we actually mean by “cyberwarfare.” Our ongoing (and very dangerous) confusion already is evident in the Sony Pictures incident. President Obama called it “vandalism,” even while attributing responsibility for the attack to a hostile foreign government and acknowledging Sony's substantial economic and social costs. Moreover, the perpetrators combined their electronic offensive with threats of 9/11-style terrorism against theaters and moviegoers. Given North Korea's history of terrorism, its closeness to terrorist states like Iran, and its nuclear weapons capability, the threat was chilling.
But how should we judge? To decide properly how to prepare for, defend against and respond to cyberthreats, we must get the basics in order. Today in the cyberwarfare realm, we lack essential theoretical and conceptual foundations. There are no cyberwarfare theories comparable to what Albert Wohlstetter and Herman Kahn created for nuclear weapons. We are at far more elementary levels.
To start, we need an “escalation ladder” for cyberspace so we can better understand and distinguish the gravity and implications of various kinds of intrusions and interferences in the digital world; defend properly against them; and develop and deploy the necessary offensive capabilities to enhance our safety by creating the perception and reality of effective deterrence. To provoke a wider discussion, consider the following, concededly imperfect, outline for such an escalation ladder.
At the low end of the spectrum, we face vandalism, the cyber equivalent of spray-painting graffiti, causing relatively low levels of damage. Vandalism might come from digital delinquents (“hackers”), students with nothing better to do or troublemakers with grudges. These are essentially local law-enforcement problems.
Next higher on the ladder is significant criminal activity, including today's electronic equivalents of second-story men; identity thieves; malicious business competitors; intellectual-property pirates; and governments purloining critical technology or resources. Such criminal behavior is basically a more-serious law-enforcement problem, at least where the perpetrators are domestic.
When foreign states are involved, however, we are edging into the next-higher threat level, namely espionage, hostile clandestine actions and “influence” operations. Intelligence agencies routinely engage both in gathering information and conducting covert actions that can involve significant damage to their targets. We are long past Secretary of State Henry Stimson's disdainful observation that gentlemen do not read each other's mail, especially in cyberspace.
The most threatening, most dangerous categories of attacks amount to acts of war or terrorism, at various levels of intensity. This end of the spectrum is difficult for many to grasp because cyberwarfare does not necessarily involve visible physical damage, at least initially. But warfare or terrorism it is nonetheless. Thus, North Korea's attack on Sony should be seen, at a minimum, as state terrorism, verging on an act of war, not mere vandalism, as Obama opined.
Moreover, for countries like North Korea or China, cyberwarfare is quintessentially asymmetric warfare; such states cannot realistically confront America in the traditional spectrum of military conflict. That is also why the likes of North Korea and Iran have nuclear-weapons programs. And it is gravely important that we grasp that cyberattacks and our responses cannot necessarily be confined to cyberspace but must be evaluated in broader politico-military terms.
America's posture, therefore, cannot simply be defensive. We need far more muscular offensive cyber capabilities, since in cyberspace, as elsewhere, offense and defense are two sides of the same coin. Enhanced U.S. offensive power will help build the psychology of deterrence to prevent or dissuade future cyberattacks.
Thus, our response to Pyongyang should not be, as Obama asserted, merely “proportional.” It should be disproportional and not confined to cyberspace. The newly announced sanctions against Pyongyang might be a first step but are not nearly enough.
We need both more public debate about cyberspace and far greater awareness of the foreign and domestic threats our citizens, businesses and governments now face. We are behind (although not hopelessly so). But we cannot delay any longer. We have precious few laurels to rest on.
John Bolton, a senior fellow at the American Enterprise Institute, was the U.S. permanent representative to the United Nations and, previously, the undersecretary of State for arms control and international security.
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.