The need for cyberwarfare theories
Before last month, most Americans thought very little about cyberwarfare. But when North Korea attacked Sony Pictures for daring to mock its leader Kim Jong-un in the now-famous film “The Interview,” cyberwarfare arrived at center stage.
Pyongyang's idea of a Christmas present offers us an opportunity we should not miss. Cyberspace, information technology and social networks can all be used for malign as well as beneficial purposes. While digital businesses, information-technology executives and defense officials have been worrying about protecting cyberspace, broader public awareness was largely missing. “Hacking” might have been a well-known term but war in cyberspace still sounded like science fiction. The often-arcane-sounding debates had a minimal effect on public policy.
Indeed, despite the best efforts of many concerned about national security, we as a nation remain woefully unprepared to appreciate and adapt to the cyberwarfare world. Kim Jong-un, inadvertently to be sure, has given us a critical opportunity to catch up.
A vital starting point is defining carefully what we actually mean by “cyberwarfare.” Our ongoing (and very dangerous) confusion already is evident in the Sony Pictures incident. President Obama called it “vandalism,” even while attributing responsibility for the attack to a hostile foreign government and acknowledging Sony's substantial economic and social costs. Moreover, the perpetrators combined their electronic offensive with threats of 9/11-style terrorism against theaters and moviegoers. Given North Korea's history of terrorism, its closeness to terrorist states like Iran, and its nuclear weapons capability, the threat was chilling.
But how should we judge? To decide properly how to prepare for, defend against and respond to cyberthreats, we must get the basics in order. Today in the cyberwarfare realm, we lack essential theoretical and conceptual foundations. There are no cyberwarfare theories comparable to what Albert Wohlstetter and Herman Kahn created for nuclear weapons. We are at far more elementary levels.
To start, we need an “escalation ladder” for cyberspace so we can better understand and distinguish the gravity and implications of various kinds of intrusions and interferences in the digital world; defend properly against them; and develop and deploy the necessary offensive capabilities to enhance our safety by creating the perception and reality of effective deterrence. To provoke a wider discussion, consider the following, concededly imperfect, outline for such an escalation ladder.
At the low end of the spectrum, we face vandalism, the cyber equivalent of spray-painting graffiti, causing relatively low levels of damage. Vandalism might come from digital delinquents (“hackers”), students with nothing better to do or troublemakers with grudges. These are essentially local law-enforcement problems.
Next higher on the ladder is significant criminal activity, including today's electronic equivalents of second-story men; identity thieves; malicious business competitors; intellectual-property pirates; and governments purloining critical technology or resources. Such criminal behavior is basically a more-serious law-enforcement problem, at least where the perpetrators are domestic.
When foreign states are involved, however, we are edging into the next-higher threat level, namely espionage, hostile clandestine actions and “influence” operations. Intelligence agencies routinely engage both in gathering information and in conducting covert actions that can involve significant damage to their targets. We are long past Secretary of State Henry Stimson's disdainful observation that gentlemen do not read each other's mail, especially in cyberspace.
The most threatening, most dangerous categories of attacks amount to acts of war or terrorism, at various levels of intensity. This end of the spectrum is difficult for many to grasp because cyberwarfare does not necessarily involve visible physical damage, at least initially. But warfare or terrorism it is nonetheless. Thus, North Korea's attack on Sony should be seen, at a minimum, as state terrorism, verging on an act of war, not mere vandalism, as Obama opined.
Moreover, for countries like North Korea or China, cyberwarfare is quintessentially asymmetric warfare; such states cannot realistically confront America in the traditional spectrum of military conflict. That is also why the likes of North Korea and Iran have nuclear-weapons programs. And it is gravely important that we grasp that cyberattacks and our responses cannot necessarily be confined to cyberspace but must be evaluated in broader politico-military terms.
America's posture, therefore, cannot simply be defensive. We need far more muscular offensive cyber capabilities, since in cyberspace, as elsewhere, offense and defense are two sides of the same coin. Enhanced U.S. offensive power will help build the psychology of deterrence to prevent or dissuade future cyberattacks.
Thus, our response to Pyongyang should not be, as Obama asserted, merely “proportional.” It should be disproportional and not confined to cyberspace. The newly announced sanctions against Pyongyang might be a first step but are not nearly enough.
We need both more public debate about cyberspace and far greater awareness of the foreign and domestic threats our citizens, businesses and governments now face. We are behind (although not hopelessly so). But we cannot delay any longer. We have precious few laurels to rest on.
John Bolton, a senior fellow at the American Enterprise Institute, was the U.S. permanent representative to the United Nations and, previously, the undersecretary of State for arms control and international security.