Secretary of Defense James Mattis’ fondness for reading history and using its lessons to inform decision making is well known. He often quotes Ecclesiastes’ maxim, “There is nothing new under the sun,” referring to the United States’ national security challenges and the probability that comparable challenges have been confronted before. “If you read enough biography and history,” Mattis has said, “you learn how people have dealt successfully or unsuccessfully with similar situations or patterns in the past.”
Indeed, the success and failure of millions of warriors over thousands of years guides how service members operate today. These lessons manifest themselves in the laws, regulations, and standard procedures that are applied to current military operations. However, as international competition in cyberspace intensifies, and without an adequate body of successes and failures to guide cyber operations, military leaders cannot rely on history in this domain to the extent they have in others. Traditional principles of war provide useful guidance for confronting aggressive cyber activities, but there are unique, significant differences that must be factored into cyber operations planning.
With this in mind, we offer Secretary Mattis the following observations regarding cyberspace operations:
1. International law restrains nations from using force; it won’t protect us from malign use of cyberspace.
The United Nations Charter prohibits nations from using force against each other unless in self-defense or approved by the Security Council. Though not a perfect deterrent, these restrictions have significantly diminished interstate conflict for nearly 70 years. Cyber operations can have strategic impact without crossing the force threshold, as we have seen in the events involving the Office of Personnel Management, Sony Pictures, and the Democratic National Committee. Without an attack to repel, under current international law, the U.S. has no right to use force in response. The international community’s demands for a return to lawfulness can halt state-on-state violence, but such pleas cannot be expected in the legally ambiguous cyberspace domain. To develop meaningful and widespread U.S. cybersecurity, the effective options are coercing adversaries, creating an environment that incentivizes self-restraint or deters aggressive cyber acts, and seeking verifiable non-aggression accords.
2. Geographic Combatant Commanders are accustomed to owning authority over and responsibility for all the assets, personnel and missions in their areas of responsibility; cyberspace operations cannot be conducted effectively in this manner.
The advent of Geographic Combatant Commands cemented the Department of Defense’s geographic organization. DoD, like the Department of State, organizes most national security responsibilities based on political borders and physical location. While some physical threats traverse two GCCs at their borders, only cyberspace enables adversaries to exist, employ equipment, and have effect in multiple GCCs simultaneously. This challenges the foundation by which DoD starts to solve problems. The speed of cyber operations precludes meaningful coordination between multiple commands. Combatant commanders must either cede the autonomy they are used to or accept diminished capacity to conduct effective cyber operations.
3. DoD installations are normally physically secure; DoD networks are normally insecure.
Enemy infiltration of a military installation, from the most secure domestic base to the most dangerous combat outpost, is a major failure of force protection. Even the intrusion of a harmless trespasser can lead to a commander’s relief. In cyberspace, the enemy is, and likely always will be, inside our lines. Cybersecurity experts have confirmed what might be concluded from the constant barrage of hacking reports in the media – cyber devices, no matter how well defended, all have vulnerabilities that may be exploited by adversaries. This environment only allows for risk management, not complete and exclusive control. Applying a mindset of absolute security, as commanders do with bases, will lead to frustration and failure in cyberspace. Leaders should assume, if not accept, that the enemy is inside our military and government networks and make decisions regarding defense of those systems accordingly.
4. Legality of uses of force can be evaluated based on past operations; legality of cyber operations is established by current operations.
In the legal fields of contracts, property, or military operations, law has formed around existing customs and practices. Practices have not had time to develop regarding cyber operations, and because of the secrecy in which operations are conducted, acceptable practices are unlikely to be developed in a fully informed environment. Norms likely will develop based on the few events known to the public. Based on this fraction of events, political leaders (some in the know, most not), citizens, academics, and other audiences will form opinions regarding the acceptability of cyber operations. If development of this field proceeds in the same manner as other bodies of law, those under-informed opinions will shape the law that applies to cyberspace operations. What the public knows about Stuxnet sets a precedent that will legitimize or delegitimize the next Stuxnet-like event. Without knowledge of the legal and policy considerations made when planning a cyber operation, an event cannot be evaluated properly.
At this nascent stage, DoD should remain cognizant that U.S. cyber operations are driving the creation of new law. This includes the possibility that failure to respond to cyber aggression establishes a norm that will make a future decision to respond more difficult. The U.S. should also be prepared to explain operational and political context in order to distinguish its (presumably lawful) cyber operations from those of its adversaries, who might have little desire to comply with international law.
5. DoD considers cyberspace a domain, but it is fundamentally different from the others. Among the differences: Land, sea, air, and space are relatively stable, but cyberspace changes constantly.
As the only manmade domain, cyberspace is manipulated by all its users, billions of them, logging on and off, connecting and disconnecting devices, adding and deleting content, and more. The fact that the changes are rapid, constant and to some extent unpredictable makes cyber planning a different proposition than planning in the kinetic realms.
Rapid change isn’t the only thing that makes “cyber geography” challenging. Unlike the physical world, in cyberspace, physical proximity is irrelevant. The speed of packets moving across the internet means that being geographically near to the target, for most military purposes, is irrelevant. Does it matter that an activity will take an extra 100 milliseconds to complete because the target is located halfway around the globe? Humans are incapable of operating at that speed, anyway, whether they are attacking or defending. Planning for both must take the rapidity of cyber operations into account.
The speed of actions in cyberspace also makes the volume of data affected essentially irrelevant. It has been reported that Chinese actors were able to exfiltrate the files of around 21 million Americans who hold security clearances. Moving that number of physical files would not have been possible without detection. Standard terminology and concepts are fairly interchangeable in the physical domains, and applying them to cyberspace is certainly convenient. Unfortunately, those terms and ideas can be a faulty crutch when applied to cyberspace. They will require rethinking to be successful in this realm.
War and its causes have changed little over the years. By contrast, the methods of waging war have changed significantly, usually in evolutionary rather than revolutionary ways. In instances of revolutionary change, such as nuclear war and airpower, the means and conduct of hostilities have been similar enough that they fit in existing frameworks. Cyberwarfare is different. Legacy ideas about command and control, the dictates of geography, the constancy of the domain, and the nature of its effects can stand in the way of developing successful military and national security strategies. Cyberwarfare may not exactly be something “new under the sun,” but it is different enough to merit a re-examination of how we think and talk about warfare going forward.
Gary Brown served as senior legal counsel for U.S. Cyber Command, and is a retired U.S. Air Force colonel. Kurt Sanger is a lieutenant colonel and judge advocate in the U.S. Marine Corps, and a graduate of the Georgetown University Law Center’s National Security Law program. The views expressed here do not represent those of any U.S. government organization.
The views expressed by contributors are their own and are not the views of The Hill.