While cyber security is a topic of lively discussion all over the world today — a discourse subtly shifting in emphasis from firewalls to strong encryption and cloud computing — little is heard about broader notions of cyber strategy. That is, efforts to understand how future conflicts will be affected by advanced information technologies seem to be missing – or, at best, are taking place quite far from the public eye. When David Ronfeldt and I first published Cyberwar Is Coming! nearly a quarter-century ago, we were focused on the overall military operational and organizational implications of "cyber," not just the specific cyberspace-based concerns. It was our hope that this very wide-angled perspective would help to shape the strategic conversation.
Sadly, it was not to be. Forests have been felled to provide paper for the many books and articles about how to protect information systems and infrastructure; but too little has emerged to inform and guide the future development of broader strategies for the cyber era. To be sure, there have been at least a few voices raised in strong support of taking a fresh approach to strategic thought in our time — interestingly, with some of the very best contributions coming from naval strategists. Among the most trenchant insights were those of two very senior U.S. Navy officers. Vice Admiral Arthur Cebrowski, with his concept of "network-centric warfare," emphasized that this period of technological change would favor the network form of organization. Admiral Bill Owens, in his Lifting the Fog of War, argued for extensive information gathering and sharing in what he called a "system of systems." Both were writing over 15 years ago, and their respective visions proved to be just a bit too cutting-edge to gain much traction. Then or now.
Around the same time Cebrowski and Owens were sketching out their visions of strategy for a cyber age, some astute naval officers in China were doing much the same. Then-Captain Shen Zhongchang, the (People’s Liberation Army) PLA Navy’s R&D director, along with a few of his staff officers, appreciated the importance of networks and systems thinking as well — keying on the former as principal targets in future conflicts and directing their energies on battle doctrines. They understood huge increases in the information content of weaponry virtually decoupled range from accuracy, making possible a form of "remote warfare" and demanding the dispersal rather than the concentration of forces in future wars.
Unlike the still-unrealized ideas of Cebrowski and Owens, Zhongchang’s team has played a measurable role in shaping current Chinese strategic thought. Overall, though, there has been very little open debate of these ideas about the age of cyberwar in world strategic circles. How very different this is from the lively international discourse that arose over the prospect of nuclear war. In the first decade of the atomic age, a range of strategic ideas arose and shaped lively debates. In the U.S., for example, the enthusiasm for nuclear weapons among senior policymakers led to serious ideas about waging preventive wars against enemies before they could acquire such capabilities. Thankfully, many scholars and others involved in security affairs rose up in protest and, in 1954, President Eisenhower publicly renounced the idea that the U.S. would ever wage preventive nuclear war.
Other countries were ahead of the U.S. on this point, including adversaries like the then-Soviet Union, and even friends like France, where Charles DeGaulle put the notion of endless nuclear arms racing to rest with the formulation that all that was needed was an "arm-tearing-off" capacity for deterrence to work well. Mao Zedong adopted this view, too; so have most others who have developed nuclear weapons. Eventually, in part because of public debate — and sometimes because of protests in both countries — Moscow and Washington came around to this view, and arms racing turned into the nuclear arms reductions we see continuing today.
But this is not the case with cyber. There is a raging arms race in virtual weaponry under way, secretly, in many countries — with concomitant plans for pre-emptive, preventive, and other sorts of Pearl Harbor-like actions. The potential for "mass disruption" (as opposed to nuclear mass destruction) is generally the focus of these efforts. The results could be extremely costly if these ideas were ever acted upon. As Scott Borg, director of the U.S. Cyber Consequences Unit, has noted: "An all-out cyber assault can potentially do damage that can be exceeded only by nuclear warfare."
Yet instead of an outcry about this looming threat, and a thoughtful discourse about how to bring these capabilities under control, efforts to develop ever-more-sophisticated weaponry of this sort are proceeding unabated. In some places, like the U.S., the complacency in the face of the potential threats is staggering. Witness the comments of the current American "cyber czar," Michael Daniel, on this point: "If you know about it, [cyber is] very easy to defend against." In an age where the world has repeatedly seen how vulnerable commercial enterprises are (such as Sony, Target, Anthem Blue Cross, to name just a few), and where even very sensitive information held and guarded by government is breached (as was the case with the U.S. Office of Personnel Management), the statement that cyber attack is "easy to defend against" rings all too hollow.
So what is needed now is a lively discourse on cyber strategy. It should probably begin with consideration of whether offense or defense dominates, as parsing the peril in this way will affect the larger debate about continuing the cyber arms race or, instead, searching out various ways to craft sustainable, behavior-based international cyber arms control agreements. The wisdom or folly of using cyber weaponry in pre-emptive or preventive actions — à la Stuxnet — should also be openly debated.
In an earlier era, atomic scientists played central roles in guiding and informing the key nuclear debates — in the military, government, and among the mass public. In this era, it may well be up to the computer scientists and other information technology experts to provide a similar, signal service — and now is the time for them to ramp up that discourse.