by the end of 1942 the Germans were decisively defeated in grinding land battles at El Alamein and Stalingrad. The Allies quickly learned to use aircraft carriers as the “tip of the spear” in sea fights, and that tank–plane coordination was the key to Blitzkrieg-style armored breakthroughs in land battles. Diffusion of the best warfighting practices happened quickly during World War II, and the methods developed in that great conflict have continued to shape much of military strategy in the more than 75 years since its end.
But swift adaptation has hardly been the case in our time, an era of emerging “postmodern” warfare. For decades, the dark, predatory pioneers of cyberwar have proved consistently able to overcome defenses and enjoy sustained freedom of action. In terms of cyberspace-based political warfare, for example, the Russians have proved masters, hitting at electoral processes in the United States and across a range of other liberal societies. Faith in the accuracy of the voting processes so vital to democracy has been undermined. China, for its part, has developed a high degree of skill at accessing and absconding with the cutting-edge intellectual property of a range of firms around the world. Mid-level powers such as North Korea have also shown considerable muscle in what might be called “strategic criminal” aspects of cyberwar, the proceeds of such larceny used to support their governments’ nefarious activities, not least in the realm of nuclear weapons proliferation.
Even non-state actors of the more malevolent sort, from terrorists and militants to hacker cliques, have used cyberspace as a kind of virtual haven from which to operate. All have, one way or another, learned how to “ride the rails” of advanced technological systems, exploiting their vulnerabilities and using them as launching points for infrastructure attacks, theft of money, and more. Emergence of the Internet of Things (IoT) has only strengthened these disruptors – both hostile nations and dark networks – as now they can mobilize hundreds of millions of connected household devices to serve in their zombie networks. The current situation, far from seeing an equilibrium arise in which offensive and defensive capabilities are balanced, is one in which attackers retain the advantage because defenders rely overmuch on the least effective means of protection: Maginot-Line-like firewalls and anti-virals that are always a step behind advances in malicious software.
Clearly, one of the principal challenges today is to improve defenses. In my view, this would be by ubiquitous use of strong encryption and regular movement of data around and among the Clouds – that is, others’ data systems. The Fog, consisting of the available portions and lesser-mapped areas of one’s own information space and capacity, can also provide improved security, easing the fundamental problem that “data at rest are data at risk.” But even a very robust remote storage and movement system cannot substitute for strong encryption; weak codes will invite acts of cyber aggression. Unfailingly.
Aside from the way poor cybersecurity leaves societies open to having both their politics and their prosperity undermined, there is another risk: that disruption of Net- and Web-connected military communications will lead to wartime disasters – in the field, at sea, and in the aerospace environment. Future battles between advanced armed forces will be incredibly fast-paced, replete with weapons empowered by artificial intelligence and coordinated to strike in networked “swarms.” A military whose reflexes are slowed by the kinds of disruption computer viruses, worms and other cyber weaponry cause will find itself at risk of being outmaneuvered and swiftly defeated. This aspect of cyberwar – focused on “battle” – is the successor to World War II’s Blitzkrieg doctrine; I call it Bitskrieg to draw the analogy with that crucially important previous inflection point in military and security affairs.
The dangers posed by the more familiar aspects of cyberwar, from political disruption to criminal hacking and potential infrastructure attacks, pale next to the consequences of failing to see that military operations can be fatally undermined by information insecurity. That is why the need to start paying serious, effective attention to armed-conflict aspects of cyberwar is urgent. But the scope and variety of cyber threats are daunting, making it difficult to address all, especially given the attention-grabbing nature of the latest incident of one sort or another. This suggests that there is one more important, also unmet, challenge that should be taken up alongside efforts to improve cybersecurity and prepare to wage Bitskrieg-style field operations: arms control. Since virtually all advanced information technology is “multi-use” – employable for commerce, provision of services, social interaction or war – the nuclear model of counting missiles and controlling fissile material will no longer do. This has led many (well, most) to scoff at the very idea of cyber arms control. But there is another paradigm that is based on behavior, rather than “bean counting.” It has worked well, for many decades, with the Chemical and Biological Weapons Conventions – covering types of deadly arms whose basic materials can be fabricated by countless countries – whose signatories have covenanted never to make or use such devices. A similar, behavior-based approach to cyber arms control is possible as well.
The need to protect individuals, intellectual property, infrastructures and elections from cyber attack is hardly new; the way to meet challenges to them that I advance is. “New” in the sense that the current approach to cybersecurity, so reliant on firewalls and anti-virals, should for the most part be jettisoned in favor of the strongest encryption and the widespread use of Cloud and Fog computing. The failure of existing security systems is so overwhelming, as the reader will see, that the need to shift to a new security paradigm is now well beyond urgent. As a wise American chief of naval operations once said to me about cyber threats, “The red light is flashing.”
And, with armed forces and armed conflict in mind, I argue herein that the direct, warfighting implications of advanced information technologies – including artificial intelligence – have received too little attention for far too long. The fundamental problem is that a wide range of these new tools have simply been folded into or grafted onto older practices. Thus, the shift from Blitzkrieg to Bitskrieg has not yet been made. My goal is to make sure that aggressors don’t make this leap first. The painful lessons inflicted by the Nazi war machine from 1939 to 1941, at the outset of the Mechanization Age, should sensitize us to the potential cost of failing to parse the profound implications for warfare posed by the Computer Age. A cost that will surely be imposed should cyber challenges to society and security remain unmet.
Aside from illuminating the current challenges that must be met and mastered if peace and prosperity are to have a reasonable chance of thriving as we look ahead, I also “look back” in two principal ways. One aspect of this retrospection focuses on linking current – and future – issues in military affairs and information security systems to what has gone before. The best example of this tie to earlier history is the manner in which, during World War II, the Allies, using the world’s first high-performance computers, “hacked” the Axis and won critical victories in desperate times, often when the odds were stacked heavily in favor of the aggressors, as at the Battle of Midway in June 1942. The knowledge advantage that the Allies possessed over the Axis played a crucial role in the latter’s defeat. Clearly, mastery of the information domain has long mattered; it matters just as much to victory today, and will only grow in importance over the coming decades.
The second way in which I engage in retrospection reflects my own experiences and ideas in this field over the past 30-plus years, in war and peace. As I look back, from early debates about the strategic implications of the Information Age circa 1990 to very recent times, I find that, Forrest-Gump-like, I have been present at many high-level American policy debates about the various dimensions of cyberwar, and have sometimes played an active role in events.
The reflective passages, the reader will find, offer a range of first-time revelations about: how the information advantage over Saddam Hussein enabled General Norman Schwarzkopf to opt for the daring “left hook” plan that was the heart of Operation Desert Storm; why the 78-day air campaign during the Kosovo War did so little damage to Serbian forces; what went on at the first Russo-American meeting of cyber experts; and where the current debates about the military uses of artificial intelligence are, and where they are headed. It has been a privilege to be involved in these and a range of other cyber-related events over the years. But having a privilege is hardly the same as witnessing real progress, and of the latter I have seen far too little. Perhaps