« New Reports Reveal Flaw in Government's Justification for NSA Metadata Program | Home | Sometimes In Class Action Settlements Plaintiffs Gain Nothing, But Risk Everything »

Offensive Cyber Operations and America's Grand Strategy Mistake

David Husband image The New York Times recently revealed a secret debate that has been taking place behind the scenes within the Obama Administration regarding whether or not to undertake cyber-attacks against the Assad regime in Syria. The Pentagon and the National Security Agency developed a plan in 2011 to "essentially turn the lights out for Assad," but President Obama rejected the cyber-strikes, as well as regular kinetic approaches, to the conflict. The Times speculates that some of the reasons for not attacking Syria include the doubtful utility of the strikes, the possibility of retaliation, and the larger debate about the use of cyber-weapons in general.

Another possible reason, which the NYT does not discuss, may be a lack of legal authority. Over at Lawfare, Jack Goldsmith provides a cogent analysis of the potential domestic legal basis for the strikes. Goldmsith first notes the relatively sparse legal authority for the President to undertake overt action without the support of Congress against an adversary that is unconnected to the war on terror (so the AUMF would not apply.) He also believes it is unlikely to fall within the Article II self-defense powers that may have justified action against Iran (as with Stuxnet), while concluding there might be statutory authority under § 954 of the National Defense Authorization Act for Fiscal Year 2012.

However, it is the larger debate over the use of cyber-weapons in general that is most fascinating. The Washington Post disclosed last August that America mounted 231 offensive cyber-operations in 2011 alone, noting that "the scope and scale of offensive operations represent an evolution in policy, which in the past sought to preserve an international norm against acts of aggression in cyberspace, in part because U.S. economic and military power depend so heavily on computers." A major question is why has this policy changed? Why is the American military so determined to engage in offensive cyber-warfare when America may be one of the most vulnerable countries in the world to cyber attack?

There should be a serious, public debate about the value of offensive cyber operations for American security versus the costs. There are indications that this debate has occurred behind the scenes, but if we have learned anything from the NSA surveillance scandal, it is that the American people should be involved in the debate. It is the American people who should be setting the terms of whether we should even engage in this war and, if we choose to do so, to what extent we should prosecute the war. This debate, quite frankly, should be far more public than it has been. It is high time that Americans are aware of what is being done in our name in the realm of national security, when the potential blowback and costs are so high.

The costs are manifold: they include giving increased prominence to cyber-warfare (thus increasing the likelihood that cyber-attacks will become a more broadly accepted military option), militarizing cyberspace and the internet, the publicity costs and reputational harm to American interests when these secret operations are inevitably revealed, and the threat of counter-attacks which can cause substantial economic damage when they occur. Finally, in a time of budget austerity, the increased cyber-arms race represents misdirected tax dollars that could be developing America rather than tearing down other countries.

In 1800, the submarine was first introduced to the Royal Navy, impressing Prime Minister William Pitt, but not the First Sea Lord at the time, Earl Vincent. Vincent exclaimed, "Pitt was the greatest fool that ever existed to encourage a mode of warfare, which those who command the sea did not want, and which, if successful, would deprive them of it." Obviously, the answer to the submarine problem was not simply to ignore submarines. From the Royal Navy's perspective, the answer was to focus on devising effective responses to them in order to maintain control of the ocean.

Yet, there is wisdom in Vincent's words. Why encourage and lead the way in developing an asymmetric technology that can dangerously harm your position, which you have expended great blood and treasure to build up? Even if this technology were developed, why would you do so while your existing defenses were woefully inadequate?

This, in short, is the dilemma the American military is facing with regards to cyber-warfare. According to security experts, "Cyberwar is the greatest threat facing the United States--outstripping even terrorism." Former Secretary of Defense Leon Pannetta publicly proclaimed, "such a destructive cyber attack could virtually paralyze the nation." Yet currently, the "most kinetic cyberattack to date was probably the Stuxnet worm that attacked Iran's Natanz nuclear enrichment facility in 2010," which the U.S. is widely believed to be responsible for. Previously, the Pentagon seemed to understand these shortcomings, believing that cyber-deterrence would be exceptionally difficult.

However, the current strategic thinking seems to be that engaging in offensive cyber operations will have a deterrent effect on other countries, making them less likely to engage in cyber-conflict with us if they see how strong they are. It is difficult to be sure this is the exact strategic thinking because the relevant documents are highly classified, despite EPIC's attempt to secure public access to them through the Freedom of Information Act.  However, this idea is flawed, because cyber-warfare seems an ideal asymmetric tool for terrorists, non-attributable state actors, or attributable state actors who are too powerful for us to directly confront (China and Russia spring to mind). It seems a clear error of grand strategy to escalate a cyber arms race that could leave American infrastructure in shambles, with stunned Americans cast into sudden darkness, if we are attacked

The risk of a "cyber Pearl Harbor" to our critical infrastructure that we are frequently warned about is only exacerbated when we are constantly striking at the infrastructure of other countries. The politics of secret destruction in the name of national security are always easy--it is the politics of informed debate and creation in the name of democracy that are truly challenging.