Cyberspace in Peace and War
Marin C. Libicki
Overview: Cyber warfare is one of the key elements of 21st century conflict.
The influence of cyber is simply everywhere throughout the USAF, and the United
States as a whole. The risks of cyber warfare are magnified in large part because
cyber users have little or no understanding of how the system works, and what
activities might put them at risk. Because virtually every USAF professional interacts
with the cyber domain on a daily basis, they absolutely require at least a basic understanding
of how the cyber domain functions and interacts with the physical domain. This work provides
all of the grounding that Airmen need to make informed decisions and act responsibly in the
cyber domain, and does so in an interesting and often humorous fashion. Martin Libicki is
RAND’s foremost analyst of cyber conflict. He is universally regarded as one of the foremost
thinkers in the field of cyber warfare, and he has spent more than four decades examining the
role of cyber networks in future conflicts. This work is the distillation of his incredible
knowledge base, presented in an accessible format that is of utility to any USAF professional,
from the most knowledgeable cyber warrior to the absolute novice.
Part I, Chapters 1-6, provides the foundations of cyber warfare. It opens with a
discussion of what Libicki calls “emblematic attacks,” essentially the most prominent
and damaging cyber-attacks to date, from massive espionage campaigns to attacks on Iranian
nuclear reactors. Having captured the reader’s attention, it moves to a discussion of the
basic principles of the cyber world, and the most common means to compromise a computer network.
After supply an overview of the key elements of cyber defense and how each of those elements
can be exploited by an attacker, Libicki turns to the special challenges of defending against
major threats. This shows the fundamental difference between the dangers of an individual hacker
and the resources available to a nation determined to break into a secured system. He closes the
section with a discussion of what the government can and cannot do to secure computer systems, and
analyzes whether cyber security should be a government role. As you read, consider what you have
heard in the media about cyber-attacks—does Libicki’s explanation make you feel better or worse about
the future of cyber war? What is your role in securing computer networks, and how diligent are you
in performing that role? Why do people often assume that the government can and will defend them
Part II, Chapters 7-11, addresses the cyber policies of nations and the international arena.
Libicki examines the idea of what information must be classified and protected, and what information
can be left in open access. He spends a substantial amount of time explaining “Zero Day Exploits,”
which tend to be the biggest vulnerabilities on a cyber system. Having covered these key concepts,
Libicki then turns to a general analysis of the likely future developments within the cyber domain,
including offensive and defensive capabilities and how they might link to conflict in the physical
world. While reading this section, consider how you prioritize defending data if you have limited
resources. Do government agencies have a duty to point out Zero Day vulnerabilities to the companies
that created them, or should they feel free to exploit them? Is cyber going to be more or less
problematic in the future? Would you be confident in relying upon a cyber-attack as a critical
element of your operations? Why or why not?
Part III, Chapters 12-17, dives into the concept of cyber operations. It opens with a discussion
of cyber campaigns, and how professional cyber warriors behave differently from private hackers.
Libicki questions whether cyber should be considered a warfighting domain, and the strategic
implications of such a delineation, and then moves to a discussion of cyber stability. Currently,
offensive cyber operations tend to be more effective than defensive ones–which might lead to a
greater propensity for conflict, given that there is no benefit to waiting and no guarantee of
retaliatory success. Yet, if such attacks might lead to a larger conflict, perhaps they should
not be used. Why is the concept of a campaign, as opposed to an attack, important? What if
there are spillover effects beyond the cyber domain? Should the NATO Charter (an attack upon one
is an attack upon all) apply to cyberspace?
Part IV, Chapters 18-31, is dedicated to strategies in cyberspace. Libicki notes that there
is a fundamental difference between threats and actions in the cyber domain, and that the
latter might be less effective in many cases. He argues that popular misconceptions about
cyber have led many to believe the U.S. is behind its adversaries in cyber capabilities,
in part because the U.S. does not seem to engage in overt responses to incursions. Libicki
discusses the key aspects of cyber deterrence and retaliation, with an emphasis upon the
problem of attribution—how to be certain who launched an attack upon you in cyberspace.
He argues that a zero tolerance policy is a dangerous approach in the cyber realm, as it
might contribute to instability. Escalation and risk strategies are a key element in this
section, as is the idea of deterrence through defense. Controlling the narrative as a means
to provide strategic stability is the final element of this section. If offensive operations
are stronger in cyber, when is retaliation a bad idea? Why is attribution so difficult, and
how does this influence cyber escalation? How much ambiguity is tolerable? Why is controlling
the narrative and sending clear signals important?
Part V, Chapters 32-34, closes out the work with a discussion of the current norms in cyber
warfare. Libicki investigates whether the current laws of armed conflict are applicable in
the cyber domain. He devotes a chapter to the current U.S.-China relationship in cyberspace,
and proposes potential ways forward that do not escalate conflicts. His final chapter summarizes
the inherent challenges in cyberwarfare, namely, the difficulty in planning for an event with no
historical precedents. How are norms established in cyberspace? Is cyber fundamentally different
from other elements of ISR and espionage? Should it be? And how much is enough cyber defense? Does
the cyber domain increase the likelihood of a war between the U.S. and China? If so, how?