Cyberspace in Peace and War

Marin C. Libicki

Overview: Cyber warfare is one of the key elements of 21st century conflict. The influence of cyber is simply everywhere throughout the USAF, and the United States as a whole. The risks of cyber warfare are magnified in large part because cyber users have little or no understanding of how the system works, and what activities might put them at risk. Because virtually every USAF professional interacts with the cyber domain on a daily basis, they absolutely require at least a basic understanding of how the cyber domain functions and interacts with the physical domain. This work provides all of the grounding that Airmen need to make informed decisions and act responsibly in the cyber domain, and does so in an interesting and often humorous fashion. Martin Libicki is RAND’s foremost analyst of cyber conflict. He is universally regarded as one of the foremost thinkers in the field of cyber warfare, and he has spent more than four decades examining the role of cyber networks in future conflicts. This work is the distillation of his incredible knowledge base, presented in an accessible format that is of utility to any USAF professional, from the most knowledgeable cyber warrior to the absolute novice.

• Part I, Chapters 1-6, provides the foundations of cyber warfare. It opens with a discussion of what Libicki calls “emblematic attacks,” essentially the most prominent and damaging cyber-attacks to date, from massive espionage campaigns to attacks on Iranian nuclear reactors. Having captured the reader’s attention, it moves to a discussion of the basic principles of the cyber world, and the most common means to compromise a computer network. After supply an overview of the key elements of cyber defense and how each of those elements can be exploited by an attacker, Libicki turns to the special challenges of defending against major threats. This shows the fundamental difference between the dangers of an individual hacker and the resources available to a nation determined to break into a secured system. He closes the section with a discussion of what the government can and cannot do to secure computer systems, and analyzes whether cyber security should be a government role. As you read, consider what you have heard in the media about cyber-attacks—does Libicki’s explanation make you feel better or worse about the future of cyber war? What is your role in securing computer networks, and how diligent are you in performing that role? Why do people often assume that the government can and will defend them from cyber-attacks?
• Part II, Chapters 7-11, addresses the cyber policies of nations and the international arena. Libicki examines the idea of what information must be classified and protected, and what information can be left in open access. He spends a substantial amount of time explaining “Zero Day Exploits,” which tend to be the biggest vulnerabilities on a cyber system. Having covered these key concepts, Libicki then turns to a general analysis of the likely future developments within the cyber domain, including offensive and defensive capabilities and how they might link to conflict in the physical world. While reading this section, consider how you prioritize defending data if you have limited resources. Do government agencies have a duty to point out Zero Day vulnerabilities to the companies that created them, or should they feel free to exploit them? Is cyber going to be more or less problematic in the future? Would you be confident in relying upon a cyber-attack as a critical element of your operations? Why or why not?
• Part III, Chapters 12-17, dives into the concept of cyber operations. It opens with a discussion of cyber campaigns, and how professional cyber warriors behave differently from private hackers. Libicki questions whether cyber should be considered a warfighting domain, and the strategic implications of such a delineation, and then moves to a discussion of cyber stability. Currently, offensive cyber operations tend to be more effective than defensive ones–which might lead to a greater propensity for conflict, given that there is no benefit to waiting and no guarantee of retaliatory success. Yet, if such attacks might lead to a larger conflict, perhaps they should not be used. Why is the concept of a campaign, as opposed to an attack, important? What if there are spillover effects beyond the cyber domain? Should the NATO Charter (an attack upon one is an attack upon all) apply to cyberspace?
• Part IV, Chapters 18-31, is dedicated to strategies in cyberspace. Libicki notes that there is a fundamental difference between threats and actions in the cyber domain, and that the latter might be less effective in many cases. He argues that popular misconceptions about cyber have led many to believe the U.S. is behind its adversaries in cyber capabilities, in part because the U.S. does not seem to engage in overt responses to incursions. Libicki discusses the key aspects of cyber deterrence and retaliation, with an emphasis upon the problem of attribution—how to be certain who launched an attack upon you in cyberspace. He argues that a zero tolerance policy is a dangerous approach in the cyber realm, as it might contribute to instability. Escalation and risk strategies are a key element in this section, as is the idea of deterrence through defense. Controlling the narrative as a means to provide strategic stability is the final element of this section. If offensive operations are stronger in cyber, when is retaliation a bad idea? Why is attribution so difficult, and how does this influence cyber escalation? How much ambiguity is tolerable? Why is controlling the narrative and sending clear signals important?
• Part V, Chapters 32-34, closes out the work with a discussion of the current norms in cyber warfare. Libicki investigates whether the current laws of armed conflict are applicable in the cyber domain. He devotes a chapter to the current U.S.-China relationship in cyberspace, and proposes potential ways forward that do not escalate conflicts. His final chapter summarizes the inherent challenges in cyberwarfare, namely, the difficulty in planning for an event with no historical precedents. How are norms established in cyberspace? Is cyber fundamentally different from other elements of ISR and espionage? Should it be? And how much is enough cyber defense? Does the cyber domain increase the likelihood of a war between the U.S. and China? If so, how?