The rationale for offensive cyber capabilities

This article originally appeared on the Australian Strategic Policy Institute (ASPI) website. 

June 8, 2016

James A. Lewis

An early scene in the 1962 film Lawrence of Arabia shows German planes swooping back and forth to bomb the rebel camp and Prince Feisal, who’s heroically mounted on a white charger, chasing the planes with his sword in hand. Horses against aeroplanes aptly describes the circumstance for any nation that wants to defend itself if it lacks military cyber capabilities. You can’t reasonably expect to have a modern, effective military if you can’t carry out cyber operations. This isn’t a like-for-like match of cyber versus cyber—an astute opponent will use cyber techniques to paralyse command and control, interfere with the operation of weapons, and generally attempt to fatally expand the confusion that accompanies any armed conflict.

This isn’t a call for expanded cyber defence. Cyber defence usually means a bigger Computer Emergency Response Team, more technicians, essentially a Maginot line approach. We don’t talk about defensive tanks or defensive fighters. The best weapons can be used for either offence or defence. How they’re used depends on national intent and the risk of using them depends on how closely a nation adheres to international law and the laws of armed conflict—a peaceful nation that adheres to international law has nothing to fear from acquiring ‘offensive’ cyber capabilities. A purely defensive approach cedes the initiative to the opponent and leaves the defender in a reactive posture. No military would choose that.

Nor do we need to moan about the horrors of cyber war. People have let their imaginations run away with the consequences of cyber-attack. It’s not a weapon of mass destruction. It can have strategic effect, but that comes from its ability to precisely target crucial systems. Unlike nuclear weapons, cyber-attacks can have strategic effect without mass consequences.

Nations are experimenting with how to incorporate cyber capabilities into their military operations as they develop strategy and doctrine. The most advanced militaries are creating specific military cyber warfare entities. The growing military dimension makes cybersecurity an essential subject for discussion and for national strategy development.

It may be tempting to select from a menu of clichés—genies out of bottles or Pandoran boxes opened, but all are meaningless and result from the overestimation of the effect of cyber-attacks. Perhaps 30 nations are acquiring offensive cyber capabilities; some would say many more, and some of those are in Australia’s neighbourhood—it’s not just China. Eventually, all modern militaries will have offensive cyber capabilities, just as they have acquired jets, helicopters, missiles and, increasingly, UAVs. Nobody likes warfare, but declining to modernise, sticking to the cyber equivalent of horses and swords against airplanes, is a gift to opponents who will be quick to seize upon a careless attitude towards national defence.

Such developments have implications for both the public discussion and regional stability. On the first matter, the US position is slowly changing. The US first used offensive cyber operations (albeit primitive) in the second half of the 1990s. For more than a decade, there was no public recognition of this capability. Discussion is still limited, but in the last year or two the US has decided to be more open about offensive cyber capabilities. That may seem a bit odd given that PPD-20, the Top-Secret Presidential Directive for military cyber operations, including offensive operations, was leaked a few years ago and lives on The Guardian website. But the US has made strides in beginning a halting discussion of both capabilities and operations, albeit at a very general level.

Such secrecy is unhelpful. A question that outside experts have posed for a decade is, if we could have a robust discussion of nuclear strategy and capabilities, why can’twe have the same discussion of cyber capabilities? That’s slowly beginning to change but the absence of much information outside of classified channels means that much of the media and academic discussion is simply wrong. One possible reason the Obama administration has begun to slowly peel back secrecy is that it has been reminded of a scene in the film, Dr Strangelove, where the American President cautions the Russian ambassador that having a secret weapons capability does little to provide a deterrent or stabilising effect.

Secrecy damages stability. It’s better to have an open discussion of military doctrine and strategy—this openness was the intent of the April 2015 DOD Cyber Strategy(PDF)—than letting others make assumptions about policy and intentions. Transparency builds stability and confidence—that’s the reason confidence-building measures (CBMs) are valuable, and more progress on such measures in the ASEAN region would be helpful.  Australia’s done a good job of working with other ASEAN nations on CBMs, but the only region with adequate CBMs is Europe. That’s thanks to the work of the Organization for Security and Co-operation in Europe, which includes an exchange of military doctrines among members.

Having an offensive capability is nothing to be embarrassed about or keep secret, but it needs to be accompanied by diplomatic initiatives and transparency with voters. We want to normalise cyber capabilities and should treat them like any other military system, rather than as dark secrets from the world of SIGINT.