
Brig. Gen. Billy Mitchell
On September 12, 1918 at St. Mihiel in France, Col. William Mitchell became the first person ever to command a major force of allied aircraft in a combined-arms operation. This battle was the debut of the US Army fighting under a single American commander on European soil. Under Mitchell's control, more than 1,100 allied aircraft worked in unison with ground forces in a broad offensive - one encompassing not only the advance of ground troops but also direct air attacks on enemy strategic targets, aircraft, communications, logistics, and forces beyond the front lines. Mitchell was promoted to Brigadier General by order of Gen. John J. Pershing, commander of the American Expeditionary Force, in recognition of his command accomplishments during the St. Mihiel offensive and the subsequent Meuse-Argonne offensive.

After World War I, General Mitchell served in Washington and then became Commander, First Provisional Air Brigade, in 1921. That summer, he led joint Army and Navy demonstration attacks as bombs delivered from aircraft sank several captured German vessels, including the SS Ostfriesland. His determination to speak the truth about airpower and its importance to America led to a court-martial trial in 1925. Mitchell was convicted, and resigned from the service in February 1926.

Mitchell, through personal example and through his writing, inspired and encouraged a cadre of younger airmen. These included future General of the Air Force Henry H. Arnold, who led the two million-man Army Air Forces in World War II; Gen. Ira Eaker, who commanded the first bomber forces in Europe in 1942; and Gen. Carl Spaatz, who became the first Chief of Staff of the United States Air Force upon its charter of independence in 1947.

Mitchell died in 1936. One of the pallbearers at his funeral in Wisconsin was George Catlett Marshall, who was the chief ground-force planner for the St. Mihiel offensive.
ABOUT THE MITCHELL INSTITUTE: The General Billy Mitchell Institute for Airpower Studies, founded by the Air Force Association, seeks to honor the leadership of Brig. Gen. William Mitchell through timely and high-quality research and writing on airpower and its role in the security of this nation.

ABOUT THE AUTHOR: Dr. Rebecca Grant is an airpower analyst with nearly 20 years of experience in Washington, D.C. She is a Senior Fellow of the Lexington Institute and president of IRIS Independent Research. She has written extensively on airpower and serves as director, Mitchell Institute, for the Air Force Association.

Published by Mitchell Institute Press 2008 Air Force Association Design by Darcy Harris

By Rebecca Grant

November 2008
A Mitchell Institute Special Report

TABLE OF CONTENTS

The Rise of Cyber War

Appendices

Remarks by Air Force Secretary Michael W. Wynne, C4ISR Integration Conference, Nov. 2, 2006

Remarks by Homeland Security Secretary Michael Chertoff, Chamber of Commerce on Cybersecurity, Oct. 14, 2008

Foundational Doctrine Statement and Selected Definitions

Air Force Gen. Kevin P. Chilton, commander of US Strategic Command: "I firmly believe we'll be attacked in that domain. Our challenge will be to continue to operate in that domain." (US Air Force photo)

"Cyber warfare is already here," Deputy Secretary of Defense Gordon England remarked in early 2008. In October of that year, Homeland Defense Secretary Michael Chertoff warned that the threat is on the rise. "The reality is that cyber attacks aren't decreasing," said Chertoff. "They are increasing in frequency, sophistication, and scope, and this has major implications for our national and economic security." Air Force Gen. Kevin P. Chilton, speaking with Pentagon reporters in Washington, D.C., expressed growing concern from a military standpoint. "I firmly believe we'll be attacked in that domain," said Chilton. "Our challenge will be to continue to operate in that domain."1

Call 2008 the year that cyberspace - its vulnerability, its defense, and its exploitation - passed the point of no return as a major issue for national security officials. International events and the confluence of several major government moves drove the subject of cyberspace higher up the list of priorities for Americans.

Overseas, an August 2008 conflict between Russia and the small neighboring state of Georgia saw a wave of Russian cyber assaults directed against the government of Georgia; civilian computer experts had to step in to restore services.2 There has reportedly been a series of foreign-origin attacks on networks at the State, Commerce, Defense, and Homeland Security departments over the past several years, known by the code-name Titan Rain.3 According to the Washington Post, US government officials and cyber-security professionals believe some large attacks dating from 2005 that targeted US nuclear-energy labs and large defense contractors had ties to Chinese Web sites.4

At home, Washington launched a multi-step program to put cyber security on a more urgent footing. President Bush in early 2008 signed a directive expanding intelligence community powers to monitor Internet traffic and repel mounting attacks on federal government computer systems.5 The classified memorandum - National Security President Directive 54/Homeland Defense Presidential Directive 23 - applies to both agencies. It authorized a new task force, headed by the Director of National Intelligence, which now manages US efforts to identify the source of cyber-attacks against government systems. DHS will work to protect the computer systems; the Pentagon will prepare plans for counterattacks. The approval of the combined NSPD/HSPD marked the most far-reaching effort to date by the United States government to neutralize threats in cyberspace.

Meanwhile, the Air Force and Navy both tightened their focus on cyberspace with key organizational changes to cyberspace commands, while NATO stood up a cyber response organization.

"In the area of cyberspace, both nation states and non-state actors continued to seek ways and means to counter the advantages we obtain from our use of information and to turn those same advantages against us in both conventional and unconventional ways," said Assistant Secretary of Defense Michael Vickers in testimony before a House subcommittee.6

The shock of such attacks' scope and magnitude was a point of consensus among top government officials. "The kind of attack that you would worry about is the kind of thing we saw in Estonia last year - a denial-of-service attack, where they flood the system with so many e-mail botnets. You don't shut the system down, but you slow it down to the point that it's unusable," said Chilton.7

As England assessed the situation: "I think cyber attacks are probably analogous to the first time, way back when people had bows and arrows and spears, and somebody showed up with gunpowder and everybody said, 'Wow. What was that?'"8

Despite unprecedented high-level government attention, cyberspace remains an area of dispute and mystery. Some critics contend it is not a bona fide domain of warfare.9 Others criticized what they claimed were questionable Air Force motives for its effort to organize and streamline its cyberspace capabilities.10 At the same time, allies and potential competitors are working to improve their own cyberspace capabilities.

The past few years have been consumed with efforts to organize cyberspace and evaluate threats - some to military and government systems, and many to the privately-owned infrastructure that extends cyberspace throughout US commerce and daily life. What's missing is serious progress in understanding how to think about cyberspace as a new warfighting domain.

Understanding and plans do not spring into being overnight. It took several decades to establish the place of airpower in national defense strategies and international rules for armed conflict. With cyberspace, the challenges will be similarly large and onerous. They range from mastering the forensic tasks of attack attribution all the way to much broader questions about proportionality of response and legitimacy of certain targets.

Much remains to be done in terms of thinking through the implications of cyberspace as a warfighting domain. Doubtlessly, the most fascinating discussions occur behind a veil of secrecy. However, this has always been the case with sophisticated weapons of war.

Despite the secrecy, the broad outlines of key cyber uncertainties are plain enough to stir discussion. This paper addresses three of these areas. They are:

- Definition of cyberspace as a domain of military operations.
- Organization of the services, departments, and agencies to meet cyber challenges.
- Development and assessment of theories of cyberspace power.

Nothing written here is the final word on these subjects. In fact, the opposite is far closer to the truth. Debate is just now starting to pick up steam. That debate is necessary to pull together strong, sound national security policy for this newest domain: cyberspace.

1. "Cyber Warfare a Major Challenge, Deputy Secretary Says," John J. Kruzel, American Forces Press Service, March 3, 2008. "Remarks on Cyber Security to the Chamber of Commerce," Michael Chertoff, Office of the Press Secretary, Department of Homeland Security, Oct. 14, 2008. Gen. Kevin P. Chilton, transcript of remarks to the Defense Writers Group, March 4, 2008.
2. "Tulip Systems Tries to Keep Other Georgia's Web Sites Safe," Kristi E. Swartz, Atlanta Journal Constitution, Aug. 17, 2008.
3. "Hackers Attack Via Chinese Web Sites," Bradley Graham, Washington Post, Aug. 25, 2005.
4. "Bush Order Expands Network Monitoring, Intelligence Agencies to Track Intrusions," Ellen Nakashima, Washington Post, Jan. 26, 2008.
5. Nakashima, Washington Post, Jan. 26, 2008.

A DOMAIN OF ELECTRONS AND CONSCIOUSNESS


Over the last decade, cyberspace has become an essential integrating medium for military operations, one in which US armed forces want and need superiority. Indeed, US Strategic Command already treats cyberspace as a vital war-fighting domain. "We've found ourselves becoming dependent on it in the way we conduct ... military operations and so you would expect an adversary to try to counter those advantages that the United States has to bring to the fight," said Chilton, USSTRATCOM commander.11

The emergence of a new domain of combat is an exceedingly rare event. Warfare on land has always been with us. War at sea came along quite a bit later,

Russia's conventional-force attack on Georgia in Summer 2008 was accompanied by cyber attacks on that nation's critical systems. (AP photo/Darko Bandic)

6. Testimony of Michael Vickers, Assistant Secretary of Defense, hearing of the House Armed Services Subcommittee on Strategic Forces, Feb. 27, 2008.
7. "General Lays Out Challenge of Defending Cyberspace," Jim Garamone, American Forces Press Service, March 14, 2008.
8. "Cyber Warfare a Major Challenge, Deputy Secretary Says," John J. Kruzel, American Forces Press Service, March 3, 2008.
9. See for example William Matthews, "US Cyber Command's Mission Remains Unclear," Defense News, April 8, 2008.
10. See for example Noah Shachtman, "Air Force Will Fight Online Without Cyber Command," Wired, posted Oct. 9, 2008.
11. Gen. Kevin P. Chilton, transcript of remarks to the Defense Writers Group, March 4, 2008.


Michael Chertoff, Secretary of Homeland Security, warns that cyberadversaries can bring down a system in ways that, in the past, could be done only when you dropped bombs or set off explosives. (State Department photo)

though it happened so many millennia in the past that it doesn't really make much difference. Now, however, two such transformative events have taken place within just the past one hundred years.

First came the arrival of the air domain, which emerged during 1908-18. That decade was a period that ranged from the first military flights at Ft. Myer, Va. - in which the war potential of aircraft was demonstrated to all - to the end of World War I, by which point national air services had earned their places in combined arms operations. Gen. James Cartwright, former USSTRATCOM commander and now Vice Chairman of the Joint Chiefs of Staff, had this to say about the event: "When we started with air, it was sightseeing. Eventually, it became something important and, even further down the road, it became something that contributed to the other domains."12 Of course, man had for centuries dreamed of conquering the air. As a consequence, many thinkers had been pondering its possible military uses long before the invention of a functioning flying machine early in the 20th century.

The second new domain - cyberspace - has been only recently conceived, created, discovered, explored, and exploited. A great controversy rages over what it really is. It is a physical sphere, clearly, but it is also, in no small part, a cognitive sphere. A close look at the brief history of cyberspace contains big clues as to why Washington's national security apparatus still is wrestling with policy, organization, and resource-allocation issues.

The cyberspace domain of warfare emerged in the 1990s. Dating it precisely is not easy. Trace elements of an emerging cyber-theater were present in Operation Desert Storm in 1991. In summer 1996, Gen. John Shalikashvili, the JCS Chairman, issued Joint Vision 2010, a paper presented as a conceptual template to guide planning for future warfare. It anticipated operations based on information superiority - the collecting, processing, and disseminating of an uninterrupted torrent of information while damaging or denying an adversary's ability to do the same.13 Major discussions of so-called net-centric warfare began to appear frequently in scholarly publications and in war college seminars.14 Military officers debated the laws, methods, and organizations for potential cyberspace operations. However, these largely amounted to forecasts of computer network attack (along with some warnings about the need for information assurance).

The real potential of fused intelligence and network operations appeared with a vengeance in Operation Allied Force, the NATO air war over Serbia in 1999. Cyberspace was exploited to direct attacking aircraft and shape the nature of an attack. Soon, more and more administrative and command and control operations were transferred to various cyber networks. Airmen, at least, became dependent on cyber-integrated communications and networks. This dependence was generated by a combination of the rise of rapid, expeditionary Air Force operations, the preference for precision, the need to rely on reachback systems, and the insatiable appetite for information domain dominance as a way to get maximum utility from smaller forces.
The situation is more complicated than this, however. The pedigree of cyberspace has actually been a source of confusion as it has become a stand-alone domain.

First, key cyber structures and organizations have lineages that predate the 1990s. The Internet itself was set up in the late 1960s and was functioning fully in the 1980s.15 The National Security Agency, the prime source of domain encryption, dates to the 1950s.16 The existence of such legacy agencies and entities affects today's view of cyberspace as a domain.

Second, cyberspace actually incubated within the US Intelligence Community, not the nation's military forces, and was thus shaped by early Intelligence Community doctrine created for information warfare.

In a way, these primordial features of the cyber world have actually made it harder to grasp the reality of cyberspace as a domain. On the one hand, it was investment in communications, intelligence, and information functions that laid the foundation of today's military cyberspace. On the other hand, we have yet to disentangle our modern cyberspace concepts from old-style information operations. These information operations and cyber operations are closely related, but they aren't the same thing. There are key distinctions. Two stand out.

First, information warfare hinges on use of refined content - deception, psychological manipulation, counter-propaganda, influence operations, shaping - to achieve desired results. All of these actions may be carried out in and through cyberspace and be greatly enhanced thereby. However, various information operations are really nothing more than a set of tools - information packages that support various strategies and policies in the real world. Cyberspace, on the other hand, is an actual domain, an arena for many different types of actions. That is the essential difference.

Second, there are differences in the value of the transmitting medium. Most information operations are nothing more than age-old warfare techniques pioneered long before the rise of cyberspace. Deception, creation of operational security, some forms of electronic warfare, and similar techniques can be used without a resort to tightly integrated computer-to-computer networks. True, use of cyberspace may greatly enhance the speed and power of these kinds of information operations, but don't let this confuse you. Cyberspace is a domain, a place, a theater. So-called information operations are just directed missions.

12. Gen. James A. Cartwright, Commander of US Strategic Command, interview with the author, Sept. 14, 2007.
13. Joint Vision 2010, Gen. John M. Shalikashvili, Office of the Chairman of the Joint Chiefs of Staff, July 1996.
14. See for example Vice Adm. Arthur K. Cebrowski and John J. Garstka, "Network-Centric Warfare: Its Origin and Future," USNI Proceedings, January 1998.
15. "A Brief History of the Internet," Barry M. Leiner et al, Internet Society (http://www.isoc.org/internet/history/brief/shtml).
16. "About the NSA," National Security Agency Central Security Service memorandum (http://www.nsa.gov/publications/publi00015.cfm).
Similar conceptual confusion grows out of the interrelationship of cyberspace and the electromagnetic spectrum. The intellectual linking of these two concepts is essential, of course. After all, being a warfare domain requires some sort of physical existence. The problem stems from trying to draw a distinction between the two things. This is a new problem. The line between land and sea is easy to determine. The line between air and space is more difficult to draw, but at least air and space have very obvious physical differences. That is not the case with cyberspace and the electromagnetic spectrum.

The Joint Staff's Joint Net-Centric Campaign Plan, published in October 2006, promulgated a definition of cyberspace as "a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures."17 In other words, the spectrum was declared to be the true physical location of cyberspace. This determination solved a conceptual problem that had bedeviled all thinking on the subject. It established that cyberspace was not limited to the Internet or defined by the number of routers or users or their protocols. It could be lots of other things, whose physical manifestation lay within the electromagnetic spectrum.

However, some early attempts to help clarify cyberspace as a domain have almost done more harm than good by leaning too much on the electromagnetic spectrum. The false definition of cyberspace as being any type of moving energy led in some cases to arcane and essentially pointless debates about the cyberness of earlier electronic applications - from telegraphs to early signals intelligence. Because computer network operations do take place within the spectrum itself, it was easy to cast cyberspace as merely a set of enabling operations.

Command center at USSTRATCOM, Offutt AFB, Neb., which in recent years has been given a charter for global operations, including the offensive cyber mission. (DOD photo)

17. Joint Net-Centric Campaign Plan, Joint Chiefs of Staff, Washington, D.C., October 2006 (http://www.jcs.mil/j6/c4campaignplan/JNO_Campaign_Plan.pdf).

Definition of cyberspace as a domain must recognize the centrality of electromagnetic phenomena that are at the core of cyberspace operations. However, the control and use of electromagnetic phenomena alone is not sufficient. Electronic signals have been around longer than the cyberspace domain. Electronic communications are supporting functions of other warfare domains, too.

We have now arrived at the key. What is different about the cyberspace domain is that it takes the prevalent electromagnetic phenomena and assembles them into new, higher sets of value: Intranets, the Internet transport layer, data storage, and so forth. Virtual networks or knowledge bases then take on a value

Marine Corps Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, said of the cyber attacks in Georgia: "What we're trying to understand is, working our way back, what are the implications?" He is pictured here with Deputy Defense Secretary Gordon England. (DOD photo/TSgt. Adam Stump)

that is unique - vital to their functions and distinct from being a mere collection of uncoordinated signals not integrated with each other. Compare, for instance, the value of a random set of telephone calls to that of chat room data assembled to underpin a rescue operation. You cannot sort out the difference merely on the basis of who uses electronic signals; they both do that. The difference is that, in the case of the chat room, we have refined the application into a useful, virtual creation.

Evidence of cyberspace's domain-ness is nowhere more evident than in the tactical and operational networks built and used in cyberspace. Cyberspace definitions comprise computer networks and the electromagnetic spectrum, including some elements of both.

Control of information from space assets is one example of this phenomenon. Satellite control of on-orbit communication and positioning is carried out mainly by radio frequency. However, communications among ground stations may move over the transport layer of the Internet. "The ground stations are likely plugged in, in some form or fashion, to the Internet," explained Chilton.18 "That's how we move information around. So you have to think about cyber defense to assure that network." In this example, dominance in cyberspace and space go hand-in-hand.

The tactical aspect of cyberspace abounds in the air domain. Reachback and precision effects often depend on cyberspace for a final refinement of an attack plan. "For that single [joint direct attack munition] to achieve its effect, we rely on advanced technology to put weapons on target - command and control systems, global positioning system satellites, communication networks, and electronic warfare capabilities," according to joint commentary by Maj. Gen. William T. Lord, commander of Air Force Cyber Command (P), and Lt. Col. Stephen Matson, a member of the AFCYBER(P) team at Barksdale AFB, La.19

This wide and deep tactical and operational reliance on cyberspace produces what the Air Force has recently termed "cross-domain dominance." Put in simplest terms, the successful execution of global expeditionary air and space operations depends on having unfettered access to the physical and virtual cyberspace networks. This reliance is best described as a cognitive feature of the networks, for it shapes the way operations are planned and conducted, and it shapes commanders' intent and expectations. This has a major impact on how things are done in the other domains of air, space, land, and sea.

In a 2007 interview, Air Force Lt. Gen. Robert J. Elder, commander of 8th Air Force, summed up the situation with these words: "Cyberspace exists alongside the other warfighting domains and should be protected and exploited in a similar fashion. This reflects the need to gain and maintain operational freedom in cyberspace - cyberspace superiority - as a predicate to achieving land, air, sea, and space dominance."20

Dealing with the cognitive aspects of the cyber domain is important, but difficult. The argument for it is tricky, and more philosophical than other aspects of the debate. In this respect, it is useful to examine earlier

18. Gen. Kevin P. Chilton, transcript of remarks to the Defense Writers Group, March 4, 2008.
19. "8th Air Force, AFCYBER Joint Forces to Provide the Right Tools for Cyber Success," Maj. Gen. William T. Lord and Lt. Col. Stephen Matson, Feb. 25, 2008.
20. "Cyberspace Command Logs In," Henry Kenyon, SIGNAL Magazine, August 2007.

attempts to depict this domain visually. Typical images include colored representations of the Internet connections, images of people interacting with the Web through computers, and mergers of global images and Internet images. In each case, someone is trying to depict cognition. The Internet grid maps attempt to depict a domain. Images with people serve as symbols of interaction in this domain. Taken together, the ubiquitous themes mark a struggle to ascertain just what the domain is and what it means.

In fact, using images in this way constitutes a classic Western philosophical way of dealing with a new reality. It marks an important step toward drawing cyberspace into the framework of social and political agreements that shape nations and the international system. Think of all the graphic artists' images of cyberspace. They are trying to do two things: depict the domain's phenomena and depict the human connection to it. The most famous of these images, seen on this page, is the photo of World Wide Web pioneer Tim Berners-Lee holding a glowing gold orb. It's an attempt to express our connection to the cyber domain.

Another big thought entails viewing cyberspace as a new world commons. Think of Bruegel's famous painting (shown opposite) of medieval merchants and peasants cavorting in the town square. Or, just think of New York's Times Square on any New Year's Eve. The idea of the commons - like that of a city or a nation-state - occupies a highly important symbolic position in international politics. It emanates from the relationships among nations and business entities, the people in them, and their commerce and security. All of our carefully drawn international rules flow from this concept of the global commons. Within nations, democracies look to the rules of the commons for their authority.

This is part of the enormous challenge posed by cyberspace. As a physical, virtual, and cognitive domain, cyberspace creates a new commons, generating serious concerns about how to secure it and make it usable for all parties in the face of the pressures and dangers posed by nation-states. Surely, current international norms, practices, and law will help, but the nation-state issues are tough. The old concepts and standards of sovereignty do not function well in this cyber world, where the limits of national ownership and responsibilities are fuzzy and attack attribution can be so difficult to establish.

We eventually will need a clearer understanding of how the new commons should function. It is imperative to develop it if we are to make further progress on cyberspace policy, privacy, rules of engagement, differentiation between foreign and domestic issues, and develop military response options. If history is any guide, the only way to get there will be through intense discussion of theory as well as practice, for the theory of cyber security, ultimately, will express the will of the people.

In a sense, the domain debate is a preoccupation of only one community - the US defense community. Outside of it, thinkers have long since moved on to other matters. Agonizing domain debates do not occur in China, for example. There, cyberspace operations already have been incorporated into a sophisticated,

World Wide Web pioneer Tim Berners-Lee with his golden orb. (Getty image/Catrina Genovese)

Pieter Bruegel's concept of the commons.


layered national defense strategy, the point of which is to confuse Taiwan's military reactions to any Chinese aggression and to slow down anticipated deployment of US forces in response. "With budgets running into billions of dollars, the [People's Liberation Army] has assiduously prepared to fight a future war in cyberspace with Taiwan and the West," contended one defense analyst at the New Delhi-based Institute of Peace and Conflict Studies, an important defense think tank.21 "Attacks on American, Japanese, and South Korean systems, among others, have been traced to China. The PLA has regularly simulated computer virus attacks in its military exercises and Chinese companies with strong links to the PLA have also acquired the latest computer technology from the US." He went on to say, "Cyber warfare will in the future, be as critical as air supremacy is today, in disrupting and destroying the enemy's lines of communication and critical infrastructure."

Airmen tend to their duties at the Air Force's Global Cyberspace Integration Center, located at Langley AFB, Va. (USAF photo/Amelia Donnell)

All signs are that the problem is spreading quickly. By late 2007, security and defense agencies in Washington, London, and Berlin all had been targets of sophisticated Chinese cyber attacks. According to various news reports, during her first official visit to China in late summer 2007, German Chancellor Angela Merkel confronted Chinese Premier Wen Jiabao over this matter.22 For its part, Beijing accuses Taiwan and the US of conducting hacking attacks and inserting

malware into its own computer networks.[23] There can be no denying, however, that cyberspace is a domain that China wants to master, or that it has invested heavily in a program to develop this mastery. The specific doctrine governing its actions has been described as "local wars under informationalized conditions."[24] Over the past decade, PLA doctrine has shifted away from land force activity to center on forging capabilities in air, space and cyberspace. The Chinese high-tech doctrine that held sway in the period 1993-2004 has been refined to focus more heavily on Chinese dominance of the electromagnetic spectrum. Donald L. Fuell, a China expert at USAF's National Air & Space Intelligence Center at Wright-Patterson AFB, Ohio, notes that the changes were approved by the Central Military Committee in 2002 and announced in 2004.[25] With this change, China's cyber warfare component is now more important than ever to Chinese doctrine. China aims both to improve its own integration of cyberspace with ISR components and sharpen tools for disrupting adversary use of cyberspace. According to Fuell, first strike computer network operations are part of China's current cyberspace training, along with a variety of hard and soft power options. Fuell noted that, in recent years, China has overtaken the US as the top exporter of information and communications technology goods.

Clear statements of China's developing cyber power can be found in many different sources. One such is contained in the Defense Department's Annual Report to Congress: Military Power of the People's Republic of China 2008. It states: "In the past year, numerous computer networks around the world, including those owned by the US Government, were subject to intrusions that appear to have originated within the PRC. These intrusions require many of the skills and capabilities that would also be required for computer network attack. Although it is unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC government, developing capabilities for cyberwarfare is consistent with authoritative PLA writings on this subject."[26] Lt. Gen. David A. Deptula, USAF's deputy chief of staff for intelligence, surveillance, and reconnaissance, had this to say: "In terms of computer network operations, the PRC remains the greatest state-sponsored threat."[27] Deptula went on to call attention to China's proliferating abilities to deny, degrade, and disrupt cyberspace operations, labeling it a major threat to joint force operations.

In light of the actions of nations such as China, it is important to keep a weather eye on how the domain may evolve. Cyberspace as a domain will always comprise physical, virtual, and cognitive elements, but, already, day-to-day operations within the domain have been changed by the introduction of new technologies. New and disruptive shifts within the domain are virtually certain to occur. Some, such as major changes in where data resides, will have the potential to drastically alter the way militaries carry out operations in cyberspace.

Now on the horizon is one such disruption called cloud computing. It marks a potentially large shift in the layout of the domain itself. To understand why, one needs to have a grasp of the Pentagon's concept of a Global Information Grid, or GIG. The early definition of this GIG rested on assumptions about transport and application layers, one of which was that most processing of data would take place at user sites: command post screens, individual desktops, or airborne systems. Analogies with a national power grid were apt: both input and output occurring at known locations. Data might be exchanged over the GIG, but it would in the end come to rest at a known site. In the worst case attack scenario, a terminal could be disconnected, but users would hold on to data at their work stations and continue to work until a connection was restored. The application resided in a specific computer, not in the GIG itself.

However, cloud computing has begun to change that model. Cloud computing is a general term for what airmen might call offboard data. In this case, it's best defined as activity using any collection of servers storing vast amounts of data and linking them together for applications.

21. "China and Taiwan Spar in Cyberspace," Jabin T. Jacob, Institute of Peace and Conflict Studies, New Delhi, November 2003.
22. "Merkel: China Must Respect Game Rules," Christopher Bodeen, Washington Post, Aug. 27, 2007.
23. "Chinese Official Accuses Nations of Hacking," Edward Cody, Washington Post, Sept. 13, 2007.
24. "China's National Defense in 2004," a Whitepaper released by the State Council Information Office, Dec. 27, 2004.
25. "China's Aspirations for Information Dominance," Donald L. Fuell, National Air and Space Intelligence Center, unclassified briefing, 2006.
26. Annual Report to Congress: Military Power of the People's Republic of China, Department of Defense, February 2008.
There's no single cloud, since various companies and organizations assemble their own. The Internet is essential to the cloud and functions as its transport layer. For illustration, take the case of Google, the search engine megalopoly. Its cloud is a network consisting of possibly as many as a million cheap servers, each about as powerful as a home personal computer. Combined, they store staggering amounts of data, including numerous copies of the World Wide Web, and produce answers to billions of queries in a fraction of a second, noted Stephen Baker, writing in Business Week.[28] In every case, the cloud achieves the same purpose as the 1960s-era supercomputer. It increases search complexity and speed. However, a supercomputer is to the cloud as candles are to a bonfire. As Baker wrote, "At the most basic level, it's the computing equivalent of the evolution in electricity a century ago when farms and businesses shut down their own generators and bought power instead from efficient industrial utilities."

The ramifications for national security are potentially enormous. The cloud computing concept transfers more value to the network itself. In a larger sense, it confirms that the domain is not necessarily rooted in a specific set of relationships between workstations, servers, and software. For example, computing originally rested most of its value in large, distinct computer systems, with smaller numbers of terminals. The personal computer revolution in memory and software moved the center of gravity to the desktop. Over the last decade, the dominant model has been a gradual tilt from desktop to Internet as the content value of the World Wide Web has risen. Business-to-business transactions moved additional value to the Internet for specific applications. Now, cloud computing is shaking out the relationships again.

For now, there is no single cloud but groups of clouds. They are commercial, and they vary in size. Users can purchase time on a cloud from ever-entrepreneurial Amazon, among others. Markets for search and software will grow and revenue based on the cloud should follow. Taken to its logical extremes, the cloud offers new players more processing power for innovative projects. Cloud computing also has the potential to become a system of choice for data storage. Cloud applications are already beginning to replace the old system of storing and exchanging files. Virtual groups can connect into 24/7 work teams and keep their data in the cloud. As to the clouds, their size is not limited.

Cloud computing reconfirms the definition of cyberspace as a domain. Relationships shift but the domain remains in force. This domain is a chameleon, capable of looking different under different configurations and applications. What does not change is the now-essential value proposition. If anything, the value grows every time cyberspace changes its colors. Cloud computing as a trend underlines why the Air Force (and all military services) need to embrace cyberspace as a domain and pay close attention to their formal structures for maximizing it. Another decade could bring significant evolutions in the way cyberspace is used for data storage, exchange, and manipulation. Migration of computing functions from PCs and networks to a larger cloud structure could increase efficiency and facilitate remote applications; it will also place new demands on transport layers and on cloud and network security.

Top military leaders, while they might disagree on some definitions and courses of action, are nevertheless firmly united in their appreciation of the threats in cyberspace. Few persons anywhere deny that cyberspace is a serious arena for competition, especially military competition.

Among the biggest recipients of Pentagon cyber funding is the supersecret National Security Agency, the national cryptological and signals intelligence establishment headquartered at Ft. Meade, Md. (DOD photo)

F-15s go into action in the 1991 Gulf War. Trace elements of cyber war could be found even in that conflict. (USAF photo)

In Operation Allied Force, NATO's 1999 air war over Serbia, the alliance used cyber raids to disable Serbian defense systems and communications. (AP photo/Srdjan Ilic)

27. Lt Gen David A. Deptula, DCS/ISR, "Global Threat Awareness Brief," Jan. 18, 2008.
28. "Google and the Wisdom of the Clouds," Stephen Baker, Business Week, Dec. 13, 2007.

Rise of Cyber War, A Mitchell Institute Special Report

Order and Disorder in a Wild World


The second question about the future of cyberspace might seem to be, but is not, a pedestrian one: How should it be organized? The importance of this decision is not readily apparent, yet having a thorough understanding of the preferred structure of cyberspace and knowing where to set lines of responsibility will prove to be essential to the full exploitation of the cyber world.

The rise of cyberspace has been haphazard, at best, with its development and modes of operation shooting off in many different directions at once. Some heterodoxy was inevitable and useful. At the moment, however, American activities are being managed and exploited by a polyglot assemblage of federal entities, some of which are working at cross-purposes with others. It's not that the United States has made no progress at all; over the last five years, the military services, defense agencies, and other federal government institutions have embraced significant organizational changes, all of which have created a tighter focus on securing the domain. For all that, though, cyberspace still is characterized less by order than by disorder.

Unlike most other aspects of national defense, cyberspace considerations cross through several departments and permeate the interagency arena. In this, today's effort to manage cyberspace more closely resembles the communal approach of the Intelligence Community than it does the kind of detailed tactical control, operational control, and administrative control systems of the military services and joint commands. Today, there are many players in the cyberspace domain, but they fall more or less neatly into five major categories. They are:

- The US military services.
- The 16-agency Intelligence Community (includes defense and service intelligence entities).
- US Strategic Command at Offutt AFB, Neb.
- Agencies of the Department of Defense.
- Agencies of the Department of Homeland Security.

Seen from a purely budgetary perspective, the Defense Department clearly dominates. Most of the funding that flows through the cyber world comes from the Pentagon and goes out to its military, civilian, or intelligence entities. Big recipients are the National Security Agency, headquartered at Ft. Meade, Md., and USSTRATCOM, which in recent years has been given a charter for global operations. The Department of Homeland Security also spends lots of money on cyberspace.

Even a quick read of the map of US federal cyber entities shows glaring requirements for better organizational structures. Each service command has a different philosophy. USSTRATCOM has a clear mission, but liaison with the regional commands is still in the formative stages. Just to execute efficient cyber operations, a refined organizational structure will be necessary. The biggest seams are those between the defense and intelligence worlds and between the government and private civilian worlds. Responding to crises and preparing sound long range fiscal and strategic policy will require a bridging of these gaps. It won't be easy.

Of all these actors, USSTRATCOM is the newest and also one of the more active and powerful. Cyberspace is today a fighting domain, in the view of Strategic Command. "You need to be able to operate, defend, and attack in the domain, and then cross-domain," said Chilton, "and I think there are opportunities to do that."[29] USSTRATCOM has taken an unusual role as a unified command.
It leads the development of cyberspace warfighting capabilities, rather than merely organizing them, and is tied to various defense agencies in a way unlike other joint commands. The command became the agent for cyberspace when it took over responsibility for Joint Task Force-Global Network Operations. This JTF-GNO has front-line responsibility for cyber support operations. Since 2004, the Director of the Defense Information Systems Agency has been the Commander of the JTF-GNO, with responsibility for operation and defense of the Global Information Grid. Information assurance, protection, and delivery are the main goals of the JTF-GNO.

At the theater level, JTF-GNO staffs and manages Theater NetOps Centers. These were created by mergers of the Defense Information Security Agency's Regional Network Operations and Security Centers, Regional Computer Emergency Response Teams, and Regional Satellite Communication Support Centers. The resulting centers establish, maintain, and provide theater-level situation awareness on the global grid. The centers offer several types of support to a combatant commander. They offer technical expertise as needed. They provide tactical control for theater net operations.

While defense of the Global Information Grid falls under USSTRATCOM's authority, the individual services manage and defend their own enterprise-level cyber networks. Each maintains network operations centers and units able to assure critical network communications in deployed settings, whether this means at a major overseas base, with expeditionary forces at a relatively austere forward operating location, or (in the case of the Navy) aboard ships at sea.

With thousands of airmen and billions of dollars long since committed to the mission, the Air Force has gone further than it has ever gone before, putting in place a numbered air force dedicated to cyberspace activities. Twenty-Fourth Air Force will become the Air Force's warfighting cyber element. It will handle network operations and develop offensive and defensive cyberspace capabilities for presentation to the joint warfighting element, USSTRATCOM.

Twenty-Fourth Air Force, a brand new organization, grew out of USAF's two-year effort to raise up a new major command, Air Force Cyber Command. The Air Force had some success in streamlining its capabilities under Air Force Cyber Command (Provisional). The service has now decided against going for a new major command, but all of the preliminary effort will roll into 24th Air Force, which will align under Air Force Space Command.

Beyond creating this organizational structure, USAF must also develop cyber capabilities for Strategic Command and the regional theater commanders. The Air Force must provide forces to Central Command, Northern Command, and Pacific Command, whatever the mission might be, and this most definitely includes cyberwar capabilities. This is why it is vital for the Air Force to be a major stakeholder in the development of such capabilities and not just leave the task to others in the US intelligence and security organs.

A future Joint-Force Air Component Commander, or air boss, in these regions may have to rely on cyber operations as part of an integrated campaign. USAF may find a need to focus on developing computer network attack capabilities within the air component to present to theater and regional commanders. The Air Force's cyberspace vision statement notes that "to support theater objectives, we will develop cyberspace force packages as part of our expeditionary air and space forces." Ultimately, the JFACC and his staff will become adept at determining when to neutralize a target by using non-kinetic soft kill weapons and when to blow it to bits with a high-explosive bomb.

Soon, the corporate Air Force will probably need to evaluate program funding for network attack to determine whether there is enough money to develop the needed capabilities. At a minimum, USAF needs a strong policy position relating development of network attack and defense capabilities for current and future warfighting responsibilities.

The Air Force's efforts to consolidate its extensive cyberspace units and budgets under a new Air Force Cyber Command generated a violent reaction almost from the start, with some claiming it was an Air Force power grab at the expense of the other services. The charge was clearly bogus. Indeed, the Navy set up its Network Warfare Command, an analogous organization, in 2002, with nary a peep heard from the joint community. The Navy has the biggest and most widely recognized network operations command. Naval officers have long been masters of signals intelligence, with a history of excellence reaching back to World War I. Moreover, the service starred in major code-breaking operations in the Pacific during World War II. The Navy has built upon this heritage as it has developed its cyberspace expertise. Several recent reorganizations have integrated cyber and information functions, ranging from cryptological activities to communications with hand-held devices.

Air Force Lt. Gen. Robert Elder (r), commander of 8th Air Force, was the first leader of USAF cyber efforts. Cyberspace superiority, he said, is a predicate to achieving land, air, sea, and space dominance. He is pictured here with Marine Corps Gen. James Cartwright. (USAF photo/SrA. Sonya Padilla)

Estonian Defense Minister Jaak Aaviksoo. His nation suffered a far-reaching cyber attack last year, most likely from Russia.

29. "Military Needs Hackers, Stratcom Chief Says," William H. McMichael, Army Times, Oct. 2, 2008.
Network Warfare Command, or NETWARCOM, is headed by a three-star admiral and is headquartered near Norfolk, Va., at the amphibious base at Little Creek. NETWARCOM now has more than 13,000 sailors assigned. The Navy subcontracts for its primary systems, notably the Navy-Marine Corps Internet. Commercial giant Electronic Data Systems built this system for the Navy. NETWARCOM also has component operations with the NSA at Ft. Meade.

"NETWARCOM is at the forefront of where the next fight will begin, or has perhaps already begun, out there in cyberspace," said Vice Adm. H. Denby Starling II, its commander.[30] Navy personnel, he added, are engaged in the fight against the enemy 24 hours a day, seven days a week, 365 days a year.

In 2002, the Navy had quietly acknowledged the central role of cyberspace in its operations. The Chief of Naval Operations, Adm. Vern Clark, declared information operations to be a primary Naval Warfare Area, equivalent to the service's air, land, maritime, space, and special operations mission areas. For the Navy, information operations cover five core capabilities: computer network operations, electronic warfare, psychological operations, military deception, and operations security. Vice Adm. James D. MacArthur Jr., who was NETWARCOM's second commander, described information operations as a major part of naval forces' overall strategic planning and operations to shape and influence potential adversaries' understanding and intent and a way to enhance deterrence and accelerate the pace of operations.[31]

NETWARCOM has evolved as what the Navy calls a type command, roughly equivalent to well-known three-star commands that control naval air forces or submarines and apportion them to numbered fleets. Like other type commands, the cyber command reports to the four-star Fleet Forces Command in its type role. NETWARCOM personnel monitor Navy network operations. The command is also the enterprise provider for current and future networks.

However, NETWARCOM is about operationalizing cyberspace, too. The Navy has taken steps to incorporate cyberspace into its operations directorates. Information operations personnel are now organized under the operations or N3 divisions of major commands. The command added functions when it incorporated the fleet information warfare centers and naval security groups into Navy information operations centers in 2005.
Going forward, NETWARCOM will be managing retirement of legacy systems and new bids for major network contracts for service-wide and afloat systems. Starling also hopes to increase the command's impact as a warfighting type commander to "get a better view of what's going on in our ships, squadrons, and aircraft every day in the fleet in C4I [command, control, communications, computers and intelligence], potential conflict, and networks."[32]

The Army clearly lags the other services in the race to organize, train, and equip for the cyber mission. However, the service has recognized the importance of attending to this matter. According to the 2008 Army Posture Statement, "Cyberspace is a new battlefield, and new thinking on how to operate within this environment is required."[33] The Army's Network Enterprise Technology Command (NETCOM) notes that it has the duty to provide, sustain, and defend the Network Enterprise in order to enable information superiority, and ensure operating and generating forces freedom of access to the network in all phases of Joint, Interagency and Multinational operations.[34] The Army sees its primary cyber warfare role to be a strong force-providing component under USSTRATCOM. As part of the joint cyber force, the Army will focus primarily on information assurance and the protection of Army networks.

By comparison with the Air Force and Navy, the Army's concept of cyberspace operations does not seem to be a good fit with the service's self-perception. "We have operations in cyberspace, not cyberspace operations," sniffed Col. Wayne Parks, Director of Army Information Operations and Army Computer Network Operation-Electronic Warfare Proponents at the Combined Arms Command, based at Ft. Leavenworth.[35] That is a broad Army sentiment. Still, the Army's much-touted Future Combat System and other prospective Army programs depend on tactical and operational uses of cyberspace as enablers for maneuver, fires, and combat support. The skill and training needed to use and defend cyberspace will not be a nice-to-have, but rather a must-have.

Ironically, this new domain of warfare is unaddressed in the laws, agreements, and codes that define service roles, missions, and functions. Two approaches will probably be required. First, each service will have to develop competency in cyberspace for its own administrative and tactical networks. Assuring the availability of these networks is primarily the responsibility of USSTRATCOM and DISA. The responsibility for defending the tactical tie-ins with aircraft or ships or land combat vehicles will fall on the services operating the systems. Second, the military establishment will need to sort out the question of who, if anyone, will have primary responsibility for being the premier warriors of cyberspace. Since cyberspace is not part of Department of Defense Directive 5100.1, the current blueprint for roles and missions, neither the Air Force nor any other service has a special claim on preparing for cyberwar.

The organization questions exist not only in the military agencies. They also are cropping up in civilian departments, most notably the Department of Homeland Security. DHS picked up extensive new cyberspace duties and responsibilities in 2008. The Department was designated the lead organization for implementation of the Comprehensive National Cyber Security Initiative based on National Security Presidential Directive 54/Homeland Security Presidential Directive 23, signed by Bush in early 2008.[36] "We face a very serious challenge and one that is likely to grow more serious as time passes," said Chertoff, in an address at a 2008 conference in San Francisco.[37] He added, "Building on efforts today and reinforcing our cyber security initiatives, it would almost be like a Manhattan Project to defend our cyber networks." According to Chertoff, a criminal gang today can bring down a commercial or federal system in a way that in the past only came when you dropped bombs or set off explosives.

However, Homeland Security faces an issue that makes some of the military challenges pale in comparison. Nearly 90 percent of cyberspace infrastructure has private ownership. Therefore, the DHS policy role, active as it may be, is limited to fostering cooperation and awareness among major players in the world of private industry, academia, finance, and so forth. Many of these private entities, particularly in the banking industry, already collaborate on threat awareness with industry partners. Truly securing the gates of domestic cyberspace will require new concepts of governance and public-private partnership. At some point, it may become necessary to reassess the division of labor between DOD and DHS.

German Chancellor Angela Merkel confronted Chinese Premier Wen Jiabao about cyber issues during her first official visit to China. Berlin had been a target of Chinese attacks. (Getty Images/Guang Niu)

On Nov. 2, 2006, Secretary of the Air Force Michael W. Wynne formally defined cyberspace as a USAF warfighting domain. (USAF photo/Josh Plueger)

An air operations center, such as this one in Southwest Asia, has become a nerve center of airpower, and highly dependent upon secure cyber networks. (USAF photo/SrA. Brian Ferguson)

30. Vice Adm. H. Denby Starling II, remarks during assumption of command of Naval Network Warfare Command, US Navy release, June 15, 2007.
31. Vice Adm. James D. MacArthur Jr., interview with CHIPS Magazine, US Navy, Fall 2004.
32. "Command Swells with New Responsibilities," Maryann Lawlor, SIGNAL Magazine, December 2007.
33. 2008 Army Posture Statement, "Information Paper: Cyber Operations."

34. Army's NETCOM/9th SC(A) mission statement (http://www.netcom.army.mil/).
35. "Parks: No Distinct Cyberspace Command," SIGNAL Online blog posting by Robert K. Ackerman, Aug. 21, 2008.
36. Department of Homeland Security Fact Sheet: "Protecting Our Federal Networks Against Cyber Attacks," April 8, 2008.
37. "Remarks to the RSA Conference," Michael Chertoff, Office of the Press Secretary, Department of Homeland Security, April 8, 2008.

New Threats, New Theories


With the maturing of the cyberspace domain, new visions of threats and theories of conflict have begun to emerge at a rapid pace. This is unsurprising. National competition and war in cyberspace are sure to bring new vexations, as well as some of the more-classical misfortunes of war as it has long been waged within the international system.

The world got a glimpse of this in summer 2008, with Russia's armed attack on Georgia. Russia's conventional-force attack was accompanied by cyber attacks on that small nation's critical systems. Russia attacked on the ground and in the air Aug. 9 and agreed to a ceasefire on Aug. 13. In mid-August, however, American officials were still attempting to assess the magnitude of the cyber attacks. On Aug. 14, Marine Corps Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, told Pentagon reporters: "Most of what we have seen and been able to monitor and verify is the defacing of Websites, not really as robust as denial of service. And so, what we're trying to understand is, working our way back, what are the implications? Can we really tie this to the military activities, or was this more of a separate group that had a more political agenda? Those are unknowns at this point."[38]

Some time later, Chertoff observed: "The Georgia-Russia conflict ... [was] perhaps the first instance of a military action with a cyber component. Denial of service attacks launched from Russian IP addresses against Georgia occurred when we saw military action taken by Russians against the Georgian government. Large swaths of Georgians could not access any information about what was happening in their country. Government websites were defaced and the delivery of government information and services were curtailed."[39]

Not everyone was impressed with the Russian attacks. One who found it lacking was Maurice H. Sachs of the SANS (SysAdmin, Audit, Networking, and Security) Institute, a provider of computer security training and professional certification.
Sachs dismissed the cyber component of the war as coincidence, saying that low-level intrusion activity was akin to cockroaches in a kitchen: "you don't see them until you turn the light on." "I realize that I'm being very cynical here, and that the future prospects of real, no-kidding, nation-state cyber warfare are very possible," Sachs wrote on Aug. 16, 2008, "but, is a botnet or a Website defacement an act of war?"[40]

Compared to Sachs, however, other observers were far more concerned. "Cyberweapons are becoming a staple of war," noted Siobhan Gorman in the Wall Street Journal.[41] The Georgian conflict is perhaps the first time they have been used alongside conventional military action. At least, it might be the first time for a nation other than the United States.

The Georgia conflict gave rise to chilling questions. There is overwhelming physical evidence that Tbilisi suffered some serious denial-of-service cyber attacks. However, as we have seen, the attribution of such attacks to a culprit was uncertain at best. Most of the response was focused on restoring service to Georgian agencies and companies. The cyber attacks pointed out that the policy and procedure for legitimate, sanctioned response remains embryonic at best. As a Pentagon spokesman told WSJ's Gorman, "It's ultimately the perception of the country under attack as to whether an act of war was committed."[42]

Indeed, cyberspace raises a number of difficult and complex issues, starting with the unusually large array of threat actors that are now in play. Already, the types of threats go beyond those that are canonical to the international system. They jump over, and render obsolete, centuries of understandings about sovereignty and national borders. Moreover, clear distinctions can easily be drawn in other domains between public and private sector attacks and responses. Not so in cyberspace.

What motivates an attack in cyberspace? Chertoff, the chief of Homeland Security, and others have laid out in detail the various motivations of criminals and criminal groups seeking to profit from fraud and other cyberspace scams. We are all familiar with the apolitical but menacing recreational hacker, quasi-nerds whose creative powers have visited thousands of worms and viruses on the world's computer networks. Simple curiosity and devilment play their own roles, too.

Lt. Gen. David A. Deptula (l), USAF's deputy chief of staff for intelligence, surveillance, and reconnaissance, warned that China's growing cyber capabilities pose a major threat to joint force operations. (USAF photo)

38. Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, DOD press briefing, Aug. 14, 2008, Washington, D.C.
39. "Remarks on Cybersecurity to the Chamber of Commerce," Michael Chertoff, Office of the Press Secretary, Department of Homeland Security, Oct. 14, 2008.
40. "Thoughts on the Russia vs Georgia Cyber War," Maurice H. Sachs, Diary, Aug. 16, 2008 (http://isc.sans.org/diary.html?storyid=4903&rss).
41. "Cyber Attacks on Georgians are Reigniting a Washington Debate," Siobhan Gorman, Wall Street Journal, Aug. 14, 2008.
42. Gorman, Wall Street Journal, Aug. 14, 2008.

Self-portrait created by a massive Cray 1 supercomputer. Given the coming of many types of advanced computing, the supercomputer has become passe. (Cray Inc. image)

When it comes to national security, however, the range of motives is wide and more difficult to decipher. This poses a huge challenge to US officials. One USSTRATCOM leader, an officer whose professional duties require him to deal with these issues, divides external national security cyber threats into three tiers: Tier One. The denizens of this group are hackers who possess significant skills and can be found in every country. Most have a strong desire to demonstrate their skills by taking on the most attractive foe the United States. Were the biggest and baddest target in the world, so a lot of people want to come

at our networks, says Starling of NETWARCOM.43 A portionand perhaps a significant portionof these cyber attacks are best described as nuisance attacks, enabled and abetted by the relative anonymity of the Internet. For anti-war and anti-authority types, such attacks are attractive. In contrast, pranksters trying to sneak on base or protesters attacking aircraft with hammers face more risk, more inconvenience, and usually get caught. Tier Two. At this level are a range of groups that are organized or at least semi-organized, whatever their motivations. They possess cyber skills significantly higher than those of the lone hacker, but lower than those of major nation state players. This strata features most of the truly sophisticated criminal operations, groups that deal in bank fraud, large-scale computer theft, and organized crime activities. Political and terrorist groups are there, too. Michael McConnell, the Director of National Intelligence, Chertoff, and other officials have testified repeatedly about the cyber presence of al Qaeda, the predominantly Sunni outfit headed by Osama bin Laden, and Hezbollah, the Iranian-backed Shiite guerrilla group based in southern Lebanon. Other subnational militant groups also have stated their desires to use cyberspace for mass attacks. Tier Three. Here, one finds the militaries and non-defense security organizations of nation states. These cyber players have the manpower, physical sanctuary, cryptological know-how, and funding to generate dynamic and dangerous effects in the cyber domain. In early 2008, McConnell offered an unusually candid statement about these kinds of threats. According to McConnell, cyber exploitation activity has grown more sophisticated, more targeted, and more serious.44 He cited specific nation-state threats. 
We assess that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection, said the top US spy. This stratification of threats is itself something unique to the cyber domain among the various domains of international conflict. Beyond this, cyberspace adds a niche for insiderstyle attacks. McConnell defined the nations information infrastructure as the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.45 It is

43. "Command Swells with New Responsibilities," Maryann Lawlor, SIGNAL Magazine, December 2007.
44. Testimony by J. Michael McConnell before Senate Select Committee on Intelligence, Feb. 5, 2008.
45. McConnell, testimony, Feb. 5, 2008.

a vast system. In the military and intelligence worlds no less than the commercial sphere, the dangers posed by disgruntled, vindictive, criminally motivated, or foreign-directed insiders are always a problem. Such attacks are much easier to carry out in the new wired world. In the past, the threat of the insider tended to focus on intelligence, and this has been a launching point for the cyber insider, too. Notorious turncoat spies have caused substantial damage to national security through the loss or compromise of sensitive information. For disgruntled or compromised employees or contractors, the technology of insider cyber espionage is close to hand. Chertoff said he was concerned about the lowest-tech threat, which he described as "somebody coming with a thumb drive and downloading sensitive information, including passwords, or planting something [in a computer system] that enables someone to capture information and send it back over the Internet."[46] According to the Homeland Security chief, "That can cause as much damage as a classic hacking attack."

Individuals with network access can be duped into providing personal data that compromises encryption. They might by accident insert into a computer a compromised thumb drive or other device and upload malicious code that damages the network. Intelligence workers and officials know better than to open suspicious, unfamiliar e-mails - assuming that any of these are even permitted to reach an individual's computer - but they may visit World Wide Web sites which return malicious code to their systems. Awareness of the dangers is the vital ingredient for cyber security against this form of intrusion. To 8th Air Force's Elder, cyber safety begins with understanding network actions.[47] Just as with flight safety or ground safety, cyber safety depends on operational risk management enforced by supervisors. Some believe the government should set approval levels in accordance with degrees of risk. One technique is whitelisting.
In this, agencies do not ban visits to certain sites (blacklisting), but specify those specific sites which a worker may access, excluding all others. This technique, used in tandem with encryption, has come into increased use. All US armed services, agencies, commands, and operators agree they need more and better information about rapidly metastasizing threats in cyberspace. Starling, of NETWARCOM, said the top service leaders are now aware of the importance of security, but getting the word out to uniformed service men and women sometimes is a slow and difficult process. NETWARCOM's commander, like others, has taken responsibility for closing that gap. "Informing the fleet is a job that falls directly to me," said Starling. "I think that education is something that we here at NETWARCOM have to do."[48]

The intellectual decision to treat cyberspace as a domain has created an obligation on the part of defense officials to explore its relation to, and impact upon, theories of conflict and power. Ultimately, the role of cyberspace in national security depends on how the domain and tools within it come to be regarded across the international community.

Statesmen, officers, academics, and thinkers have had many centuries to develop norms of behavior and rules of the road for the two oldest fighting domains - land and sea. The air (and space) domain is much younger; still, it has been around for 10 decades, and much thought has gone into devising international concepts to govern behavior there. In all three cases, nations have engaged in protracted periods of debate before they come to an ultimate settling of major concepts and laws. Next will come cyberspace. To date, most of the effort has gone into attempts to describe and organize the domain. However, it should come as

Two airmen update antivirus software at Air Force Cyber Command (P), Barksdale AFB, La. (USAF photo/TSgt. Cecilio Ricardo Jr.)

46. "Remarks on Cybersecurity to the Chamber of Commerce," Michael Chertoff, Office of the Press Secretary, Department of Homeland Security, Oct. 14, 2008.
47. Interview with Lt Gen Robert J. Elder, July 2007.
48. "Command Swells with New Responsibilities," Maryann Lawlor, SIGNAL Magazine, December 2007.


no surprise to political scientists that there is a wide gap between domestic and international approaches to cyberspace. A hard part of developing military cyberspace norms will be determining rules of engagement. This in part stems from inherent difficulties such as attack attribution and assessing the impact of non-kinetic effects. However, the problem goes well beyond those two factors. Cyberspace power fits only awkwardly into the well-worn grooves of international rules governing use of force.

Details about the state of US cyber capabilities and operations are shrouded in secrecy, though the veil has dropped on occasion. There was, for example, a bit of publicity about the 1997 US government exercise titled Eligible Receiver.[49] It documented that the National Security Agency hackers who took part in the exercise could gain superuser access to military networks and some infrastructure elements. Other reports suggest that limited cyber offense operations were carried out in the Gulf War, Operation Allied Force, and the two more recent wars in Afghanistan and Iraq.

Discussion of cyberspace has now raised an interesting but confounding question: Do the nation's capabilities in the cyber realm constitute soft power or hard power? The definition of hard power is clear enough: national military and economic might. Soft power, on the other hand, is more difficult to pin down. The term was coined in 1990 by Joseph Nye, a Harvard professor who later served as a senior Pentagon official during the Clinton Administration. According to Nye, power is a means for altering the behavior of others to get what you want.[50] He saw three types: coercion and payments, both of which were aspects of hard power, and attraction, which is the essence of soft power. At first glance, operations in cyberspace seem to be a natural fit for soft power because of the domain's non-kinetic attributes and role in helping to shape information. However, the reality is more complex.
In international politics, attraction translates into propensity to take favorable action toward US foreign policy intentions. It is a state of mind. A visit by a popular American president can produce huge soft power spikes, for instance. The other side of soft power hinted at by Nye lies in the arena of selective information and continues into propaganda and deception. Having the

means to control and shape information is a potential source of soft power in that it can directly affect the attraction element at its core. Said Nye: "The ability to share information - and to be believed - becomes an important source of attraction and power."[51]

An alternative view holds that cyberspace is, first and foremost, a domain of hard power. Hard power has many definitions, but most include acts of violence, acts of coercion, and acts of influence when they are generated and applied not as soft power attraction but as the result of military force deployment, for example. There is a presumption that cyber's non-kinetic forms of action are immediate candidates for soft power in one form or another. However, the evolution of the cyberspace domain has inevitably introduced significant elements of hard power. Here it is important not to let the nature of the domain within the electromagnetic spectrum confuse the issue of what is hard and what is soft. Electronic countermeasures employed by aircrews on combat missions fit unquestionably into the realm of hard power. Location outside the visible spectrum does not make them soft in any way. Many non-kinetic actions are nonetheless aspects of hard power. For example, denial-of-service attacks are disruptive tools that fit the definition of coercion better than attraction.

In later writings, Nye has linked hard and soft power into a concept of smart power in which the two power elements link up in appropriate ways. In an article focused on China, he wrote: "In a global information age, soft sources of power such as culture, political values, and diplomacy are part of what makes a great power. Success depends not only on whose army wins, but also on whose story wins."[52] With cyberspace, classic conflict problems remain, and in some cases, can be exacerbated by the nature of the domain.
The rise of multi-polarity after the Cold War and shifts in economic power and ideological tides have given rise to numerous types of conflict. The plethora of multinational military interventions since the early 1990s illustrates the trend. It follows, then, that cyberspace builds on the potentially wider sources of conflict in the international system. Increasing competition and confrontation in cyberspace opens the door to re-examine causes of conflict - out from under the shadow of the post-1945 nuclear peace. Because of the rise of cyberspace, there may be a need to reinvestigate the root causes of war to learn

49. "Eligible Receiver," Global Security.org.
50. "Think Again: Soft Power," Joseph S. Nye, Foreign Policy, March 2006.
51. "The Benefits of Soft Power," Joseph S. Nye, Harvard Business School Working Archive, August 2004.
52. "The Rise of China's Soft Power," Joseph S. Nye, Wall Street Journal, Dec. 29, 2005.

about tripwires and miscalculations in this new domain. Decades of superpower nuclear confrontation elevated the concept of miscalculation to the position of most-feared source of conflict. In the post-Cold-War world, it now seems that that title belongs to optimistic expectations that a particular war will prove to be easy, short, and not too destructive. Historian Geoffrey Blainey believes it is a factor in the outbreak of war. "When the first nations formally declared war on one another, they were not consciously declaring the beginning of what came to be called the war of 1914-1918," wrote Blainey.[53] "They were rather declaring the beginning of what they hopefully believed would be the war of 1914, or at worst, the war of 1914-1915." What Blainey termed the "complicated trellis of hope" blunted fear of the destruction of war with the confidence of speedy victory.

Unfortunately, there is no obvious reason to believe that war within cyberspace will be exempt from such bone-headed tendencies of human behavior. Competition in cyberspace may be even more subject to the sense that attacks can be swift, successful, and leave opponents reeling with confusion. Added to the incentive is the greater chance of escaping attribution. Even if the source of an attack can be determined, it is still possible that the presence of innocent bystanders or even friendly forces along the cyber pathways will deter armed reaction. The danger of damage from friendly fire would be too great.

Competition in the cyberspace domain may be more likely than in other domains simply because the threshold is low. Many have noted this, but usually without fully exploring the consequences. One of the most common observations is that barriers to entry are extremely low. There is no need to build expensive expeditionary joint forces. With the Internet in place as the transport layer of worldwide communications, the attack arena is already in place near to hand.
War is easier to characterize in hindsight than to predict, but the ongoing level of intrusion attacks signals that
53. The Causes of War, Geoffrey Blainey (The Free Press, 1988), pp. 35-36.

cyberspace even now is up for grabs. Once begun, conflict in cyberspace could carry some traditional and very nasty baggage, just in new forms. One of these is the dreaded stalemate, as seen most bloodily in World War I. Stalemate among too-evenly matched powers is not a far-fetched or improbable prospect for cyberspace. Multiple top-tier competitors already exist. The hope that cyberspace may spread the rationality of commerce and therefore impede war-making should also be taken cautiously. Thinkers from Machiavelli to Norman Angell have observed periods of flourishing commerce and communication and promulgated theories of peace with enlightened self-interest at their center, the idea being that nations with so much wealth at stake would never risk it for something primitive like power or ambition. In fact, there are those today who see the rise of cyberspace as brokering a new medium free of kings and conquests. However, history suggests the most likely path is that cyberspace becomes one more arena of war, unfortunately.

In 1990, Harvard Professor Joseph Nye (center, in 2004 photo) coined the term "soft power" - non-military and non-economic means for altering the behavior of others to get what you want. Is cyber power an element of soft power? (Harvard News Office photo/Rose Lincoln)


APPENDICES

Michael W. Wynne Secretary of the Air Force Remarks as Delivered to the C4ISR Integration Conference Nov. 2, 200, Crystal City, Va.
(http://www.airforce-magazine.com/documentFile/speeches/pages/wynne_spch11020.aspx)

I want to discuss with you today a subject I regard as extremely critical: the freedom of cyberspace. Just last week, Deputy Secretary of Defense Gordon England, speaking before a major network warfare audience, listed the attempts of hackers, cyber-vigilantes, terrorists, and even hostile nation-states to degrade our fighting networks as the single issue that he spends more time thinking about in the middle of the night, than any other. Before addressing cyberspace directly, I want to set some context, first as to the mission of the Air Force, then as to the topics of this conference, and also as to what we are learning from current combat.

The mission of the Air Force is to deliver sovereign options for the defense of the United States of America and its global interests - to fly and fight in air, space, and cyberspace. This was defined a year ago, and then codified a month later, on December 5, 2005. Delivering sovereign options means operating across the joint spectrum so that we provide to the President scalable choices that are unlimited by distance and time, and span the entire range from humanitarian assistance to nuclear strike, kinetic, and non-kinetic. In short: global reach, global vigilance, global power. This includes the powerful option to use timely information to deter and to avoid use of kinetic weaponry. General Curtis LeMay emphasized this when he said, "Peace is our profession," making it the slogan of the Strategic Air Command. All these options have one common foundation - persistent, lethal, overwhelming air, space, and cyberspace power massed and brought to bear anywhere, anytime. Thus, the Air Force serves by being prepared to set strategic, and then, if needed, also tactical conditions for deterrence, dissuasion, or defeat, and in this way offer to our commanders options throughout the spectrum of conflict. Air Force Chief of Staff General Moseley likes to say, "The soul of an Air Force is range and payload."

I would salt and pepper persistence in there as well. That is why, after 53 years, we are again seeking 21st century parallel strategic assets in the form of new tankers and global strike to meet our responsibilities in the air domain, emphasizing expeditionary, as well as persistent strategic options, to ensure the robustness of the nation's global power; and recognizing that the replacement of our satellite constellation is at hand, to fulfill our global vigilance task.

Now, consider how cyberspace stands in relation to the topic of this conference. The topic is C4ISR. For many in the military and certainly for others in the daily walk of life, it helps to take a moment and parse the elements of the acronym. There are four Cs - command, control, computers and communication, then, intelligence, surveillance, and reconnaissance. It started with command and control, an old military studies term. Nowadays the two words are separated as being two individual items, subject to debate. There was even sometimes confusion as to whether the I is intelligence or information.

Here are some things to notice. First, the whole term C4ISR has the mantle of familiarity - we don't step back and pick it apart. Second, each component is a function - not a battle domain, but a function - a form of activity or service. Third, the six functions are a grab-bag, bundled over the years. While connected in a sense as functions that move data, they are disparate as to physics. But by common assent, we group them for conversation. This facilitates research in the varied areas of sensors, electronic attack, and access and compiling of commander-level information extracted from gathered data. Finally, the functions all are vital flows within each of the battle domains of land, sea, air, space, and, as we shall see, in cyberspace. I have brought a video that illustrates the flows of C4ISR functions - that means, the flow of data - in battle, today. As you watch the video I ask you to consider

two questions: First, now that we have enhanced the application space for networked operations and really moved communications trust and reliability to a prominent position in our concept of operations, how do we defend the net on which all our capabilities depend? Second, what new habits of thought do we need to adopt in order to create the capacity to deter, guard, rescue, strike, and assess in what will probably be the cyberfight of the 21st century?

[video segment]

The video illustrates the components of what I call the information mosaic. The whole data net - analog and digital, pixels and composites, images - from all sensors that can be collected and downloaded and crossloaded for use by all in the fight. By filtering critical data from the information mosaic to the strategic planner and right out to the weapon system itself, we increase flexibility and lethality. This requires common gateways such as cursor-on-target to maximize data usage. As Assistant Secretary of Defense John Grimes recently put it - it is about the data, and maximizing access. All the information flow moves in the cyber domain, meaning the entire flow can be vulnerable to a cyberspace attack.

Let's look at the two questions I asked before the video: First, how shall we defend the communication net on which all our capabilities depend? This question is critical. Our ability to fight in ground, sea, air, and space depends on communications that could be attacked through cyberspace. The capital cost of entry into the cyberspace domain is low. The threat is that a foe can mass forces to weaken the network that supports our operations in any battle domain. The other side of the coin of netcentric operations is cyber vulnerability. Defending and fighting in the cyber domain is absolutely critical to maintain operations in ground, sea, air and space. The second question is, what new habits of thought do we need in order to create and develop technology, and to fight in the 21st century?
The answer is to go back to my comment at the start, and think in terms of trust. Our operations in each of our services all rely on trust. That is, the pilot can trust information that a target is the foe, not innocent inhabitants of a school building or hospital or embassy. The ground fighter with a communication device can trust that the device is not being tracked by a foe, potentially exposing the ground force unnecessarily. This new way of war is data-dependent. So we need to think in terms of trust and securing trust.

So, now let us turn to the imperatives our country confronts in the cyber domain and the actions which the Air Force is taking. Here are some scenarios that emphasize the imperatives: Right now, a terrorist lies on his belly in a dusty ditch. He holds a radio transmitter to detonate an improvised explosive device, to kill Americans as they convoy across a stretch of broken asphalt. His use of cyberspace is currently being contested, but not always. Right now a drug trafficker sits under a tarp in a boat, bobbing off a Caribbean beach, setting up, potentially, a cocaine drop for nightfall. He gets GPS coordinates on a SATCOM phone from a controller a continent away. His use of cyberspace is practically uncontested. Right now a finance technician is moving US dollars via laptop to support terrorist ops, while sipping coffee in an internet cafe. His use of cyberspace is practically uncontested. Right now a foreign government engineer is in the net using stolen American technology to build radar and navigational jammers to counter American air superiority. His use of cyberspace is uncontested. Right now a foreign hacker is crashing an American server that holds a web site with data he does not like. His use of cyberspace is uncontested, though subject to pursuit. Right now rogue securities traders, sex traffickers, and data thieves are poised at computers worldwide, reaching into the American net. In a speech just last week, Attorney General Alberto Gonzales voiced his concern about the predators who range through cyberspace, accosting our children. Their access to cyberspace is uncontested, though, again, they are subject to some pursuit. Each of these examples is real. I could name many more. What we are seeing is that the cyberspace domain contains the same seeds for criminal, pirate, transnational, and government-sponsored mischief as we have contended with in the domains of land, sea, air, and now contemplate as space continues to mature. 
This reminds us of the history that it is military capabilities that long ago helped make it possible to free the Barbary Coast of pirates, so that our world of commerce and ideas could enjoy freedom of the seas, and that freedom of the seas continues to be sustained thanks to the US Navy and Coast Guard partnership with the appropriate authorities in coastal jurisdictions. This refers also to the idea that America's operations in air and space set the strategic conditions for world commerce to enjoy freedom of the skies.

I am told that by far the larger portion of the goods in commerce worldwide, by value, travel by air. The remainder moves by sea, mostly bulky commodities. Freedom of the skies is undergirded by the US Air Force, more than by any other power or force, just as freedom of the seas is undergirded by the US Navy and Coast Guard, again in partnership with the right authorities. In sum, in cyberspace our military, America and indeed all of world commerce face the challenge of modern day pirates, of many stripes and kinds, stealing money, harassing our families, and threatening our ability to fight on ground, air, land and in space.

The National Strategy to Secure Cyberspace states: "A spectrum of malicious actors can, and do conduct attacks against our critical information infrastructures. Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation's critical infrastructures, economy, or national security." The strategy calls upon national security planners specifically to: Improve capabilities for attack attribution and response. Improve coordination for responding to cyber attacks within the US national security community. Foster the establishment of national and international watch-and-warning networks to detect and prevent cyber attacks as they emerge.

Now, my duty as the Secretary of the Air Force is to put the nation's most technologically capable force on a path to do our share of the task of presenting to our combatant commanders, and so to the President and the nation, the trained and ready forces they may need to ensure the same security and freedom of cyberspace that Americans and indeed many in the world already enjoy in the oceans, in the air, and also in space. This duty is joint, and, as I have noted, it is interdependent.
The duty is to bring to the fight what the Air Force has to offer, and to exercise good stewardship of the Air Force personnel and resources that are in some cases already devoted to operations in cyberspace. This does not mean control of cyberspace, any more than the other domains of ground or maritime. It does mean making our contribution to securing the benefits of cyberspace for our military and, indirectly, for our national and even world commerce. This means recognizing that the idea of freedom of cyberspace may in time be the same kind of principle as freedom of the seas and freedom of the skies. This means that cyberspace is a domain on which many rely

and in which warfighting can, and, actually by some definitions already, takes place. One rough and ready demonstration that cyberspace is a true domain on a par with land, air, space, and sea is to apply the basic questions of the principles of war. For example, Can one mass forces in cyber? Yes. Does surprise give an advantage in cyber? Of course. Simplicity? Economy of force? Clarity of objective? Yes, yes, and yes. Here is a call for the professional military. The domain is new, but the trained mind of the uniformed warfighter is needed to wage this fight.

Just as the air domain is governed by aerodynamic forces, and the space domain by orbital mechanics, cyberspace has mathematical, and electromagnetic principles at work. Due to the size of the global information grid and easy access to the electromagnetic spectrum, effects in cyberspace can take place nearly simultaneously at many places. Effects can be massive or precise, lasting or transitory, kinetic or non-kinetic, lethal or non-lethal. The definition of cyberspace must be broad enough to enable us to integrate the vast possibilities that the electromagnetic spectrum offers now and for the future. Last month, the Joint Chiefs of Staff defined cyberspace as: "A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures." This definition is being codified in The National Military Strategy for Cyberspace Operations.

Today I am announcing the steps the Air Force is taking towards establishing an Air Force Cyberspace Command. The aim is to develop ultimately a major command that stands alongside Air Force Space Command and Air Combat Command as the providers of forces on whom the President, combatant commanders and the American people can rely for preserving freedom of access and commerce in air, space, and, now, cyberspace.
Let me summarize the major developments we've undertaken in the past year and the plans for developing the capability to contribute to do our job in ensuring freedom of cyberspace. In December 2005, General Moseley and I restated the Air Force mission statement to include cyberspace as a domain where the Air Force delivers sovereign options. This step simply recognized the existing fact that significant Air Force personnel and technology have

long been engaged in fighting in cyberspace. Good stewardship means attending to the systematic training, organizing, and equipping that is our job. This includes especially attending to the career progression of the airmen involved in cyberspace, including our guard, reserve, and civilian professionals. The step included consultation with General James Cartwright, the commanding general of US Strategic Command, for he is a principal commander to whom I have the duty to present organized, trained and equipped cyberspace forces.

We stood up a cyberspace task force in January, led by military strategist Dr. Lani Kass.... The task force, composed of officers from across the Air Force, has spent the past ten months gathering data, researching options. We addressed cyberspace extensively at the four-star level during a major warfighting meeting in July. General Moseley and I have subsequently tasked the commanders of Air Combat Command and Air Force Space Command to submit a proposal for establishing an operational command for cyberspace. We tasked the commander of Air Education and Training Command to develop a training plan and the commander of Materiel Command to analyze the resourcing plans with Air Staff assistance to support an operational cyberspace command.

The new cyber command is designated as the 8th Air Force, with a long and strategic deep strike heritage, under the leadership of Lieutenant General Robert Elder. He will develop the force by reaching across all Air Force commands to draw appropriate leaders and personnel. The 67th Wing and other elements under 8th Air Force provide the center of mass for this startup activity. General Elder remains as a force provider to combatant commanders. Simultaneously, General Elder has been asked by General Moseley and me to develop a roadmap that could be used to grow the cyberspace command upwards and have the framework of a full major command, a peer with Air Combat Command and Air Force Space Command.
We expect that this work will stretch out for the bulk of this next year. The mission of bombers now within the 8th Air Force will remain. It is fitting that this historic step, the elevation of cyber to major command status, will take place from the heart of the 8th Air Force. The 8th Air Force is a home of heroes. In World War II, it was a breakthrough

force, bringing a new strategic dimension to the fight. It was the vision of such leaders as Hap Arnold, Ira Eaker, and Curtis LeMay. In this century, the Eighth Air Force will be the home of new breakthroughs. This is a noble home for the mission of ensuring freedom in a whole new domain. As I close, here are key points to bear in mind: The focus is to make the Air Force mission complete on an organize, train, and equip basis. Properly presenting trained and ready forces offers the right sovereign options in this domain. This is a battle domain in which the Air Force operates with, and supports our sister services, first responders, and many times non-government organizations and the many non-military authorities who also work to keep cyberspace secure. There are many partners across this domain. There will be careers and a strong future for the airmen whose work is in the cyberspace domain. Air Force personnel experts are at work now forming the career and schooling paths that ensure a full career with full opportunities for advancement to the highest ranks of the Air Force, for our military and civilian professionals. When planning and fighting in cyberspace as a battle domain, the task is one for the professional warfighter, that is, the trained military professional who lives, and breathes, and thinks the principles of war. The Air Force has long had these professionals in uniform, and I honor them for their service to our country. As I look across this room, I marvel at the harnessing of technology, the invention of applications, and the representation of the strength that each of you embody. It gives me confidence that freedom of cyberspace will be secured. The technological innovations that many of you are directly responsible for, plus the courage and bravery of our networked force, from missile defense to tactical commanders and the men and women they command, defend every day the freedoms we enjoy in all five domains. 
And now, I turn to you and conclude with this question. I hope that each of you can ponder it and help our services and our country find the best answers: In this 21st century, how shall we best carry out the C4ISR functions in the cyberspace domain? Thank you for your service, for your continued support; and may God continue to bless the United States of America. Thanks for allowing me the honor to provide the keynote address for this important forum.

RiSE OF CyBER WAR

A Mitchell Institute Special Report 2

Michael Chertoff Secretary of Homeland Security Remarks to the Chamber of Commerce on Cybersecurity October 14, 2008, Washington, D.C.
(http://www.dhs.gov/xnews/releases/pr_1224091491881.shtm)

I would like to thank the Chamber for inviting me to discuss one of the most important initiatives we have ever undertaken at the department, and in the country, in the domain of homeland security. This, of course, has to do with the issue of cybersecurity: the protection of our information technology and its networks.... This is a major priority for this administration and I am convinced will be a major priority for the next administration. In fact, this month is National Cyber Security Awareness month. In recognition of this particular moment in time, the President has actually asked me to share a message from him to you. As follows, I send greetings to those observing Cyber Security Awareness Month. Americans and American business rely on the Internet and protecting its infrastructure is essential to our economy, security, and way of life. This month is an opportunity for citizens to learn how to guard themselves and their families, businesses, and information against online threats. My administration has taken important steps to strengthen our defenses against cyber attacks. In 2002 the Department of Homeland Security was created to help protect America, including online. In 2003 the National Strategy to Secure Cyberspace created a framework to help prevent cyber attacks against America's infrastructure, reduce vulnerability to cyber attacks, and minimize damage and recovery time from cyber attacks that do occur. In January this year, my administration implemented the National Cyber Security Initiative to protect federal networks, and explore ways to assist industry in securing their infrastructure. I appreciate all those dedicated to securing the Internet. Your efforts play a key role on an important front of our nation's security.... Unquestionably, cybersecurity is the issue that touches all of us both in our business capacities and as individuals in terms of the way our families deal with our own home computers.
It is an issue that will continue to be on the front burner through the next administration. Unlike some other areas of homeland security, however, cybersecurity is not exclusively, or even largely, a federal responsibility, or something the federal government can impose on the rest of the nation. The federal government does not own the nation's IT networks or communications infrastructure, nor would we want to force a burdensome and intrusive security regime on what is, clearly, one of the most fluid, dynamic, and reliable engines of our economy. On the other hand, that doesn't mean that cybersecurity is solely a private sector responsibility either. While the vast majority of the nation's cyber infrastructure is in private hands, the reality is that its benefits are so widely distributed across the public domain, and so integrated and interdependent in the various different sectors of our economy, that we face clear national security risks and consequences with respect to its protection. No single person or entity controls the Internet or IT infrastructure. There is no centralized node, or database, or entry point. No single person, or company, or government can fully protect it. On the other hand, the failure in even one company, or one link of the chain, can have a cascading effect of everybody else. That is why protecting our IT systems and networks has to be a partnership in which all of us have to bear our share of responsibility. If you wanted an illustration on how important protecting interdependent systems are, and how important a partnership is with respect to trust, just look at what is going on in the financial area. This has not been an IT problem, but it has been an all too dramatic illustration of what happens when there is a failure of trust across a large domain of institutions. Much of the solution to this crisis is one that requires a partnership between the private sector and public sector.
I would argue that as we, hopefully, preempt any crisis in the area of our IT networks and the Internet, the only way to do that is a joint effort in partnership between the private sector and all elements of government. Let me say there is also a very strong business case to be made for cybersecurity apart from the national security case. Most companies understand their own interest in investing in security measures that will help shield them from attacks or disruption or will give them resilience to recover quickly if an attack occurs. I would also venture to say customers' trust can easily be lost in this day and age if the systems through which people do business with companies become degraded, or inoperable, or corrupted. This element of trust and confidence, which is the very DNA of the Internet, is really the highest value of what allows us to function and take advantage of the very fluid and beneficial qualities of having a network 21st century world. Today I would like to talk about the specific actions the federal government is proposing to take to protect cyber infrastructure. The private sector's role in this effort and what you can do to help us protect cyber systems and cyber infrastructure. First, let's talk about threat. You know, the Internet has been around for about two decades. For about the same amount of time we have been dealing with cyber attacks. Some people might be tempted to suggest that cyber attacks are merely a cost of doing business, a nuisance we have dealt with in the past and can deal with in the future, and there is no real reason to treat this as a concerted national priority. I think that would be a very misguided approach and I am sure everyone here understands why. The fact is, because in the 21st century and our reliance on the Internet for everything we do, whether it is the homework our kids do at school, or the business transactions we engage in multi-billion dollar financial institutions, we have invented an era of new threats and greater vulnerabilities in the cyber domain. I am sure everyone here understands the consequences of failure have become correspondingly greater and that is why we are at a moment now where we have to act with greater urgency and purpose than ever before.
The intelligence community has publicly stated its assessment that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure, or to use that infrastructure to collect intelligence and other kinds of information. Nation states and criminal groups target our government and private sector information networks in order to gain competitive advantage in the commercial sector, as well as in the area of security. Terrorist groups, including Al Qaeda, Hamas, and Hezbollah have expressed the desire to use cyber means to target the United States. Criminal elements continue to show a growing and alarming sophistication in technical capability and targeting, and today operate a pervasive, mature economy in illicit cyber capabilities and services that are made available to anybody who is willing to pay. As we have seen recently, cyber threats can impact both individuals and nations alike. Let me give you two examples. First, the Georgia-Russia conflict of earlier this year, perhaps the first instance of a military action with a cyber component. Denial of service attacks launched from Russian IP addresses against Georgia occurred when we saw military action taken by Russians against the Georgian government. Large swaths of Georgians could not access any information about what was happening in their country. Government websites were defaced and the delivery of government information and services were curtailed. A similar denial of service attack was perpetrated in 2007. On the criminal side of the house, earlier this summer in August I announced the largest ID cyber theft in history. This was a Secret Service case involving 40 million credit card numbers that had been stolen from nine major retailers through a sophisticated, international scheme perpetrated through what they call war driving. This involved capturing the wireless transmission of this information from point to point so it could then later be converted into data that could be used for criminal purposes. This scheme led to millions of dollars being withdrawn from the bank accounts of innocent consumers all around the world. As I said, it is the worst case of identity theft in US history. The reality is that cyber attacks aren't decreasing. They are increasing in frequency, sophistication, and scope and this has major implications for our national and economic security.
So, how do we protect ourselves from malicious activity whether it is criminal in nature, whether it is an extension of state power, whether it is government or commercial espionage, or whether it is routine hacking by people who are interested in showing their cyber hacking skills to their friends. The answer is a comprehensive cybersecurity initiative. From the government's perspective, the first thing we need to do is to ensure that our own house is in order, that our federal civilian networks are adequately protected. That means we have to be able to look across the government and civilian domains, just as the Defense Department looks across the military domains, and assess what the vulnerabilities are, reduce the points of vulnerability, put into effect the kinds of tools and regimes that will reduce or eliminate the possibility of attack, and then, using a 24/7 monitoring capability, make sure that we are constantly staying ahead of an evolving adversary. I want to make it clear that, although people tend to think about this issue from the [standpoint of the] most sophisticated hacking attacks or assaults launched over the Internet, in fact, there is a wide variety of places from which the threat can be mounted. To be sure, hacking and penetration over the Internet is an important part of the threat and therefore something we need to tend to in terms of defense. We also have to continue supply chain security, what is being embedded in our hardware or our software at the time it is created and before it is sold to us. This is particularly difficult in a global environment where the various components of what make up a finished product might be produced at various places around the world where quality control is not 100 percent. There was a story in the newspaper over the weekend about people whose bank account information was being stolen because, embedded on some of the computers being used was ... a code that was [not] put there by hackers but was manufactured into the boards and the chips, little trap doors that allowed the collection of information and the rerouting of it overseas. So, that is the second potential attack vector: the hardware and software that is part of the architecture of our systems. Finally, we need to be concerned about the insider threat. It is the lowest-tech threat, ... somebody coming with a thumb-drive and downloading sensitive information, including passwords, or planting something that enables someone to capture information and send it back over the Internet. That can cause as much damage as a classic hacking attack coming over the Internet itself.
With all these things in mind, the [goals] of our cyber initiative are: establishing good lines of defense over the Internet; defending against all these threats, whether they come through the network, by way of the supply chain, or an insider; and shaping the future environment by educating the next generation of cyber professionals and producing leap-ahead technologies that allow us to stay ahead of the adversary. I also want to emphasize, because we are dealing with communications and the Internet, traditionally a very open architecture and a culture of freedom, we have to be exceptionally focused on the need to make sure privacy and civil liberties considerations are at the center of our efforts. We are not interested in what is done in some parts of the world where the government sits over the Internet and tries to control what people see. That is not the model we are seeking to emulate here, and that is why we want to be very clear in everything that we do. Perhaps in more than any other domain, we need to be [sensitive to] privacy and civil liberties. Let me talk about the major elements of the strategy bearing in mind these major focus elements: establishing lines of defense, defending against the full range of threats, and shaping the future environment. First, as it relates to the government, we recognize there are, literally, a thousand connection points between our government domains, civilian domains, and the Internet, and we need to limit that number of access points so we can begin to get a handle on the threats that are coming through those access points and build a series of capable defenses. So, even now we are in the process of reducing the number of connections over time, the number of connections between government systems and the Internet so we can better secure and reduce the vulnerabilities in a much smaller number than, say, we had six months ago. We need to expand our US capability and our national cybersecurity capability to provide oversight, accreditation, and validation across the government civilian domains to make sure everybody has in place the appropriate levels of security, both in terms of what they permit into the Internet and also how they handle their systems in their own departments and agencies. We have established a National Cyber Security Center to coordinate across a number of individual agency cybersecurity centers to provide crosscutting situational awareness and to make sure we're coordinating among the various cyber centers that operate in various kinds of government domains. Once we have reduced the number of entryways, we need to find better ways to mount defenses at these bridges. We currently have an intrusion detection system called Einstein. I might use an analogy from the physical world.
If you think of television programs like CSI New York or CSI Miami, our current system is a passive intrusion detection system that comes after the fact. In other words, we learn there has been a malicious intrusion, we get the information about what we can about the signature and the code, and then we disseminate that information. It is a little bit like sending your crime scene investigators in after the crime has been committed to try and collect the evidence and give warning the next time. We need to move to the next level, which is Einstein 2.0, which we are currently in the process of beginning to deploy. That is a real-time intrusion detection capability. It doesn't wait until after the crime is committed. Using information and tools we were able to get from across the federal government, it enables us to detect, in real time, if an attack is underway. It is a little bit like moving from policemen who investigate the crime after the fact to the policeman who is actually standing, watching people go by on the road and the highway, and when the policeman sees a suspicious character he or she calls into the potential target and warns them there is a suspicious character on the way. You're asking me here: You have a cop who sees a suspicious character? Why doesn't he just stop him and arrest him on the spot? That is Einstein 3.0. That is where we move from intrusion detection, to intrusion prevention. That is a system that we are currently working to develop which would allow us when we see and detect malicious code, or other indications of an attack, to actually stop it cold before it permeates and infects our systems. That is the first element of creating lines of defense. Reducing the entry points and building better capabilities to protect, and ultimately prevent, penetration. The next focus area, which is defending against full spectrum threats, includes protecting the global supply chain, working with the private sector to have better validation about the source of critical elements of software and hardware, particularly for those systems where we have high value information that we want to protect and secure. At the same time, [we need] old-fashioned counter intelligence, working with our government systems to make sure we are preventing people from committing old-fashioned espionage against us: stealing our data, stealing our passwords, stealing our capabilities, or implanting in our systems trap doors that can be used against us. Finally, the third focus element [is] shaping the future environment. We are working across the government domain to help recruit and build the next generation of cybersecurity professionals.
That is going to mean, in particular, working with the private sector to boost cyber education, training, and recruitment, as well as working to fund leap-ahead technology and game changing capabilities that will enable us to increase our cybersecurity. Some months back I was out in Silicon Valley. Someone was saying to me that part of the problem is, when people graduate from college or graduate school, their focus tends not to be on technology, but developing new systems that are faster, move more readily vertically and horizontally, and are quicker at processing data. It seems that cybersecurity has become a little bit of a stepchild. I am going to suggest that that is going to change in the very near future, if it hasn't changed already. Ultimately, the value of the Internet and all the commerce and activity that occurs on the Internet, will only succeed in multiplying if people are confident that they will not lose their crown jewels when they play in cyberspace. It is easy to manage the systems for purchasing goods or getting on eBay, or exchanging information would become much less appealing if there were more and more stories about people losing their most secure information, their most secure financial data every time they get onto the Internet. So, my belief is that, more and more, the issue of cybersecurity is going to be a cutting-edge area in which smart kids are going to realize there is a great future, because there is going to be an incredible demand to keep security up with the increasing exponential growth of the Internet as a tool of commerce, as well as a tool of social networking. Here is where private sector cooperation is particularly critical. A lot of this work is going to be done with you and we want to make sure you are focused on this.... How do we work with the private sector to secure not only our own networks but also to help you to secure your networks? We have a structure in place that allows us to do this at DHS and as you all know it is the National Infrastructure Protection Plan. It is a model in which we have 18 sectors of the national economy we have identified, we work with sector coordinating councils, representatives of industry, and government coordinating councils to set goals and priorities and exchange information about security as it relates to the particular sector we are talking about. Recognizing, for example, the needs of the financial community are very different from that of the commercial real estate sector or the communication sector. What we have done is go back to these sectors and we have asked under each of these plans that industry and government look at cyber risks and mitigations.
We are going to bring all this together through our cross-sector Cyber Security Working Group, looking in particular at interdependencies, information sharing, and cyber issues that affect multiple sectors or cut across all the sectors. We are going to explore options to share Einstein, or similar capabilities including capabilities drawn from across the entire government, with interested industry partners. I want to be clear; this is an invitation, not a mandate. We are not in the business of telling the private sector you must do this, you must let us in, we are going to sit on top of you. That would be the easiest way to alienate most of the people who use the Internet. What we are going to do is offer a service, offer an invitation. For those in the private sector who want to take us up on this, we are going to work to see how we can best mesh with your particular industry architecture to give you some of the benefit of our capabilities, but in a way that doesn't interfere with your basic processes or ... alienate the trust of your customers and your consumers and get them to be concerned about their own privacy and civil liberties. We need to work with the private sector to put together metrics to make sure we can chart our progress and to particularly focus on how we can mitigate the risks that are apparent in the globalization of the commercial technology industry. How do we help you build standards that enable the private sector to gauge the integrity of which systems you are buying, a way that doesn't impede the flow of commerce but gives business consumers and even private consumers the confidence that they know what they are getting? Just as we are increasingly concerned in a global environment about the food we eat, and the toys we give to our children, and you all know what I am talking about, because it is in the news all the time, I submit to you that we have to be equally concerned about the software and hardware we are bringing into our homes and our businesses, for precisely the same reason. Therefore, we have to have precisely the same kind of approach to ensure we are validating what it is we are buying and what are the ingredients of the systems we are bringing into our own places of business and homes.

In short, we have put together a comprehensive strategy to address cyber threats. The president has strongly endorsed it and has pushed us very hard in moving forward to implement it. This will not happen overnight. It is a multi-year effort. It will require a great deal of interagency and private sector coordination. We have made a lot of progress, both in getting our own house in order and in consulting with the private sector, and we stand ready to work with you to get this done as rapidly as possible. We encourage you to continue to work with us through established channels we have used in securing infrastructure in the physical world. Namely, the Critical Infrastructure Advisory Council and the Cross Sector Cyber Security Working Group and the individual sector coordinating councils we have under the net. The bottom line is: We have a common interest. Time is short. The people who want to interfere with our systems have been very busy. They will continue to refine their tools. We have some very good tools in our defense, but they're not going to do us a lot of good if they sit on the shelf. We ought to make sure we polish them up and deploy them as effectively as possible. I know your being here is a [testament] to your understanding and dedication to this issue. I think it is a front burner issue, clearly, for the next administration. I ask for your help and support as we move this forward as rapidly as possible. Thank you.


Cyberspace Operations Air Force Doctrine Document 2-11 [extract] Draft 2008

Foundational Doctrine Statements


Foundational doctrine statements are the basic principles and beliefs upon which AFDDs are built. Other information in the AFDDs expands on or supports these statements. Cyberspace is a global domain within the information environment consisting of the interdependent network of information technology (IT) infrastructures, including the internet, telecommunications networks, computer systems, and embedded processors and controllers. Friendly use of cyberspace needs to be protected and an adversary's use countered in support of US objectives. The vastness, complexity, volatility, and rapid evolution of cyberspace place a premium on continuous intelligence preparation of the operational environment (IPOE). Ensuring freedom of action in cyberspace is a complex undertaking that requires comprehensive situational awareness, understanding of relevant network segments, and an exceptionally fast decision cycle to dominate command and control within the domain. Cyberspace superiority is the degree of dominance in cyberspace of one force over another that permits the conduct of operations by the former and its related land, air, sea, space, and special operation forces at a given time and place without prohibitive interference by the opposing force. Defensive operations seek to deter adversaries from intruding on friendly networks, detect and deny access when attacks are attempted, minimize the effectiveness of attacks, and determine their source(s). Offensive operations deny, degrade, disrupt, destroy, alter, or otherwise adversely affect an adversary's ability to use cyberspace in support of US objectives. Once cyberspace superiority is achieved, offensive operations take advantage of cyberspace freedom of action by creating effects in other domains. Operations to achieve cyberspace superiority can be integrated with the operational rhythm of the appropriate air and space operations center (AOC). Gaining and maintaining access is a critical first step to achieving effects in other domains and countering adversary use of cyberspace. US forces should be capable of operating through a cyberspace attack. They should recognize and isolate an attack while continuing to perform critical actions. Following an attack, they should be able to reconstitute and regenerate capability rapidly. Operations in cyberspace can have significant effects in other domains. To be successful in this new era of cyberspace operations, life-long learning is paramount. Cyberspace professionals are individuals trained to establish, control, and project combat power in and through cyberspace.

Selected Definitions

computer network exploitation. Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE. (JP 1-02)

cyberspace. A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures. (AFDD 2-11)

cyberspace superiority. The degree of dominance in cyberspace of one force over another that permits the conduct of operations by the former and its related land, air, sea, space, and special operation forces at a given time and place without prohibitive interference by the opposing force. (AFDD 2-11)

defensive cyberspace operations. Actions taken to create, sustain, and defend friendly use of cyberspace. (AFDD 2-11)

electronic attack. Division of electronic warfare involving the use of electromagnetic energy, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability and is considered a form of fires. Also called EA. (JP 1-02)

electronic protection. Division of electronic warfare involving actions taken to protect personnel, facilities, and equipment from any effects of friendly or enemy use of the electromagnetic spectrum that degrade, neutralize, or destroy friendly combat capability. Also called EP. (JP 1-02)

electronic warfare. Military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. Electronic warfare consists of three divisions: electronic attack, electronic protection, and electronic warfare support. Also called EW. (JP 1-02)

electronic warfare support. Division of electronic warfare involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate or localize sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition, targeting, planning and conduct of future operations. Also called ES. (JP 1-02)

electromagnetic spectrum. The range of frequencies of electromagnetic radiation from zero to infinity. It is divided into 26 alphabetically designated bands. Also called EMS. (JP 1-02)

information operations. The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own. Also called IO. (AFDD 2-5)

kinetic. Actions or effects that physically alter the material characteristics of a target. Kinetic actions may have lethal or nonlethal results. (AFDD 2-11)

malware. Software such as viruses or Trojans designed to cause damage or disruption to a computer system. (AFDD 2-11)

network attack. The employment of network-based capabilities to destroy, disrupt, corrupt, or usurp information resident in or transiting through networks. Also called NetA. (AFDD 2-5)

network defense. The employment of network-based capabilities to defend friendly information resident in or transiting through networks against adversary efforts to destroy, disrupt, corrupt, or usurp it. Also called NetD. (AFDD 2-5)

network operations. Activities to operate and defend the Global Information Grid. Also called NetOps. (JP 1-02)

nonkinetic. Actions or effects that do not physically alter the material characteristics of a target. Non-kinetic actions may have lethal or nonlethal results. Examples include use of cyberspace weapons, information operations, or electronic warfare. (AFDD 2-11)

offensive cyberspace operations. Actions taken to deny, degrade, disrupt, destroy, alter, or otherwise adversely affect an adversary's ability to use cyberspace in support of US objectives. (AFDD 2-11)


About the Air Force Association


The Air Force Association, founded in 1946, exists to promote Air Force airpower. We educate the public about the critical role of aerospace power in the defense of our nation, advocate aerospace power and a strong national defense, and support the United States Air Force, the Air Force family, and aerospace education. AFA is a 501(c)(3) independent, nonpartisan, nonprofit educational organization, to which all donations are tax deductible. With your help we will be able to expand our programs and their impact. We need your support and ongoing financial commitment to realize our goals. AFA disseminates information through Air Force Magazine, airforce-magazine.com, the General Billy Mitchell Institute for Airpower Studies, national conferences and symposia, and other forms of public outreach. Learn more about AFA by visiting us on the Web at www.afa.org.

1501 Lee Highway Arlington VA 22209-1198 Tel: (703) 247-5800 Fax: (703) 247-5853
