On Martin Libicki’s Cyberdeterrence report (or now I know why the Air Force Cyber Command is such a mess)
Last Updated on Friday, 27 November 2009 08:23 Written by Jeffreycarr Thursday, 15 October 2009 08:57
UPDATE 27 NOV 2009): Richard Bejtlich of TaoSecurity posts an excellent review of Libicki’s paper identifying problems from a different perspective than my own.
—-
There’s no question that the Rand Corporation has a long and distinguished history as a think tank and I am one of its many satisfied customers. In fact, I highly recommend James Mulvenon’s work to everyone engaged in the Cyber domain in a law enforcement, intelligence, and/or military capacity because his work reflects his broad and deep grasp of his area of study – the military affairs of the People’s Republic of China in the area of Information Warfare.
Unfortunately, that is not the case with Martin C. Lubicki’s latest Rand report Cyberdeterrence and Cyberwar wherein he argues that “strategic cyber warfare” shouldn’t be a priority for the U.S. Armed Forces. Considering the history of cyber conflict to date, such a position requires building a well-documented case with integrated what-if scenarios if it hopes to be taken seriously. Nowhere does it do that. Instead, Libicki opts to examine the question of cyberdeterrence by casting a cyber attack as a stand-alone strategy rather than as part of a larger military operation. Libicki’s straw man argument paints cyber war as a stand-alone strategy while completely ignoring those times when nations have combined a military action with a cyber attack:
- Russian Federation: Chechnya 2002 and 2009; Kyrgyzstan 2005; Georgia 2008
- Georgia: (Russia 2008)
- Israel: Gaza war against Hamas/Palestine (2008,2009)
- Palestine/Hamas: (same as above)
There’s no mention of RF Information Warfare doctrinal writings anywhere in this report, nor is any time spent on China’s well-documented IW strategy. In fact, a check of the references in the back of this book shows only one Chinese document, the sensationalistic “Unrestricted Warfare”, written by two former PLA Colonels, neither of whom enjoyed much success in their military careers. Lubicki does look at the Gaza war of Dec 2008-Jan 2009 but completely ignores its cyber component (which Project Grey Goose explored indepth in its Phase Two report). That’s pretty astounding considering that both Israel and Palestine (through Hamas) utilized overt State-sponsored hacker attacks in addition to the noisy and mostly ineffectual mayhem caused by non-state actors.
This lack of depth regarding critical understandings about how cyber warfare has been conducted over the years continues into Appendix A where Libicki dedicates all of two pages to the topic “What Constitutes an Act of War in Cyberspace?” 2 pages? Are you f’n kidding me? Why even bring it up if you’re going to gloss over all of its complexities?
Bottom line – if you can’t show me that you understand what cyber war is and how it is being used by Nation States today and in the last 10 years; that you haven’t read those States’ important military thinkers’ writings on Information Warfare or its other iterations (CNO, IO, etc.), and either do not know or ignore the ongoing build-up of IW applications by our potential adversaries, then “how in the name of Zeus’s butt hole” (courtesy of Nicolas Cage’s character in The Rock), can you write about cyberdeterrence and expect to be taken seriously?
As a side note, the fact that this monograph was sponsored by the U.S. Air Force says a lot about the Air Force’s own sad history in trying (and failing) to claim cyberspace as its own warfighting domain.
Jeff,
In his introduction, Libicki explictly states that operational cyberwar, i.e. ‘attacks’ designed to support/augment/choose-your-verb kinetic operations, may be of far more relevance than what he calls ’strategic cyberwar’ i.e. that conducted entirely ‘in cyberspace’. He explictly sets out his remit, and does not stray from that. Just because you might not like the fact that he hasn’t addressed all the issues – there’s definitely more scope for that, of course – is no reason not to take the report on its own terms.
As regards USAF, it actually speaks well of them that they a) appointed RAND, b) didn’t editorialise (that we know of), and c) haven’t attempted to quash the report. Whilst I agree that USAF may be a service in search of a mission, this is exactly the sort of exercise that might usher them towards the sort of acceptance of their limitations that you suggest, rightly, would be more productive.
The main thrust of your argument is that Libicki doesn’t understand and that he doesn’t support his case with deep histories of known cyberwar. His cyberwar-alone scenarios are therefore a straw man. Would you be similarly inclined to dismiss 60 years of nuclear strategic theory on the basis that it isn’t evidence-based? Of course not. Libicki’s methodology is sound, even if his theoretical stance and report structure is not to your liking.
Thanks for your counter argument, Tim. The fact that Libicki framed his case really doesn’t change the flaws that I pointed out, and many more that I didn’t just due to time limitations.
If you’re going to provide guidance to the DoD on the relative merits of cyber deterrance, then you need to adequately cover the domain wherein it would be applied.
Regarding your point about whether I would dismiss 60 yrs of nuclear strategic theory because it isn’t evidence-based, I don’t see that as analogous. First, there are no examples of a nuclear war to point to. Not even a nuclear “skirmish” or a non-state nuclear terrorist attack. That’s not the case with cyber.
And what about his Appendix A? Can you help me understand why he would even include that when legal experts have written hundreds of pages on the subject and its still hotly contested?
As to the USAF, they’ve sponsored other, better Rand studies but these last few years have revealed seriously and deeply embedded problems in leadership in that service. I wonder if Lord even read this report before it went out the door?
Hehe. That’s an interesting final question. Maybe he did. It’s not like Libicki’s said that USAF has no role; just that it needs to be better defined. We’d both agree with that, I’m sure.
The Appendix A is curious, agreed. Let’s try a counterfactual heuristic here though: what if he’d simply left it out? merely said it’s an unresolved issue and left it at that? Libicki didn’t set out to write the definitive guide to cyberwar, cyberdeterrence, or the laws of war. It’s not doctrine, operational guidance, or policy. It is what it is: an extended think-piece that I think is a valuable addition to the canon.
I’ll leave you with the final word on this, Tim, since I have a great deal of respect for your own contributions. Thanks again for the debate.
Likewise, of course. I think the most interesting thing about this is how USAF will react. I haven’t yet seen any official response to this, although I confess I haven’t looked hard yet.
[...] scenarios to great effect in his recent RAND report, Cyberdeterrence and Cyberwar (for the record, Jeff Carr did not). The difference being that Libicki used them to examine strategic theory, not fuel procurement [...]