On Martin Libicki’s Cyberdeterrence report (or now I know why the Air Force Cyber Command is such a mess)

Last Updated on Friday, 27 November 2009 08:23 Written by Jeffreycarr Thursday, 15 October 2009 08:57

UPDATE 27 NOV 2009): Richard Bejtlich of TaoSecurity posts an excellent review of Libicki’s paper identifying problems from a different perspective than my own.

—-

There’s no question that the Rand Corporation has a long and distinguished history as a think tank and I am one of its many satisfied customers. In fact, I highly recommend James Mulvenon’s work to everyone engaged in the Cyber domain in a law enforcement, intelligence, and/or military capacity because his work reflects his broad and deep grasp of his area of study – the military affairs of the People’s Republic of China in the area of Information Warfare.

Unfortunately, that is not the case with Martin C. Lubicki’s latest Rand report Cyberdeterrence and Cyberwar wherein he argues that “strategic cyber warfare” shouldn’t be a priority for the U.S. Armed Forces. Considering the history of cyber conflict to date, such a position requires building a well-documented case with integrated what-if scenarios if it hopes to be taken seriously. Nowhere does it do that. Instead, Libicki opts to examine the question of cyberdeterrence by casting a cyber attack as a stand-alone strategy rather than as part of a larger military operation. Libicki’s straw man argument paints cyber war as a stand-alone strategy while completely ignoring those times when nations have combined a military action with a cyber attack:

• Russian Federation: Chechnya 2002 and 2009; Kyrgyzstan 2005; Georgia 2008
• Georgia: (Russia 2008)
• Israel: Gaza war against Hamas/Palestine (2008,2009)
• Palestine/Hamas: (same as above)

There’s no mention of RF Information Warfare doctrinal writings anywhere in this report, nor is any time spent on China’s well-documented IW strategy. In fact, a check of the references in the back of this book shows only one Chinese document, the sensationalistic “Unrestricted Warfare”, written by two former PLA Colonels, neither of whom enjoyed much success in their military careers. Lubicki does look at the Gaza war of Dec 2008-Jan 2009 but completely ignores its cyber component (which Project Grey Goose explored indepth in its Phase Two report). That’s pretty astounding considering that both Israel and Palestine (through Hamas) utilized overt State-sponsored hacker attacks in addition to the noisy and mostly ineffectual mayhem caused by non-state actors.

This lack of depth regarding critical understandings about how cyber warfare has been conducted over the years continues into Appendix A where Libicki dedicates all of two pages to the topic “What Constitutes an Act of War in Cyberspace?” 2 pages? Are you f’n kidding me? Why even bring it up if you’re going to gloss over all of its complexities?

Bottom line – if you can’t show me that you understand what cyber war is and how it is being used by Nation States today and in the last 10 years; that you haven’t read those States’ important military thinkers’ writings on Information Warfare or its other iterations (CNO, IO, etc.), and either do not know or ignore the ongoing build-up of IW applications by our potential adversaries, then “how in the name of Zeus’s butt hole” (courtesy of Nicolas Cage’s character in The Rock), can you write about cyberdeterrence and expect to be taken seriously?

As a side note, the fact that this monograph was sponsored by the U.S. Air Force says a lot about the Air Force’s own sad history in trying (and failing) to claim cyberspace as its own warfighting domain.