Despite what the media likes to believe, there are no watersheds in the history of cyber conflict. Offensive cyber operations simply don’t work that way. You don’t irreversibly leap over the Rubicon, but crisscross it a couple of times to derive reasonable threshold estimates of power projection.
Cyber operations — as the militarised, regimented form of hacking is often called — don’t manifest themselves as precision-guided munitions. They’re more like a game of probability.
Cyber operations thrive on the very architectural ambiguity which plagues the Internet. You hope to tame the unstable cyber weapons while deploying them in a complex adversarial environment, almost entirely uncertain about the results. Retaining the initiative during an ongoing mission is like solving a jigsaw puzzle where half of the pieces lie with the adversary.
You catch a glimpse of this terrifying uncertainty in the wild-eyed glint of cyber operators throughout the globe – from those who breathed life into the Stuxnet computer worm, to retired ‘mercenaries’ like me! It’s for this reason that cybersecurity strategists like Bruce Schneier, Dan Geer and Dave Aitel believe that the Internet is both a firing range and a war zone.
How The Cyber Domain Came To Be Militarised
This has had a remarkable effect on the eventual militarisation of the cyber domain. It’s only by trial and testing that armies could recalibrate their thresholds of war, their options for proportional response, and their rules of engagement. Since the setting up of the first cyber-enabled information warfare squadron in 1996, it took the US more than two decades to arrive at the barely-working threshold estimates.
The escalatory matrix, manifesting over the Persian Gulf in the ongoing US-Iran confrontation, fluctuates between the use of cyber and kinetic military options to project power.
Coercive Power of Cyber Weapons Could Be Used to “Reset Diplomacy”
While weaving cyber operations into different levels of conflict escalation (that are still dominated by kinetic options) is unique and challenging, the playbook of the US generals, in this case, dates back to the early days of the militaristic cyber domain. It was General James Cartwright, former head of the US Strategic Command, who prophesied that the coercive power of cyber weapons could be used to “reset diplomacy”.
In the nineties, he framed an ideological footing for what is now known as the US Cyber Command (USCYBERCOM). Cartwright further believed that “the tools available to a president or nation in between diplomacy and military power, were not terribly effective.”
Chiselling such tools involves a lot of trial and error. Jacquelyn Schneider of the US Naval War College studied cyber wargames for over six years. She came to the realisation that US commanders — due to some imagined fear over cyber retaliation by the adversary — were extremely reluctant to dispense cyberweapons even after extreme provocation that tipped the nuclear threshold. A similar stasis gripped the US government during the Russian interference in the 2016 presidential elections. Due to such inaction, the US got cyber deterred before it even thought of launching a counter strike against Russia.
The USCYBERCOM emerged from self-perpetuated paralysis only after Trump signed the National Security Presidential Memorandum 13, which loosened the Obama-era legal shackles around the preemptive hacking of overseas networks.
Malleability of Cyber Domain
Cyber intelligence analysts like Haroon Meer and Grugq believe that the dynamic switch between ‘kinetic’ and ‘cyber’ becomes even more effective in persistent and below-threshold hot war. In cases where the conventional military of an adversary heavily outweighs your own, retaliatory cyber operations as a tool of power projection may open a crucial window of negotiation.
In a recent article, Lt Gen (retd) DS Hooda, who led the 2016 ‘surgical strike’ in Pakistan, also hinted at a cyber-kinetic synergy in integrated war-fighting efforts. He went on to cite the 4 May Israeli airstrike on a Hamas safehouse, which was acting as a launchpad of cyber operations. While Hooda’s allusion makes sense, it is slightly misplaced.
In my opinion, the Israeli operation borrowed from an older, more mature but overlapping playbook — targeted assassinations. Nonetheless, it highlights the malleability of the cyber domain, to fit any tactical or strategic paradigm.
I am reminded of Nate Fick’s aphorism: “Governments would be tempted to hack more killers, and kill more hackers.” Fick is a Marine Corps officer, and the founder of cyber countermeasures firm ‘Endgame’.
Cyber operations are massively cascading in terms of their effects, which could cause extreme but invisible damage to national security and sovereignty. Neutralising hackers, as in the case of nuclear scientists, is a viable option that has been suitably expended in the past.
How Does Pre-Emptive War Work?
The recent cyber attack against Iranian missile systems wasn’t the first instance of its kind. The New York Times correspondent David Sanger has dedicated a whole chapter of his book The Perfect Weapon to the ‘Left of Launch’ cyber strategy of the US. It was put to extensive use against the North Korean ballistic missile programme. ‘Left of Launch’ points to a perplexing paradox of cyber operations — pre-positioning cyber implants within foreign military networks is legally a case of pre-emptive war, that could further strengthen the enemy’s resolve to physically attack you first.
Such were the dichotomies highlighted in a seminar I gave to senior military commanders in March, many of whom belonged to the newly minted Defence Cyber Agency (DCyA).
Very Few Of Our Decision-Makers Have Actual Operational Experience in Cyber
I agree with Hooda that the DCyA would have to work around stovepipes built by the Indian Army, Navy and Air Force. The Vivekananda International Foundation, a think-tank of the ruling RSS-BJP combine, also released a white paper on “credible cyber deterrence” this May. Its thesis is so elaborate and overambitious that it seems as if the Indian national security establishment can’t see the woods for the trees, or the gazillion bits that make up the cyber bombs.
The reality is that very few of our decision-makers have actual operational experience in the cyber domain.
It’s a problem that gets exponentially magnified at the topmost echelons, as the underlying ambiguity of cyber operations becomes even more potent and crippling. Over-generalisations, misplaced assumptions, and grandstanding could translate to the complete weakening of the command structure.
‘In the Cyber Domain, Institutional Memory is Institutional Capability’
In the same seminar, I stressed that ‘jointness’ is the foundational pillar of a modern, integrated and cyber-enabled military. Unlike conventional paradigms, such jointness doesn’t manifest itself in file-noting or orchestrated inter-services bonhomie, but is embedded deep within the source code of the military’s cyber tool-chains — the complex software frameworks that drive and manage cyber exploitation. The synergy is intricate and deeply enmeshed within the operational arteries.
I rued that, while the post-Pulwama exhilaration has inspired us to mull over jointness, not even the senior-most commander in the room knew that the first ever joint Indian cyber operation happened almost a decade ago.
You build cyber capabilities and expertise over decades, hinged around generations of disciplined cadres of hackers. You hope that one day, the brightest among them would become a commander. This is true in the case of Gen Paul Nakasone, the current head of the USCYBERCOM.
During the Iraq and Afghanistan wars, tacticians ran amok in the US cyber machinery. Nakasone brought back the focus on the strategic cyber domain and the results are evident in Russia and Iran. Jason Healey, the earliest of US cyber veterans, presciently highlighted how the “roots of digital warfare date back to the birth of the US Air Force.” In the cyber domain, institutional memory is institutional capability. Sadly, we have cultivated none here in India.
(The writer is a cyber intelligence specialist and has worked with the Indian government and security response teams of global companies. He blogs at www.pukhraj.me. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses, nor is responsible for them.)