and information lie at the heart of victory in war. The ability to communicate securely and ascertain the movements of the enemy correctly are the foundation of the safety of troops and the confidence of leadership. With the need to communicate over vaster and vaster distances, however, came hidden risks – the adversary could more easily access that information. Well-known examples are those of the Allied advantage in World War II with the successful breaking of both the German and Japanese coded battle information – the Ultra and the Magic intercepts.
Today, we have entered an even more dangerous era, an era that will call upon our entire nation’s resources – material, to be sure, but moral and intellectual as well. Very small numbers of persons utilizing modern computers can deal devastating losses to advancing armies and to civilian populations. Some experts in cyberwarfare have conjectured that there may never be a final victory in cyberwars. Rather, victory may well involve merely avoiding defeat.
In the history of warfare, the initial periods when new weapons were developed were often the most dangerous. The possessors of the new technology saw themselves as having a unique advantage, but one that was fleeting, creating a “use it or lose it” mentality. It was also the period when the technology and its consequences were least understood. The result was devastation unequaled for the time.
John Arquilla’s Bitskrieg: The New Challenge of Cyberwarfare, an eloquent and lucid study, peppered with relevant historical examples worthy of a book themselves, provides a valuable analysis that will inform both a general audience and the cyber expert. Arquilla argues that: “Cyberwar would entail changes in each of these areas: e.g., from larger formations to smaller, nimbler, highly networked units; from mass-on-mass engagements to supple swarm battle tactics; and to the larger strategic goal of ‘knowing more’ than the enemy – about the composition, disposition, and intentions of the forces on both sides.” He brings the reader up to date on the latest advances in cyberwar – against an enemy that is anonymous, projecting force disproportionate to its size, strength, or wealth.
Arquilla acknowledges that the United States projects a confirmed military superiority in its aircraft carriers and the planes that they carry, as well as a nuclear arsenal of the highest quality. But the easy access of information power on the Internet changes this advantage. A country like Iran with gunboat swarming tactics, or North Korea with cyberwarfare, can neutralize this seemingly invincible force. In the cyber domain, even small non-state actors can challenge the superpowers.
These challenges were known and feared when I served as Director of the CIA and Secretary of Defense (2009–13). Seven years, however, in the cyber era is more like a century of change in former times. So, in a manner of speaking, Arquilla picks up where my responsibilities left off. He focuses on the latest developments in cyberwarfare and the need for: secure connectivity and information; a major change in the US military and its organizational design and configuration; and a commitment to arms control negotiations related to cyber.
Regarding the security of connectivity and information, he makes a strong case for encryption and utilization of Cloud computing. In the area of military and security affairs, he argues convincingly about swarm tactics (small networked teams on the ground, connected with each other and attack aircraft) successfully engaging a larger enemy. He also emphasizes the necessity to move from a hierarchical to a networked perspective regarding information flows and organizational forms that were tailored for the industrial age, but are no longer effective today. Finally, he argues convincingly for international meetings that take seriously the idea of cyber arms control.
Indeed, Arquilla argued for cyber arms control negotiations as early as the 1990s, to no avail. At the time, the United States led the world in cyber and it was presumed that that edge would last. While the United States still has the edge offensively in the world of cyber, the Russians and the Chinese lead defensively. In fact, Arquilla argues that Iran’s and North Korea’s defensive capabilities in cyber are more advanced than those of the United States. And he discusses the reasons why open societies have been at a disadvantage in developing secure cyber defenses.
These are only a few of the ideas and revelations presented in this fast-paced, lively study. There is much, much more that will add depth and breadth to the reader’s understanding of the cyber challenges that face the United States and the world. As Secretary of Defense, I warned that the United States was vulnerable to a cyber “Pearl Harbor.” The threat of a cyber attack that shuts down our electric grid, and financial, government, chemical, transportation, and other infrastructure systems, is real. Arquilla’s handling of this complex subject is deft and clear-eyed. His love of the United States, and his work toward keeping us safe and secure, place him among the leading national security thinkers of our time. He is presenting a wake-up call to the nation that will determine whether we are prepared to deal with the cyber threats to the security and safety of our democracy.
Leon E. Panetta
Preface
In the wake of the devastating Japanese attack on Pearl Harbor in December 1941, and the rain of hard blows that soon followed, American Secretary of the Navy Frank Knox mused publicly that “modern warfare is an intricate business about which no one knows everything and few know very much.” Yet, within just six months, the tide turned against Japan at the Battle of Midway; and by the end of 1942 the Germans were decisively defeated in grinding land battles at El Alamein and Stalingrad. The Allies quickly learned to use aircraft carriers as the “tip of the spear” in sea fights, and that tank–plane coordination was the key to Blitzkrieg-style armored breakthroughs in land battles. Diffusion of the best warfighting practices happened quickly during World War II, and the methods developed in that great conflict have continued to shape much of military strategy in the more than 75 years since its end.
But swift adaptation has hardly been the case in our time, an era of emerging “postmodern” warfare. For decades, the dark, predatory pioneers of cyberwar have proved consistently able to overcome defenses and enjoy sustained freedom of action. In terms of cyberspace-based political warfare, for example, the Russians have proved masters, hitting at electoral processes in the United States and across a range of other liberal societies. Faith in the accuracy of the voting processes so vital to democracy has been undermined. China, for its part, has developed a high degree of skill at accessing and absconding with the cutting-edge intellectual property of a range of firms around the world. Mid-level powers such as North Korea have also shown considerable muscle in what might be called “strategic criminal” aspects of cyberwar, the proceeds of such larceny used to support their governments’ nefarious activities, not least in the realm of nuclear weapons proliferation.
Even non-state actors of the more malevolent sort, from terrorists and militants to hacker cliques, have used cyberspace as a kind of virtual haven from which to operate. All have, one way or another, learned how to “ride the rails” of advanced technological systems, exploiting their vulnerabilities and using them as launching points for infrastructure attacks, theft of money, and more. Emergence of the Internet of Things (IoT) has only strengthened these disruptors – both hostile nations and dark networks – as now they can mobilize hundreds of millions of connected household devices to serve in their zombie networks. The current situation, far from seeing an equilibrium arise in which offensive and defensive capabilities are balanced, is one in which attackers retain the advantage because defenders rely overmuch on the least effective means of protection: Maginot-Line-like firewalls and anti-virals that are always a step behind advances in malicious software.
Clearly, one of the principal challenges today is to improve defenses. In my view, this would be by ubiquitous use of strong encryption and regular movement of data around and among the Clouds – that is, others’ data systems. The Fog, consisting of the available portions and lesser-mapped areas of one’s own information space and capacity, can also provide improved security, easing the fundamental problem that “data at rest are data at risk.” But even a very robust remote storage and movement system cannot substitute for strong encryption;
