from the way poor cybersecurity leaves societies open to having both their politics and their prosperity undermined, there is another risk: that disruption of Net- and Web-connected military communications will lead to wartime disasters – in the field, at sea, and in the aerospace environment. Future battles between advanced armed forces will be incredibly fast-paced, replete with weapons empowered by artificial intelligence and coordinated to strike in networked “swarms.” A military whose reflexes are slowed by the kinds of disruption computer viruses, worms and other cyber weaponry cause will find itself at risk of being outmaneuvered and swiftly defeated. This aspect of cyberwar – focused on “battle” – is the successor to World War II’s Blitzkrieg doctrine; I call it Bitskrieg to draw the analogy with that crucially important previous inflection point in military and security affairs.
The dangers posed by the more familiar aspects of cyberwar, from political disruption to criminal hacking and potential infrastructure attacks, pale next to the consequences of failing to see that military operations can be fatally undermined by information insecurity. That is why the need to start paying serious, effective attention to armed-conflict aspects of cyberwar is urgent. But the scope and variety of cyber threats are daunting, making it difficult to address all, especially given the attention-grabbing nature of the latest incident of one sort or another. This suggests that there is one more important, also unmet, challenge that should be taken up alongside efforts to improve cybersecurity and prepare to wage Bitskrieg-style field operations: arms control. Since virtually all advanced information technology is “multi-use” – employable for commerce, provision of services, social interaction or war – the nuclear model of counting missiles and controlling fissile material will no longer do. This has led many (well, most) to scoff at the very idea of cyber arms control. But there is another paradigm that is based on behavior, rather than “bean counting.” It has worked well, for many decades, with the Chemical and Biological Weapons Conventions – covering types of deadly arms whose basic materials can be fabricated by countless countries – whose signatories have covenanted never to make or use such devices. A similar, behavior-based approach to cyber arms control is possible as well.
The need to protect individuals, intellectual property, infrastructures and elections from cyber attack is hardly new; the way to meet challenges to them that I advance is. “New” in the sense that the current approach to cybersecurity, so reliant on firewalls and anti-virals, should for the most part be jettisoned in favor of the strongest encryption and the widespread use of Cloud and Fog computing. The failure of existing security systems is so overwhelming, as the reader will see, that the need to shift to a new security paradigm is now well beyond urgent. As a wise American chief of naval operations once said to me about cyber threats, “The red light is flashing.”
And, with armed forces and armed conflict in mind, I argue herein that the direct, warfighting implications of advanced information technologies – including artificial intelligence – have received too little attention for far too long. The fundamental problem is that a wide range of these new tools have simply been folded into or grafted onto older practices. Thus, the shift from Blitzkrieg to Bitskrieg has not yet been made. My goal is to make sure that aggressors don’t make this leap first. The painful lessons inflicted by the Nazi war machine from 1939 to 1941, at the outset of the Mechanization Age, should sensitize us to the potential cost of failing to parse the profound implications for warfare posed by the Computer Age. A cost that will surely be imposed should cyber challenges to society and security remain unmet.
Aside from illuminating the current challenges that must be met and mastered if peace and prosperity are to have a reasonable chance of thriving as we look ahead, I also “look back” in two principal ways. One aspect of this retrospection focuses on linking current – and future – issues in military affairs and information security systems to what has gone before. The best example of this tie to earlier history is the manner in which, during World War II, the Allies, using the world’s first high-performance computers, “hacked” the Axis and won critical victories in desperate times, often when the odds were stacked heavily in favor of the aggressors, as at the Battle of Midway in June 1942. The knowledge advantage that the Allies possessed over the Axis played a crucial role in the latter’s defeat. Clearly, mastery of the information domain has long mattered; it matters just as much to victory today, and will only grow in importance over the coming decades.
The second way in which I engage in retrospection reflects my own experiences and ideas in this field over the past 30-plus years, in war and peace. As I look back, from early debates about the strategic implications of the Information Age circa 1990 to very recent times, I find that, Forrest-Gump-like, I have been present at many high-level American policy debates about the various dimensions of cyberwar, and have sometimes played an active role in events.
The reflective passages, the reader will find, offer a range of first-time revelations about: how the information advantage over Saddam Hussein enabled General Norman Schwarzkopf to opt for the daring “left hook” plan that was the heart of Operation Desert Storm; why the 78-day air campaign during the Kosovo War did so little damage to Serbian forces; what went on at the first Russo-American meeting of cyber experts; and where the current debates about the military uses of artificial intelligence are, and where they are headed. It has been a privilege to be involved in these and a range of other cyber-related events over the years. But having a privilege is hardly the same as witnessing real progress, and of the latter I have seen far too little. Perhaps this book will stimulate a renewed, and broader, discourse about cyberwar before the Age of Bitskrieg opens with a thunderclap upon us. I hope so.
John Arquilla
Monterey, December 2020
1 “Cool War” Rising
The German philosopher of war, Carl von Clausewitz, described armed conflict as “a true chameleon” whose three base elements are “primordial violence . . . the play of chance,” and, ultimately, its “subordination as an instrument of policy.”1 He had no way of knowing, some two centuries ago, how prescient his notion of the chameleon-like character of warfare would prove to be in its Information-Age incarnation. Echoing Clausewitz, strategist Martin Libicki has described cyber conflict as a “mosaic of forms” ranging across the various modes of military operations, and having significant psychological, social, political, and economic aspects as well. As to Clausewitz’s element of primordial violence, Libicki has contended that cyberwarfare slips the bonds of traditional thinking about armed conflict. Of its many manifestations, he has argued, “None of this requires mass, just guile.”2 This poses some very major challenges to those who would defend against cyber attacks, given that the lack of requirement for mass means that small nations, networks of hackers, even super-empowered smart individuals unmoored from any Clausewitzian notion of a guiding policy, can wage a variety of forms of warfare – operating from virtually anywhere, striking at virtually any targets.
Cyber attackers, whoever and wherever they are, can opt to disrupt the information systems upon which armed forces’ operations increasingly depend – on land, at sea, in the air, even in orbit – or take aim at the control systems that run power, water, and other infrastructures in countries around the world. This mode of attack can also foster crime, enabling the theft of valuable data – including cutting-edge intellectual property – from commercial enterprises, the locking-up of information systems whose restoration can then be held for ransom, or simply the exploitation or sale of stolen identities. The democratic discourse can easily be targeted as well, allowing a whole new incarnation of political warfare to emerge in place of classical propaganda – as demonstrated in the 2016 presidential election in the United States,3 but which can be employed to disrupt free societies anywhere in the world. And for those attackers of a more purely nihilistic bent, controlled or stolen identities can be conscripted into huge “zombie” armies deployed to mount distributed denial-of-service (DDoS) attacks aimed at overwhelming the basic ability to operate of the targeted systems – institutional,
