The Washington Post editorial page has recently been promoting development of a U.S. cyber-strategy through robust public debate. Today’s editorial continues that argument: It begins by saying that “A recent report by a task force of the Defense Science Board on cyber-conflict makes clear that all is not well in preparing for this new domain of warfare.” The editorial then makes some substantive points about what such a strategy should include, such as a major offensive cyber-attack capability. Finally, it concludes with a process point, which it attributes to the Defense Science Board task force report:
[T]he task force offered an important caution: In the past, on nuclear weapons, counterterrorism, counterinsurgency and all manner of conventional military missions, we’ve had decades of policy debate. “In contrast,” they said, “relatively little has been documented or extensively debated concerning offensive cyber operations.”
This is a worrisome facet of how the United States is entering the age of cyberconflict. President Obama has signed off on a new doctrine, but it remains classified. There’s a new national intelligence estimate of cyber-espionage and its economic costs, but it remains under wraps. Until now, most of the offensive cyber program has been hidden entirely under the cloak of intelligence. That secrecy is necessary for specific operations, but the public needs an informed, robust debate about policy in this expanding realm.
Will there be public sacrifices or costs — say, a regional electric-grid blackout or a stock-exchange crash? Who decides whether to launch an offensive cyberattack? Under what conditions? These are the type of questions that the administration and Congress ought to be talking about with the American people. We ought not wait until a disaster has arrived to address the policy implications of cyberwar.
In general I favor debate and public transparency on national security matters, and strong public backing is sometimes an important element to long-term strategy, but I have no idea what specifically the editorial page has in mind here in terms of how best to develop such a strategy (which of course it should do) and to integrate offensive cyber capabilities (which of course it should do). I did, though, look up the DSB report to which they attribute this idea of robust public debate on offensive cyber strategy, and I don’t read its recommendations the same way at all. Taken in context, the report says something different. According to the report:
U.S. policy must clearly indicate that offensive cyber capabilities will be utilized (preemptively or in reaction; covertly or overtly), in combination with other instruments of national power, whenever the National Command Authority decides that it is appropriate. The recent DoD Cyber Strategy leaves this option open and discusses potential U.S. responses to cyber attack. The appropriate authorities must exist with those responsible to protect U.S. interests.
The intellectual and empirical underpinnings for strategy and doctrine for kinetic, nuclear, counterterrorism, counterinsurgency, and other missions have been extensively documented and debated for decades. Most modern militaries have adapted these underpinnings to their own situations and have implemented them within their own contexts. In contrast, relatively little has been documented or extensively debated concerning offensive cyber operations. This is especially true with respect to the use of offensive capability as a component of a larger strategic deterrence that, to be effective, must achieve visible results against the adversary but not reveal enough about the capability for an adversary to create a defense. DoD should expect cyber attacks to be part of all conflicts in the future, and DoD should not expect adversaries to play by U.S. versions of the rules (e.g. should expect that they will use surrogates for exploitation and offensive operations, share IP with local industries for economic gain, etc.) USCYBERCOM, and its supporting Service Component Commands, must be the driving force to surface the doctrine, organization, training, materiel, leadership and education, personnel and facilities (DOTMLPF) /Unity-of-Effort gaps and advocate for requisite gap-closure actions. The Intelligence Community and other United States Government Departments and Agencies, with distinct and overlapping authorities, also have key supporting responsibilities. Given the nation’s cyber defensive posture, time is of the essence in developing a broader offensive cyber capability.
While there may be good government and democratic reasons to have one, and I agree that Congress (and especially certain committees) should be deeply engaged on this issue, this is not a call by the Task Force for public debate as the path to effective offensive cyber strategy. To the contrary, the past debates to which it refers have mostly been internal to the government, sometimes for better and sometimes for worse, and the Report talks about the need for secrecy that goes far beyond what the Post’s editorial calls “necessary for specific operations.”
The DSB Task Force report quote here does, however, point to a different problem for which some form of debate and sustained discussions may be critical: the fact that opponents may play by different rules of the game. Diplomacy with adversaries and allies alike — some of which must be shielded from public scrutiny — will be part of the solution to that.