AFIT alumni Capt Isaac Nacita (M.S. Space Systems, 2018, DG) and Lt Col Mark Reith (M.S. Computer Systems, 2003) wrote an article titled “Cyber War and Deterrence - Applying a General Theoretical Framework” published in the Air & Space Power Journal, Volume 32 Issue 2, Summer 2018. The full article can be read on pages 74-83 here.  An excerpt of the article is below.

Disclaimer: The views and opinions expressed or implied in the Journal are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government. This article may be reproduced in whole or in part without permission. If it is reproduced, the Air and Space Power Journal requests a courtesy line.

Introduction
Military history, when superficially studied, will furnish arguments in support of any theory or opinion.
—Paul Bronsart von Schellendorf

In September 1870, after just six weeks of what many thought would be a prolonged war, Prussian bystanders jeered Louis-Napoléon Bonaparte as he was carried to captivity in what is now Kassel, Germany. It was a fitting portrait of French national disgrace.¹ Their military structures before the war and lack of strategic planning were partly to blame. National archivist Dallas D. Irvine points out, “it (the
French system) was almost completely effective in excluding the army’s brain power from the staff and high command. To the resulting lack of intelligence at the top can be ascribed all the inexcusable defects of French military policy.”² Nevertheless, influenced by the idea that France had lost due to its lack of morale that an offensive approach would have provided, the military regrouped and refocused itself, this time adopting “attaque á outrance.” This doctrine was French military strategy entering World War I, and it was almost immediately proved spectacularly wrong. The French lost 300,000 soldiers in the first month of war. Yet “the legacy of the adoption of the offensive was even more terrible in another sense. The wanton slaughter it spawned produced a similar reaction in all those who lived through it—a grim determination never to allow such slaughter again.”³ Once again, they turned to the defensive, and in the years leading up to World War II constructed the Maginot line. The Germans simply bypassed its strong points and broke through a weaker French line in unexpected terrain. The Maginot line is now a metaphor for something that creates a false sense of security.

There is a saying that politicians and generals are always fighting the last war, which is emphasized when the weapons and characteristics of warfare are changing rapidly. However, if this is true, it is often not due to an inability to learn lessons from previous conflicts, but to “overlearn” or overcompensate for the failures and experiences of the past. In reality, this is not a learning problem but one of forming poor implications from historical events, which leads to poor applications of doctrine the next time around.

The DOD now acknowledges that warfare has extended into cyberspace, and it is my central thesis that the military often suffers from a lack of meaningful conversation concerning the problems it faces in that domain. The lack of discourse is due partly to poorly adopted metaphors and analogies pulled from other domains of warfare and historical examples, and in general to a lack of rigorous strategic framing of the problem and its potential solutions.

The Problem
What problem doesn’t the United States face in cyberspace? The online world reflects the totality of human societal issues. Is there a cyberwar occurring? Cyberspace is a “contested environment,” but so is the global business market. Karl Von Clausewitz called war a clash of wills, a political act carried out by other means, yet also characterizes it with physical force that seems to require a physical domain.⁴ Some, therefore, argue that acts of sabotage, espionage, and subversion occur, conducted through a different medium, but not warfare.⁵ Martin C. Libicki suggests the possibility of “sub-rosa” warfare, implying the general population may be totally unaware of what is occuring.⁶ Others downplay the terminology because what we have faced so far is overhyped and does not merit the title. In many cases the actual effects due to malicious cyberspace attacks are less than those that occur due to natural or accidental events. There is a somewhat humorous incident in which, a year after alleged Russian cyber attacks in Georgia, a 75-year-old woman accidentally cut a cable with a shovel and knocked out internet access in all of Armenia, outdoing Russia in terms of total effect.⁷ All of this is also compounded by the tendency to treat all of America’s social problems using warfare terminology. We are fighting a “war against poverty” and a “war on drugs.” There is winning, and there is losing but rarely a clear winner or loser.

These things notwithstanding, the DOD has already recognized cyberspace as a war-fighting domain. But the nature of the problem is central to the question of deterring or prevailing in cyberspace. One source says, “stop debating on what to call the problem and get us some help!”⁸ The point is understood, but if the problem is not, we should not expect to receive any meaningful help.

The Defense Science Board (DSB) presents some examples of cyber attack that may be used to frame the problem. It points to Iran’s denial of service (DoS) attacks on Wall Street in 2012–13, North Korea’s hack of Sony Pictures, Chinese intellectual property (IP) theft, and Russia’s alleged involvement in the 2016 presidential elections. The document also refers to attacks by nonstate actors like Anonymous or New World Hackers, acknowledging that all of these represent only a small sampling. Fears include the ability of these nations to hold US critical infrastructure at risk, to thwart American military response via the cyber domain, and to use a wide range of lowerintensity attacks that collectively take a toll on the foundations of national power.⁹

The DSB’s recommendations for cyber deterrence read like a Cold War deterrence playbook and not without acknowledgement. Its first initiative, planning tailored deterrence campaigns to cope with a range of attacks, unmistakably resembles flexible response, the concept that moved US nuclear policy away from massive retaliation toward something more proportional. Its second initiative, creating a cyber-resilient “thin line” to key US strike systems, even uses the term “second strike” in a clear acknowledgement of its nuclear deterrence forbearers. Even “countervailing” appears in the document, a term used during the Carter administration years to convey a particular nuclear deterrence strategy.¹⁰ The analogy is not limited to the DSB, presumably because the cold war itself is often invoked in discussions of the relationship between countries over their interactions in cyberspace.¹¹ A recently cited case described the suggestion to leak our cyber offensive capabilities, which takes the idea from nuclear deterrence, that is, a secret weapon cannot be a deterrence.¹²  Even the question posed for this article seems to echo President Reagan’s speeches on “prevailing” over the forces of communism and the Soviet Union.

In 2012, Defense Secretary Leon Panetta used the term “cyber Pearl Harbor” to convey the danger the US faced in the cyber domain;¹³ others have similarly used “Cyber 9/11.” In contrast, John Arquilla and David Rondfeldt suggested (more than a decade earlier) a “manifest destiny for the information age.”¹⁴ Others call cyberspace the new “wild, wild west” or harken the era of pirates and privateers, weak governments, and inexplicit or unenforced international norms.¹⁵ All of these have something in common: the desire to explain something new in understandable terms by reminding us of the past. Cyberwar is complicated because it covers a range of attacks; DoS attacks and leaking of Democratic National Party documents represent two very different types of attacks and two very different strategies. The only thing they really have in common is that both were conducted using cyber domain tools and directed at the US.

Scholars have noted that metaphor is an essential part of how humans rationalize and understand the world, not just in language, but also thought processes.¹⁶ Christopher R. Paparone argues that “management of meaning” is a primary task for leaders.¹⁷ They are often the best way to frame the narrative, but with the obvious problem of oversimplification. A naïve translation of nuclear deterrence principles into cyberspace, therefore, obscures the real problems we face.¹⁸ Metaphors “carry with them, often covertly and insidiously, natural ‘solutions.’ ”¹⁹ Computer viruses resemble biological viruses, so some have suggested a cyber version of the Center for Disease Control.²⁰ Online piracy, like real piracy, is a problem of establishing international norms and compelling nations to enforce them.²¹ These are perhaps two of the better ideas, but they also show that the method of framing the problem affects the way the solution is formulated. Winston Churchill’s iron curtain description painted a visceral image in Western minds that helped to shape the policy of containment under the Eisenhower administration. References to an “information curtain” or “tearing down this firewall” lack the same vitality.²²

Paparone discusses categories of metaphor used by leaders: Newtonian, post- Newtonian, and Humanities and Arts.²³ Newtonian metaphors are based in the hard sciences, and tend to be deterministic in character. Military doctrine derives many of its concepts from Newtonian terminology, such as mass, friction, center of gravity, and power, which carry a quantitative quality. In contrast, post-Newtonian metaphors allude to the complexity and mutual interaction of a system, based in fields like biology, medicine, and quantum mechanics, in which probabilistic effects characterize outcomes rather than linear, deterministic ones. The terms are used extensively in the cyber domain; network, virus, infection, and worm all draw parallels to the “post-Newtonian” world. They are also used to explain things like terrorism and insurgency. Finally, the humanities and arts provide metaphors and analogies from historical, literary, and cultural references. In one of the better war metaphors, Clausewitz likened it to two wrestlers striving for dominance over one other.²⁴

In summary, the cyberwar discussion is taking place within a language context that is as congested as the internet itself. This problem has some precedent. Lt Col Peter Faber, USAF, retired, argued that airpower theory and doctrine suffered inside a similar “prison house of language” during its development that mixed rationalist ideals, antirationalist thought, and army terminology.²⁵ In response, Lieutenant Colonel Faber suggested a framework originally conceived by Dr. Robert Pape and expanded by several works at the Air University.²⁶ This framework was intended to generalize the ideas of airpower, but without locking it into a particular linguistic context. Particularly, the goal of any strategy is to link ends with means. It is this framework that I propose can be utilized to help understand how to address the cyberspecific threats to national security that the US faces.

Read the remainder of the article here.