Beruflich Dokumente
Kultur Dokumente
To cite this article: David C. Gompert & Martin Libicki (2015) Waging Cyber War the American
Way, Survival, 57:4, 7-28, DOI: 10.1080/00396338.2015.1068551
Download by: [International University of Japan] Date: 22 April 2017, At: 02:15
Waging Cyber War the American
Way
David C. Gompert and Martin Libicki
War is cruelty, and you cannot refine it, said William Tecumseh Sherman.1
As we have previously argued in this journal, cyber war is war.2 Whether it
is cruel and unrefined depends on the manner in which it is waged.3 While
this is not solely up to the United States, US policy can have big effects. Yet,
if US policy on offensive cyber war is influential, it is also inchoate. While
some vagueness about when and how the United States would conduct
offensive cyber operations is necessary, its general policy on this matter
warrants debate. This article is meant to inform such a debate.
In part, US circumspection betrays an instinctive aversion to offensive
cyber war. Notwithstanding its unsurpassed abilities to disrupt computer
systems, the United States has approached the subject warily. The US
Department of Defense, for example, recently called the increase in cyber
attacks a dangerous trend in international relations.4 Official statements
have consistently stressed that US goals concerning cyber war are defence
and deterrence. For a power that has repeatedly engaged in offensive con-
ventional warfare since the end of the Cold War, such wariness is striking
and merited.
US ambivalence toward cyber war is both strategic and normative, the
implication being that what is bad for the United States is also bad for the
world. Washington insists that any cyber operations it might conduct would
David C. Gompert and Martin Libicki are Distinguished Visiting Professors at the US Naval Academys Center
for Cyber Security Studies. They thank the Academy and the Center for their support during the drafting of this
article, though they stress that the views expressed are their own.
limit cyber war internationally, while keeping its options open, it must offer
an example. For that matter, the American people deserve to know what
national policy on cyber war is, lest they assume it is purely defensive or
just too esoteric to comprehend.
Whether to set a normative example, warn potential adversaries or foster
national consensus, US policy on waging cyber war should be coherent. At
the same time, it must encompass three distinguishable offensive missions:
wartime counter-military operations, which the United States intends
to conduct;
retaliatory missions, which the US must have the will and ability to
conduct for reasons of deterrence; and
coercive missions against hostile states, which could substitute for
armed attack.12
Four cases serve to highlight the relevant issues and to inform the elab-
oration of an overall policy to guide US conduct of offensive cyber war.
The first involves wartime counter-military cyber operations against a
cyber-capable opponent, which may also be waging cyber war; the second
involves retaliation against a cyber-capable opponent for attacking US
systems other than counter-military ones; the third involves coercion of a
cyber-weak opponent with little or no means to retaliate against US cyber
attack; and the fourth involves coercion of a cyber-strong opponent with
substantial means to retaliate against US cyber attack. Of these, the first and
fourth imply a willingness to initiate cyber war.
Retaliation
While the United States should be ready to conduct cyber attacks against
military forces in an armed conflict, it should in general otherwise try to
avoid and prevent cyber war. (Possible exceptions to this posture of avoid-
ance are taken up later in the cases concerning coercion.) In keeping with
its commitment to an open, secure, interoperable and reliable internet that
enables prosperity, public safety, and the free flow of commerce and ideas,
the United States should seek to minimise the danger of unrestricted cyber
war, in which critical economic, governmental and societal systems and ser-
vices are disrupted.20 Given how difficult it is to protect such systems, the
United States must rely to a heavy extent on deterrence and thus the threat of
retaliation. To this end, the US Defense Department has stated that a would-
be attacker could suffer unacceptable costs if it launches a cyber attack on
the United States.21 While such a warning is worth issuing, it raises the ques-
tion of how these unacceptable costs could be defined and levied. Short
of disclosing specific targets and methods, which we do not advocate, the
United States could strengthen both the deterrence it seeks and the norms it
Waging Cyber War the American Way | 15
the line between intensely harmful theft and cyber war is woolier in reality
than in theory. But the points stand that not all hacking is cyber war; that
when it comes to espionage, states will be states; and that retaliation should
be broadly in kind.
Attribution is a thornier problem, requiring a more subtle solution. On
the one hand, retaliating with less than absolute certainty that the target
state was the attacker obviously runs the risk of harming the innocent. On
the other, declaring that retaliation depends on absolute certainty would
weaken deterrence, especially if an attacker thinks it can use a roundabout
attack path or rely on deniable agents to do the attacking. If this dilemma
seems insoluble in the abstract, there may be a prac-
tical solution: the identity of the state responsible
for an attack on the United States serious enough Attribution is a
to justify retaliation might be obvious by virtue of
the context for instance, tension, confrontation
thornier problem
or armed hostilities and the fact that few actors
would be capable of such an attack. One cannot exclude the possibility
that a capable third party might try to exploit a crisis to conduct an attack
for which another state would suffer retaliation; however, counting on US
misattribution would be a huge gamble to take. Deterrence is, after all, in
the eye of the would-be attacker. A 4-in-5 chance of knowing who attacked
produces a 1-in-5 chance of the attacker getting away with it.
While circumstantial evidence does not rule out mistaken identity and
thus mistaken retaliation, neither does it require the United States to retali-
ate. How the United States actually reacts to a specific attack, and what it
says about its standard for retaliation in order to create strong deterrence,
are two related but significantly different matters. It is best to limit declar-
atory policy to the effect that the United States would be confident of its
attackers identity before retaliating.23 To buttress this, it could also convey
confidence in its ability to identify the culprit.
In sum, US policy to support the legitimacy of retaliation for a cyber attack
might include making known that the United States can and may conduct
devastating retaliation for a cyber attack;24 concentrating the development
of options, doctrine and plans on the goals of disrupting and degrading the
18 | David C. Gompert and Martin Libicki
cyber aggressors state (as opposed to its population), thus allowing compli-
ance with norms of discrimination and proportionality while also enabling
escalation control; treating all state systems, including security systems,
as within the target set, with the exception of systems for nuclear C2; and
retaliating in kind against a state deemed responsible for a destructive cyber
attack, but not for stealing secrets. These policy provisions would apply not
only in the event of attacks on the United States, but also on allies with
which it has binding common defence ties, such as NATO and Japan.
US policy would make a sharp distinction between counter-military
offensive cyber war during armed conflict and the conduct of wider cyber
war, whether or not during an armed conflict. For the former, it would be
prepared to act as required by militaryoperational demands; for the latter,
it would show great restraint unless attacked, in which case it could unleash
major assaults on the attacking state.
cyber war during an armed conflict and would retaliate if deterrence failed,
it is silent about using or threatening cyber war as an instrument of coer-
cion. Such reticence fits with the general US aversion to this form of warfare,
as well as a possible preference to carry out cyber attacks without attribu-
tion or admission.
Notwithstanding US reticence, the use of cyber war for coercion can
be more attractive than the use of conventional force: it can be conducted
without regard to geography, without threatening death and physical
destruction, and with no risk of American casualties. While the United
States has other non-military options, such as economic sanctions and sup-
porting regime opponents, none is a substitute for cyber war. Moreover, in
the case of an adversary with little or no ability to return fire in cyberspace,
the United States might have an even greater asymmetric advantage than it
does with its conventional military capabilities.
However appealing cyber war may be as an alternative to armed con-
flict, especially where there is no fear of retaliation, the United States
must consider whether the use or, by extension, the threat of cyber war
for the purpose of coercion is consistent with norms it values, especially
its opposition to cyber war in particular and support for the laws of war
in general. As noted, coercion implies the possibility of first use, which
could be viewed as aggressive, unless of course the adversary is itself
already engaged in some other form of aggression. Arguably, cyber coer-
cion amounts to intervention in another states internal affairs. If directed
at civilian or multipurpose systems, it could be considered indiscriminate.
And in the absence of both armed conflict and enemy cyber attack, propor-
tionality could be hard to defend.
This raises the question of whether the laws of war should apply to coer-
cive cyber war (and cyber war in general). Specifically, must the target of a
cyber attack be a military capability? Because cyber war is war, the answer
would be yes if cyber attacks worked the same way that kinetic attacks do.
But they do not. In theory, cyber war can destroy things; but in actuality,
attacks rely on computer instructions that can cause things to destroy them-
selves. Stuxnet broke centrifuges because the centrifuges were built to execute
potentially self-destructive sequences. Otherwise, cyber attacks are essentially
20 | David C. Gompert and Martin Libicki
disruptive: they keep things from working. In this sense, cyber war is gener-
ally not violent. Moreover, its direct effects can be reversed, and far more
quickly than those of physical war. An attack against the computer systems of
military forces that are not at war may be troublesome, but any degradation
is temporary, and physical hardware is left intact.26 Unless cyber attacks are a
prelude to armed conflict, and hence more pre-emptive than coercive, there
is time to mend any ruptures, so long as the country being threatened is not
itself at war with a third party. Hence, the threat of a cyber attack on military
forces is unlikely to be very persuasive or produce much coercive leverage.
By contrast, many systems that support
civilian and economic needs produce services
People living on the every day around the clock, in peacetime no
less than in war. If electric power is out for
edge may go hungry a week, that would be a week during which
little economic activity took place (not to
mention a very uncomfortable week, unless the weather cooperated). If
bank records are scrambled, people lose access to their money, possibly
forever if accurate records cannot be recovered. If government payments
are delayed, people living on the edge may go hungry. Being comparatively
accessible and vulnerable, civilian systems are more inviting targets than
military ones.
The advantage of targeting civilian rather than military systems to max-
imise the peacetime impact of a cyber attack immediately raises a yellow
card about using cyber war for coercion. This is especially so for countries
that claim the moral high ground and seek to discourage cyber war in
general, such as the United States. Still, if the alternative to conducting or
threatening a cyber attack on civilians is a choice between using kinetic force
and doing nothing in the face of enemy aggression or other hostile behav-
iour, then coercive cyber attack on civilian services is merely a bad option
among worse ones.
Apart from such normative considerations, the coercive value of the threat
of cyber war is diminished by the difficulty of brandishing offensive capabili-
ties, either by describing or demonstrating them. There is currently no state
that regularly boasts about its cyber-war capabilities; indeed, states regularly
Waging Cyber War the American Way | 21
works. The case of Russian attacks on Estonia suggests that even a sophis-
ticated, computer-reliant target might get its back up rather than succumb
in the face of cyber attacks. Moreover, there are not many states that are at
once US adversaries, incapable of retaliation, and so computer-reliant that
they would yield to coercion even if attacked. Iran may be one; however, the
United States would be taking a large gamble in expecting Iranian leaders to
cower in the face of US cyber war.
The dynamics of cyber coercion reflect the ambiguity of information asso-
ciated with any cyber attack, quite possibly to the advantage of the target.
The attacker may know what systems it has penetrated and what first-order
effects might be generated from such a penetration; but its information on
whether the penetrated system is still usable may be iffy, particularly if the
system under attack has no real-time connection with the attacker. The target
may not know exactly what was penetrated or how, but it should have a
better idea than the attacker about the failure modes of the likely targets. It
should also have a better idea than the attacker about how resilient its systems
are, what the recovery path and lead times may be and, most importantly,
how well it can withstand the systems being down. Alternatively, it may be
that neither side has much clue about resilience and recovery, because cyber
attacks of the sort that call for resilience and recovery have so far been quite
rare.29 But such opacity could work to the disadvantage of the attacker.
One of the reasons that a target might believe that it can ignore a US threat
to carry out a cyber attack is because it knows that such an attack would not
be costless for the United States. Any cyber attack carries risks, especially if
carried out in peacetime, and not in retaliation. For instance, it might attract
world opprobrium. If the attack and attacker were publicised or obvious a
given in any cyber attack that followed a threat responsibility would also
be obvious. In addition, an attack risks angering and mobilising populations
of the target state in ways that render concessions politically less likely than
if a threat had been made without an attack. If cyber-war retaliation is infea-
sible, the target may respond in other, harmful ways. Again, think of Iran,
with its network of terrorist proxies, agents and extremists.
Sometimes, coercion is a matter of pounding away until the target state
complies. Examples include economic sanctions, blockades, support for
Waging Cyber War the American Way | 23
and thus the utility of using, much less threatening, cyber attack. In general,
pin prick cyber war offers doubtful benefits in return for avoiding the viola-
tion of norms the United States favours. In the case of a capable adversary,
moreover, low-grade cyber attacks risk not only retaliation but escalation,
presumably outweighing the benefits. As a general proposition, if the United
States were to wage offensive cyber war, it should do so robustly, and for
major purposes and effects. Against an adversary capable of both retaliation
and tightened defence, such cyber war would be most imprudent.
* * *
26 | David C. Gompert and Martin Libicki
Cyber war is war, even if more refined and less cruel than Sherman could
have imagined. Being both vitally dependent on and a champion of an open,
secure, interoperable, and reliable Internet, the United States should have
and seemingly has a general aversion to cyber war, on both normative
and strategic grounds. In keeping with that aversion, as well as with the dif-
ficulty of controlling cyber war once begun, the United States should resort
to such warfare only when failure to do so could have grave consequences.
If cyber war is war, the United States should observe the laws of war gov-
erning discrimination and proportionality, just as it has a profound interest
in others observing them. At the same time, because the effects and course of
cyber war are not entirely controllable or predictable, the United States must
recognise that these norms, in particular, are difficult to monitor and police.
Therefore, while US policy should be to promote these norms internationally
which implies living by them their application cannot be unrealistically strict.
Cyber war against military targets during armed conflict or in retaliation
for cyber attack meets the standard of treating cyber attacks as acts of war,
to be conducted only when not doing so would have grave consequences.
Such warfare would also be broadly consistent with the norms of discrimi-
nation and proportionality. At the same time, if the resort to cyber war is
indicated by such circumstances, the United States should be prepared to
act robustly, inasmuch as tentative or pin prick cyber war may entail less
gain than risk, including the risk of failure.
Accordingly, for cyber war on military targets during armed conflict, the
United States should attain and maintain offensive superiority in order to
offset its cyber vulnerabilities, retain its overall militaryoperational advan-
tage and gain escalation control. For retaliation, the United States should
have and be ready to use capabilities to visit unacceptable costs on systems
critical to the operation and control functions of the attacking state, while
attempting to avoid any damage to wider societal and economic well-being.
For the sake of deterrence, the United States should effectively indicate that
the confidence it feels in its own attribution capabilities is sufficient to
justify retaliation when warranted.
The US use of cyber-war threats for purposes of coercion could do vio-
lence to the general US opposition to cyber war, the position that such war
Waging Cyber War the American Way | 27
is genuine war and the standard that only grave circumstances warrant it.
Moreover, cyber war for the purpose of coercion is on the whole an unprom-
ising concept against weak adversaries: it might fail, undermine beneficial
norms, lead to international scorn (whether coercion works or not) and
cause non-cyber responses. Against strong adversaries, it could also lead to
damaging retaliation and escalation, from which there could be no winner.
In sum, general US offensive policy should be to avoid cyber war except
as a military operation carried out against enemy forces during armed con-
flict or in retaliation for attack. For these two purposes, the United States
should be second to none in its ability to wage cyber war, and to make it
count when no choice remains.
Notes
1 William Tecumseh Sherman, letter to for both vertical and horizontal
the mayor and city council of Atlanta, escalation is addressed in depth
12 September 1864, available at http:// in Cavaiola, Gompert and Libicki,
history.ncsu.edu/projects/cwnc/items/ Cyber House Rules.
show/23. 8 See, for example, Vice Admiral Ted
2 Lawrence J. Cavaiola, David C. N. Branch, A New Era in Naval
Gompert and Martin Libicki, Cyber Warfare, Proceedings, vol. 140/7/1,337,
House Rules: On War, Retaliation, July 2014, http://www.usni.org/
and Escalation, Survival, vol. 57, no. 1, magazines/proceedings/2014-07/
FebruaryMarch 2015, pp. 81104. new-era-naval-warfare.
3 Broadly speaking, we define cyber 9 The US government has never admit-
war as being destructive or harmfully ted that it was in collaboration with
disruptive; thus, it would not include Israel in attacking the computer
cyber espionage or cyber theft. program that controlled Iranian ura-
4 US Department of Defense (DoD), nium-enrichment centrifuges.
The Department of Defense Cyber 10 Chinese Defense Ministry spokes-
Strategy, April 2015, p. 2, http:// man Geng Yansheng, as quoted
www.defense.gov/home/fea- in Joshua Philipp, China Wars
tures/2015/0415_cyber-strategy/ of Internet Arms Race as US
Final_2015_DoD_CYBER_STRATEGY_ Military Starts Fighting Back in
for_web.pdf. Cyberspace, Epoch Times, 30 April
5 Ibid. 2015, http://www.theepochtimes.com/
6 See Oona A. Hathaway et al., The n3/1340042-china-warns-of-internet-
Law of Cyber-Attack, California Law arms-race-as-us-military-starts-fight-
Review, vol. 100, 2012, pp. 81786. ing-back-in-cyberspace/.
7 The difficulty of control potential 11 See Cavaiola, Gompert and Libicki,
28 | David C. Gompert and Martin Libicki