Proceedings, Oct. 2012
How likely is it that a conflict between two combatants involving both kinetic and cyber operations would be an asymmetric one? And does the answer to that question depend on who the combatants are? In a kinetic scenario, the creation and “massing” of forces is often possible to observe. Whether it is the number of troops, warheads, or aircraft, one can physically monitor the activity. The buildup can be measured in days or weeks. Such a scenario involving state-of-the-art kinetic weaponry also needs a high level of expertise that only comes from years of education and training. One needs a well-funded organization to support this kind of activity.You can trace the kinetic matériel fairly accurately to its source, and the effects of a kinetic attack unfold over an observable period of time. You can watch and react to it. Defense is possible as long as you are sufficiently diligent and prepared with a response.
The cyber battlefield is different. First, you don’t need a factory or a military base or physical materials. You don’t need the same sort of education, training, and expertise. All you need is a computer, Internet connection, and the time and patience to learn about software, hardware, and network vulnerabilities. Anyone can learn about and create effective cyber weapons. That’s why non-nation-state combatants are the most common potential adversaries. The development of offensive cyber weapons is very hard to actually “see.” It might be occurring in the room next to you, and you’ll be unlikely to know it.
The task of attribution is also very difficult. The skills required to create a cyber weapon are the same as those that can make an attack nearly impossible to trace. Cyber operations are asymmetric in that the build-up to a confrontation may be undetectable, and once it has occurred, it could be impossible to determine its origin.
In cyber warfare, attacks occur at nearly the speed of light. You get little warning or time to react. The initial strike is likely to eliminate any effective defense, counter attack, or human response; only an automated defense would work quickly enough to have any effect.
Additionally, the viable lifespan of a kinetic weapon can be years, while a particular cyber weapon is only useful as long as the vulnerability in the target system remains in place. Once “patched,” the weapon becomes useless, at least on that target. So, again, the situation is asymmetric. Cyber weapons must be developed in secret and are in essence a “one-use-only” kind of weapon. Their mere existence is a carefully guarded secret. It’s hard to defend against a weapon you have not seen in action, nor been warned of the vulnerability that it is intended to exploit.
The actors in a cyber conflict need not be the usual nation-state groups, and even if they are, the build-up and execution of an attack would be difficult to detect. This form of combat is accessible to many potential adversaries—including those who have no kinetic capabilities. The combatant who dominates the kinetic arena does not necessarily do so in the cyber domain, and without the latter, it’s not clear who has the advantage. In short, the introduction of cyber capabilities to a conflict can render nearly any situation an asymmetric one.
What does all this mean for the United States? Are we in a perilous position with respect to our cyber capabilities? We belong to an elite group regarding our ability to initiate offensive capabilities. However, we are vulnerable when it comes to defense: If we are attacked first, the asymmetric nature of cyber warfare could limit our ability to prevail.
Why? Because the United States depends more heavily on network-centric systems—military, economic, personal—than do most other countries. We rely on networks for banking, electricity, air and rail travel, consumer goods distribution, communications, and defense command and control. A cyber attack on the United States would have devastating effects.
What’s to be done? We need to educate and develop a new generation of cyber warriors—experts who are much better at navigating the cyber battlefield than anyone else. We can’t know who will initiate the next major cyber attack or what it will be. But it will come. When it does, we’ll all be asking the same thing: How did this happen, and who’s going to “take care of it”? We need to educate the people who can tip the balance of the asymmetric nature of cyber warfare in our favor—and give them the tools and authority to do it. And we need it right now.