Why the cyber debate needs retired admirals and generals to stay out

OK, so the title may be a bit insensitive. A bit. But only until you read, yet again, what some of the best and brightest military minds have to say about cyber security:

In the early 1980s cyber fiction film, “War Games,” a young hacker played by Matthew Broderick almost managed to start World War III when he accidentally nearly launched nuclear strikes against the Soviet Union. It seemed unlikely in those relatively primitive days before the widespread use of the Internet, but it foreshadowed the emerging era of the profound intersection of national security and the cyber world.

Yes. War Games. Next thing you know Die Hard 4 is going to be used as an example of what state-backed organised crime can do right now! But fear not: “cyber threat” as understood by many outsiders is deeply divided in terms of capability and capacity.

On the one hand, it’s an volatile and unstable super-villain. A super-villain that can in mere seconds (not nanoseconds or even milliseconds: you’ve got to include network latency, you know) reduce modern, connected societies to medieval societies with hulking monuments to industrialisation and post-industrialisation. Those monuments, just before this catastrophic event, would’ve been known as factories, power plants, banks, …

On the other hand it is seen to be in its infancy: supposedly devoid of international rules, no treaties on how it should be used, no laws and regulations around the abuses and standard operating procedures, etc. At least in military mind’s view:

If we think of cyber as we did of aviation a little more than 100 years ago, we are just now on the beach at Kitty Hawk. In the cyber world, we have much yet to finalize. While some nascent structures and norms exists, we do not have functional equivalents for: precisely developed and institutionalized norms for air traffic control; airports operating under national and international regulation; well-defined international civil aviation routes; methods and means for military uses of air power; a civilian Federal Aviation Authority with broad jurisdiction and powers; or a Transportation Security Administration.

Thankfully most of us don’t think of “cyber” as we do of aviation, despite many trying to draw analogies between the two. The reason we don’t think of “cyber” as anything analogous to aviation is perfectly clear once the two are compared beyond surface details where supposed similarities lie:

  • Aviation takes place in space “owned” and controlled by nation states; cyber takes place in space “owned” and controlled by privately-owned organisations, publicly-owned organisations, universities, etc.
  • Aviation takes place in wide open spaces with no infrastructure that supports it. Cyber requires infrastructure and cooperation by infrastructure owners. Airplanes don’t just suddenly fall from the air because the owner of the space that they’re currently in decided to reboot the airspace.

If we subscribe to the thinking that “ownership is nine tenths of the law” we see why this analogy is going to fall flat on the face. Oddly enough it is generally military thinkers that draw analogies between aviation and cyber. Everyone else understands the constraints of the operating environment.

Let’s take a look at the rest of the article:

It is time we considered the creation of a US Cyber Force for many of the same reasons we needed a US Air Force.

First, it would immediately improve command and control in the cyber sphere.

This “deus ex machina” (some would say circular argument) is quite amusing. It betrays a “build it and they will come” thinking that assumes that just because there’s a team created suddenly the reality of the environment the team will operate in changes to meet the requirements of the team.

Second, the personnel systems that are used by the services — initial entry at a low level, uniformity of appearance, low pay, and an aversion to individuality — are a poor match for recruiting those most likely to have the skills and experience in the cyber world. A separate service would have the ability to train, equip, and organize cyber specialists.

Just how that will happen is left as an exercise for the reader. No, seriously, just more wishful and “build it and they will come” thinking. A separate service will require uniformity just as much as the current ones. Uniformity, coordination, team work. Nothing different to existing needs.

 Third, a focused and dedicated service, reporting to civilian leadership, would create true singularity of strategic purpose in respect to military operations — defense, intelligence, surveillance, and potentially offense — in the cyber world. Today, each of the services has a different approach in all these missions, and combining to a single service would allow unified operational focus.

So, about that need to appeal to those that have the aversion to “uniformity, low pay, conformity” … where did that disappear to between first and third point? There is a good reason that intelligence, offence, defence and surveillance are kept separate: because putting them together would result in a sum that’s lesser than the individual components. If it wasn’t so they would have been combined already.

Fourth, a US Cyber Service would be a single point of contact for the many and varied interagency and private-sector entities involved in the cyber world. As part of US Cyber Command, these professionals would have a shared culture, background, and sense of environment with the civilian partners, both public and private.

And we are back to the good old uniformity of thought, background, culture, and “sense of environment” thinking. The reason that military dabbling with cyber security fails is just that: lack of fresh thinking. So long as the western military thought leaders on cyber remain rigidly linked to uniformity they will lag behind those that have a more flexible approach.