Start your day with intelligence. Get The OODA Daily Pulse.
In Gaza, a tentative ceasefire has been declared. But the war in cyberspace continues. Israel and its adversaries have taken to the global cyber commons to wage cyberwar against each other, deploying crowdsourced information militias. The Israeli Consulate and the Israeli Defense Forces (IDF) extensively utilize Youtube and Twitter to make their case, boiling complicated questions of war and peace into 120-character bursts. A group of Israeli supporters set up a botnet that allows users to add their computers to a sheer mass of zombies attacking enemy servers.
On the other side, a pro-Hamas group with the rather unfortunate moniker “Team Evil” carried out lightning raids against pro-Israeli hacker groups using distributed denial of service attacks. Abroad, anti-Israeli protests are organized through Facebook, Twitter, and other participatory social networks. Nations and sub-state movements are increasingly using the Internet as a means of harnessing and weaponizing the patriotic rage of the common people—a rage that grows with each vitriolic blog post and mySQL hack.
Just as Napoleon channeled the revolutionary fervor of France to form a popular army capable of waging total war, combatants are increasingly creating a cyber levée en masse that mobilizes the power of the people to fight information warfare. Many of the Chinese hackers conducting “cyber-reconnaissance” of American networks are groups of hackers in service to the state as well as military personnel. Likewise, groups of patriotic Russian hackers, not the Kremlin, apparently carried out the massive cyber-attacks on Georgia.
With movements massing force in cyberspace for viral propaganda and debilitating denial of service attacks, Antoine-Henri de Jomini’s long-obsolete theories of mass and concentration have paradoxically been revived in cyberspace. Cyber-mobilization is a process of massing force against decisive points. Above all, cyber-mobilization is a popular form of conflict, not a bunch of elite soldiers typing away in cubicles trying to increase their unit’s Google pagerank. It thrives on public participation and dies without it.
Cyber-mobilization offers state and non-state actors three important advantages: movement-building, reach and discretion. Propagandizing or carrying out crude hacking attacks gives followers unable to pick up a rifle an ability to contribute and further emotionally bonds them to the cause. By incorporating the efforts of many different geographically dispersed users, cyber-mobilization also allows states and movements to multiply the combat effectiveness of their attacks.
And since civilians do all the hacking, states are insulated from retaliation. Should, say, Russia disable a crucial Pentagon network, it could always claim that the actions were carried out by a group of patriot hackers who got a little carried away. Given the dispersed nature of the Internet and the relative ease of anonymity, attributing attacks to specific individuals—and connecting those individuals to groups—will be difficult. Most importantly, there is a lack of consensus as to what constitutes cyberwar to begin with—the biggest barrier to cyber-deterrence.
If cyber-mobilization is a throwback to the era of Jomini, current military thinking about cyberspace is reminiscent of naval theorist Alfred Thayer Mahan. He argued in The Influence of Sea Power Upon History that victory goes to those who control the sea, and the method of controlling the sea is frontal battle with the enemy fleet. It is hard not to see the parallels to cyberspace here, as the ocean and the digital sea have many similarities, as today’s hackers are reminiscent of corsairs of old who raided from secure bases in hidden island atolls.
Like the sea, the digital ocean is a source of commerce, communications, and human connection. It also a launch point for attack. Navies used to carry out coastal raids called “descents” on port towns, and hackers try to use the Internet to launch raids of their own against vulnerable corporate and government servers connected to the global digital sea. Like Mahan, current military thinking focuses on controlling the information commons, achieving “information dominance” through an integrated combination of tactical, operational, and strategic capabilities.
But the concept of information dominance reflects a basic strategic misconception about the nature of cyberspace. As military analyst Robert Bunker writes, cyberspace exists in a different dimensional space than regular warfare. The fluid and dispersed nature of cyberspace makes it impossible for one power to dominate, as power in cyberspace ultimately derives from information and perception–much more malleable variables than traditional military measures of effectiveness. With everyone with an Internet connection theoretically capable of exercising influence over cyberspace, multilateralism is built into the infosphere’s balance of power. While it is possible to mass forces in cyberspace, as hacker militias demonstrate, maintaining mass and momentum is difficult.
Bloggers, hackers, and coders also tend to intensely skeptical of government organizations and have a habit of rebelling against even the slightest attempts at control. Ham-handed attempts to manage information degrade credibility in the infosphere—the currency of exchange for anyone seeking to exercise even the most basic forms of digital influence. Governments and militaries automatically start on the defensive whenever they engage in cyberspace due to their lack of credibility among users.
Perhaps the best example of the fallacy of information dominance is the idea of “carpet-bombing in cyberspace.” One thinker within the Army seeks to create a military botnet network that can be mobilized as a means of cyber-deterrence, overwhelming an enemy network with massive retaliation. In a narrowly tactical sense a military botnet might be effective. But upon closer reflection the idea collapses when faced with the attribution challenge and the FBI and Interpol’s legal responsibility for cybercrime. Georgia also defeated a botnet attack by simply hosting its government servers in the US, transporting its valuable data to friendly territory. Lastly, the brute force of a military botnet does nothing to win the battle of perception—a key part of information war.
Command and control warfare–military deception, computer network attacks, psychological operations, and electronic warfare–are absolutely essential to maintaining tactical and operational advantages. But an information strategy should not be predicated around destruction, which will be difficult in an era of dispersed, non-attributable hacker groups. Instead, cyberstrategy—like naval, air, and land power—must be integrated into an all-of-power grand strategy to advance American international objectives. This strategy must be one of positive ends.
Nearly a hundred years ago, T.E. Lawrence described the guiding principles of the Arab revolt against the Turks: “[S]uppose we were (as we might be) an influence, an idea, a thing intangible, without front or back, drifting about like a gas? Armies were like plants, immobile, firm-rooted, nourished through long stems to the head. We might be a vapour, blowing where we listed.” To succeed in the infosphere, America must turn away from information dominance and become an influence—a guiding current in the digital sea.