You have heard the saying a thousand times, from friends in a local bar to inspirational management consultants justifying their $10k-per-day insights: if it walks like a duck, quacks like a duck, and looks like a duck, it must be a duck.

News sources and government officials tell us we live in a world of constant cyber attack. The Chinese attack us. Someone is attacking Iran. North Korea is being struck by Anonymous. America has an entire military command devoted to computer network defense, exploitation and attack. You’d think we are at Cyber DEFCON One, ready to launch our bots into the great cyberspace. After all, we are being attacked. We act like we are being attacked. Therefore, we must be at cyber war, right?

No one loves rhetoric and hyperbole more than me. Hell, that’s one of the great sets of tools in DC. In cyber world, however, this kind of talk is harmful and obscures the new world in which we really exist. We are not at war – we are in conflict, and some of the tools we are using cross interesting and controversial 20th-century political lines.

How the Duck Talks

The language you use to describe a situation reflects where you are in your thinking about it. We use Cold War language to bluntly describe our actions in cyber world. In fact, the Cold War thinking was much more subtle.

As a result of the clearly asymmetric Vietnam War and our loss there, an office exists in the bowels of the Pentagon called the Office of Special Operations and Low Intensity Conflict (SOLIC). While that sounds like the usual Pentagonese doublespeak, it is quite descriptive of what it does. It oversees and guides how we deal with physical wars that aren’t quite wars. They are likely guerrilla actions, perhaps done by small groups in small engagements over a long period of time.

From both a doctrinal and strategic standpoint, Herman Kahn, one of the founders of RAND and a great “Cold War thinker.” was always dubious about the use of the word war. He liked the idea of low-intensity conflict. He parsed it rather carefully, describing the 44 steps a nation might take before it arrives at total nuclear war. A fair portion of these steps have little to do with direct violence and more to do with feints, maneuvers, and small scales assaults of low-intensity conflict. Perhaps it is time we start thinking about conflicts in cyber space in the same way.

What the Duck Looks Like

So let’s start again. First of all, we are not at war. The current belligerence in cyber space ranges from the graffiti vandalism of blocking sites or defacing them to actually shutting down systems and ruining computers. This is not nuclear war. This is not conventional warfare. No one has yet to lose their life and the damage is usually fixable, if time consuming and expensive.

However, make no mistake, we are in multiple and constant states of low-intensity conflict in cyber space. The attack can be slow or fast, like guerilla strikes. They can differ by level of intensity from denial of service to the destruction of computers and their systems. And they are generally asymmetric, conducted with little cost, high publicity and often by non-nation state players.

This low-intensity conflict aspect has been the crux of the challenge of cyber space. Is this work for law enforcement or the military? And in the spirit of no border/boundaries in cyber space, is an attack on businesses and individuals a national security issue – even if committed by a nation state? For example, does China stealing documents from a space contractor constitute conflict with the United States?

How Do You Fight A Duck?

Early in the cyber conflict dilemma, an unnamed general at the Pentagon said we would put a bomb down the chimney of anyone who attacked our computers. A nice 20th-century sentiment; however, as I sit at my computer this morning, I cannot find an app for a chimney. Too bad – I like the smell of smoke.

In reality, the computer network attack (CNA) is harder than it sounds. You may drop a cyber bomb (a bot, for instance) somewhere and find its after effects reach far beyond its original attack point – collateral damage. The question remains, however, when to use it. That is a much more difficult question that still has the great cyber minds in the area of military and intelligence tied up. At what point is CNA too aggressive – beyond low-intensity conflict?

Finally, who is doing the CNA? So far, the vast expertise resides in the NSA, and there are excellent reasons for it given the complexity of the field and NSA’s superb base of people who understand the tactics and strategies.

A few of us are wondering, however, when is CNA a covert action? In other words, by our current standards, a covert action is a secret action taken by the President to carry out political, military, intelligence and law enforcement goals with plausible deniability as to where they originated. That has been CIA’s responsibility under the National Security Act of 1947. Is this now different in cyber space?

What Are Our Intentions Here?

The Cold War – the height of conventional, mechanical war – lasted for nearly fifty years. The first few years were a mess, with conflicting thoughts and actions on what to do when total destruction would dominate from a false move badly played. Yet, we developed doctrine and strategies that eventually framed the issue and led to some form of stability.

We need to think about cyber space the same way to make any headway toward providing stability in it. How do we frame this problem?

First, we need to develop a doctrine for America in cyber space. What is it America wants? Freedom of thought? Freedom of access? Freedom of use? America as protector of its people or projecting its power into cyber space?

Second, we must stop using the rhetoric and framework of 20th-century war. We need to think of conflict in cyber space as low-intensity conflict – bubbling hard but never boiling.

Third, we need to develop measured levels of response to cyber actions, including the use of law enforcement, intelligence and military – and sometimes the use of all three simultaneously.

Let’s hope somewhere there is a cyber-Herman Kahn who knows a duck when he sees one. Otherwise, we are going to continue to waste a lot of money, time and effort to no avail.

  • Dan Verton

    A reasonable doctrine seems like a long shot given that the way this issue is treated in Washington is largely based on the budget environment. During the surplus, Richard Clarke took on the cyber role and everybody kind of thought it was a demotion. Today, with every program potentially on the chopping block, all we here are tales of cyber Armageddon. Cyberwar = budget insurance. But the current messengers aren’t skilled enough to sound the right alarms without giving their hand away.