Friday, September 5, 2008

CyberWar: A Threat Worth Considering

In the May 31 issue of the National Journal there was a report that speculation is growing throughout defense and security establishments that the recent blackouts in Florida and the Northeast, which occurred shortly after the US Navy demonstrated its ability to shoot down a satellite, was in fact caused by hackers emanating from China, specifically the PLA.

One can never be certain whether reports such as this are simple hysteria, or are based upon real evidence. Another rumor that circulated recently in the Pentagon was that the Southern California wild fires that destroyed so much near San Diego were actually set by Al Qaeda. As someone who spends a fair amount of time looking at terrorism data, I’d place that rumor in the possible but unlikely bin.

But the hacking rumor seems like it may have more substance. According to Tim Bennett, former president of the Cyber Security Industrial Alliance, U.S. intelligence officials have claimed that the PLA gained access to a network that controlled electric power systems serving the Northeaster U.S. Forensic systems analysis had confirmed that the sources was indeed the PLA.

Bennett’s claim was corroborated by a second information security expert, who said that the intention was probably to map the power system, but accidentally triggered the blackouts when they succumbed to a “what happens if I pull on this moment.”
Map the power system? Now why would they want to do that? The less paranoid may say that it’s because the Chinese have large infrastructure problems of their own and wish to learn how we do it. I suppose that’s reasonable enough, but it seems to me there’s plenty of ways to get our help on that legitimately. What’s more, then why would it be done by the PLA?

The Chinese have a tradition of asymmetric warfare, and have invested heavily in cyberwarfare initiatives. DoD and other government agencies have reported huge spikes in cyber attacks on all of their systems, as hackers attempt to gain access and compromise security. This is information that I can personally verify in that I’ve heard these claims come directly from the senior leadership of the Air Force.

But this information is not compartmentalized in the halls of the Pentagon. Representative Jim Langevine said that his staff has examined several hacker networks and claims that the results have shown that China is the primary concern for invasive hacking on American systems.

But the handiwork of Chinese hackers has not been limited to government. The private economic sector has been hit especially hard by cyber attacks. Businesses have related stories in which their Chinese counterparts already knew all of their bottom line positions and would open negotiations there. In 2007, while visiting Beijing, clandestine spyware programs were discovered on devices used by Commerce Secretary Carlos Gutierrez that were designed to remove information from those systems.

Stephen Spoonamoore, CEO of Cybrinth, a computer security firm, claims that executives from the Fortune 500 companies had document stealing code planted on their computers while traveling in China.

The attacks on the civilian sector have not gone unnoticed in Washington either. Because most of the infrastructure in the U.S. is privately owned, the government finds it difficult to compel operators to better monitor systems. Of further concern is that much of the security software unitized is designed by others, often off-shore. The concern is that the existence of backdoors or other problems may not become known until after the damage has been done.

The defense department declared for the first time in 2007 that attacks against U.S. Government sites have come largely from China. In March, Air Force General Kevin Chilton, chief of U.S. Strategic Command claimed that the Pentagon has its own cyberwar plan. In a statement to the Senate Armed Service Committee he asked appropriators for an “increased emphasis” on cyberwarfare in order to conduct “network warfare.” Currently the Air Force is in the process of setting up Cyberspace Command, comprised of 160 individuals at a handful of bases.

The issue has not escaped notice by the President. President Bush has crafted an executive order to layout out a broad plan to shore up government network defenses. This ambitious plan comes with an ambitious price tag of 30 billion dollars (the entire budget of Homeland Security is 50 billion).

Unfortunately, “The U.S. government doesn’t really have a policy on the use of these techniques,” says Michael Vatis, former director of the FBI’s National Infrastructure Protection Center. “They take place, and people have strong suspicions…. But as long as they’re not able to prove it, there’s very little that they can do about it. And so there’s often not as much outrage expressed.” I think this attitude is unfortunate, but it’s common. Because I spent a dozen years doing professional programming, I know several well placed IT professionals in industry and government. Few if any feel that there’s a significant threat.

Yet, if Chinese hackers are able to map our energy grids, and then shut them down by hacking into our systems, one has to wonder what else they’ve accomplished. It seems foolish that this threat should be taken as lightly as it is by the civilian sector especially.

In their now infamous book Unrestricted Warfare, by PLA Colonels Qiao Liang and Wang Xiangsui, the point is made unequivocally that cyberwarfare is an essential part of Chinese conflict planning with the United States. Russia has also shown the effectiveness of Cyberwarfare in their recent trysts in Eastern Europe. All of this begs the question, why is Cyber Command composed of only 160 people?

In the last round of SBIR RFPs issued by the DoD, there are several initiatives to find ways to train people on the threats of hacking and cyberwarfare. But unfortunately, no initiatives were present for training on how to combat it, or, more importantly, how to incorporate offensive and defensive cyber warfare measures into doctrine, planning, or strategy. So far it seems that the approach to cyber warfare is underdeveloped at best, criminally negligent at worst.

To relate all of this to wargaming, it seems to me that if the old SPI were around today, this is a warfare topic they’d be tackling. Joseph Miranda has made some efforts to design abstract games on the topic, but few seem that interested. This is unfortunate. Cyberwar may in fact be the number one warfare methodology in the 21st century, affecting us economically and socially, not to mention militarily. And, given the technological dependence of today’s armed services, it seems to me it should be a top concern for those involved in defense planning.

Lately I’ve seen several talented designers show interest in designing new games on NATO/Warsaw Pact conflict of the 1980s. I don’t get it. We stand on the verge of new vistas in the development and advancement of modern conflict doctrine, yet our best minds are preoccupied with the war that never happened. Our hobby has a legacy; one that placed our best designers of the 1970’s and ‘80s into professional positions of planning the real thing. Where is that legacy of designers today?

Cyberwar, it appears, is a reality, and one that is much more significant and threatening than most of us probably imagined. I encourage you, whether designer or player, to think about how we can incorporate cyberwarfare into our gaming lexicon. Someone, clearly, has to do it. Why not us?

Wednesday, September 3, 2008

Fourth Generation Warfare and All That

There is a debate out there as to whether the notion of Fourth Generation Warfare (4GW) as a theory is of any value. Dr. Antulio J. Echevarria, II recently published an article entitled Fourth-Generation War and Other Myths (http://www.strategicstudiesinstitute.army.mil/Pubs/display.cfm?pubID=632), in which he criticizes the idea quite emphatically. I contend that he and others miss the point.

I’ve read a fair amount of the 4GW literature, and to be honest, I’ve never considered it to be a theory, and by the strictest definition, it isn’t. From my perspective, it’s little more than a mnemonic used to describe general yet significant changes in the way warfare is conducted given the evolution of the international system (to include such things as globalization, modernization, proliferation, and whatever other “ations” you care to include). I think as a definition for that sort of concept, 4GW fares well enough.

To my mind, this is where Echevarria really falls down in his analysis. By elevating 4GW to the status of theory, from which, supposedly, we can derive propositions, generate hypotheses, test, and thus infer new conclusions, he undermines his own critique.

Broadly speaking, the crux of his argument is that 4GW as a theory (which it isn’t) is flawed primarily because is rests upon a poor understanding of history; the fallacy of nontrinitarian warfare, and the myth of Westphalia. To my mind this is sort of like saying that the theory of relativity is flawed because it rests upon the misconception of Newtonian physics. My point being that for relativity, the conception of Newtonian physics is irrelevant.

Echevarria claims that nontrinitarian warfare is a non-concept because trinitarian warfare is present in all forms of conflict and therefore is a non-concept in and of itself. The problem here is that the context from which Clausewitz was coming was that the only entities that mattered in the international system were states, who behaved as unitary actors (this concept is obviously borrowed from Realism, but it is applicable nevertheless). When he is referring to directing war towards some end, he is discussing war qua war in the political context. What 4GW conceives of as nontrinitarian warfare is the violation of the concept that war is being conducted for the political ends of the state. What people thinking in terms of 4GW are seeing in this context is the combination of weak governance and globalization/modernization pressures that have allowed the advent of non-state actors who conduct warfare in the transnational arena for transnational ends. While this sort of thing is not so new in the broad construct of history, it is certainly new to our era.

Echevarria then goes on to say that 4GW fails because it apparently relies on the notion that the modern state system sprung from the loins of Westphalia overnight. Why it would depend upon this being so he doesn’t explain. What’s more, I’m not aware of any such claim in the 4GW literature that I’ve read. I think this point is, frankly, a bit silly.

But the thing is, aside from the two cases above, Echevarria really doesn’t seem to have much to say about what 4GW is actually doing wrong. He makes the wild claim that anyone using the term is undermining their own credibility, but he makes no real case to substantiate it, and frankly the statement smacks of pettiness. He makes a brief case for the inaccurate prediction of 4GW analysts that non-state actor groups, rather than executing “Judo throws” are instead providing public goods to the groups they claim to represent. Somehow he seems to think that this very act he describes as contrary to the 4GW claim that non-state actor groups try to undermine government, does not in fact undermine government. Frankly, I can’t think of a better “Judo throw” than for a non-state actor group to provide a public good that the established regime cannot or will not provide.

In one paragraph he describes the use of traditional weapons used in Rwanda and Sudan as things that 4GW fails to account for. Yet this failure in accounting is simple to explain when you consider that 4GW as a concept is strictly Amerocentric, which is to say that it is addressing the asymmetric threat environment of the US, not the symmetric environment internal to third world countries. He also makes, what I think, is a serious gaff when he tries to say that 4GW’s assertion that US capabilities are designed to operate in the nation-state framework is incorrect because in the past the US has successfully operated under the constraints of alliances. It is clear that Echevarria does not understand that this is a level of analysis issue, and that alliances are part of the nation-state construct. What 4GW is saying here is that the US capabilities are ill-suited to deal with non-state actors, which they are, largely due to political constraints, but also due to issues involving the military industrial complex.

In his discussion of the third incarnation, he describes the sequencing of generations of warfare as artificial. Of course it is. If we were to take that as invalidation, then every theory we’ve ever held would be invalidated. But what he seems to misunderstand is that the generational concept is largely applicable to the evolution of doctrine more than anything else, and I think that evolution is quite distinguishable.

Finally, Echevarria makes several statements as counters to 4GW that are, frankly, empirically questionable. His insinuation of the relationship between terrorism and globalization has not panned out in empirical work, he seems to conflate globalization with modernization, which are different concepts, and he seems convinced that a theory is set in stone the moment it is conceived.

I suppose by now you see that I’m not a big fan of this paper. That said, I think he makes one good point, which is that there are some who are trying to operate within the construct of 4GW as something separate from traditional insurgency. I believe this is a mistake. In fact, I think it is a mistake to promote 4GW beyond simple mnemonic device for describing the conditions of modern insurgency and terrorism, and thus the need to address them from a new doctrinal point of view. Constrained to that, I think 4GW is an important concept. But it does not rise to the level of a theory, in my opinion.