Army Gen. Keith B. Alexander, commander of the U.S. Cyber Command, center, arrives on Capitol Hill in Washington, Sept. 23, 2010, to testify before the House Armed Services Committee hearing on cyberspace operations.
"The Coming Cyber Wars"
Op-Ed, Boston Globe
July 31, 2011
Author: Richard Clarke, Faculty Affiliate, Belfer Center for Science and International Affairs
Belfer Center Programs or Projects: Explorations in Cyber International Relations; Information and Communications Technology and Public Policy; Science, Technology, and Public Policy
Obama's cyber strategy is missing the strategy
IMAGINE IF President Kennedy issued a nuclear war strategy in the 1960s that omitted the fact that we had nuclear weapons, B-52 bombers, and long-range missiles. What if his public strategy had just talked about fallout shelters and protecting the government? As absurd as that would have been, that is similar to what the Obama administration just did with regard to the nation's cyber war strategy. The strategy doesn't even admit that we have cyber weapons.
Under pressure from Congress and commentators to provide a strategy for how the new US Cyber Command will use its "cyber war fighters," the administration recently issued a strategy that was met with barely stifled yawns from cyber experts and military strategists. Apparently, that was the intent. The State Department wanted to avoid charges that the United States was "militarizing" cyberspace, or that we were the first to conduct cyber war (the attack on the Iranian nuclear facility at Natanz). And the White House wanted to avoid any public discussion of cyber war or our strategy to fight one.
What got issued were five "strategic initiatives." First, the United States will "treat cyberspace as a domain," but only for the purposes of organizing, training, and equipping. There is nothing in the initiative about treating it as a domain for war fighting.
Second, the Pentagon will employ new defense concepts "to protect" the Department of Defense. Apparently, those new concepts won't protect the rest of us. Third, Defense will partner with other departments and the private sector "to enable a whole of government cyber security strategy." It's not a "whole country" strategy, just government.
Fourth, the Pentagon will build "robust relations" with other countries.
Finally, Defense will "leverage ingenuity" to create an exceptional workforce and make rapid technology advances.
While it may be difficult to object to those platitudes, it is also hard to call them a strategy. For one thing, they don't even mention that the United States has an offensive cyber war capability. Somehow that was omitted from the 13-page unclassified document dribbled out by the Pentagon.
Retiring General James E. Cartwright, the vice chairman of the joint staff, worked on the strategy and has since said that the current approach of just trying to plug the holes in our networks does not punish attackers for their rampant cyber espionage against us. As head of US Cyber Command, General Keith B. Alexander has talked about a strategy of "active defense" that suggests that the United States engage in preemptive cyber attacks. Both generals have bemoaned the inability of the civilian departments and the private sector to defend critical US networks (like banking, electricity, and transportation) and have suggested the military may have to defend those networks.
Congress should demand answers to questions like: What is the role of cyber war in US military strategy? Is it acceptable to do "preparation of the battlefield" by lacing other countries' networks with "Trojan horses" or "back doors" in peacetime? Would the United States consider a preemptive cyber attack on another nation? If so, under what circumstances? Does US Cyber Command have a plan to seize control and defend private sector networks in a crisis? Do the rules of engagement for cyber war allow for military commanders to engage in "active defense" under some circumstances? Are there types of targets we will not attack, such as banks or hospitals? If so, how can we assure that they are not the victims of collateral damage from US cyber attacks?
That last question, about collateral damage, is no longer theoretical. The so-called Stuxnet cyber weapon, which attacked and destroyed nuclear centrifuges in Iran, escaped into cyberspace. This sophisticated cyber weapon was then captured by many computer experts around the world and is now freely available for anyone to download. It raises the specter of whether non-state actors will soon be able to engage in cyber war.
During his confirmation hearings, Secretary of Defense Leon Panetta voiced concern about the possibility of a "digital Pearl Harbor" that would cripple our electric power grid, banks, and transportation networks.
Now that he is in the Pentagon, he might want to suggest to the State Department and the White House that it is time to treat the American people like adults and have a real public discussion of our cyber war strategy.
Richard Clarke, an adjunct faculty member at Harvard's Kennedy School, is author of "Cyber War." He was special adviser on cyber security to President George W. Bush.