Reading J.C. Wylie’s Military Strategy (the best book on strategy after The Art of Warfare that can be read in one sitting without a bladder of steel) inspired these scattered thoughts on cyber warfare:
Wylie argues that, “The aim of war is some measure of control over the enemy”:
The primary aim of the strategist in the conduct of war is some selected degree of control of the enemy for the strategist’s own purpose; this is achieved by control of the pattern of war; and this control of the pattern of war is had by manipulation of the center of gravity of war to the advantage of the strategist and the disadvantage of the opponent.
The successful strategist is the one who controls the nature and the placement and the timing and the weight of the centers of gravity of war, and who exploits the resulting control of the pattern of war toward his own ends.
The “strategy of the war” is the “pattern of action by which this control is sought”. I suspect there are three levels of control in cyber warfare. Each provides an increased degree of control over the enemy. Each moves the center of gravity further into the enemy’s turf. Each acts as a stepping stone towards greater levels of control. Following Unix’s lead, these levels of control are:
- Read: the power to get knowledge from knowledge infrastructure.
- Write: the power to modify the knowledge within knowledge infrastructure.
- Execute: the power to control given by control of knowledge infrastructure.
These lead to six sub-levels of control, three negative and three positive. The negative and defensive sub-levels are:
- Prevent the enemy from getting knowledge from your knowledge infrastructure.
- Prevent the enemy from modifying the knowledge within your knowledge infrastructure.
- Prevent the enemy from controlling you through control of your knowledge infrastructure.
The positive and offensive sub-levels are:
- Get knowledge from the enemy’s knowledge infrastructure.
- Modify the knowledge within the enemy’s knowledge infrastructure.
- Command the enemy through control of their knowledge infrastructure.
On all of these levels, control is won by manipulating the center of gravity. The center of gravity may be the knowledge that is kept. The center of gravity may be shaping knowledge in ways that yield advantage. The center of gravity may be the degree to which knowledge infrastructure, if subverted, controls the capacity to act.
Wylie identifies two types of strategy:
- Sequential: “war as a series of discrete steps or actions, with each one of this series of actions growing naturally out of, and dependent on, the one that preceded it. The total pattern of all the discrete or separate actions makes up, serially, the entire sequence of the war. If at any stage of the war one of these actions had happened differently, then the remainder of the sequence would have been interrupted and altered.”
- Cumulative: “a type of warfare in which the entire pattern is made up of a collection of lesser actions, but these lesser or individual actions are not sequentially independent. Each individual one is no more than a single statistic, an isolated plus or minus, in arriving at the final result…No one action is completely dependent on the one that preceded it. The thing that counts is the cumulative effect”.
The examples that Wylie gives of a sequential strategy and a cumulative strategy are both from the War in the Pacific during World War II. The first example is the island hopping campaigns conducted by Chester W. Nimitz in the central Pacific and Douglas MacArthur in the western Pacific. These followed a sequential strategy that started on the periphery of the Greater East Asian Co-Prosperity Sphere and inexorably moved island by island toward the Japanese home islands. The second example is the successful U.S. submarine campaign, a cumulative campaign in which, individual ship by individual ship and torpedo by torpedo, the Japanese merchant marine was sent to the bottom of the sea, strangling the economy of the Home Islands.
Since Wylie is a naval officer, he discusses maritime strategy at some length, enumerating two phases that must be passed through in order to achieve control over the enemy:
- “The establishment of control of the sea.”
- “The exploitation of the control of the sea toward establishment of control on the land.”
There are two levels of control that must be achieved in the first phase:
- “Ensuring one’s own use of the sea”.
- “Denial of the enemy of his use of the sea”.
The second phase can be exploited by projecting land forces ashore, the use of economic means such as blockade or interdiction of commerce, or through the enabling of political pressure, bribery, and fomenting internal rebellion in the enemy camp. Wylie uses Britain’s maritime strategy against the Corsican Ogre as an example of this. He argues that Britain won because of three factors:
- British pressure never let up. It was continuous around the periphery of the French Empire and any crack in the Continental System was economically exploited to the full.
- If the French were militarily vulnerable somewhere, the British would take military advantage of it. Wylie cites two examples: that of the Peninsular Campaign in Spain and Portugal, supplied from the sea, and that of James Saumarez, who surreptitiously negotiated a peace agreement with Sweden that freed the Russians to go to war against Buonaparte in 1812.
- Britain never made a single overarching plan to beat the French. It always kept flexibility and was able to exploit new opportunities as they arose.
Operating from the base of her firm control at sea, Britain and her allies continued their penetration of every crevice in [Buonaparte’s] armor until finally his structure fell at his heels. [Buonaparte] himself seems never to have realized that it was the ubiquity of Britain’s sea power that lent the repeatedly resurgent and finally victorious strength in the defeating of [Buonaparte].
Wylie argues that the close-in game is decisive (shades of Information Dissemination):
With respect to naval forces, a careful pondering of this question could, I believe, lead to a shift of emphasis from the blue-water reaches of the sea to the inshore soundings…I believe that a large proportion of our naval effort, particularly in the exploitation phase of the next war, must be put into tools and techniques that can seize and exploit control of the shoal and restricted waters along the enemy littoral and penetrating into the enemy territory…The problem concerns the maintenance and exploitation of control on inshore waters, a matter that I think was handled better [during the British War to Liberate Europe from Buonaparte] than it is today.
I see parallels between Wylie’s exposition of maritime strategy and cyber warfare fought within the current Internet architecture. This architecture is summed up in three principles:
- dumb core
- smart edge
- mesh network
The core network of the Internet is dumb. Core Internet routers are oblivious to the content of the traffic they’re carrying. They don’t care if it’s network diagnostic information, voice, pirated movies, the Great American Novel, or teens chatting. One packet is as good as any other. It’s not the router’s job to care. All that matters is routing the packet to its next hop.
The edge gets to decide what to do with all of these packets. A host connected at the edge can determine if, when, and how it will respond to incoming requests. Once it decides, it establishes a virtual connection over the network with other hosts. It’s then up to those hosts to reassemble the packets they receive into a web page, an email message, VoIP, or whatever else the end user desires. If packets are missing, a host can request them again from the host it’s chatting with. Quality assurance and interpretation of data are left to the discretion of the edge.
The Internet is a mesh network. It has no central hub like some network topologies and it isn’t a single string of connections where if one link goes down the links after it go down (hello 10Base2). It is a network where a substantial number of machines on the network are connected to each other by more than one route. Routing packets through the network is in many respects a hop-by-hop process. The packet never knows the entire circuit it will follow through the network (as it would under ATM). It reaches a spot and only at that point is the next hop decided upon. This means that a break somewhere in the network is usually detected and the nodes connected to it route traffic around it.
This suggests a few possible principles of cyber warfare:
- First, ensure your access to the core network.
- Second, deny your enemy access to the core network.
- After these yield control of the core network, exploit that control to gain the necessary degree of control over the enemy’s own network and knowledge infrastructure.
- The core network is blue water and the edge is brown water. Blue water cyber warfare capability can get you to the edge but only brown water cyber warfare capability can keep you there.
- Due to the mesh, the core network may be susceptible to sequential strategies of control but the edge is probably only susceptible to cumulative strategies of control.
- Command of the core network will enable ubiquitous projection of power into enemy networks.
- Command of the core network enables constant pressure on an enemy network and allows constant penetration of the enemy network.
- The ultimate form of cyber warfare may be strategically deploying smarts in the dumb core.