Cyberpower as a Coercive Tool in 2035

Although coercion by cyberpower alone may be limited today, if appropriate steps are taken, by the year 2035 cyberpower will be a useful coercive instrument of power. This essay explores the reasons why cyberpower is not coercive today, and ways it may become more coercive in the future. The cyber attacks employed against Estonia and Iran provide evidence cyberpower is currently not coercive, as do today‟s unique cyber attributes. Subsequently, many experts criticize the coercive ability of cyber tools, arguing the ability to quickly deploy countermeasures to a cyber attack, imprecise cyber tools, and lack of attribution; are all reasons why cyber may not be coercive. However, as technology continues to improve and proliferate, and cyber tools are further explored, just as in the early days of airpower, cyberpower may provide increasingly precise tools. Furthermore, increased attribution and weapons providing repeatable and reliable effects may emerge from a concerted investment effort. Therefore, the essay concludes, the United States should invest in forensics, repeatable tools, defense, and cyber models, simulations, and analysis to ensure dominance is maintained as cyber progresses toward a more coercive power. Introduction and Overview This essay explores the coercive force of cyberpower. Although coercion by cyberpower alone may be limited today, by the year 2035 cyberpower will be a useful coercive instrument of power. To describe the way cyberpower might become a coercive force, this essay is structured into three major parts. First, an overview provides key definitions, coercion concepts, and a coercion framework. Second, the current unique attributes of cyberpower are explored to provide the reader with a set of key cyber attributes applicable to cyber coercion, followed by some of historical examples, and current arguments to explain why cyber is not a coercive force today. Finally, counterarguments are proposed, and the paper concludes with a few conditions that might indicate how cyberpower will become more coercive, concluding with some recommendations. Cyberspace is increasingly important and complex. By one estimate, 95 percent of all United States government and military communications traffic is carried on private commercial communication lines. 1 In addition, 97 percent of the United States Gross Domestic Product (GDP) exists as “cybercash”, or virtual money, represented only by ones and zeros in cyberspace. 2 Cyberspace increasingly defines and controls key services such as communications, electricity, banking, military command and control, entertainment, information and news, supply chain management, business to business transactions, and government services. In fact, it is hard to imagine a single organization within the United States Air Force that could function efficiently for more than a day without access to cyberspace. For purposes of this essay, cyberspace is defined as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” 3 The definition of cyberpower is “the ability to use cyberspace to create advantages and influence events in all the operational environments and across the instruments of power,” where operational environments include air, land, sea, and cyberspace. 4 Furthermore, for the purposes of this essay, the “coercer” is the actor attempting to coerce another, and the “target” is the subject of the coercion attempt. Figure 1 below provides an overview of the coercion framework selected for this essay. Coercion is differentiated from “control” because coercion requires willing adversary cooperation, and control does not. Furthermore, coercion consists of both deterrence and compellence, with their associated definitions depicted in Figure 1. Since much has been written regarding cyber deterrence, this essay will focus more on compellence, but will not exclude deterrence considerations. Also, from Figure 1, coercion can be achieved using three methods; inducement, punishment; and denial. Since coercion requires a rational decision by the target of the coercion, a cost benefit calculus is provided at the bottom of Figure 1. If the target perceives the value of complying to be greater than the value to defy, the target is coerced. For each method of coercion, Figure 1 describes the aspect of the target calculus impacted. For example, denial affects the benefits of defiance by reducing these benefits. This taxonomy is usually not so clear in the “real world.” For example, one state may attempt to coerce another state by simultaneously using deterrence, compellence, inducement, punishment, and denial. Subsequently, given a specific “real world example” the type of coercion may be difficult to classify. However, the intent of the framework is not to provide a method to classify all cyber incidents, but rather to provide a mental framework with which to discuss cyber coercion in general terms. To provide a more complete framework, some differences between today and 2035 are described. Figure 1: Coercion Framework Technological Advancements Creating a Unique Environment in 2035 Key technologies are advancing at exponential rates, and will create a unique strategic environment in 2035. Hardware, bandwidth, nanotechnologies, and biotechnologies are appearing and available at accelerating exponential rates. 5 As a result, prices for new and advanced technologies continue to decrease, proliferation of these technologies continues to expand, barriers to entry continue to decrease, and as Thomas Friedman predicted, globalization expands. 6 Subsequently, capabilities once only available to powerful, well financed states are now increasingly available to small groups and even individuals. Therefore, several aspects of human life in 2035 may look unrecognizable from today‟s perspective. For example, given the rapid pace of technological innovation, as well as decreasing prices, it is conceivable that every manufactured or processed item (food package, clothing, accessory) may have an implanted, networked chip, and may provide services for tracking, information, and intelligence. These devices may provide instantaneous, integrated information to the user, but also may collect information on the daily activities of the user, making this information available for tailored experiences, data mining, or nefarious uses. Furthermore, information increasingly becomes a commodity in 2035, accessible to all through various methods and formats, and trending toward cyber omniscience: “the ability to conduct comprehensive intelligence collection on any [potentially] threatening cyberspace activity followed by near-simultaneous processing, exploiting and disseminating of the information.” 7 Subsequently, cyber “Familiars” or “Digital Twins” will be important to assist users to sift through large volumes of data, or provide decision aids. 8 Furthermore, as mankind nears Kurzweil‟s Singularity 9 , cyber coercion may be required at the state, group, individual, and artificial intelligence levels; requiring deterrence and compellence of both man and machine. To further determine how the cyber domain might look different in 2035, it is first useful to consider the unique aspects of the cyber domain today. Cyber as a Unique Domain At present, cyberspace is recognized as a unique domain with singular attributes. 10 These attributes describe the current aspects of cyber tools, but do not describe future implications for cyber tools, which will be explored later in this essay. There are seven unique characteristics of current cyber tools that should be considered. First, cyber tools are unique because they are highly perishable, rely upon system vulnerabilities which limit them to single-use use weapons and provide confusion between intelligence and attack. 11 Perhaps more than other weapons, cyber weapons rely upon system vulnerabilities to exploit. Consequently, many cyber tools used for attack are limited to a single use, or at best only a few uses. Once the tool has been used, the target of the attack can identify the vulnerability and take measures to correct it. Even if a tool has not been used, it is still possible for the vulnerability to be discovered and corrected, rendering the tool useless. As a result, cyber tools have very limited life spans. Therefore, attack options available to a commander may change from day to day, and from microsecond to microsecond as systems continually patch vulnerabilities. Furthermore, to gain an accurate understanding of current system vulnerabilities, intelligence gathering is critical, both Computer Network Exploitation (CNE) and Battle Damage Assessment (BDA). In some cases the same cyber tools can be used for intelligence collection and attack. This adds confusion over cyber intentions, and can expose vulnerabilities, which may then be corrected, negating the effect of the cyber tool. In addition, attacks can take place at near light speed, or lay dormant in wait at the risk of being rendered useless before they can be employed. These characteristics can dramatically shorten the commander‟s observe-orientdecide-act (OODA) loop. 12 Therefore, cyber weapons, because they are based on vulnerabilities, are highly perishable and present complications to the commander attempting to employ cyber tools. A second unique cyber attribute is the difficulty of attribution, and consequently, deterrence. 13 Attributing cyber attacks is difficult because attackers can spoof identities and tamper with electronic evidence. Furthermore, some cyber attacks are indistinguishable from standard system errors. A leading cyber strategy expert from RAND, Dr. Martin Libicki, describes the likelihood that an attack is visible as a function of the visibility of the effects, and the likelihood the effects will be assigned to a cyber attack. 14 Regardless of whether attribution is difficult because the coercer has taken steps to avoid detection, or the attack has been misattributed to another actor (or system error), attribution challenges lead to deterrence challenges. If the attacker is confident their identity cannot be known, or will be misidentified, they may also be confident retribution, if any, will be difficult. Therefore, in the attacker‟s calculus, if there is little risk of retribution, there is little risk the attack will result in unacceptable costs. A third unique cyber attribute is the strength of offense over defense. 15 In the other domains, defense normally has the advantage. In cyber, the cost of attack is relatively low compared to the cost to defend. 16 Therefore, over time, the offense can wear down the defense, or this cost-imposing strategy may cause the defense to expend disproportionate resources. A fourth unique cyber attribute is one it shares with early airpower; cyber can operate at the tactical, operational, and strategic levels simultaneously, however cyber effects are sometimes uncertain. 17 Because cyberspace consists of interconnected networks and systems, a change in one aspect may cause unintended effects in other parts of the “system” at all levels (many of which cannot be modeled or predicted). Therefore, cyber tools may not always be precise, and collateral effects may be hard to estimate. Similarly, obtaining cyber Battle Damage Assessment (BDA) may be more difficult than obtaining BDA in other domains due to less certain cyber effects. Fifth, cyberspace barriers to entry are low, so anyone, including non-state actors and even individuals can become major players in the cyber domain. 18 Dr. Libicki lists only five requirements: “talented hackers, intelligence on the target, exploits to match the vulnerabilities found through such intelligence, a personal computer of any comparable computing device, and any network connection.” 19 Since the entry costs are so low, counter proliferation is exceedingly difficult. 20 Therefore, once a vulnerability is exploited, it may be possible for many different actors to quickly gain access to tools used to exploit any real or perceived vulnerability. These tools may present strategic advantage, and coercion options once only available to the most powerful state actors may now also be available to individuals, presenting a myriad of asymmetric threats to challenge cyber defenses. A sixth unique cyber characteristic involves the difficulty to obtain dominance. 21 In fact, cyber dominance may not be possible, allowing only limited and transient superiority in and over specific areas. Similar to airpower, cyberpower does not permit the occupation of territory. 22 Furthermore, cyberpower is limited to a discrete segment of cyberspace, for a limited time (perhaps measured in nanoseconds). As previously discussed, the rapid correction of vulnerabilities presents additional challenges to maintaining cyber dominance. The final characteristic is that cyber is today primarily a weapon against cognition. 23 Cyber is primarily a man-made domain. 24 Although some initial indications of physical destruction are emerging, 25 to date no one has been killed by a cyber attack. Cyber As a Coercive Force Considering the current unique cyber attributes and limitations, today cyberpower is not coercive by itself. However, it may be possible by 2035 for cyber to reach a tipping point where cyber becomes coercive, similar to the rise of airpower over time. This section will begin by exploring two current historical examples, Estonia and Iran, which elucidate the limitations of cyber coercion 26 , followed by some generic coercion considerations, a few common criticisms of cyber coercion, and some possible ways cyber might become coercive in 2035. In 2007, Estonia relocated a statue, “The Bronze Soldier of Tallinn,” dedicated to former Soviet Union World War II war dead. 27 Although the resulting April 2007 Distributed Denial of Service (DDoS) attacks were never officially attributed to the Russian Government, most sources attribute the attacks to Russian patriotic sympathizers: one Estonian has been convicted in the attacks, 28 and at least one Russian Nashi youth leader, Konstantin Goloskokov, who was also the assistant to State Duma Deputy Sergei Markov, has admitted involvement. 29 Regardless of who was responsible, and although the DDoS attacks disrupted access to Estonian banks, parliament, ministries, and communication outlets, in the end the attack did not coerce the Estonian Government to replace the statue. An even more recent example of the limitations of cyber coercion is the 2010 Stuxnet attack on the Iranian nuclear development program. 30 Targeting the uranium enrichment centrifuges located at Natanz for what many believe to be a clandestine nuclear weapon development program, the Stuxnet virus attacked the Siemen‟s frequency converters, causing the centrifuges to spin faster than intended, causing damage. 31 Although many nations desire to disrupt the Iranian nuclear program, and although the attack was rather complex, exploiting four “zero day” vulnerabilities (vulnerabilities previously unknown), the attack has not yet been attributed. Again, regardless of the attacker, the end result may have delayed Iran‟s nuclear program, but did not convince the Iranian Government to stop spinning the centrifuges. 32 One compelling theory for why previous cyber attacks have not yet yielded the desired coercion: the attacker has not yet attacked all three aspects of Clausewitz‟ trinity. 33 This theory posits coercion is successfully only when all three elements of Clausewitz‟s paradoxical trinity are attacked: the people, the government, and the military. Applying this theory to the two historical examples seems to reach similar conclusions. Although the attack in Estonia targeted the Estonian Government, and the people to a lesser extent, the military was not directly targeted. Similarly, the Iranian Stuxnet attack was very tactical, and did not directly target the will of the people, the rationality of the Iranian Government, or the Iranian military. Consequently, in both cases at least one element of the Clausewitzian trinity was not impacted, subsequently coercion was unsuccessful. Furthermore, referring back to Figure 1, successful coercion consists of “capability X will X perception” in the perceived cost-benefit calculus of the coercion target. 34 For successful coercion, the coercer must have the capability to induce, punish, or deny, and the will to use its capabilities. In addition, the coerced must perceive the attacker‟s capability and will in a way that creates the desired cost-benefit. Even if an individual has the capability and the will to coerce a state, the state must correctly perceive the individual has the capability and the will, or else the state will not be coerced, perhaps out of ignorance if for no other reason. Given the difficulties with cyber attribution, and the perishability of cyber tools, cyber coercion today is a very difficult proposition. Criticisms of Cyber Coercion Many academics view cyberpower playing only a supporting role to the other instruments of national power (diplomatic, informational, military, economic), or as a supporting domain to the other domains. 35 Several arguments, including the ease of countermeasures to a cyber attack, imprecise cyber tools, and lack of attribution frame their perspective. Each of these arguments will be presented and countered. First, one reason critics believe cyberpower cannot be coercive is because countermeasures can be quickly created. For example, for a state to coerce another state, the threat must be made known in an understandable way. Once the coercion target is aware of the threat, associated vulnerabilities are revealed, and actions can be taken to create countermeasures to correct the vulnerability, negate the attack, or reduce the cost of the attack. 36 Therefore, proponents of this argument think cyberpower cannot be coercive as the very act of communicating the capability allows the coerced to discount or counter the foundation of the coercion. The ability to quickly mount countermeasures is a cogent argument as long as the underlying assumptions remain valid. This argument assumes that communicating coercive intent also gives away the underlying attack vector. While this may be true in some cases, precise communication, which is understood by the coerced without revealing specifics, may ameliorate some of these risks. In addition, this argument assumes the cyber quiver will remain as sparse as it is today. As technology continues to improve, and as cyber prowess increases, it may be possible to create a “system” capable of recommending and executing multiple attack vectors for the commander, to reduce the effectiveness of countermeasures. A second argument against cyber as a coercive force predicts the imprecision of the current tools will make cyber effects difficult to achieve. 37 As previously described, today‟s cyber tools are imprecise, and collateral effects are often difficult to predict given the interconnected, and ever changing, aspect of cyberspace. Therefore, this argument posits coercion will be difficult since linking a specific coercive cyber action with a specific effect is difficult. Furthermore, although the coercer may be able to link the action with the effect, if the target cannot make the same linkage, they will not be aware they are being coerced, may not engage in a rational coercion calculus, and probably will not respond as desired. For example, if a target misreads a coercive attack as simply a system error, the target will not perceive the coercion, and not respond to the coercer‟s demands. Again, if the underlying assumptions remain valid, this argument is very persuasive. However, as improved cyber technologies become available, it may be possible to increase the precision of cyber tools. For example, in the early days of airpower, attacks were also very imprecise. Over time, new technologies became available, such as the Norton Bomb Sight and precision guided weapons, which allowed ever increasing levels of precision. Consequently, if in 1920 the United States had attempted to threaten to sink another state‟s Navy using only airpower, the United State‟s lack of precision capabilities would likely have undermined its coercive intent. However, after Brig Gen Billy Mitchell demonstrated the sinking of the battleship Ostfriedsland on 21 July 1921, and subsequent technological improvements in the following decades, no nation doubts the United State‟s precision bombing capabilities in 2020. Although speculative at this point, a similar path may be possible for cyber tools. Over time, innovation by cyber warriors may increase accuracy, contain damage, and permit more precise effects. The third argument against a coercive cyberpower hinges on the difficulty of attribution. Currently attribution in the cyber domain is difficult, and so is deterrence. Since attributing attacks is difficult, the “perception” of the effects of an attack, or an impending attack, by the coerced becomes difficult as well. Similar to the argument regarding imprecision, if the mind of the target is unable to tie an event to the coercer, it will be difficult to affect the target‟s decision calculus, and thus coercion will fail. Again, as with the other arguments, over time technological improvements may negate some of these underlying assumptions. For example, forensic capabilities will likely improve, and so will attribution. Once attribution improves, the target will be able to link the coercion to specific events. However, technological improvements alone may not be required. A state may choose to divulge their actions to ensure the target will “connect the dots.” Although a declaration of responsibility does not always guarantee all parties will perceive the connection, a state may choose to publicly state their actions to manipulate the target‟s perceptions. Furthermore, the ability of a target to convincingly prove the linkages between the coercer and the coercive vectors may not always be required. For example, although Estonia has not been able to prove Russia was behind the April 2007 cyber attacks, if Estonia has enough evidence to convince itself Russia orchestrated the attacks, perfect attribution may not be required to push Estonia to take action. Factors Improving Cyber’s Coercive Power Therefore, after considering the arguments and counterarguments regarding the coercive aspects of cyberpower, transparency, improved attribution, and technological improvements seem to increase cyber‟s coercive power. In addition, several key indicators may elucidate the increase in cyberpower‟s coercive effects including the increase in transparency and attribution, better cyber technology, and an enhanced ability to simultaneously target all aspects of Clausewitz‟s paradoxical trinity. With improved transparency and attribution, an actor could improve punishment and denial, and deterrence in general. Furthermore, deterrence can be increased if bad actors understand they are being monitored 24x7x365. For example, the Angel Fire program provides a tactical battlefield commander with near continuous surveillance of the battlefield and TIVO-like ability to record and “rewind” the battlefield. 38 Likewise, extensive video cameras in major cities such as London might deter crime if the criminal assumes they are under constant surveillance and will be caught. 39 If a similar program existed for cyberspace, it might deter those who otherwise believe they can act with impunity, or at least collect the evidence required for prosecution, retribution, or private negotiations. 40 Over time, influence operations and other forms of cognitive influence may become easier as technologies improve, costs are reduced, and more people are able to “plug-in.” As more people have access and use the cyber domain, it will inculcate their lives. Increase in usage, and reliance upon, the internet, cell phones, and satellite radio and television, all provide avenues to conduct influence operations. As technology continues to increase and Cyber Familiars become pervasive, additional opportunities open for coercion and influence. Consequently, trust in the information presented continues to be a major issue. Another indicator cyberpower may increase its coercive abilities is the recent demonstration of the cyber domain influencing the physical domain. In March 2007, the Departments of Homeland Security and Energy conducted a test where researchers attacked the control mechanism of a power generator, causing physical damage and failure. 41 Although some of these specific vulnerabilities are no doubt being addressed, the test showed that cyber tools alone can reach beyond cyberspace into the physical domain. Further, as the world becomes increasingly reliant upon cyberspace, and even electricity in general, the tie between the cyber and physical domains will grow stronger, with ever increasing vulnerabilities. Forstchen‟s cautionary tale, One Second After, depicts a world immediately after an Electromagnetic Pulse attack destroys almost all electrical devices in the United States. Although not a cyber attack, effects could be similar. For example, with a loss in refrigeration, insulin supplies can run out putting diabetics at risk. Indeed, all the major comforts of modern life such as air conditioning, running water and sewer, and communications, could be disrupted for extended periods, even years. Since all of these technical innovations have expanded mankind‟s life expectancy, the removal of these items subsequently shortens life expectancy, and the very young and the elderly are likely the first casualties. As the world increasingly becomes more interconnected, it is not hard to imagine a blurring between the cyber domain and the physical domain, and the effects caused by the interaction between the two