As we move into the era of 5G networks and the Internet of Things, the challenge of keeping online systems safe and secure is growing ever more daunting. In parallel, the question of cyberwar is looming larger and larger.
But this is not a new problem. John Arquilla, distinguished professor of defense analysis at the United States Naval Postgraduate School, originally coined the term “cyberwar” over 20 years ago and remains one of the world’s leading experts on the threats posed by cyber technologies to national security. His recent book, “Bitskrieg: The New Challenge of Cyberwarfare,” discusses the state of cyberattacks and cybersecurity – and he finds the U.S. critically underprepared for the age of cyberwarfare.
In this interview, Arquilla discusses the future of cyberwar, the potential for cyber arms control, and how best to respond to cyberattacks.
You’ve been discussing cyberwar for 30 years — you even coined the term. But obviously the technologies involved, for both offense and defense, have evolved dramatically since the early 1990s. How has the cyberthreat landscape changed in the past few years, as the Internet of Things and 5G connections become the new normal?
Certainly the scale, pace, and complexity of cyber operations have increased exponentially since the early 1990s. And greater connectivity, especially of physical infrastructures built before the Web and the Net but now connected to them, makes them particularly vulnerable to disruptive malware and other, ever more subtle and hard-to-detect cyber weapons.
What hasn’t changed, however, is the fact that attackers still have a considerable edge over defenders, which foretells a period of more active, destabilizing cyberwarfare.
Cyberwarfare is sometimes thought of as an alternative to traditional warfare, but it could be a powerful force booster in a real-world conflict. As you outline, we’ve already seen glimpses of this, for example, in U.S. operations in Iraq and Afghanistan. Can you describe some of the ways cyber operations could be used alongside kinetic operations in a future war?
One use of cyberwarfare in a traditional armed conflict would likely be undertaken by adversaries of the United States and its NATO allies. War in waters off East Asia, for example, would see American aircraft carrier strike groups being struck by smart, often automated weapons – supersonic missiles, artificially intelligent mobile mines, and more – all while the sophisticated battle management systems upon which the U.S. Navy relies are hacked, crippling the operational tempo of the fleet.
It’s a bit like what happened in the “Battlestar Galactica” reboot; the battlestars that were “on the net” were rendered virtually inoperable by cyberattack as prelude to their destruction by the Cylons. Galactica only got away because it was disconnected.
You argue that cyberwarfare necessitates a rethink of the U.S. military: its strategies and tactics as well as even more basic elements like its organization. In your vision, what would a U.S. military adapted to cyberwarfare look like?
Instead of a military designed to operate with a small number of big things – carrier groups, air wings, army and Marine divisions and brigades – it would be a military of many small formations. Look at what just 11 Green Beret A-Teams (just under 200 soldiers) did in the fall of 2001: they drove the Taliban and al-Qaida from power in Afghanistan. Things only went awry in that sad land later on when the allied force got bigger, stodgier, and decided to remake the Afghan forces in the Western image. A fatal mistake, as we turned some of the world’s best natural warriors into one of the world’s worst armies, as we have recently seen.
My preference for a military of the “many and the small” is based on the belief that an information advantage – the true heart of cyberwar – coupled with swift, accurate weaponry coming from aircraft and other sources of supporting fires is the key to victory in the future.
What are the hopes for cyber arms control, especially as there are acute tensions between major players like China, Russia, and the United States? How can arms control initiatives deal with the role of non-state actors, who would not be bound by any treaty?
Twenty-five years ago, as I describe in the book about my meetings with the Russians, they were eager to engage in behavior-based cyber arms control. When I went to my Pentagon masters in support of this idea, the response was, “They only want this because we’re so far ahead.” Well, that situation has changed. Radically.
I’m glad that President Biden has rekindled the idea of exploring cyber arms control with President Putin. And I believe that President Xi, who discussed this idea with President Obama in 2015, can be brought on board as well. If the Big Three come to a behavior-based cyber arms control agreement, many other nations will fall in line as well.
With regard to nonstate actors, a world in which there is a “Cyber Arms Convention” is one in which they will no longer have safe havens in which to operate as, for example, the Internet Research Agency has had for years in Russia. There is only upside to the pursuit of cyber arms control.
How can states meaningfully respond to cyberattacks – like, say, the recent hack of Microsoft Exchange – in order to both mitigate the damage and deter future attacks?
It troubles me to hear a lot of loose talk about retaliatory cyberattacks. What if we’re wrong about who really mounted an attack? And even if we’re right, an escalatory series of cyberattacks can only hurt the United States more, as we have the most open and richest set of targets in the world.
I’m even more concerned about the talk regarding using traditional military force in response to cyberattacks, something to which even President Biden alluded recently when he said that a sufficiently serious incident might get us into a “shooting war.” Most dangerous. Far better to realize, as I argue in the book, that the United States is the world’s most imbalanced cyber power. We have terrific offensive capabilities but terrible defenses. Recent hacks and ransomware attacks should prompt serious redesign of our cyber defenses, not prompt counterproductive and highly destabilizing retaliatory attacks.