«Workshop held 9-10 January 2008 in Arlington, VA Prepared for US Strategic Command Global Innovation and Strategy Center (USSTRATCOM/GISC) Prepared ...»
Complexity theory as a branch of mathematics provides the means for analyzing and understanding the cyber domain. The elements of complex systems can be understood through engineering analysis of its infrastructure and social analysis of people’s behavior with cyber technology; these observable elements can be modeled in agent-based simulations to gain insight into how and why cyber technologies spread and what their likely effects on other social phenomena may be. Simple explanations and clear predictions about the cyber domain will not likely be forthcoming, but understanding the range of possible effects is. Another issue identified in the course of the workshop is that the cyber domain is both a manifestation of globalization (it would not be possible without globalization) and a facilitator (cyber connectedness clearly contributed to the globalization process). The cyber domain provides a self-reinforcing feedback loop that amplifies interconnectivity.
Deterrence in a Complex Environment The complexity of the cyber domain presents several challenges to deterrence, including identifying threats, the scope of deterrence and feasible effects.
The cyber domain is vast and multi-faceted. Consequently, potential threats one may wish to deter are many and to some extent unknown. This presents an unprecedented challenge to deterrence, especially when contrasted with Cold War objectives of deterring Soviet nuclear aggression. The next section, on possible cyber-based typologies, coupled with Chapters 3 and 5, outline the range of potential threats. These threats can be divided into two categories: threats in and to the cyber domain, and use of the cyber domain in a threatening manner.
Consequently, deterrence objectives can range from deterring certain uses of the cyber domain (e.g. for recruiting, passing information, attacking the cyber domain) to deterring attacks outside of the cyber domain, which may involve use of the cyber domain (surveillance, strategic communication, etc.). An important theme that emerged from the workshop was the need for policy makers to provide better guidance to operators in terms of what activities require deterrence. The knowledge of academic and government experts is vast and the talents of operators are formidable, but they require focus on the behaviors the USG wishes to deter.
Deterrence in the cold war was not only focused on a particular threat (nuclear war) from a particular enemy (the Soviet Union), but it was also based on a decision calculus that involved identifying what an adversary valued and holding it at risk so that an adversary would find greater value in avoiding actions we wished to deter (Zagare 2004). Given the range of adversaries and their differences in strategic calculus, such a straightforward approach to deterrence is no longer feasible (Bodnar 2003).
Deterrence now appears to lie on a continuum from traditional threats on an adversary’s values to influence operations aimed at denying adversaries support to shaping the battlespace so that Deterring VNSA in Cyberspace potential adversaries do not become threatening (Chesser 2007; USSTRATCOM 2006). This follows the idea of a Deterrence 2.0 presented in the opening summary of the report. Not only does such a range of possible activities present challenges for operations, but organizational coordination across military specialties (deterrence, information operations, PSYOPS, civil affairs) and agencies (DoD, Dept. State, others) will be necessary.
However, if the desire is to avoid reactive responses to crises, then it will be necessary to work proactively upstream of problems before they materialize. The concept of deterrence will have to be broadened and new working relationships will have to be forged to accomplish these new missions. We see this as consistent with former doctrinal approaches to preparing the battlespace (Joint Chiefs of Staff 2000) and newer concepts of preparing the operational environment (for example, Joint Intelligence Preparation of the Operational Environment, JIPOE).
Given that the cyber domain is a complex phenomenon in the context of a complex globalization process, and given that potential threats are ill-defined and to some degree unanticipated, it is fair to ask, “What feasible deterrence effects can one expect?” Globalization as a process and the spread of the cyber domain are complex, bottom-up processes. Therefore, they are probably largely out of any direct control (see Sub-Chapter 2B, by Robert Axtell). In fact, Axtell noted that VNSA as they are currently defined in this study “represent simply the latest stage in the development of a long line of technologically-enabled combatants with interests opposed to the system of states in which the actors find themselves.”9 Axtell also noted that “as global-reach of low-cost production brings high performance computing and fast Internet connections to great numbers of households around the world there is increasing confrontation of globalization’s urgencies with traditional cultural systems.” Such a clash aggravates both complexity and the likelihood of continued use of the Internet by VNSA to further their causes.
However, to the extent that their complexity is realized and appropriate analyses are employed, more effective means of dealing with specific problems can be designed. A useful analogy would be trans-oceanic sailing – success is defined not by controlling the ocean but by its successful navigation. We anticipate that successful deterrence in the cyber domain will involve strategic communication focused on specific, timely issues designed to influence audiences and potential adversaries; all of these elements, the issues, audiences and actors are likely to change.
As such, deterrence in the cyber domain will have to be sustainable (maintained through time) and adaptive (ready to change focus to address a new threat and prepared to employ new methods).
It is even possible that the US will expand the Deterrence 2.0 continuum to include building out and protecting cyberspace as part of its goal of staying “to the left of boom!” The United States is uniquely qualified in history to accomplish such an effect. Contributor James Fallows recounted from interviews of French, German, British and Danish officials in recent years when he asked them why America had less to worry about the dangers of home-grown terrorism.
Axtell further notes that the “cyber-domain and global economic integration lead to status disparities, and knowledge of such disparities, and this fuels anti-global movements.” This potentially fuels the fight of both disruptive forces and the use of the Internet and globalization to further the causes of VNSA.
Deterring VNSA in Cyberspace “America has absorbed most of its Muslim immigrants. It had been open to them. It had assimilated them. They didn’t feel estranged from American opportunity and the whole of the American idea. We could not possibly pay enough to provide the deterrence that the openness of our society does.” (Fallows, 2008) Despite the multiplicity of threats, expansion of the deterrence concept and varieties of effects, workshop panelists and participants did focus on several issues and guidelines for cyber deterrence in the 21st Century.
Guidelines Panelists discussed several substantive issues likely to be timely and useful for informing current cyber deterrence. These issues concern the transference of traditional communication to the cyber world, the juxtaposition of local and global issues, constraints on individual information processing, and future forces and untapped resources for cyber deterrence.
Panelists noted that in many ways, people use cyber technology to continue and even extend traditional means of communication; this is apparent as families use email and singles use online dating services to conduct the age-old business of respectively taking care of family and finding mates. Related to this continuity with traditional life is the fact that themes in cyberspace often are decidedly local – people discuss personal and political issues of the day that concern them in their corner of the world. For this reason, demography (e.g., young males with frustrated ambitions often flock to the Web to find direction and like-minded friends) and economics continue to be root drivers of Internet use and themes (Atran 2006; Conway 2007; Gruen 2007).
However, the anonymity and globalism of the cyber domain also provides unprecedented contact with people from around the world. This has led to the proliferation of universalist themes, such as global jihad or White supremacy, on the Internet (or even globalization in a more positive vein).
With so much information available in the cyber domain, issues of bounded rationality are more relevant than ever in analyzing how information is perceived and processed by users. Given the constraints on cognition, people will be forced to filter much information and decide and act upon only a small portion of it. Furthermore, with attention divided between traditional communication (which always goes on), cell phones, pod casts, and multiple email accounts, the time people have to deliberate on options is likewise more constrained than ever. Therefore analyses of decision making behavior in the cyber domain need to move away from traditional rational choice paradigms and their assumptions of complete information. In the highly interconnected cyber world we face, complexity almost guarantees that decisions will be made under conditions of incomplete information.
Finally, new forces are likely to play a profound role in shaping the future cyber domain, and new sources of expertise will be necessary for dealing with it. China contains a quarter of the world’s population and is rapidly modernizing. Concomitant with their development is increasing integration with the cyber domain by Chinese citizens, despite Chinese governmental efforts to control access. Future interests, trends and economic developments in China and elsewhere (e.g., India) are therefore likely to have a profound influence on the future of the cyber domain.
Deterring VNSA in Cyberspace Attendees to the workshop noted that middle-aged analysts and operators are unlikely to possess the cutting edge expertise on what is happening in the cyber domain or more important, what approaches may be useful for deterrence in this emerging world. However, our military (and even the US State and Justice Departments) already has many “Generation Y” young adults who were socialized with cyber domain savvy, and they and their civilian counterparts need to be more a part of discussions of deterrence in the cyber domain.
Example: The Cyber domain in the Arab World
The adoption of the Internet in the Muslim world has occurred in three phases: Phase 1, 1980s – Initial use by “technological adepts”, which included computer engineers, technicians, students and other professionals of the Muslim Diaspora in Western societies; Phase 2, 1990s – Activists engage the Internet for debate on religious texts, both fundamentalist and moderate; and Phase 3, Late 1990s – Engagement of both official religious spokespersons and audiences through blogs, etc., (Anderson 1997a, 2003a, 2007). Conway (2007) adds to this a fourth, post-911 Phase spearheaded by radical Islamic fundamentalists.
Anderson’s work is important because he identifies who the majority of Muslim users of the Internet are and what issues bring them to the net. In short, most users of the Internet are middle class professionals and students who seek the Internet for advice on being Muslim in a modern world. This includes many Muslims living in Western societies where they do not have a local Islamic community with which to interface, and what he terms the “internal diaspora” of Muslim professionals within Muslim societies who have few peers with which to interface (Anderson 2007). Anderson (2007) also stresses the complex alliances and networks that have been forged as Muslims have adopted and supported the Internet in uniquely non-Western ways. These alliances include governments (which are becoming less important), business and religious entrepreneurs, and a class of mobile elites with a global perspective.
As participants in the workshop noted, the primary users of the Internet continue to be middleclass folk with middle-class concerns that tend not to be radical, although they may be conservative. On the whole they will be receptive to messages that reinforce their conservative goals of maintaining the well-being of their lives and families in a manner consistent with the values they hold. This is an opportunity for positive strategic communications, provided that they are sensitive to the culture-specific and non-violent goals of much of the Muslim world.
This brief history of the Internet in the Arab world illustrates the complex nature of cyber domain adoption and the dynamic relations between key players. Consequently, the cyber domain in the Arab Muslim world, threats that may emerge from it, and deterrence measures will necessarily be fluid and changing.
Extending the Typology of Deterrence with Cyber Actors and Cyber Threats
Identifying who may use the cyber domain, what drives their motives, and how they go about using it requires collecting the right kind of information. This task is challenging for the cyber domain for several reasons. First, the military and intelligence communities do not typically collect information relevant to the broad range of technological, social and cultural variables related to non-state actors. Second, the complexity of the cyber domain, those that use it and Deterring VNSA in Cyberspace why, challenges any straightforward attempt to “get one’s arms” around the problem. Third, the cyber domain has emerged so recently that there is no canon of literature that adequately defines it. As part of this and other SMA efforts, we have developed a general social typology that at least guides analysts toward asking the right questions. A few examples of the diverse approaches to understanding cyber terrorism will illustrate how multifaceted this problem is.
The typology below illustrates how key variables identified by cyber terrorism researchers can be identified.
Non-state political activists have learned to use the Internet adroitly for a variety of purposes (Arquilla, et al. 1999; Lesser 1999). Conway characterizes terrorist use of the Internet in the
following 4 ways (Conway 2004:276):
• Use – simple use of communication and recruitment