The Cyber Peril
The United States is completely unprepared to fight a cyberwar.
Richard Clarke's Cyber War may be the most important book about national-security policy in the last several years. It's about a threat that almost everyone has heard of, that almost no one understands, and that the U.S. government hasn't begun to address very seriously.
The threat, as the title suggests, is cyberwar, which Clarke—the White House counterterrorism chief under Presidents Bill Clinton and George W. Bush—defines as "actions by a nation-state to penetrate another nation's computers or networks for the purpose of causing damage or disruption."
The militaries of more than 20 nations, including the United States, Russia, and China, have set up special cyberwarfare units. The consequences of such a war, Clarke and his co-author Robert Knake maintain, could "change the world military balance" and "fundamentally alter political and economic relations."
And yet, they persuasively argue, the United States—which has by far the most sophisticated offensive cyberwar capabilities—would almost certainly lose the war, because our economic and military infrastructures are so dependent on computer networks and because we have done so little to protect those networks from a cyberattack.
The situation is reminiscent of the early years of the atomic age, when scientists had harnessed new technology to build a massively destructive new weapon but before a new kind of military strategist figured out how to think about that weapon in a rational way—which is to say, how to deter a nuclear war from breaking out in the first place and how to limit the war's damage if it can't be deterred.
Clarke means for his book to serve the same role in the cyber era that those strategists' works—Bernard Brodie's The Absolute Weapon, Albert Wohlstetter's "The Delicate Balance of Terror," Herman Kahn's On Thermonuclear War, Thomas Schelling's The Strategy of Conflict, and William Kaufmann's (still-classified but much-discussed) "Counterforce" briefings—served during the nuclear era.
He says as much explicitly. Clarke came up with the idea for the book in February 2009, when he attended a memorial dinner for one of those strategists, Bill Kaufmann, who'd been one of Clarke's graduate school professors at MIT. (The book is dedicated to him.) A few dozen of Kaufmann's former students from over the decades were at the dinner and, at one point, discussed how best to honor his legacy. Clarke decided that he would try to apply the principles of his thinking to the age of cyberthreats.
At this point, I should note that I was at this memorial dinner, too. Clarke and I were both students of Kaufmann's in the mid-1970s. Lest readers charge me with conflict of interest, I should add that, though we've stayed in touch off and on, we've never socialized. (I don't know his home phone number, where he lives, or anything else about his personal life.) Nor does Clarke—a justly best-selling author (for his exposé-cum-memoir Against All Enemies), unlikely folk hero (for his candid testimony before the 9/11 Commission), and presumably well-off security consultant—need me to boost his book sales.
In 1983, I wrote a book called The Wizards of Armageddon about the nuclear strategists, their ideas, and their influence. So Clarke and I do share an "interest" in exploring whether their intellectual concepts and legacies have relevance in post-Cold War conflict (cyber or otherwise). Clarke's book makes the case that they do, very much so.
Cyber War is two books in one, as reflected in its subtitle, The Next Threat to National Security and What To Do About It. Part of it is a frightening description of what cyberwar might look like and the potentially self-fulfilling steps that a couple of dozen countries are taking to prepare for it now. (Some accuse him of exaggerating; he might be, a little, but I see no reason to doubt the basic thrust, and it's worth noting that many in the Bush White House dismissed his warnings about al-Qaida in the first eight months of 2001.) The other part is a cool, methodical analysis of how to deter cyberwar from erupting and how to limit its damage if it can't be deterred—in short, an attempt to parallel what Kaufmann, Kahn, et al., were thinking while gazing into the abyss of nuclear war.
A little history. In the late 1940s and all through the '50s, the official American war policy was this: If the Soviet Union invaded Western Europe, even if it didn't use any nuclear weapons in the process, the United States would launch its entire arsenal of nuclear bombers and missiles against the USSR, its Eastern European allies, and Communist China. By 1960, when the Strategic Air Command formalized its first systematic nuclear-war plan—the Single Integrated Operational Plan, or SIOP—this assault would have involved firing 3,423 nuclear bombs and warheads, totaling 7,847 megatons of explosive power, against 654 targets (a mix of military bases and urban-industrial factories), killing an estimated 285 million people and injuring 40 million more in the Soviet Union alone. If a president wanted to launch a smaller-scale nuclear attack, the command-control procedures in place at the time made it nearly impossible for him to do so. (These numbers come from a once-Top Secret document that I obtained, while researching Wizards, under the then-vibrant Freedom of Information Act.)
The civilian strategists, many of whom worked at the RAND Corp. (which, at the time, was an Air Force-funded think tank), were appalled. Herman Kahn told a group of SAC generals after they briefed him on the SIOP, "Gentlemen, this isn't a war plan, it's a war orgasm." The problem wasn't just its immorality but also its irrationality.
By this time, the Soviets were building their own nuclear arsenals (even if not as rapidly as U.S. intelligence agencies thought). If we launched an all-out attack, killing hundreds of millions of civilians and destroying their industries, they would retaliate by launching their own all-out attack with whatever weapons they had left; or, perhaps anticipating our attack, they would launch one pre-emptively.
Similarly, today, the U.S. Cyber Command (which was set up just last fall) has put forth a "National Military Strategy for Cyber Operations," which emphasizes "dominance" in "offensive capabilities," in order to "maintain the initiative" (in other words, to "strike first") and ensure "strategic superiority."
Clarke asks the same questions that the nuclear strategists asked back in the 1950s: What if the nation we were attacking in cyberspace struck back or pre-emptively struck first? We'd be hurt at least as badly. So, what can we do as an alternative to avoid the nightmare choices of surrender or suicide?
Fred Kaplan is Slate's "War Stories" columnist and author of the book, The Insurgents: David Petraeus and the Plot to Change the American Way of War. He can be reached at email@example.com. Follow him on Twitter.