The Cyber Peril
The United States is completely unprepared to fight a cyberwar.
Richard Clarke's Cyber War may be the most important book about national-security policy in the last several years. It's about a threat that almost everyone has heard of, that almost no one understands, and that the U.S. government hasn't begun to address very seriously.
The threat, as the title suggests, is cyberwar, which Clarke—the White House counterterrorism chief under Presidents Bill Clinton and George W. Bush—defines as "actions by a nation-state to penetrate another nation's computers or networks for the purpose of causing damage or disruption."
The militaries of more than 20 nations, including the United States, Russia, and China, have set up special cyberwarfare units. The consequences of such a war, Clarke and his co-author Robert Knake maintain, could "change the world military balance" and "fundamentally alter political and economic relations."
And yet, they persuasively argue, the United States—which has by far the most sophisticated offensive cyberwar capabilities—would almost certainly lose the war, because our economic and military infrastructures are so dependent on computer networks and because we have done so little to protect those networks from a cyberattack.
The situation is reminiscent of the early years of the atomic age, when scientists had harnessed new technology to build a massively destructive new weapon but before a new kind of military strategist figured out how to think about that weapon in a rational way—which is to say, how to deter a nuclear war from breaking out in the first place and how to limit the war's damage if it can't be deterred.
Clarke means for his book to serve the same role in the cyber era that those strategists' works—Bernard Brodie's The Absolute Weapon, Albert Wohlstetter's "The Delicate Balance of Terror," Herman Kahn's On Thermonuclear War, Thomas Schelling's The Strategy of Conflict, and William Kaufmann's (still-classified but much-discussed) "Counterforce" briefings—served during the nuclear era.
He says as much explicitly. Clarke came up with the idea for the book in February 2009, when he attended a memorial dinner for one of those strategists, Bill Kaufmann, who'd been one of Clarke's graduate school professors at MIT. (The book is dedicated to him.) A few dozen of Kaufmann's former students from over the decades were at the dinner and, at one point, discussed how best to honor his legacy. Clarke decided that he would try to apply the principles of his thinking to the age of cyberthreats.
At this point, I should note that I was at this memorial dinner, too. Clarke and I were both students of Kaufmann's in the mid-1970s. Lest readers charge me with conflict of interest, I should add that, though we've stayed in touch off and on, we've never socialized. (I don't know his home phone number, where he lives, or anything else about his personal life.) Nor does Clarke—a justly best-selling author (for his exposé-cum-memoir Against All Enemies), unlikely folk hero (for his candid testimony before the 9/11 Commission), and presumably well-off security consultant—need me to boost his book sales.
In 1983, I wrote a book called The Wizards of Armageddon about the nuclear strategists, their ideas, and their influence. So Clarke and I do share an "interest" in exploring whether their intellectual concepts and legacies have relevance in post-Cold War conflict (cyber or otherwise). Clarke's book makes the case that they do, very much so.
Cyber War is two books in one, as reflected in its subtitle, The Next Threat to National Security and What To Do About It. Part of it is a frightening description of what cyberwar might look like and the potentially self-fulfilling steps that a couple of dozen countries are taking to prepare for it now. (Some accuse him of exaggerating; he might be, a little, but I see no reason to doubt the basic thrust, and it's worth noting that many in the Bush White House dismissed his warnings about al-Qaida in the first eight months of 2001.) The other part is a cool, methodical analysis of how to deter cyberwar from erupting and how to limit its damage if it can't be deterred—in short, an attempt to parallel what Kaufmann, Kahn, et al., were thinking while gazing into the abyss of nuclear war.
A little history. In the late 1940s and all through the '50s, the official American war policy was this: If the Soviet Union invaded Western Europe, even if it didn't use any nuclear weapons in the process, the United States would launch its entire arsenal of nuclear bombers and missiles against the USSR, its Eastern European allies, and Communist China. By 1960, when the Strategic Air Command formalized its first systematic nuclear-war plan—the Single Integrated Operational Plan, or SIOP—this assault would have involved firing 3,423 nuclear bombs and warheads, totaling 7,847 megatons of explosive power, against 654 targets (a mix of military bases and urban-industrial factories), killing an estimated 285 million people and injuring 40 million more in the Soviet Union alone. If a president wanted to launch a smaller-scale nuclear attack, the command-control procedures in place at the time made it nearly impossible for him to do so. (These numbers come from a once-Top Secret document that I obtained, while researching Wizards, under the then-vibrant Freedom of Information Act.)
The civilian strategists, many of whom worked at the RAND Corp. (which, at the time, was an Air Force-funded think tank), were appalled. Herman Kahn told a group of SAC generals after they briefed him on the SIOP, "Gentlemen, this isn't a war plan, it's a war orgasm." The problem wasn't just its immorality but also its irrationality.
By this time, the Soviets were building their own nuclear arsenals (even if not as rapidly as U.S. intelligence agencies thought). If we launched an all-out attack, killing hundreds of millions of civilians and destroying their industries, they would retaliate by launching their own all-out attack with whatever weapons they had left; or, perhaps anticipating our attack, they would launch one pre-emptively.
Similarly, today, the U.S. Cyber Command (which was set up just last fall) has put forth a "National Military Strategy for Cyber Operations," which emphasizes "dominance" in "offensive capabilities," in order to "maintain the initiative" (in other words, to "strike first") and ensure "strategic superiority."
Clarke asks the same questions that the nuclear strategists asked back in the 1950s: What if the nation we were attacking in cyberspace struck back or pre-emptively struck first? We'd be hurt at least as badly. So, what can we do as an alternative to avoid the nightmare choices of surrender or suicide?
The concern, as Clarke sees it, is not that the Chinese or whoever will, one day, out of the blue, set off the "logic bombs" that they've embedded throughout our computer-dependent electrical power grids, financial networks, and military communications systems, thus shutting us down as a modern economy and superpower—any more than the strategists of the 1950s and '60s thought that the Russians might, all of a sudden, launch a nuclear first strike.
The real issue is how potential foes might leverage their cyberwar assets to their advantage in a crisis—and what the United States needs to do, ahead of time, to nullify that advantage and to keep a cyberwar from severely damaging our economy or spilling over into a bombs-and-bullets war.
For instance, let's say China takes military action against Taiwan. Clarke asks, "What president would order the navy into the Taiwan Straits … if he or she thought that a power blackout that had just hit Chicago was a signal and that blackouts could spread to every major American city if we got involved?"
In this sort of crisis, the nuclear era's basic concept of "deterrence"—a threat of retaliation in kind—would have little effect, because America's power grid (like everything else electronic) is much more dependent on cyberspace and thus more vulnerable to a cyberattack.
What we need, Clarke writes, is "a credible defense," designed to cast doubt in the minds of potential attackers that their cyberattack will knock us out or paralyze the president with fear—at least enough doubt to dissuade them from launching the attack to begin with.
Taking our critical infrastructure offline is impossible at this point, but Clarke calls for a few reasonable steps. Among them: requiring the half-dozen largest Internet service providers to monitor traffic for logic bombs and other signs of intruders, tightening access to the power grid, and isolating Defense Department networks. These steps would involve federal regulations, which ISPs have resisted and all recent presidents (including, so far, Barack Obama) have eschewed.
He raises other intriguing possibilities: a no-first-use agreement on cyberattacks (at least for as long as a shooting war hasn't broken out); an extension of the Geneva Accords to ban attacks on purely civilian targets (such as power grids); and an international forum, similar to nuclear-arms-control talks, designed to reduce distrust, outlaw certain types of cyberattacks, and require "obligations to assist" in finding and punishing nations or private hackers who violate the code.
Meanwhile, Clarke calls on President Obama to find out what his Cyber Command generals are up to. In the early Cold War days, Gen. Curtis LeMay, the head of Strategic Air Command, had a plan to strike first if he saw the Soviets engaging in suspicious behavior, no matter what the president's policy might be. If Cyber Command is "preparing the battlefield" by laying logic traps all over the Chinese power grid, a step that Clarke thinks only eases the path to cyberwar in the event of tension (in the same way that German and French mobilization plans greased the skids to escalation in 1914), Obama should at least know about this, understand the implications, and stop the practice if he so desires.
When John F. Kennedy entered the White House in 1961, his secretary of defense, Robert McNamara, hired several RAND strategists as his assistants and had them prepare a memo to the Joint Chiefs of Staff, asking 96 questions about the nuclear-war plan. (The list became known as the "96 trombones.")
On the basis of the answers, he rewrote the SIOP in a way that tightened command-control procedures and, at least theoretically, allowed a president to avoid hitting cities and take "pauses" for possible negotiations to end the war. (Practically speaking, these efforts were probably chimerical, as McNamara and others eventually realized. Nukes are so destructive that it's a bit nuts to envision leaders calmly engaged in "controlled escalation" while megatons burst, fallout spreads, and communications links get zapped by an electromagnetic pulse. With cyberwarfare or, for that matter, conventional war, the idea of control isn't so loopy.)
Clarke, who knows very well about the 96 trombones, similarly asks 20 questions about cyberwar, among them: "What do we do if we wake up one day and find the western half of the U.S. without electrical power as the result of a cyber attack?" and "Do we envision the use of cyber war weapons only in response to the use of cyber war weapons against us?" and "How do we signal our intentions with regard to cyber weapons in peacetime and in crisis? Are they ways that we can use our possession of cyber weapons to deter an opponent?"
These are, as he notes, "pretty obvious questions," but, as he also admits, they're "not easy to answer," which might be why no American in a position of power has even begun to ask them. The big message of Cyber War is that it's time to start asking.
Fred Kaplan is Slate's "War Stories" columnist and author of the book, The Insurgents: David Petraeus and the Plot to Change the American Way of War. He can be reached at email@example.com. Follow him on Twitter.