The problem with the two wars is the same: We don’t have a monopoly of the weapons. At least by the early 1960s, if the United States had attacked the Soviet Union with nukes, the Soviets would have had enough nukes left over to strike back, if not precisely “in kind,” then with a degree of damage that any sane person would deem unacceptable. This was the heart of nuclear deterrence: You kill me, I kill you; therefore, you won’t kill me.
Actually, the situation for us is worse with cyberwarfare. Because our social and economic structures are far more dependent on computer networks than those in any other country, a major cyberattack would do far more damage to us. Therefore, the situation in the cyber domain is more like this: We hurt you; you cripple us. That being the case, an offensive cyber strategy amounts to a suicidal trap.
Two years ago, Richard Clarke, the former White House counter-terrorism chief, wrote a book called Cyber War that dealt precisely with these dilemmas. At the time, I wrote that it “may be the most important book about national-security policy in the last several years,” and I’d say it again, more forcefully, today.
Clarke meant the book, explicitly, as an attempt to apply the classic principles of nuclear deterrence—as laid out in such works as Bernard Brodie’s The Absolute Weapon, Albert Wohlstetter’s famous Foreign Affairs article “The Delicate Balance of Terror,” Thomas Schelling’s The Strategy of Conflict, Herman Kahn’s On Thermonuclear War, and William Kaufmann’s “Counterforce” briefings—to the impending cyber era.
His worry wasn’t (and isn’t) that the Chinese (or whoever) will one day, all of a sudden, set off the “logic bombs” that they’ve embedded throughout our computer-dependent power grids and financial networks—any more than the more sophisticated strategists of the 1950s and ’60s thought the Russians might, out of the blue, launch a nuclear first strike.
Rather, the issue is how foes might leverage their cyberwar assets to an advantage in a crisis—and what the United States needs to do, ahead of time, to nullify that advantage. For instance, let’s say China puts a move on Taiwan or the South China Sea—and threatens to trigger a power blackout in every American city if we interfere. In this sort of crisis, threatening to “retaliate in kind”—that is, to unleash John McCain’s “offensive capabilities”—would have little effect. What we need, Clarke wrote in his book, is “a credible defense,” which would cast doubt in the minds of potential attackers that their cyberattack would knock us out or paralyze the president with fear.
Clarke devised some modest proposals: for instance, requiring the largest Internet service providers to monitor traffic for logic bombs and tightening access to the power grid. Those seemed like no-brainers. Other, more ambitious ideas: negotiating a no-first-use agreement on cyberattacks; extending the Geneva Accords to ban attacks on purely civilian targets, such as power grids; establishing an international forum outlawing certain kinds of cyberattacks and requiring “obligations to assist” in finding and punishing those who had violated the code.
For the moment, none of this matters: Iran doesn’t have the cyberware to retaliate against “Olympic Games.” But it might someday, and meanwhile other nations do, as many as 20 of them according to Clarke, including potential foes that some future president might feel tempted to target with a cyber assault. Then these kinds of issues will matter, and it would be good to have thought them through and prepared.
According to Sanger’s book, Obama did think through some of these issues, attempted to limit the damage—not just for humanitarian reasons, but also to set a pattern, to send a signal, that if warfare is to start creeping across the other side of the cyber line, there should be limits. The targets should be strictly military and very precise, and here are some ways—he was showing everyone by his actions—to keep things limited.
There was no putting Einstein’s genie back in the bottle, and there’s no putting back the cyber genie, either. But the early nuclear strategists had ideas on controlling this genie, ideas that have relevance for the new one, too—except for one thing: nearly everything about the cyber genie is very highly classified. Everything was classified about the nuclear game, too, and the RAND strategists all had top-secret security clearances. But back in the late 1950s, if you were into nuclear strategy, there weren’t many job options that didn’t carry a security clearance. Now, though, the people who might have the most creative ideas on cybersecurity are making very big money in the commercial wings of the computer business. The best ideas aren’t going to come from large defense corporations; they’re going to come from a smattering of 25-year-old geeks fresh out of MIT or CalTech. The government has to draw their minds in, and the only way to do that is to ease up on the security regulations. Obviously, operational details have to be kept secret, but the ideas need to flow freely. Cyber Command needs to open up.
Here’s another area where John McCain is missing the point. He’s recently been pushing for hearings to investigate the leaking of Operation “Olympic Games” to David Sanger. It would be more useful—for McCain’s expressed goals—to hold hearings on how to lure the next Gates, Jobs, and Zuckerberg not just to expand the world of cyberspace but to help keep it secure.