Why the United States Can’t Win a Cyberwar
And our political leaders need to understand this—fast.
Photograph by Paula Bronstein/Getty Images.
Sen. John McCain rarely ceases to boggle the mind. He did it again today, highlighting a provision that he inserted in the defense authorization bill requiring U.S. Cyber Command “to provide a strategy for the development and deployment of offensive cyber capabilities.”
“I am very concerned,” he stated, “that our strategy is too reliant on defensive measures in cyber space, and believe we need to develop the capability to go on the offense as well … I believe that cyber warfare will be the key battlefield of the 21st century, and I am concerned about our ability to fight and win in this new domain.”
Two strange things stick out in this statement—which, by the way, was not an off-the-cuff remark but a formal appendage to a report on the defense authorization bill by the Senate Armed Services Committee, where McCain is the top-ranking Republican.
First, where has McCain been for the last week or so? Newspapers and cable shows have been screaming with reports of President Obama’s cyber campaign to wreak havoc on Iran’s nuclear program. A new book, Confront and Conceal, by New York Times reporter David Sanger, reveals that the campaign is code-named “Olympic Games” and that it’s been going on for quite a while. That is to say, we have “offensive cybercapabilities” in spades. Since the establishment of U.S. Cyber Command, in 2009, the generals in charge have sought offensive capabilities explicitly.
Second, what does McCain mean by “our ability to fight and win in this new domain” of cyberwarfare? Does he have any idea what he’s talking about? Here, McCain is not alone in his vagueness; this is something that very few higher-ups seem as yet to have grasped.
McCain may be overstating matters in calling cyberspace “the key battlefield of the 21st century,” but it’s no exaggeration to view Obama’s cyber campaign against Iran—which has aimed to disrupt the country’s uranium-enrichment program through logic bombs, viruses, and other manipulations of its computer networks—as crossing a new threshold in modern warfare.
According to Sanger’s account, Obama was well aware he was treading new ground when he made his first breach, obtaining assurances from his commanders that the cyberassault on the centrifuges would have no effect on nearby hospitals or other civilian enterprises. This is good to know. It’s reminiscent of nuclear war games in the late 1950s and early ’60s, when the players tried to limit the attacks and retaliations so that the bombs and warheads landed only on military targets, not on population centers.
There are differences, of course. For one, nukes would have killed millions of people, no matter how “limited” the attack, whereas logic bombs at worst destroy enterprises (which, depending on the enterprise, can indirectly kill lots of people, but still, there’s a big difference). For another (and this is an astonishing thing), for the first decade of the nuclear age, the people in charge—from the White House to the Pentagon to the Strategic Air Command on down—had no interest in limiting the damage. As late as 1960, this was the official U.S. war plan: If the Soviets launched an attack on Western Europe or some other part of the Free World, even if they did so only with conventional armies, even if they didn’t fire a single atomic weapon, the United States was to unleash its entire arsenal of nuclear weapons against every target—civilian and military—in the Soviet Union, Eastern Europe, and China. This amounted to 3,423 nuclear bombs and warheads, totaling 7,847 megatons (or 7.8 billion tons) of explosive power, against 654 targets (a mix of military bases and urban-industrial factories), killing an estimated 285 million people and injuring 40 million more in the Soviet Union alone. (These numbers come from official documents that I got declassified while researching my 1983 book, The Wizards of Armageddon.)
This was the deadly math of what President Dwight Eisenhower called “massive retaliation.” In the late ’50s, a group of defense analysts, many of them at the RAND Corp., thought about ways to reduce the likelihood of nuclear war—specifically, to make a nuclear attack less tempting for the enemy to contemplate—and to limit the damage of such a war if it erupted anyway. When President John F. Kennedy took office in 1961, his secretary of defense, Robert McNamara, filled key positions with some of these RAND analysts—the “whiz kids,” as they came to be called—and translated their ideas into policy.
Some results: burying ICBMs in underground, blast-resistant silos, to make them less vulnerable to attack (thus making a nuclear first-strike less tempting in the minds of enemies); changing the war plan, to give the president a variety of options (for instance, enabling him to hit only the other side’s missiles and airbases, while avoiding its cities); and, later on in the decade, creating U.S.-Soviet forums where “confidence-building measures” and “rules-of-the-road” could be discussed (thus relaxing a broad spectrum of suspicions).
Cyberwar is very different from nuclear war: less destructive but also less tangible. Yet they’re similar in one important way: It is illusory to talk about “winning” either.
And this is where McCain’s vague talk of fighting and winning in the cyber domain gets a bit loopy. It’s not unlike the talk, common among Air Force generals in the 1950s and ’60s (and a few hyperactive civilian defense intellectuals in the Reagan era of the ’80s), of fighting and winning a nuclear war. (Think Gen. Buck Turgidson in Dr. Strangelove: “I’m not saying we won’t get our hair mussed, but 10 to 20 million [dead] tops!”)
Fred Kaplan is Slate's "War Stories" columnist and author of the book, The Insurgents: David Petraeus and the Plot to Change the American Way of War. He can be reached at firstname.lastname@example.org. Follow him on Twitter.