War Stories

Why the United States Can’t Win a Cyberwar

And our political leaders need to understand this—fast.

Wht role does cyberwarfare play in America's military future?
Wht role does cyberwarfare play in America’s military future?

Photograph by Paula Bronstein/Getty Images.

Sen. John McCain rarely ceases to boggle the mind. He did it again today, highlighting a provision that he inserted in the defense authorization bill requiring U.S. Cyber Command “to provide a strategy for the development and deployment of offensive cyber capabilities.”

“I am very concerned,” he stated, “that our strategy is too reliant on defensive measures in cyber space, and believe we need to develop the capability to go on the offense as well … I believe that cyber warfare will be the key battlefield of the 21st century, and I am concerned about our ability to fight and win in this new domain.”

Two strange things stick out in this statement—which, by the way, was not an off-the-cuff remark but a formal appendage to a report on the defense authorization bill by the Senate Armed Services Committee, where McCain is the top-ranking Republican.

First, where has McCain been for the last week or so? Newspapers and cable shows have been screaming with reports of President Obama’s cyber campaign to wreak havoc on Iran’s nuclear program. A new book, Confront and Conceal, by New York Times reporter David Sanger, reveals that the campaign is code-named “Olympic Games” and that it’s been going on for quite a while. That is to say, we have “offensive cybercapabilities” in spades. Since the establishment of U.S. Cyber Command, in 2009, the generals in charge have sought offensive capabilities explicitly.

Second, what does McCain mean by “our ability to fight and win in this new domain” of cyberwarfare? Does he have any idea what he’s talking about? Here, McCain is not alone in his vagueness; this is something that very few higher-ups seem as yet to have grasped.

McCain may be overstating matters in calling cyberspace “the key battlefield of the 21st century,” but it’s no exaggeration to view Obama’s cyber campaign against Iran—which has aimed to disrupt the country’s uranium-enrichment program through logic bombs, viruses, and other manipulations of its computer networks—as crossing a new threshold in modern warfare.

According to Sanger’s account, Obama was well aware he was treading new ground when he made his first breach, obtaining assurances from his commanders that the cyberassault on the centrifuges would have no effect on nearby hospitals or other civilian enterprises. This is good to know. It’s reminiscent of nuclear war games in the late 1950s and early ’60s, when the players tried to limit the attacks and retaliations so that the bombs and warheads landed only on military targets, not on population centers.

There are differences, of course. For one, nukes would have killed millions of people, no matter how “limited” the attack, whereas logic bombs at worst destroy enterprises (which, depending on the enterprise, can indirectly kill lots of people, but still, there’s a big difference). For another (and this is an astonishing thing), for the first decade of the nuclear age, the people in charge—from the White House to the Pentagon to the Strategic Air Command on down—had no interest in limiting the damage. As late as 1960, this was the official U.S. war plan: If the Soviets launched an attack on Western Europe or some other part of the Free World, even if they did so only with conventional armies, even if they didn’t fire a single atomic weapon, the United States was to unleash its entire arsenal of nuclear weapons against every target—civilian and military—in the Soviet Union, Eastern Europe, and China. This amounted to 3,423 nuclear bombs and warheads, totaling 7,847 megatons (or 7.8 billion tons) of explosive power, against 654 targets (a mix of military bases and urban-industrial factories), killing an estimated 285 million people and injuring 40 million more in the Soviet Union alone. (These numbers come from official documents that I got declassified while researching my 1983 book, The Wizards of Armageddon.)

This was the deadly math of what President Dwight Eisenhower called “massive retaliation.” In the late ’50s, a group of defense analysts, many of them at the RAND Corp., thought about ways to reduce the likelihood of nuclear war—specifically, to make a nuclear attack less tempting for the enemy to contemplate—and to limit the damage of such a war if it erupted anyway. When President John F. Kennedy took office in 1961, his secretary of defense, Robert McNamara, filled key positions with some of these RAND analysts—the “whiz kids,” as they came to be called—and translated their ideas into policy.

Some results: burying ICBMs in underground, blast-resistant silos, to make them less vulnerable to attack (thus making a nuclear first-strike less tempting in the minds of enemies); changing the war plan, to give the president a variety of options (for instance, enabling him to hit only the other side’s missiles and airbases, while avoiding its cities); and, later on in the decade, creating U.S.-Soviet forums where “confidence-building measures” and “rules-of-the-road” could be discussed (thus relaxing a broad spectrum of suspicions).

Cyberwar is very different from nuclear war: less destructive but also less tangible. Yet they’re similar in one important way: It is illusory to talk about “winning” either.

And this is where McCain’s vague talk of fighting and winning in the cyber domain gets a bit loopy. It’s not unlike the talk, common among Air Force generals in the 1950s and ’60s (and a few hyperactive civilian defense intellectuals in the Reagan era of the ’80s), of fighting and winning a nuclear war. (Think Gen. Buck Turgidson in Dr. Strangelove: “I’m not saying we won’t get our hair mussed, but 10 to 20 million [dead] tops!”)

The problem with the two wars is the same: We don’t have a monopoly of the weapons. At least by the early 1960s, if the United States had attacked the Soviet Union with nukes, the Soviets would have had enough nukes left over to strike back, if not precisely “in kind,” then with a degree of damage that any sane person would deem unacceptable. This was the heart of nuclear deterrence: You kill me, I kill you; therefore, you won’t kill me.

Actually, the situation for us is worse with cyberwarfare. Because our social and economic structures are far more dependent on computer networks than those in any other country, a major cyberattack would do far more damage to us. Therefore, the situation in the cyber domain is more like this: We hurt you; you cripple us. That being the case, an offensive cyber strategy amounts to a suicidal trap.

Two years ago, Richard Clarke, the former White House counter-terrorism chief, wrote a book called Cyber War that dealt precisely with these dilemmas. At the time, I wrote that it “may be the most important book about national-security policy in the last several years,” and I’d say it again, more forcefully, today.

Clarke meant the book, explicitly, as an attempt to apply the classic principles of nuclear deterrence—as laid out in such works as Bernard Brodie’s The Absolute Weapon, Albert Wohlstetter’s famous Foreign Affairs article “The Delicate Balance of Terror,” Thomas Schelling’s The Strategy of Conflict, Herman Kahn’s On Thermonuclear War, and William Kaufmann’s “Counterforce” briefings—to the impending cyber era.

His worry wasn’t (and isn’t) that the Chinese (or whoever) will one day, all of a sudden, set off the “logic bombs” that they’ve embedded throughout our computer-dependent power grids and financial networks—any more than the more sophisticated strategists of the 1950s and ’60s thought the Russians might, out of the blue, launch a nuclear first strike.

Rather, the issue is how foes might leverage their cyberwar assets to an advantage in a crisis—and what the United States needs to do, ahead of time, to nullify that advantage. For instance, let’s say China puts a move on Taiwan or the South China Sea—and threatens to trigger a power blackout in every American city if we interfere. In this sort of crisis, threatening to “retaliate in kind”—that is, to unleash John McCain’s “offensive capabilities”—would have little effect. What we need, Clarke wrote in his book, is “a credible defense,” which would cast doubt in the minds of potential attackers that their cyberattack would knock us out or paralyze the president with fear.

Clarke devised some modest proposals: for instance, requiring the largest Internet service providers to monitor traffic for logic bombs and tightening access to the power grid. Those seemed like no-brainers. Other, more ambitious ideas: negotiating a no-first-use agreement on cyberattacks; extending the Geneva Accords to ban attacks on purely civilian targets, such as power grids; establishing an international forum outlawing certain kinds of cyberattacks and requiring “obligations to assist” in finding and punishing those who had violated the code.

For the moment, none of this matters: Iran doesn’t have the cyberware to retaliate against “Olympic Games.” But it might someday, and meanwhile other nations do, as many as 20 of them according to Clarke, including potential foes that some future president might feel tempted to target with a cyber assault. Then these kinds of issues will matter, and it would be good to have thought them through and prepared.

According to Sanger’s book, Obama did think through some of these issues, attempted to limit the damage—not just for humanitarian reasons, but also to set a pattern, to send a signal, that if warfare is to start creeping across the other side of the cyber line, there should be limits. The targets should be strictly military and very precise, and here are some ways—he was showing everyone by his actions—to keep things limited.

There was no putting Einstein’s genie back in the bottle, and there’s no putting back the cyber genie, either. But the early nuclear strategists had ideas on controlling this genie, ideas that have relevance for the new one, too—except for one thing: nearly everything about the cyber genie is very highly classified. Everything was classified about the nuclear game, too, and the RAND strategists all had top-secret security clearances. But back in the late 1950s, if you were into nuclear strategy, there weren’t many job options that didn’t carry a security clearance. Now, though, the people who might have the most creative ideas on cybersecurity are making very big money in the commercial wings of the computer business. The best ideas aren’t going to come from large defense corporations; they’re going to come from a smattering of 25-year-old geeks fresh out of MIT or CalTech. The government has to draw their minds in, and the only way to do that is to ease up on the security regulations. Obviously, operational details have to be kept secret, but the ideas need to flow freely. Cyber Command needs to open up.

Here’s another area where John McCain is missing the point. He’s recently been pushing for hearings to investigate the leaking of Operation “Olympic Games” to David Sanger. It would be more useful—for McCain’s expressed goals—to hold hearings on how to lure the next Gates, Jobs, and Zuckerberg not just to expand the world of cyberspace but to help keep it secure.