Released 27 April 2022.
The lessons of counterinsurgency have deeper implications for cyber conflict than previous research has identified. Two decades of experience in Iraq and Afghanistan provide insights into the cyber strategy of defending forward, including treating major cybersecurity and technology companies as host-nation partners and focusing on winning the hearts and minds of global netizens.
Keywords: cyber conflict, counterinsurgency, Iraq, Afghanistan, cybersecurity
Stephanie Crider (Host)
Welcome to Decisive Point, a US Army War College Press production featuring distinguished authors and contributors who get to the heart of the matter in national security affairs.
The views and opinions expressed on this podcast are those of the podcast guests and are not necessarily those of the Department of the Army, US Army War College, or any other agency of the US government.
Decisive Point welcomes Dr. Jason Healey, author of “A Bizarre Pair: Counterinsurgency Lessons for Cyber Conflict,” featured in the autumn 2020 issue of Parameters. Healey is a senior research scholar at Columbia University School for International and Public Affairs, specializing in cyber conflict, competition, and cooperation. This episode of Decisive Point reexamines Healey’s article through the lens of Russia and Ukraine.
The guests in speaking order on this episode are:
(Guest 1: Jason “Jay” Healey)
Welcome back to Decisive Point, Jason. Let’s talk about your 2020 article “A Bizarre Pair: Counterinsurgency Lessons for Cyber Conflict.” That is a bizarre pair. Can you lay the groundwork for us, please?
Sure, absolutely. Cyber has long been realized, back to at least the early 90s, as an interesting method of irregular warfare.
Some of the very first writing on this—people like John Arquilla and Dorothy Denning and Winn Schwartau—would write about how technology-dependent societies are going to be open to asymmetric attack because of these cyber vulnerabilities and cyber capabilities—especially the United States, which has historically had these oceans, and we didn’t have to worry about direct attack—that adversaries could use cyber as irregular warfare to affect us. In fact, we could use cyber as irregular warfare against them. We could have advantages by being a high-tech power.
And so that aspect had been relatively well written about. The effects of it were maybe exaggerated; we thought maybe cyber would have more impact then, in the 90s, than we do 20-odd years later. But the ideas were relatively well baked.
What I was trying to do with this article is to flip that around—to say, we’re 20-plus years into fighting irregular warfare ourselves, especially counterinsurgency and civil wars, so what can we take from those hard-won lessons? To think and apply them to fighting and winning in cyberspace.
You laid out some pretty specific lessons. Can you walk us through those? What lessons can cyber take from counterinsurgency?
The lessons that I took—of saying, “Boy, what can we learn about how to win in cyberspace based on the lessons from irregular warfare”—really fit in three areas.
The least interesting, I thought, was on deception: For both cyber and irregular warfare, the attackers are relying on deception to succeed. That was a parallel, but I wasn’t quite sure what we take from that. The other two, I thought there were stronger recommendations.
First is that cyber conflict really depends on the host nation. Now, the host nation in this case isn’t an actual nation; it is the technology companies, the main cybersecurity companies that are out there. And they are creating and maintaining the terrain of cyberspace. I had helped set up the very first cyber command back in 1998. One of my friends from there went on to Verizon. And he said, “Jay, every day at Verizon and the other big tech companies and carriers, we are creating new cyberspace. We can bend cyberspace if we need to.” And governments and militaries can’t do that.
The US military is great at spying and shooting back and maybe sharing information that we’ve learned from spying. But that’s about it. Whereas these companies—the Verizons, the AT&Ts, Deutsche Telekom, PCCW, CrowdStrike, Mandiant, Microsoft, Google—they have this incredible role that they can play that is really—you could think about it as supported command, or, with a different mindset, as the host nation. They can do things. And it’s almost always better for them to do it than for the military to do it themselves.
So one lesson was on deception. The other was the role of the private sector as host nation. The third was to me less clear, but, I think, suggestive. And that’s the role of firepower.
In a normal military fight, such as in Ukraine in 2022, more firepower is a pretty good thing. For example, for the Ukrainians, more firepower leads to better battlefield outcomes. And yet we’ve learned over 20 years that’s not always true when you’re in a civil war or you’re in an insurgency. Applying more firepower might create more enemies than you’re taking off the battlefield. It’s not always true; we don’t always know where it’s true or not. And that may be true for cyber conflict.
It might be true that if we say, “Oh, look at what the Russians are doing; look at what the Chinese are doing. This is unacceptable”—our unleashing the military, our giving fewer rules or looser rules of engagement, fewer points and fewer reasons for them to have to check into the White House for oversight, less having to check back to say, “Hey boss, I’ve got this shot. Do you want me to take it?”—that might help us impose friction on our adversaries, which is the current military strategy. Defend forward, persistent engagement: That might be successful in winning particular tactical engagements. But it might not be correlated to actually winning in cyberspace. And in fact, past a certain point, it might be negatively correlated, and, by taking these shots, we are causing them to just build back better. Because in cyberspace, it looks like offense is relatively inexpensive. So by pushing back hard, it might just engender a reaction where they come back worse. Or we’re taking these shots, and the shots we’re taking are on allies. We’re taking down Russia, but they happen. Now, in the military, we call it gray space. But gray space means computers in Germany and Amsterdam and Thailand and Japan or in India—countries that we would like to be on our side. But by using the euphemism of gray space and applying military power, by taking these shots and by defending forward, we might not be convincing these countries that we have their best interests at heart.
Thank you. You also offered several recommendations for going forward. Can you address those for us here?
The first one is a point that I’ve been making for a while.
I had written the first military history of cyberspace, the kind of thing I would have liked when I was a military officer. One of the ways we learn how to be good at what we do is by learning history. I mean, that’s what makes institutions like yours so great: We look back at history to teach officers today. What would you do if you were walking the fields of Gettysburg? How would you handle this?
So, I did this military history of cyber conflict, and it astounded me that almost zero cyber conflicts were ever decisively resolved by government—any government anywhere, much less by militaries. The only exceptions were where it was only the military or government itself that was being affected. Every other case where it was a larger cyber conflict, it was always the private sector—and I’ll stick by the word “always”—that was able to decisively resolve the issue.
So, to me, we’ve got a significant lesson to learn: How can the military, if it wants better solutions than this, how can it work with buy-in through the host nation of these technology companies that are in the position? To switch the metaphor, there are nine players on the field; when the ball is hit, it’s almost always going to be a company in the private sector that’s in the position to make the play.
Now they might not be able to see the ball very well when it’s hit to them. We can help with intelligence. They might not have the skills to make the play. We can help with that. We can do exercises. We can help. They might not have a glove. That’s OK. We can help them with capabilities.
But what we shouldn’t do—and this is what (the National Security Agency or) NSA did for years and (United States) Cyber Command did for years—was trying to push them out of the way and say, “I’ve got it. I’ve got it. The US government, the US military is here. And we will make the play. This play will be made at Fort Meade, Maryland, and your job is just to share information with us and tell us about the problem.”
Now, that gets to a big civil-military relations issue. Because in the military we are not trained to think about civilians, the private sector, in a way that says they play a critical role in fixing this. It just doesn’t fit into that (Samuel P.) Huntington role of what a professional officer does and what the role of the military does. So we’ve got this substantial civil-military issue to try and get our enlisted, our officers, and especially our general officers to see this issue differently and to see the private sector as allies; to not denigrate them as just, “Well, they only want profit. But we in the military, our values are better because we’re out for national security, and they’re just out for profit.” It’s not a helpful attitude.
Let’s apply your article and all the things that we’ve talked about to Russia and Ukraine, China and Taiwan. What are your thoughts on that?
The article, I think, is a bit less useful for Russia and Ukraine. Because there, it’s not irregular war; it’s real war. So, we have to switch to the mindset of saying, “OK, under what circumstances can cyber be effective on the battlefield? What missions is it able to do well, and what can we expect next?”
Many of my colleagues have been a bit mystified that cyber hasn’t played a better role, more of a role, on the Russian side. And for the most part, I think that mysticism of why the Russians haven’t been better at cyber is pretty similar to why they haven’t been effective at anything. It’s not like they’ve been so great in Ukraine, and their air forces work, and their armor is working. Well, no, they’ve been suboptimal—which is academic speak for “They stink”—across almost every single one of their missions. Maybe artillery would be an exception.
And so, perhaps it’s no surprise that cyber hasn’t been as effective as we would have thought. They didn’t do the preparation necessary for cyber capabilities to have the effect. They didn’t do that preparation because many of them didn’t know a war was coming. And even if they did think a war was coming, they thought it was going to be fast.
So now where I think you’re seeing many of the cyber experts looking is, “OK, we’re waiting for the other shoe to drop,” now that the sanctions are hitting, now that Russia’s economy is disentangled from that of the West. Beforehand, why would Putin ever want to disrupt the energy markets of the West or the financial system of the West? Well, now, he might as well do it. Because there’s not going to be any blowback on him.
So, I think if we don’t see those kinds of attacks in the next three to six months, we’re going to have to really question whether cyber has the potency that we thought it did—at least in 2022. Now, for those that argue cyber is irregular warfare or for cyber as irregular warfare, boy, there’s a ton to learn on this. The Ukrainian (information technology or) IT army, one of their digital ministers is daily coming out and nominating targets for Ukrainians and non-Ukrainians to attack. And many of those targets aren’t just Russian; they’re grocery stores that are still operating in Russia. Wow, a lot of lessons for people that want to study cyber as a tool for asymmetric warfare!
What about China and Taiwan?
Well, I think the arguments that I make in that article are best under certain geopolitical conditions. Because whenever we look at “OK, is cyber escalatory or not? Is cyber effective or not? Does it help you coerce an adversary or not?” It comes down to “OK, well, are you in a state of crisis or a state of relative peace?” And I think we as scholars haven’t been good at analyzing those conditions. So I think there’s a lot of case there on how China has been using cyber as a tool of asymmetric warfare against Taiwan.
Are there lessons based on my article for can Taiwan succeed, you know, being informed by irregular warfare and how they respond? Possibly. I think the argument, for example, about the host nation—they have got a different relationship with their companies than we do. A lot of the companies that matter in this space are American and not Taiwanese, though the Taiwanese have a lot in that space. So yeah, I do think there would be quite a bit in the article to study that.
Do you have any final thoughts before we go?
Yes, and this gets down to firepower. Remember I said, “I think it’s pretty definite, on the evidence, that we can see the private sector as the supported commander, as the host nation.” That’s pretty established. What’s less established is whether or not there’s a point where more firepower leads to worse national security results. And I think this really comes into how the White House and others can look at (United States) Cyber Command’s missions of defend forward, of persistent engagement. If I were back at the White House, I would have said, “OK, we’ll give you these additional authorities. We’ll give you the agility you ask for so that you can defend forward. But you have to tell us, you have to be very clear, how will we know this is winning? If we give you these new authorities, this new agility, these looser rules of engagements, what are the results going to look like? And are we going to see the results in two years? Are we going to see the results in four years? Are we going to see the results in 20 years?”
Because it has been four years. This happened in 2018. I suspect they ought to have something to show for it by now and not just successful engagements, not just “We took this action, and we disrupted this adversary operation,” right? We’ve learned from 28 years of Iraq and Afghanistan, you can win all the tactical engagements you want; that doesn’t relate to the national security results that you promised the policymakers.
And so, I think we really need to do better. (United States) Cyber Command needs to do better, at least than it seems to be, about what’s the criteria for success. How long should we expect results? And that way, we can more definitively answer, “What’s this impact of firepower, of increased cyber capabilities, on the national security results of security and stability that we said we were going to do this for? We said we were going to do this to defend forward for persistent engagement.”
Thanks so much, Jay, for your time and for sharing your insights on this topic. This was a real pleasure.
Hey, thank you.
If you have enjoyed this podcast and would like to hear more, look for us on Amazon Music, Spotify, Apple Podcasts, Stitcher, and any other major podcast platform.
About the author: Jason Healey, senior research scholar and adjunct faculty at Columbia University’s School for International and Public Affairs, is the editor of A Fierce Domain: Conflict in Cyberspace, 1986 to 2012.