A new RAND Corporation report suggests the U.S. may be better off playing defense and pursuing diplomatic, economic, and prosecutorial efforts against cyberattackers, instead of making strategic cyberwarfare an investment priority.
The study comes as the U.S. military fires up its new unified Cyber Command (USCYBERCOM) program this month. The new outfit will be responsible for network-related operations, defense, and attacks and will operate under the U.S. Strategic Command.
Cyberwarfare is better at bothering an adversary than defeating it--given that permanent effects are illusive, author Martin C. Libicki wrote in the report, titled "Cyberdeterrence and Cyberwar."
On offense, cyberwar might be better relegated to support roles, and then only "sparingly and precisely," according to the report. A one-shot strike to silence a surface-to-air missile system, allowing aircraft to penetrate defenses to destroy a nuclear facility, is the example given.
"Attempting a cyberattack in the hopes that success will facilitate a combat operation may be prudent; betting the operation's success on a particular set of results may not be," Libicki wrote. One question planners should ask is whether strategic cyberwar would induce political compliance comparable to what could be produced by, say, strategic air power.
Even retaliatory attacks could risk sending the wrong message, since treating cyberattacks as acts of war could be construed as indemnifying owners of private infrastructure from third-party liability. Why spend money on cybersecurity if your losses are covered a la FEMA, for example?
Libicki doesn't downplay the threat. Damage from recent cyberattacks is estimated to cost the U.S. up to hundreds of billions of dollars a year.
However, the threat of punishment has never done much to prevent cyberattacks on either civilian or military networks, another reason to concentrate on prevention, according to the study. After all, cyberattackers can only get through doors that are left open.
"Deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace," wrote Libicki.
Meanwhile, the military has hinted that it's ready to skip the games and deal with cyberattackers in the real world--provided they can find them.
"The Law of Armed Conflict will apply to this domain," Air Force General Kevin P. Chilton told Stars and Stripes. "You don't take any response options off the table from an attack on the United States of America. Why would we constrain ourselves on how we would respond?"