Be Prepared: Cyberwar is Coming - Or Maybe Not

Interview with John Arquilla, the inventor of "the great cyberwar"

John Arquilla, the guy who came up with the term cyberwar ten years ago, talks about the real implications of his geistesblitz and about ways to avoid the "great cyberwar of 2002".

John is a long-time consultant for the Pentagon think-tank RAND in Santa Monica as well as a professor of information warfare and special operations at the Naval Postgraduate School in Monterey, California. He has published several books together with RAND researcher David Ronfeldt about cyberwar, most famous is "In Athena's Camp: Preparing for Conflict in the Information Age". His scenario "The Great Cyberwar of 2002" which was published in Wired magazine in early 1998 belongs to the classics of "science-fiction" literature. But 2002 is close now, so you better listen...

Is it correct that you and your RAND colleague David Ronfeldt invented the term cyberwar over a couple of beers?

John Arquilla: Well, it's true that I came up with the name during our time at RAND. It's ten years ago now. At that time, the information revolution was just starting to change societal interactions, and it occurred to us that this would equally be true for military affairs.

We were looking to understand the projected shift. It was after a long day that I stepped into David's office and shouted, 'I have one word for you: cyberwar!' And he simply said, 'Yesss!' So it was then that we started writing our paper 'Cyberwar Is Coming!'

What do you think about the career the term made? These days, if there is any larger hacker intrusion, it's for sure to be called a 'cyberwar' by officials or by the media.

John Arquilla: We think that's a mistake. Both David and I believe very strongly that what we have called cyberwar has something to do with technology, but just as much -- if not even more -- to do with organization and military doctrine. The 'cyber' comes from the Greek root word 'kybernan,' from which we get cybernetics, control, steering, governance. And what we realized ten years ago is that if you can control information flows, an opposing military cannot function. We saw this in the Gulf War and we've seen it in a variety of actual events as well as in advanced military experiments. So, our notion of cyberwar was intended to refer basically to military interaction. Hacking today, that is conflated with cyberwar, is a small part of it. But it can be the part that strikes directly at a country's infrastructures.

The simplest way to understand this is to think about the rise of air power 80 years ago. In the wake of the 1st World War, the theorists of air power said, 'there are basically two things you can do. One is to use air power on the battlefield to decisive effect. The second is, you can use it to strike at a homeland without having to engage forces in the field first.'

With cyberwar it's the same thing. I like to think that -- as with air power -- cyberwar techniques will transform military operations in the 21st century as much as the aircraft immediately transformed warfare both on land and at sea in the early days of the 2nd World War, and then for the rest of the 20th century. In fact, the blitzkrieg doctrine is a careful marriage of tactical air power and mechanized military power. That is something that unfortunately gets less emphasis. And instead, on the more strategic side, what General Billy Mitchell and other theorists of air power said, that you would just destroy another society without having to engage their army -- that was a much more attractive concept to air power theorists like Bomber Harris in Britain.

It's now 86 years since the Zeppelin started dropping sticks of bombs on Britain, and in these 86 years of strategic bombardments there's almost no case of a successful strategic air campaign against civilians. And I think this will be true also for the kind of cyberwar associated with hackers knocking out power grids and things like that. You simply won't compel people to surrender by just these means.

I think, this parallel with air power is both interesting and troubling at the same time. It is interesting because it suggests that we have a new form of war that has both strategic and battlefield implications. The troubling part is that it suggests that we are focussing way too much on the strategic part, of which the hacker attacks are a subset, and not focussing enough on the military implications on the battlefield. I think that's a terrible problem for our military, if we remain unwilling to reform and redesign our military institutions based on the implications of these information technologies. This is the struggle that David and I, together with some others, fight all the time, to try to help the military see what they do in a different way. And we are succeeding, but only very slowly.

There is quite a lot of confusion who's really engaging in information warfare. Who's on the offensive side -- are these nations, individual hackers, terrorists ...?

John Arquilla: Well, you don't need nations. You can have individuals. They can be in the hire of countries, much as it was thought in the Cold War that actually a lot of terror was sponsored by the Russians. And today the American government still has a list every single year of which nations sponsor terrorism. So, there is little doubt in my mind that nation states will sponsor cyberspace-based attacks.

It seems to me that we are going to see the rise of such attacks from those who feel troubled by American power in the world and see this as one way to strike back effectively and anonymously. Terrorism is going to be attractive in the coming years. Most countries can't build aircraft carrier battle groups and main battle tanks and challenge the Unites States in a conventional way. So we have to expect unconventional challenges. And that's the direction in which they'll move, I believe.

Are there any other nations than the U.S. which have an official offensive information operations strategy?

John Arquilla: I think, mainly the Chinese have articulated strategy and doctrine and have built forms of organization for cyberwar both on the battlefield as well as in a more strategic dimension of striking at infrastructures. But here is the contrast between the U.S. and the Chinese: They are looking at forms of organization and strategies even before they have the technology needed to pursue this. We in the United States have the capabilities -- but are not ready to use them.

It's quite fascinating. In the case of China, it's a little bit like Germany during the 2nd World War, where they had modern warfare concepts, but not quite the capabilities to implement them, as the German military was only thinly mechanized. But on the other hand, the cyberwar technologies are easy to acquire and easy to implement, and it will not be long before these concepts are going to become a reality.

There are also a variety of other countries who have world class facilities. And if they don't have these capabilities yet, they will be easily able to buy them.

In the U.S., there is quite a lot of confusion about who is in charge of defending the country and its infrastructure from cyberwar attacks. Parts of the military struggle with the or other government agencies about who should be in control.

John Arquilla: Yes, there is a great deal of confusion in the civil and the military departments of our government. It's like anything else: Policy will be the result of bureaucratic processes and compromises. Right now we have an edgy cooperative relationship between military and law enforcement departments. The idea, however, to build a National Infrastructure Protection Center was, to my mind, misguided. I think that we have to develop for the military our own protection systems after all the incidents in the last few years, like "Moonlight Maze." It's pretty clear that we have to build a more secure military network on our own.

Concerning the infrastructure, there are a variety of designs. One is a big government design that tries to take care for everything. The other is a marketplace design to let, for example, an insurance industry spring up against hacking events or to rely on framing lawsuits to recoup damages. The market would prove a powerful instrument for improving information security, nationwide and maybe worldwide. Unfortunately, for much of the past seven years the U.S. government has obstructed the best opportunities to give us the strongest security -- which would be to allow the strongest encryption possible to be sold openly. And there has been a great reluctance to do this by the very law enforcement bodies that are trying to protect the information infrastructure.

So, one of the tensions is between civil and military, and the other is between public and private. But I think that we are now winning the war to get strong encryption to everybody. Worldwide, we will all be much better off. And for the first time in history, the technology of code making and code breaking sees the advantage in the hands of those who encrypt (because of the great key length available), and not of those who break encryption.

You talked about the important role of the market place, but what exactly is the role of the military?

John Arquilla: It's really about the great advantages that information technologies give to the military on the battlefield. Much as the rise of the "Stuka" gave the Germans great advantages in the early part of World War II. And it seems to me that we're still missing that opportunity. Instead, the military is trying to wade into the bureaucratic battle over infrastructure protection. And I think that this is terribly misguided.

There is a lot of talk about the possibility that cyberwar could be a less risky and less lethal form of armed conflict.

John Arquilla: The idea of a clean war is a terrible mess. First of all, you cannot quite simply extract cyberwarfare from more conventional methods of waging a war. What you can do is to use cyberspace-based means of attack and prove their capabilities. So you may win a war with fewer losses on your own side, and you may be able to win by disabling the other side's information processing capabilities without forcing many soldiers to march into field. So, in this context, war could become less bloody in the future.

But I think the most faulty notion today is that advanced technologies will allow us to fight war totally in cyberspace. What people are missing here is that information technologies allow you to get precise knowledge of your opponent's actions on the field, enabling you either to kill more accurately from afar, or even to get in very close to your enemy. And this is counterintuitive to the so-called sensitivity to casualties of the American public.

Will we ever see a ground war waged by the Americans again?

John Arquilla: I'd say that there are probably about 30 ground wars going on in the world today. The U.S., for example, is helping the Colombians to fight a ground war. I think, what we will not see is another Persian Gulf War. Instead, we will see a variety of small wars across the global grid, in which the units of maneuver are of very small size. And I think, that these in many ways will be far more troubling problems to solve when compared to the War in the Gulf.

During the Kosovo War there were some cyberwarfare elements played out -- others were only discussed, mainly due to political, ethical, and legal issues.

John Arquilla: The plan for cyberwar in Kosovo went well beyond the idea of hacking into Milosevic's bank accounts. There were many special forces deployed nearby the field of operations. And they had the full operational capability to work with the KLA in small units to help identify where the Serbs where and to wage a campaign in small bands that would flush out the Serbs. And in fact, the rough terrain gave tremendous advantages, as our sensors would have an easy time watching the movements of Serbs tanks along the few transportation channels available. Again, this is about battlefield-waged cyberwar, where we would have known much about the enemy, and would have been able to strike him at will, again and again.

About the hacking into Milosevic's bank accounts: First, this is quite a silly idea, because money can be quickly moved to very safe places. Secondly, if you were to begin doing such things, this would only encourage others to emulate it. So I think there's a great policy concern in the United States about being the first mover. It's a little bit like the question whether to bomb cities during World War II. Both Churchill and Hitler tried to avoid this. And what started the bombing of cities was actually an accident: A German bomber pilot on his way home drops his bombs due to bad weather conditions over what he thinks is the Channel. But they actually fall on a city. And the British strike back against Berlin, and then the war of the cities begins.

I think, we are worried about starting something like that today, so there's great reluctance. And by the way, it's very, very hard to do. A self-respecting dictator like Milosevic is not going to leave his major assets in a place where they can be easily targeted, not even today as he is a hunted war criminal. So the reasons for avoiding this kind of cyber-attack were, on our part, both practical and ethical.

In general, we should be very, very reluctant to begin the business of using cyberspace-based techniques to strike at individuals or countries' infrastructures. This is something that's addressed in the United Nations General Assembly Resolution 58/70 which the Russians co-sponsored. There is a great deal of concern about this.

Your recent book -- that you co-authored once again with David Ronfeldt -- is about noopolitik. Could you please explain the term and its relationship to cyberwar?

John Arquilla: What I have to say about this, is: 'Sell all your stock in hacking and buy noopolitik!' Because noopolitik is about the message, hacking is about the medium. And if you have a message -- such as the industrial democracies have -- about free markets and free peoples, you have information content with the potential to reshape the entire world. And I think, that's the great and most hopeful dimension of the emerging information age, this possibility of the diffusion of values worldwide to create a system that moves beyond the old hard-power politics of threats, sanctions, and the use of force towards something that looks at the power of ideas, about what is right. I think we will prosper in this, we'll do good, and we'll do well if we create a world like this.

In one of the recent presidential debates, the one where Vice President Al Gore wore a blue tie, he said, 'what should America be doing in the world? Sharing its values with others. That should be the first element in American security strategy.' So, we're beginning to get a lot of the ideas that Teilhard de Chardin brought up about the creation of a noosphere, a realm of the mind. And for us it means the creation of a noopolitik in which advanced information technologies allows like-minded people around the world to band together very quickly in pursuit of high aims. I think that this is a wonderful possibility.

Noopolitik and cyberwar are two sides of the same story. Noopolitik, so to say, is the bright side, cyberwar is the dark side. It depends upon us which side we are going to pursue.

Do you really think that everybody is going to buy this idea?

John Arquilla: The reason why noopolitik will be resisted is that it takes power away from nation states, in particular from the United States. But I believe it's our destiny to create a system that does not require us to be overlords above it. In effect, it would be the withering away of American superpower, if I can paraphrase from Marx. And I think this is perhaps the most useful and beneficial contribution that the United States can make to the future.

But isn't soft power, as you and David Ronfeldt name this information force, isn't it mainly a stronghold and an asset of the United States? Isn't it just a new word for the powers of the film, PR, and media industries?

John Arquilla: I don't know if these are just American values. They certainly are American values. But the idea of free peoples and free markets is not uniquely American. It's hard to look at any of the industrial democracies and say that their values don't coincide with these ideas.

But I take your point. When we first unveiled a short version of our book, a number of American academics were there and said: 'Ah, Arquilla and Ronfeldt now have a formula for American domination of the world.' But our point here is not domination, not commanding, but leading.

I think that the very fact that we would create the fabric of a system that would constrain American power is a very powerful signal that we're not simply trying to gain American benefit. It is unfortunate, though, when we see inconsistencies such as the United States not being willing to be held liable in international courts. And of course it feeds the view that we are only doing this for American advantage. So, it's a criticism that is an important one and one that Americans -- particularly our policy makers -- should take to heart and should act upon.

We are balanced on a knife's edge as to which direction we should go with a world perceiving that the United States might be trying to pursue the information revolution for its own social, political, and economic advantage. We have the opportunity to show the world that we feel otherwise. And I think it's our duty to pursue that other course -- even if it means the road away from superpower.

Soft power is also about psychological operations. Do you see Psyops as the most important component of information warfare? And what's the difference to classical propaganda?

John Arquilla: Classical propaganda has to do with shaping someone's opinion to one's own advantage in pursuit of hard-power goals. Minister Goebbels, for example, did a very good job of inflating the strength of the Luftwaffe in the 1930s as to deter other powers from getting in Germany's way as it rebuilt itself after the war and engaged in a series of tremendous diplomatic triumphs in the mid-1930s.

Noopolitik is not to be used for the winning of great diplomatic triumphs or to deter potential adversaries from confronting us when they disagree. I guess there is a fundamental difference between the two.

What both are about is the message rather than the medium. And cyberspace-based hacking and other activities are all about disrupting the medium, or at least the conduits of information. Noopolitik and perception management -- this whole psychological dimension -- is actually possible only if you keep all the infrastructure up, not take it down. And so our position would be that we think, in a marketplace of ideas, that we have valuable products relating to the concept of freedom. And that this has a global appeal that is worth pursuing in a strategic way. That is: both in a way that benefits the United States and its allies, but also in a way that benefits the whole world. It is hard to see who loses. The world of hard-power politics is one where one person's gain is another person's loss. In the world of noopolitik, of soft power, of ideas, of perceptions, all can gain.

Do you see this as a turnaround from your former writings? For example, you've published this dark scenario in Wired with crashing planes, manipulated media, power outages, stumbling politicians and all that.

John Arquilla: I don't see it as a departure. I think that the great cyberwar is indeed a possibility in the future. And the part of it that is more important than knocking out power is the ideas. What really creates the crisis, is not knowing who's behind it, thinking, another country is. And the idea here is that by creating a world of noopolitik, you take this sting out of that other kind of war. Because you build a kind of mutual trust among nations and non-governmental actors. But, ja, the scenario in Wired was mostly about psychological effects, not about technical issues.

The context of this is that the story is as important as the conduct of a conflict. It shows that people who fear overwhelming American power in the world strike back in the only way they know how to. That's what I fear, that the attitude of the United States to go around the world saying, 'we are the indispensable nation, we are the great leader of the world,' will only spark this kind of attack. And what that story showed also is how psychologically vulnerable the American people are to such a thing.

Isn't all this scenario building around the big cyberwar a dangerous play with fire?

John Arquilla: If you look at the history of warfare you will see that it's all about scenarios. That's true for the rise of air power as well as for H. G. Wells foretelling the 2nd World War. Thinking about scenarios will actually help us to wage a war if we have to.

But doesn't it also create a mindset that is eager to engage in cyberwar? Do scenarios help to create a specific reality?

John Arquilla: This question has already been answered. Cyberwar is coming, it's here. The only question remaining is how to prepare for it. Of course it is good to avoid cyberwar, but we have to be prepared in any case. You know this old Roman saying, 'Si vis pacem, para bellum. If you want peace, prepare for war.' That is still true in the information age. (Stefan Krempl)