Glenn Fawcett

U.S. News


America’s Challenging Cyber Defense Policy

“If a crippling cyber attack were launched against our nation, the American people must be protected.” – Defense Secretary Leon Panetta

In a speech on October 11, 2012 on Pentagon responses to evolving cyber threats, Defense Secretary Leon Panetta revealed both the strengths and shortcomings of United States public policy on issues of national cyber defense. The forum for the speech was not necessarily the place where Panetta might have been expected to give a full exposition of policy, yet in his need to brief and to summarize complex issues for his audience of Business Executives for National Security, the Secretary allowed a glimpse into where the United States is and where it is going.

Panetta set the scene by mentioning the threat of a “crippling cyber attack” every bit as serious as the terrorist attacks of September 11. He addressed three tracks the Pentagon is following: new capabilities, policies and organization at DoD level, and alliance building with other countries and with the private sector. The section on capability revealed some important insights but also contained some challenging implications. First, Panetta highlighted the centrality of the people factor – what he called “our most important investment.” Pledging to invest serious money in getting the right cyber warriors, Panetta failed to mention that many of these are civilians, rather than in the uniformed services, and many are not even DoD employees but contractors.

Apart from the fact that this represents a broader trend in national military operations of contracting out to private military firms, of the sort seen in Iraq and Afghanistan, it also says something very different about the character of the best soldiers in the information age. They will most likely not be uniformed personnel but rather people of a very different mindset who would be very uncomfortable in a disciplined service. They need not even meet the normal physical standards for entry into combat arms.

For example, a Stephen Hawking, a wheelchair-bound astrophysicist, would be a better cyber warrior than a fully mobile Rambo. The “civilianization” of a strategically significant (if numerically small) portion of the front-line warriors in the United States military effort has important implications both for discipline and for command and control. Another side of this coin is that, to a degree, civilian cyber warriors are less expensive than uniformed warriors. They do not have the same training costs to be borne by the DoD or the same logistic tail.

Is Information Superiority the Goal?

The United States makes no secret of its intention to be cyber dominant. It is racing to stay in front of other countries. There has been little public discussion by U.S. government leaders of whether that is a good policy. In the Cold War, the United States accepted – rhetorically at least – the logic of strategic parity and mutual assured destruction as an important foundation for détente and easing of military tensions with the USSR.

By contrast, Panetta declared that in cyber military policy it is the U.S. intention “to stay ahead of other nations.” It probably is time for some debate about whether an un-nuanced quest for superiority enhances U.S. security or reduces it.

No Secret about Chinese Cyber Capabilities?

The most challenging statement Panetta made was that “It’s no secret that Russia and China have advanced cyber capabilities.” As a researcher of Chinese cyber policies using only unclassified sources, but with occasional resort to conversations with senior United States intelligence figures, I would dispute the statement. First, it is impossible to find a comprehensive assessment of China’s military cyber capabilities on the public record. There are several useful sources, some of which in their titles sound like they fit the bill.

For example, a report prepared by Northrop Grumman for the United States China Commission with the sub-title of “Chinese Capabilities for Computer Network Operations and Cyber Espionage” released in March 2012, is a stunningly detailed overview of aspects of the problem. But it offers almost no credible assessment of Chinese military capability. It documents a series of doctrinal writings and reports at a very general level of Chinese information warfare activities, citing mostly examples of espionage activity. A useful article by Brian Mazanec, “The Art of (Cyber) War” from 2009, cites a senior State Dept official to the effect that Chinese capabilities “have evolved from defending networks from attack to offensive operations against adversary networks.” But there is no Chinese equivalent of Stuxnet yet.

The European Defence Agency has been sponsoring a survey of the military capabilities of European Union countries in cyber defense. Their methodology gives some insight into what is missing in public assessments of China’s military cyber capabilities. It has been following a systematic model with the acronym DOTMLPF, which stands for doctrine, organization, training, means (i.e., budget), leadership (chain of command), personnel, and facilities. The study has also expanded this model to include interoperability, a fundamental characteristic of cyber warfare at the strategic, operational and tactical levels of war. Interoperability between different branches of the armed forces is one of the hardest organizational challenges facing any country. The extant public studies on Chinese capability are strongest on doctrine but really don’t have much to say in any detail on the other aspects beyond identifying the names of units involved, the names of some of the commanders, and the facilities.

In addition, China has had relatively poor performance when it comes to interoperability. Another significant aspect of assessing military capability is the net assessment: how well would the forces of one side (say China) perform against an adversary (say, the United States, Taiwan or their military allies, such as Japan, the United Kingdom and Australia). For people familiar with the high level of detail available on Chinese conventional and nuclear force capabilities available in the public domain, the current state of public knowledge of Chinese military cyber capability is still a secret.

The public record on Chinese cyber espionage capabilities is slightly better. There is a long list of authoritative reports describing various intelligence victories attributed to the Chinese government. This is in itself significant in terms of cyber military capability, since according to United States sources, well-targeted and sustained intelligence collection is an absolute precondition for advanced cyber offensive operations. So China’s espionage capability is a part of the capability assessment overall. Yet even here the picture is incomplete. Well-placed sources in Washington with access to the intelligence record have concluded that the United States can see enough to worry us but not enough to know with confidence the full picture.

United States Pre-emptive and Deterrent Capability?

Panetta talked of some amazing and hitherto unrevealed capabilities. He said that US agencies could now “hunt down the malicious code before it harms our systems.” The statement has surprised specialists in the United Kingdom. If true, and perhaps we should not doubt it, this gives the United States some useful capability and should impact the net assessment of U.S. and Chinese military cyber capability. In a similar vein, and equally surprising to some analysts, he said that the United States has made “significant advances” in solving the attribution problem. He said that this made it “far less likely” that adversaries of the United States would attack it: “Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions.”

Pre-emptive Capability and Nuclear Deterrence?

Panetta specifically talked of the need to be able to pre-empt “an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens.” He said that DoD has “developed that capability to conduct effective operations to counter threats to our national interests in cyberspace.” Since cyber operations include the full gamut of digital command and control arrangements for strategic nuclear forces, we probably could use some explanation from Panetta of whether this pre-emptive capacity and policy affects the nuclear deterrence calculation of potential adversaries of the United States, such as China, or a country like Russia, which, while less likely to be an adversary, still maintains a large military nuclear force. China will be looking to Panetta to offer some clarifications on this in the talks he discussed in his speech. Panetta said he “underscored the need to increase communication and transparency” on both sides.

New Rules of Engagement

The DoD foreshadowed some time ago that it would produce a new set of rules of engagement to cover cyber operations. Panetta has characterized this as “the most comprehensive change to our rules of engagement in cyberspace in seven years.” He said that these would make the “department more agile and provide us with the ability to confront major threats quickly.” He foreshadowed strengthening of Cyber Command, a move reported by US sources to include having it stand alone as an independent unified command compared with its current position under Strategic Command. This will be a positive move since it will disassociate it from its current co-location with the command responsible for strategic nuclear forces, a relationship that has caused China some considerable consternation.

Cyber Allies

This one is tough. Cyber military operations involve some of the most sensitive intelligence secrets and operating methods of the United States. As good and as trusting as many U.S. alliance relationships may be, even the special intelligence community called the “Five Eyes” that brings together the United States, UK, Canada, Australia and New Zealand, or the United States-Israel alliance, the secrets of the most important U.S. cyber operations and capabilities cannot be shared with them. Moreover, some allies lag far behind. NATO, for example, is at a very early stage, now just strengthening its defensive arrangements.

Yet military alliances do need to be updated for the information age. One reason cited by Panetta is the shared alliance obligations to protect the common international infrastructure on which they all rely. The current pathway outlined by Panetta for alliance building was fairly modest: “deepening cooperation with our closest allies with the goal of sharing threat information, maximizing shared capabilities and determining malicious activities.” This is well short of the concept of combined operations involving the military forces of alliance partners.

One small fact offered by Panetta underlines the importance of alliance building in cyber space and the centrality that cyber operations now have in U.S. military planning. Panetta disclosed that “the president, the vice president, Secretary of State and I have made cyber a major topic of discussion in nearly all of our bilateral meetings with foreign counterparts.”

Offensive Cyber Actions by the Private Sector?

Since he was speaking to an audience of business leaders, the Secretary’s plea for business leadership in the common national cyber defense may appear to some to be a predictable gambit. Yet it reveals a deepening concern and an intensifying call to arms by the Obama administration for private sector action against threats that have a national security character.

Appealing to business interests in a “safe, secure and resilient global, digital infrastructure,” Panetta canvassed classic defensive needs: “to develop baseline standards for our most critical private-sector infrastructure, our power plants, our water treatment facilities, our gas pipelines.” Yet he also echoed recent calls by the Commander of Cyber Command, General Keith Alexander, and the Deputy Director of the National Security Agency (NSA), Chris Inglis, to “take proactive measures to secure themselves against sophisticated threats.” These calls have been interpreted in Washington policy circles to mean that companies should use offensive cyber action to take down threats at the source rather than just building defenses against them. Such action, as Inglis made plain, would need to be coordinated with the authorities. (The command of Cyber Command and the NSA is a double-hatted post held by Alexander.)

U.S. Vulnerability: the Cyber Defense Gap

The United States feels its vulnerability in cyber space deeply. It does not always recognize that this is an inherent characteristic of the domain and too often seeks to address the anxiety by resort to exaggerated assessments of the potential adversaries. Striking this balance in United States strategic policy is no less of a problem now than it was in preceding decades: the bomber gap (1950s), the divisions gap (late 1960s), the missile gap (1960s), the civil defense gap (1970s) and so on. The September 11 attacks and a decade of war in Afghanistan, following the long Iraq campaign, have incubated a sense of insecurity. In spite of exhibiting strong confidence in American cyber superiority, Panetta noted about the private sector that “too few companies have invested in even basic cybersecurity.” He called for support for administration legislative and regulatory efforts because without them “we are and we will be vulnerable.”

Invoking the September 11 attacks, and lack of effective anticipatory defense against them, he went on to say about cyber space that “the attackers are plotting.” Well yes they are. But we all need a much clearer sense of how big the cyber defense gap is. What are the relative capabilities, and more importantly, how do capabilities fit into overall concepts of deterrence for countries like China, Russia and Iran?

Panetta acknowledged that U.S. systems will never be impenetrable. The same is true of Chinese systems. The vulnerabilities are now shared. The global infrastructure to which Panetta referred is shared by China. An ITU report released last week observed that two thirds of global telecommunications capacity is now located in eight countries: the United States, Japan, China, India, Russia, Germany, France and South Korea. These eight states have a common interest in protecting it. DoD strategies for common security inside this new Group of Eight do pick up the existing U.S. allies. The United States international strategy for cyber space released last year makes much of the need to shore up its traditional alliances but we do need to see clearer U.S. strategies and more progress in building a common security in cyberspace that includes India, Russia and China. These countries have to play their part as well.