2 July 2016

*A NOT-SO SECRET HISTORY OF CYBER WAR

JUNE 30, 2016

The first rule of Cyber Club is that you don’t talk about Cyber Club.

This is for all the usual reasons: mission security, a culture of secrecy, some operators’ preternatural shunning of the spotlight, and — sometimes — the importance of the strategic goals at stake. Without the first rule, many cyber operations simply wouldn’t be effective.

But the first rule of Cyber Club, strictly enforced, poses challenges. It dictates that the expansion of intelligence collection, the development of new means of sabotage and attack, and the use of capabilities in what the Pentagon calls a new domain of warfare, all must take place out of view.

In the post-Snowden age, and with additional transparency from the U.S. government and incident reports from major cybersecurity companies, it goes without saying that the first rule hasn’t been consistently obeyed. But, even so, much remains undisclosed. There is much the public doesn’t know about how cyber operations work, both historically and today.

Fred Kaplan’s Dark Territory aspires to fill at least part of this gap, promising “A Secret History of Cyberwar.” The book, which begins its treatment of the topic in the early 1980s, aims to provide a sweeping account of the field’s development. It chronicles a variety of cases, from President Reagan’s WarGames-inspired worries to Stuxnet’s destructive power, and tries to fit them together into a broader narrative.


In so doing, it proves that the first rule of Cyber Club still holds some weight. The resulting narrative is less a secret history of cyberwar and more an inside-the-Beltway history of the perception of cyberwar. The battles depicted in the book are frequently not those of the network intruder and the network defender, but of warring bureaucrats with conflicting interests. Key points in the narrative are competitions between the NSA and the CIA, between conventional military forces and those convinced that cyber operations had a role to play, between the post-Snowden review commission and the agencies sometimes less than fully transparent about their activities. Kaplan’s key sources seem to be senior policymakers and high-level documents, rather than cyber operators, though it is not entirely clear because he frequently does not attribute claims to specific interviews (a frustration in what is supposed to be a history).

At one level, this is still a valuable account. Bureaucracies and the people within them matter. In the same way that the doctrine-shaping tales of Billy Mitchell and John Boyd have reached near-canon status amongst aviators, the early turf battles and conceptual struggles in cybersecurity will have lasting impact. With the benefit of hindsight, future historians might look back and identify the thinkers in the field who spotted the nuance in cyber operations and drove their organizations to adapt. At its best, Kaplan’s history aids this effort and ties these emerging ideas to early field operations, such as those against Serbian President Milosevic and a planned effort in Haiti.

But his history falls short in other respects. Much of what he shares is hardly secret. Stuxnet, Chinese hacking, the post-Snowden review, and a great deal more of Kaplan’s narrative have all been splashed across the front pages of newspapers many times. Kaplan’s effort serves to summarize these cases, but other sources provide a far more definitive and nuanced treatment, such as Kim Zetter’s Countdown to Zero Day and Thomas Rid’s Rise of the Machines. Especially for incidents within the past 15 years, his version adds few new facts to the established narrative.

Sometimes the work seems to have a misplaced focus. For example, the chapter on NSA’s elite Tailored Access Operations unit, which breaks into foreign networks, discusses the adoption of that name at length, but says much less about the process of actually carrying out network intrusions. Likewise, the book stays far away from any kind of technical discussion, except for an oddly detailed overview of network security monitoring (a component of network defense). Most bafflingly, with a few exceptions, Kaplan habitually ignores the content of the Snowden trove, passing over some of the most revealing information about operations and declining the opportunity to further report out the documents with his sources; he is similarly sparse when it comes to using incident reports put out by cybersecurity companies. The individuals who wrote these passed-over documents or served in operational roles are mostly absent from the narrative.

Perhaps as a result, as Kaplan lays out the story of various bureaucracies adapting themselves to cyber operations, it is only the most elementary ideas that come to the fore. The history is often a recounting of how bureaucracies slowly learned about concepts that have long been considered self-evident. Chief amongst these is the realization, repeated no fewer than seven times, that cyber operations are — like everything else — a two-way street: What the United States could do to others, others could perhaps do to the United States. Other refrains include the transition from analog to digital communications, the role of encryption, and the interconnectedness of many systems online.

These are fundamental themes, and are rendered time and again as Kaplan recounts a dizzying array of reports and Washington commissions. But, presented only by themselves, these themes belie the complexity and challenge of cyber operations. To give just a few examples, readers would have been better served by sections on why cyber operations fail, on the limits of operational integration, or on the technical nuances that determine what works and what doesn’t.

In light of the sometimes-reductionist portrayal, there are two possibilities. The first is that the agencies and thinkers involved just don’t get the more complex ideas, even after several decades of adapting to the cyber domain. The second is that those individuals who do understand more didn’t cooperate with this book, and Kaplan did not find enough material to add this needed heft to his discussion. While it surely is a combination of both, the latter seems to hold more weight..

In other words, if the government world of cyber operations has a Billy Mitchell or John Boyd, he or she is probably still following the first rule. Instead, as Kaplan’s interviews and reporting implicitly reveal, it is those less likely to know — often more removed from the action and the insights — who are more likely to talk.

Ben Buchanan is a Postdoctoral Fellow at Harvard University’s Belfer Center for Science and International Affairs, where he conducts research on the intersection of cybersecurity and statecraft. He received his PhD in War Studies from King’s College London, where he was a Marshall Scholar, and masters and undergraduate degrees from Georgetown University. His first book, The Cybersecurity Dilemma, will be published this fall.

No comments: