The Rand Corporation recently published a monograph on cyberwarfare Cyberdeterrence and Cyberwar (240 pages).
Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought.
The research was commissioned as a result of the Air Force's new responsibilities in cyberspace: "The establishment of the 24th Air Force and U.S. Cyber Command marks the ascent of cyberspace as a military domain. As such, it joins the historic domains of land, sea, air, and space."
The report summarizes the following points:
- Cyberattacks Are Possible Only Because Systems Have Flaws
- Operational Cyberwar Has an Important Niche Role, but Only That
- Strategic Cyberwar is unlikely to be Decisive
- Cyberdeterrence may not work as well as nuclear deterrence
- Responses to cyberattack must weigh many factors
- Military cyberdefense is like but not equal to civilian cyberdefense
The report includes a few tidbits, such as: "Every digital cellphone can be a door into cyberspace" [and thus the host for a 'bot']; "the divergence between design and code is a consequence of the complexity of software systems and the potential for human error"; "They [cyberattacks] are better suited to one-shot strikes (e.g., silence a surface-to-air missile system and allow aircraft to destroy nuclear facility under construction) than to long campaigns..."; and to put the whole question into context the report states "no one has yet died in a cyberattack."
The report concludes that cyberwarfare is not strategic (although that does not preclude some operational value) because unlike traditional methods which will make things worse over time,
"With cyberattacks the opposite is more likely. As systems are attacked, vulnerabilities are revealed and reported or routed around. As systems become more hardened, socieities become less vulnerable and are likely to become more, rather than less, resistant to further coercion."
Makes one wonder if the persistent and unrelenting attacks on Windows are not a part of some broader sub rosa vaccination scheme.