In early 2009 I began thinking about a decisional model for the conduct of “strategic cyberwar.”  By “strategic,” I’m talking about a level of decision-making several layers above the technical particulars that dominate most of today’s discussions about cyberwarfare.  The particular vulnerabilities of today’s information networks, and the morphology and lifecycle of today’s worms, viruses, and botnets, are interesting and important, but I regard all of these matters as essentially tactical in character.  Some attributes of today’s cyberweapons will become irrelevant as the underlying technology inevitably changes; other attributes are more fundamental and will tend to persist regardless of technological change.  It’s the latter category that I’m most interested in, because those factors will continue to shape strategy and doctrine beyond the next operating system release.

Until I stopped work due to other real-life priorities, I had articulated a crude set of general principles which addressed, among other things:

• A basic model of a strategic cyberattack weapon (what I’m tentatively calling a “logic attack weapon” or “LAW”)
• The minimum intelligence requirements for a strategic LAW
• The essential need to reliably predict a LAW’s effects on a complex target system
• The notion of a “shelf-life” of a given LAW against a given target system
• The need for a wide array of supporting “live” interactions with the enemy in cyberspace (for intelligence, testing, and strategic pre-positioning purposes)

I also sketched out a physical map concept intended to describe the strategic geography of the battlespace, with discrete “terrain” elements denoting civilian non-critical infrastructure, civilian critical infrastructure, and military infrastructure.  Naturally, the map wasn’t intended to portray physical distance, but rather an “attack distance” determined by weapon effectiveness, network architecture, defensive arrangements, and so on.  I borrowed from the safecrackers’ view of the world and decided that the appropriate metric of attack distance for these purposes was time.  Predictably, the mechanics get a little bit complex with a two-dimensional paper map since the attack distances between different elements might change at different rates — and, after getting a headache, that’s about where I left things.

In any event, I had all but forgotten about this shelved work until I recently ran into Bruce Costello (designer of the First Strike and Dropshot I/II/III strategic nuclear wargames) on the consimworld forums.  Bruce also has been thinking about cyberwar concepts for a number of years (and in fact is working on a new game design).  This inspired a conversation about these topics, and I’ve been inspired to pick this effort up again.  Strategy is a timely subject, with the U.S. DoD taking its first baby-steps toward articulating a doctrine of cyber-retaliation.

My objective over the next few months is to think about and articulate a complete set of principles for this strategic model of cyberwar.  I don’t know that this will result in a playable “game,” per se (I have no game design experience and really am only a fledgling wargamer).  However, if it provides some useful vocabulary and concepts to the broader discussion, I think it will have been a worthwhile exercise.  Let’s see where this all goes.

Tags: cyberwar