In my last post I mentioned that the focus of our model would be on “strategic cyberwar,” and then, inserting a handful of marbles in my mouth, I mumbled something unintelligible about “a level of decision-making” residing “several layers above” all of that horrible technical stuff that somehow always involves doing something obscure to the Windows registry.

Of course, there is a good reason for such evasiveness:  trying to be too precise about whether a certain form of cyberwar is “strategic” rather than “operational” or “tactical” leads us straight into a definitional swamp.  I won’t try to drain the swamp here; however, it strikes me that it might be useful to spend some time getting a little more resolution on what we mean by “strategic” (and, correspondingly, what will be directly addressed in our model, and what will be abstracted away).

The traditional rule of thumb about the levels of war (drawn from the world of kinetic violence) is that tactics are about battles, operational art is about campaigns, and strategy is about wars. Unfortunately, this amounts to more marble-mouthed garble when it comes to the gray zone that cyberwar inhabits.  None of the traditional military intuitions of time, scale, or geography really apply here:  is a sustained DDoS attack conducted over several days against the servers of a dozen companies a battle, a campaign, or a war?

To try to address this, we can adapt the old aphorism to the technical particulars, which would produce something like this:  If tactical cyberwar is about attacks on a particular network, and operational cyberwar is about attacks on a system of related networks, then strategic cyberwar is about attacking the adversary’s system of systems.

But that does not seem any more helpful.  Depending on how one chooses to define “network” and “system,” that proposition could mean anything (or nothing) at all.  Part of the problem is that there is no particular relationship implied between the scale of the “network” or “system” and the size of the strategic actor.  Indeed, taken literally, nothing prevents any operator of a “system of systems” from becoming a strategic actor.  Intuitively, this is not what we mean.  An iPhone is a complex device with many different component systems.  But we do not generally view the teenager who has “jailbroken” her iPhone as having committed an act of strategic cyberwar.

Where do these intuitions come from?  I think that the answer is found not in “strategic,” but in “cyberwar.”  In the end, cyberwar is still war. There may be plenty of strategic behavior in cyberspace, just as there is plenty of strategic behavior in the kinetic world, but only a subset of that strategic behavior pertains to a prosecution of a war.

That declaration, of course, does not wholly solve the problem; questions of exactly what constitutes a war in our age of global terrorism, insurgency, international sanctions, etc., continue to vex academics and lawyers.  But we need not decide the precise boundaries of war and peace; our purpose is only to set up a scale for our model.

So, to put it all together:

• In the levels-of-war hierarchy, the strategic layer sits atop the operational layer, which in turn rests on the tactical layer.
• At that top level, the applicable scope of concern is attacks upon a “system of systems.”  This implies high complexity and subspecialization near the top level of organization  — in effect, the “macroinfrastructure” of the affected strategic actor.
• Cyberwar is still war.  War implies violence.
• Nation-states continue to enjoy a monopoly on legal violence.  The entities that purport to wage war are either nation-states or those who aspire to the sovereign status of nation-states.
• Therefore, “strategic cyberwar” relates to attacks upon the macroinfrastructure of either (a) nation-states; or (b) entities that aspire to the sovereign status of nation-states.

This is not to say that other actors will not have important roles; in fact, I expect to see nation-states employ “tactical delegates” to a much greater extent than is the case in the kinetic world.  And there will be no shortage of “non-aligned” marauders roaming through the substrategic (operational and tactical) levels of cyberspace; most crime, for instance, is an essentially tactical endeavor.  But I believe the nation-states and their aspiring peers will set the strategic agenda.

Admittedly, there is a circular feel to some of this reasoning:  cyberwar is war; by definition, only nation-states can wage war; ergo it must be that nation-states constitute the important level of analysis.  Part of this may also be the result of the Westphalian bias that afflicts students of modern military history.

But I think that there is at least one other reason to believe that nation-states, rather than private subnational entities or even public transnational entities, will continue to occupy the seat of decision when it comes to cyberstrategic warfare.  I believe that the nature of cyberweapons — or at least the kind we can reasonably call “strategic” — will be such that they will effectively require the sovereign authority of a nation-state to develop and maintain.  This is not so much because national governments have abundant financial and technological resources (wealth and genius are not the sole province of national governments).  Rather, it is because the intelligence requirements to design, construct, test, and maintain a strategic cyberweapon may be so extensive (and require such intrusive and likely illegal measures to collect) that only a sovereign entity will be capable of doing it on a competitive scale.  We will consider this issue in a future post on the nature of strategic cyberweapons.

Tags: cyberwar