Part of the “total cyber warfare” series
I see deterrence against cyber as basically: cyber, diplomatic, kinetic.
- cyber: only works if both sides have similar exposures and vulnerabilities to a cyber attack. It is hard to do a proportionate cyber response to Laos, for example.
- diplomatic: all of the usual international levers of coercion, like sanctions, and so on. For both Iran and DPRK, there really isn’t much room left there.
- kinetic: bombs and boots on the ground. Unlikely to be the initial response to a cyber attack; most likely it’s an existing state of affairs. So, for example, if the US started bombing Iran, an Iranian cyber response wouldn’t cause an escalation in kinetic conflict.
So countries have symmetric cyber capabilities but have asymmetric exposure to deterrence. What does that mean for total cyber war? This is all hypothetical, but… what does cyber warfare look like during warfare? What are viable theories of “strategic cyber”? That is, how would cyber be used strategically (rather than tactically or operationally) to wage war?
I know, it is very stupid “cyber Pearl Harbor” bollocks, but honestly I find the concept of “total cyber warfare” very fascinating. For example, many of the actual impacts are going to be felt by US civilians. People who on the whole haven’t been exposed to consequences from war (not in a long long time)… how will people react when a war means more than just something on the TV, when maybe it means the TV stops working?
As one example, DPRK has a history of using cyber as a direct means of implementing policy (see: Sony.) DPRK has capability, and there is little to deter them, so what could they do?
I’m not proposing “the sky is falling, DPRK are going to Cyber the US into the Stone Age”. I’ve used the example of DPRK and the US, but I’m not interested in what exactly the US could do to deter DPRK – not unless it is a real credible deterrent for cyber in general, of course.
My interest is what wartime conflict in the cyber domain means for everyone. Cyber is very weird as a domain of conflict. Civilians are more exposed than the military, and much of civilian cyber infrastructure is better protected than “real” critical national infrastructure.
Instagram is more secure against cyber attack than hospitals, but is itself a cyber weapon for conflict in the cognitive domain. What does that mean, and how would that be incorporated into doctrine? I have some ideas.
Why this matters:
I have an unorthodox view on cyber (frequently described as “wrong”). There are roughly three realms of conflict: kinetic, cyber, cognitive. The deep connection between cyber and cognitive leads me to blur them together as “information processing systems,” which fortunately includes organisations and groups as well as individuals and computers.
Having a flexible and broad view of cyber + cognitive is a vital part of thinking about total cyber warfare. Almost every player in the Great Cyber Game has a different way of clustering capabilities and thinking about cyber offence and defence. The One True view (CNO, IO, PSYOPS, EW, etc.) wasn’t particularly useful at defending against Facebook ads and email spools in 2016.
In my view a lot of the boundaries on Western cyber thought are the results of budgetary battles from decades ago, and various political legal authorities. Internal US politics from the Cold War era do not a relevant framework for comprehending cyber make. But that’s what they’re stuck with as we all enter a world where total cyber warfare is entirely possible.