Military Review English Edition May-June 2014 | Page 32
clear, comprehensive cyberspace policy may take
longer.31 Multiple interests collide in cyberspace,
forcing policy makers to address concepts that
traditionally have been difficult for Americans to
resolve. Cyberspace, like foreign policy, exposes
the tension between defaulting to realism in an
ungoverned, anarchic system, and aspiring to the
liberal ideal of security through mutual recognition of natural rights. Cyberspace policy requires
adjudicating between numerous priorities based on
esteemed values such as intellectual property rights,
the role of government in business, bringing criminals to justice, freedom of speech, national security
interests, and personal privacy. None of these issues
is new. Cyberspace just weaves them together and
presents them from unfamiliar angles. For example,
free speech rights may not extend to falsely shouting
fire in crowded theaters, but through cyberspace all
words are broadcast to a global crowded theater.32
Beyond the domestic front, Internet access creates at least one significant foreign policy dilemma.
While it can help mobilize and empower dissidents
under oppressive governments, it also can provide
additional population control tools to authoritarian
leaders.33 The untangling of these sets of overlapping issues in new contexts is not likely to happen
quickly. It may take several iterations, and it may
only occur in crises. Meanwhile, the military must
continue developing capabilities for operating
through cyberspace within current policies.
Defend in depth—inner layers. Achieving
resilience requires evaluating dependencies and vulnerabilities at all levels. Starting inside the firewall
and working outward, defense begins at the lowest
unit level. Organizations and functions should be
resilient enough to sustain attacks and continue
operating. In a period of declining budgets, decision
makers will pursue efficiencies through leveraging technology.34 Therefore, prudence requires
reinvesting some of the savings to evaluate and
offset vulnerabilities created by new technological
dependencies.35 Future war games should not just
evaluate what new technologies can provide, but
also they should consider how all capabilities would
be affected if denied access to cyberspace.
Beyond basic user responsibilities, forces providing defense against cyberattacks require organizations and command structures particular to their
function. Martin van Creveld outlined historical
evolutions of command and technological developments. Consistent with his analysis, military
cyberdefense leaders should resist the technology-enabled urge to centralize and master all available
information at the highest level. Instead, their organizations should act semi-independently, set low
decision thresholds, establish meaningful regular
information reporting, and use formal and informal
communications.36 These methods can enhance
“continuous trial-and-error learning essential to
collectively make sense of disabling surprises”
and shorten response times.37 Network structures
may be more appropriate for this type of task than
traditional hierarchical military structures.38 Whatever the structure, military leaders must be willing
to subordinate tradition and task-organize their
defenses for effectiveness against cyberattacks.39
After all, weapons “do not triumph in battle; rather,
success is the product of man–machine weapon
systems, their supporting services of all kinds, and
the organization, doctrine, an BG&