Should We Prepare for a Cyber War? A Response to Seymour Hersch

The following is a special guest post:

About two weeks ago, The New Yorker published Seymour Hersch’s article “The Online Threat: Should We be Worried About a Cyber War?” Reflecting on Hersh’s controversial views which question the legitimacy of the national – indeed global – response to the cybersecurity threat, I recognized an incongruent juxtaposition of my own conclusions from my direct participation in this global effort versus Hersch’s conclusions. Because I believe Hersch’s views, extolled in a national publication, are both wrong and destructive, I am offering my observations and conclusions as a counterbalance.

In 2005, while participating in a planning event for the first-ever BULWARK DEFENDER Exercise – a Department of Defense exercise designed to test the military’s preparedness against cyber attack – a lively debate ensued between military attorneys, senior civilians and military planners. There was considerable disagreement concerning military authorities and permissible response actions to defend against such an attack. A persistent theme of the dialogue centered on the frequency with which attacks could not be attributed – that is, the inability to identify the source responsible for launching or sponsoring the attack. Under the prevailing nation-state sovereignty rubric of international law, such attribution is widely regarded as a condition precedent to invocation of self-defense principles.

Other legal issues also emerged, such as whether a cyber incident amounted to an “armed attack” – the critical factual trigger for self-defense authority. There was also debate over whether the Department of Defense was even authorized to respond to a domestic cyber incident, and if so what amount of harm and national security nexus were required. The most common cyber threats in 2005 were denial of service attacks, network intrusions, and data extraction from sensitive networks. Against this cyber incident factual background, an espionage analogy emerged: espionage had occurred throughout the history of the Nation with no perceived necessity or authority for a military response to espionage threats. Accordingly, some asserted that a military response was equally inappropriate in response to the standard fare of cyber threats in 2005.

Since 2005, the world has witnessed a tangible change in the known risks from cyberspace, which have morphed from hypothetical to actual. Indeed, the security posture of a nation has now actually been threatened from cyberspace. In 2007, hackers attacked the vestiges of government legitimacy and economic viability in Estonia – occurring at a time of increased tension between Estonia and Russia. Georgia’s critical communications and other key resources were disabled in 2008 in concert with a Russian armed attack on Georgia. More recently, the highly sophisticated worm Stuxnet – widely reported as produced by a nation – targeted industrial control systems associated with the nuclear industry in Iran. And, just a week ago, the entire country of Myanmar was knocked offline just as the nation’s elections were to start.

This all indicates that we are in an era when cybersecurity threats pose a genuine national and economic security threat to the nation.  Unlike espionage, the nature of this threat justifies the implementation of comprehensive risk mitigation strategies.  It is equally imperative, however, that such plans ensure protection of core American values so that security will not trump liberty.  Rational observers surely cannot doubt the documented incidents that have already occurred.  Nor should anyone fail to recognize the lessons from all the cybersecurity challenges emerging daily:  cyberspace can be used either as a direct vector to deliver an attack; or it can be used as a supporting vector – disabling first responses – to deliver a conventional attack.  Notwithstanding the growing severity of incidents and their implications, in some important and influential corners of society, the Doubting Thomas continues to question the Government’s response to threats from cyberspace.

The article posits the thesis that “cyber war” is nothing more than a Defense Department and defense industry ploy to trump up fear about threats from cyberspace in order to bolster increased defense spending during a period of feared spending cuts.  In truth, the author engages in a little fear-mongering himself by conjuring images of Eisenhower’s “Defense Industrial Complex” message with Hersch’s characterization of a new “military-cyber complex”.  He also implies that former senior government officials who now have government consulting businesses are over-inflating cybersecurity risks to benefit their businesses.  Indeed, in one cited instance, Hersch implies the government influence extended to the former official’s Senate testimony, stating that his firm received a lucrative defense contract shortly after his testimony.  The implication that the former official compromised his integrity under oath is wholly unsupported in the article, and therefore is unjustified.

Hersch further writes:

American intelligence and security officials for the most part agree that the Chinese military, or, for that matter, an independent hacker, is theoretically capable of creating a degree of chaos inside America. But I was told by military, technical, and intelligence experts that these fears have been exaggerated, and are based on a fundamental confusion between cyber espionage and cyber war.

Hersch repeatedly references sources inside government, but Hersch fails to offer competing views or explain whether the sources’ views are themselves extreme.  Indeed, Hersch overtly states that  “[B]lurring the distinction between cyber war and cyber espionage has been profitable for defense contractors…”  There can be little confusion over Hersch’s intended purpose for the article:  to cast doubt over the legitimacy of the threats from cyberspace.

Later in the article, Hersch offers some insightful comments, quoting some recognized cybersecurity leaders.  He offers some discussion regarding whether America’s core strategic interest is associated with defense or economic competitiveness.  Certainly that is a worthwhile topic for discussion and debate.  What Hersch misunderstands, however, is that risk mitigation entails planning for two scenarios:  the most likely scenario, and the most deadly scenario.  The military must necessarily plan for both.  And, it does a disservice to society to minimize or sensationalize all the efforts that are needed in society and government to create effective security frameworks using a public-private partnership model that the country has never implemented on the scale needed in a post-9/11 environment.

Hersch also offers a legitimate critique of the role of the National Security Agency in the emerging cybersecurity plans of the Federal Government.  However, his message is lost by his ad hominem attacks, and rhetoric – such as noting that the NSA facility that houses some cybersecurity capability, FANX, is known as “Friendship annex”.  This new global threat and America’s response strategy requires serious debate, not glib references that might appeal to a reader’s emotion rather than to his intellect.

Reading The New Yorker article, I became frustrated that a large and reputable media outlet was oversimplifying an extremely complex and critical issue.  The ascendence of the Internet has presented society with a revolutionary, complex societal challenge – one that poses grave threats to civil society, government and business interests.  A mobilizing of a “Cyber Citizenship” responsibility among all Internet users is needed – as users have become increasingly targeted.  The comprehensive risk mitigation response called for necessitates societal awareness of the threat and of individual responsibility as first steps toward cultural modifications to society’s interaction with the Internet.  Yet, Hersch undermines this central “Cyber Citizenship” approach by raising questions about the legitimacy of the cyber threat.

Since 2005, the Federal Government has taken many steps to address the issues we debated at BULWARK DEFENDER planning in 2005.  The Government has improved interagency authorities and coordination through promulgation of the CNCI program under NSPD-54/HSPD-23, issuance of the White House 60-day Cyberspace Policy Review, creation of the White House Cybersecurity Coordinator, and a host of initiatives at multiple federal departments.  While these improvements are welcome, there is much work to be done.  Indeed, many of the central points debated in 2005 remain:  the proper role of government, assessing attribution for purposes of application of the Law of War and international law, and privacy considerations.  What is no longer a legitimate point for debate, however, is whether cyberspace poses a threat that might rightfully be called “cyberwar,” and whether the Government has a core responsibility to plan for it.  Whether the term “cyberwar” itself is objectionable is beside the point.  Threats from cyberspace pose serious risks to society, government and economic interests.  The media, sometimes referred to as the “Fourth Branch of Government”, should more studiously approach this challenge, and use its impressive resources to help society address the changes that are afoot.


Doug DePeppe is a cybersecurity attorney, having advised Army cyberspace operations, the National Cyber Security Division, and US-CERT.  He now advises both commercial and government clients concerning cybersecurity legal risks, governance and public-private partnerships.

6 Responses

  1. Adam says:

    While I too think Hersch’s tone is regrettable, a charitable reading of his arguments presents issues that Mr. DePeppe chooses to avoid. First, Mr. DePeppe trots out the often invoked instances of hacks against Eastern European states involved in diplomatic conflicts with Russia. What he leaves out, however, is the nature of these hacks, which, I submit, are crucially important given Mr. DePeppe’s acknowledgment in this article that some attacks are not serious national security threats. The attacks on Estonian government websites were just the kind of denial of service attacks along with some hacks that redirected visitors to sites expressing an anti-Estonian or even a false message about the location of a statue. While these websites are extensions of the government in a loose sense, they are not an extension of the government’s sovereignty or national security interest. I hope Estonia doesn’t record its troop movements on its public access servers of course. Similarly, the Russian attack on Georgia in 2008 is improperly characterized in this post. Hacking Georgian websites to portray information comparing Georgian leaders to Adolf Hitler or denial of service attacks did not affect Georgia’s inability to provide for its national security during the South Ossetia crisis. Not only was the Georgia hack the work of Russian nationalists acting privately, not the Russian government, it in no way attempted to assist Russia’s military. If Mr. DePeppe is suggesting that national security is weakened by such attacks, he must present some justification for how that would occur divorced from those attacks which gather information in a traditional espionage activity.

    It is most telling that this article starts with an exercise in which Mr. DePeppe and others assumed particularly bad outcomes resulting from hacks without any discussion of what outcomes fall into the realm of possibility. We could prepare for all nuclear weapons to launch because they are connected to computers which may be exposed to flash-drive based viruses like Stuxnet that could have a heretofore unseen characteristic of being able to allow people to set a timer for doomsday that can’t be overridden without Dennis Nedry’s “white rabbit” backdoor password, but that layers speculation upon speculation. What we know is possible now lies far more in the realm of espionage than military attack.

    I’ll also admit that Hersch resorts to ad hominem attacks that have no bearing on the truth of the issue. But ad hominem attacks do call into question the authority of people who make claims premised upon that authority. And if individuals make significant profits from advocating particularly extreme, absolutely unheard of, and supremely unlikely hacks against the United States, that calls into question their position. It does not independently prove the opposite position but it does weaken the impact of the advocacy which the opposite position seeks to rebut. Taken alone, an ad hominem attack on the authority which is used as the premise for a claim is not sufficient to undermine an argument. But it is probative if the ad hominem attack actually relates to how much trust should be placed in an authority figure.

    I don’t dispute that intelligent people do work on these issues and do bring their considerable intellect to bear in their deliberations. But it is akin to arguing that coming up with a strategy guide for getting the top score at SimCity is a good use of time for HUD and other federal agencies. Cyberwar is preposterous without a showing of a real-world effect. That real world effect must involve the kinds of rights/interests/privileges/etc. that exist sans Internet. If someone creates a virus that allows them to blow up my computer when I’m sitting in front of it thereby clearing the way for them to challenge John McClain to a macho duel, then Mr. DePeppe has a reason to spend his time doing this kind of work. Otherwise, if viruses keep stealing information alone in the name of small-scale fraud against private individuals, Mr. DePeppe’s paean to the Cassandras of cyberwar will remain hollow.

  2. Logan says:

    Not that you’re necessarily wrong in your argument but given your job seems to depend on there being a substantial cyber threat, I find it funny that you’re complaining about Hersch’s assertion that the threat isn’t as large as some might argue. Not to mention you also oversimplify the same topic but come to a different conclusion. If you really want to debate the exact nature of cyberthreats and what we should do about them, how about getting another symposium going so both sides can be fairly heard because neither has been as of yet.

  3. Frank Pasquale says:

    I think a critical cyberthreat comes from global finance. Mike McConnell has recognized this, and the Pentagon has already “war gamed” various scenarios involving unconstrained global capital flows. (See, for instance, the March 17, 2009 exercise at the Johns Hopkins University Warfare Analysis Laboratory.) If traceable and clear financial flows could (as demonstrated in this exercise) seriously undermine US economic activity, imagine what unattributed algorithms and other surreptitious manipulation of flash trading could do.

    By the way, amazingly enough, the head of the SEC was on cable news shying away from the idea that the agency would want to have full attribution for all algorithms in electronic trading markets. Given that Jack Goldsmith has called the attribution problem one of the most critical ones for cybersecurity, this was disappointing to say the least.

    Given the global resistance to QE2, many actors will probably be eager to engage in a kind of “financial warfare” against the US…an area of force we have pioneered (see Virtually all modern finance is computerized and internet enabled. Whereas a utility can in principle be “taken off the grid,” we can’t relocate finance decisions to real space.

    Finally, I would like to note the “politics” of the issue. The ACLU and liberals generally have protested “militarizing” the internet. I also worry about this, but I think massive surveillance is just a matter of time. Given that reality, we need to rechannel privacy advocacy toward an equality of (non)privacy before the law. Nancy D. Edwards once wrote that “Drug testing in nontherapeutic settings will remain an unfair and unjust ‘new surveillance’ scheme until the day when the poor begin drug testing the rich.” I would add that cybersurveillance of average people should only go ahead once the activities of those who can wreck economies with hot capital flows are under constant monitoring.

    @Logan: I’d be up for another symposium.

  4. Jason W. says:

    Hersh. Seriously.

  5. Hersh’s article is levelheaded, fair, and quite perceptive both about the nature of recent hacking and computer espionage issues, and about the difficulties of fitting them into a “warfare” frame (as opposed to an existing “computer security” frame or some new model yet to be invented). Doug, you disagree with him about his overall argument and about his interpretation of some of the evidence. Fair enough; this is a difficult subject where the policy answers are far from clear. Smart people can and do disagree here.

    That said, I am troubled by the tone of this post. You assert that Hersh’s views are out of the mainstream, that no rational person could disagree with your assessment of the situation, that Hersh’s article is biased and makes ad hominem attacks, that the article is destructive, and that Hersh is undermining responsible citizenship just by asking questions. These allegations, especially taken together, attempt to shut down the debate by portraying Hersh’s views as so extreme that they’re not acceptable for responsible people to hold. In areas of uncertain policy, though, we need as robust a debate as possible.

    I am disappointed that Concurring Opinions lent its space to a post so out of step with the academic ideals of open exchange and respect for other points of view. Who invited this “special guest?”

  6. Doug DePeppe says:

    In response to some comments here, my purpose was to criticize Hersch’s narrow focus on cyberwar as emblematic of society’s failure to appreciate the true nature of cyberspace-borne threats. The post’s title unfortunately conveyed a perception that I was primarily focused on the legitimacy of cyberwar, but my larger premise is that cyberspace threats are fundamentally changing traditional notions of security and societal roles in security – yet society does not sufficiently understand or appreciate the changes afoot. The prospect of cyberwar is just one component of the changed dynamic. In my judgment, Hersch’s article failed to understand the core issue, and instead took up and trivialized the risk of cyberwar in a way that further complicates the need to educate society.

    Contrary to Hersch’s view that cyberwar has been trumped up and over-hyped, I believe greater exposure should be devoted to raising awareness of the changed nature of the Internet. The potential of cyberwar should be part of a broader discussion. Unfortunately, some say – as did Hersch – that the very notion of cyberwar is a baseless agenda promoted by parties having vested interests in increasing government spending. Indeed some questioned the motivation for the post; yet, my ‘call to arms’ comes from many angles – professional interests, academia, and the nonprofit perspective (I have ties to all three). So, other than perhaps penning a different title for the post, it’s entirely appropriate to criticize the content of Hersch’s failings in his article. And, to those suggesting a symposium to get at the hard issues – you are spot on. The threats posed from cyberspace are like none other ever faced by society, with harmful risks to governments, industry, and individuals alike.

    Did you know that: the biggest “cloud” on the Internet is not owned by Amazon, or Ebay, or Google – it’s actually controlled by organized hackers; botnets possess more bandwidth and computing power than any other online presence; China (and other nations) possess cyber warfare units; China’s national strategy reportedly involves the use of asymmetric methodologies to challenge the United States economically and militarily; and, in just one foreign scheme – disclosed as the US counter-operation code-named “Titan Rain”- more terabytes of data than exist in the Library of Congress were exfiltrated to foreign servers?

    To some, these facts simply underscore the point that the threat is espionage and national economic security-related. Perhaps. Yet, keep in mind that “asymmetric” in the cyber realm refers to nonlinear strategies. In my post, I referred to the use of the Internet in warfare either as a direct attack, or as a supporting attack. During the 1973 Yom Kippur War, Israeli drones were used as decoys to “light up” Syrian air defenses, so that air forces could locate and target those defenses, successfully destroying Syria’s air defense network. A similar strategy using cyberspace could have any number of strategic effects during war or terrorism – the only limit is the creative capacity of an aggressor. So, the point is that while one might argue whether the current use of cyberspace should be considered cyberwar or not, creative planning by combatants and terrorists presents a serious threat to national security. The semantics of what we call the threat is beside the point.

    Calling out Seymour Hersch for misunderstanding the core issue hardly squelches debate. The media, academia, nonprofits and government have a responsibility for addressing the hard issues of the Internet Age: like whether the Westphalian international legal order fits the borderless age of the Internet; and, whether a universality principle should be invoked to protect the Internet rather than fighting the impossible battle of attribution in a framework where the sovereignty principle reigns. The list goes on.