Rand study urges caution on cyberwarfare attacks

The U.S. Air Force funded study urges the United States to take a defensive approach.

A new study from the nonprofit Rand Corp. is recommending the United States not invest in offensive cyberwarfare.

The problem? It is hard to predict the aftermath of a cyberwarfare attack making strategic planning almost a guessing game, according to Martin C. Libicki, the report’s lead author and senior management scientist at RAND, a nonprofit research organization.

The study, “Cyberdeterrence and Cyberwar,” was funded under the U.S. Air Force’s $210 million Project Rand research initiative. The takeaway: Cyberattacks should be “used sparingly and precisely.”

From the report:

Predicting what an attack can do requires knowing how the system and its operators will respond to signs of dysfunction and knowing the behavior of processes and systems associated with the system being attacked. Even then, cyberwar operations neither directly harm individuals nor destroy equipment (albeit with some exceptions). At best, these operations can confuse and frustrate operators of military systems, and then only temporarily. Thus, cyberwar can only be a support function for other elements of warfare, for instance, in disarming the enemy.

The report backs its findings by measuring probable outcomes to cyberattacks and determining that the results are too scattered to carry out accurate predictions. This is coupled with the problem of countering an attack. It is difficult to determine who conducted a specific cyberattack so any counter strikes or retaliations could backfire. Rather than going on the offensive, the United States should pursue diplomacy and attempt to find and prosecute the cybercriminals involved in an initial strike.

Libicki said that the military can attempt a cyberattack for a specific combat operation, but it would be a guessing game when trying to gauge the operation’s success since any result from the cyberattack would be unclear.

Instead the Rand report suggests the government invest in bolstering military networks, which as we know, have the same vulnerabilities as civilian networks.

The report supports some of the opinions of the National Security Network, a progressive organization that was founded by counter-terrorism expert Rand Beers and includes former White House counter-terrorism adviser Richard Clarke on its board. The Washington D.C-based organization focuses on international diplomacy and national security. The organization released a statement earlier this month focusing on the U.S. Cyber Command, which  goes online this month.

As words should be matched with deeds, grand ambitions of “cyberspace superiority” should be matched with a careful articulation of the means to achieve them.

If the Rand report is accurate, “cyberspace superiority” would be difficult if nearly impossible to achieve.