Deterrence Isn’t Just for Nukes
Spacewar and Cyberwar threats need the same strategy for Defense as we use to stop Nuclear War: Deterrence via our promise to retaliate in kind.
The U.S. Military is currently undergoing an exciting new, official “Revolution in Military Affairs,” in recognizing that each of the traditionally separate “domains” of warfare (land, sea, and air) nowadays must be treated, and dealt with and fought in and over, as part of a much wider, integrated battlespace. This RMA goes way beyond simply the Pentagon’s now familiar (post 1980s Goldwater-Nichols Act) organizational approach to “jointness,” i.e., to closely cooperative warfighting missions between the Pentagon’s different traditional Armed Forces branches — Army, Navy, Air Force, and Marines. It now extends into what the Department of Defense calls “multi-domain operations.” In these ops, all the strategies, intelligence, and massive pinpoint real-time battlespace situational/dispositional data together encompass a single gigantic network of personnel, platforms, formations, and headquarters that integrate into a single “hive mind” fabric of sensors and shooters, all serving a common, integrated purpose — prevailing to achieve America’s goals against all enemy threats, wherever they come from in and around Planet Earth.
An essential part of this concept of integrated multi-domain operations is recognizing that two new, non-traditional domains of national defense must also be included in the mix: the domain of Cyberspace, and the domain of Outer Space. Indeed, the United States recently stood up a new branch, the U.S. Space Force, and all branches (plus the Department of Homeland Security) include specialized units dedicated to cybersecurity.
But both of these new domains, outer space and cyber space, are so different from the traditional land/sea/air trilogy, both as to where they exist, and as to how fast events and “objects” (from packets of information, to manned and unmanned vehicles) within them move, that innovative concepts-of-operations, strategies, doctrines, hardware, software, weapons systems, delivery platforms, sensor networks, and personnel training and realistic exercises all need to be extensively researched, tested, and then subject to a rigorous, forward-thinking adoption-or-rejection process at the highest levels of Department of Defense leadership.
Because friendly assets and resources in outer space and in cyberspace might be very difficult to protect via the usual strategy of defense-by-denial (detecting and repulsing/defeating any attacks as they begin and progress), the notion of defense-by-retaliation that applies to nuclear deterrence might be useful — nay, necessary — to adapt to, and adopt for, these other domains of human conflict. A bit of context here would help the further discussion.
Deterrence via advance threat of retaliation in kind is widely accepted by nuclear weapons-owning states as a necessary form of defense against nuclear attack. This is because defending effectively against such attack, by the traditional tactic of shooting back from behind fortifications (“defense by denial”), is nigh on impossible — and the same problem applies in cyberspace and outer space defense.
For nuclear attack, the weapons are so immensely destructive that they can inflict great damage even if they are set off at a considerable distance from their targets. Their electromagnetic pulses, radioactive fallout, and environmental damage are pervasively far-reaching and baffle remediation. In addition, both traditional ICBMs and SLBMs going Mach 16, not to mention more recent, maneuverable RV’s (MARVs) and hypermodern hypersonic platforms doing up to Mach 25, are all extremely challenging to intercept at a safe distance. Next-generation stealthy strategic bombers like the B-21 Raider, equipped with low-observable, highly maneuverable, long-range Stand Off Cruise Missiles, are also very difficult to shoot down while safely neutralizing their on-board nuclear warheads.
For cybersecurity, other factors make defense-by-denial difficult. For one thing, effective cybersecurity features built into any system are very expensive, very inconvenient to users, and they tend to slow the system and reduce its capabilities — all of which makes both governmental and commercial/private cybersecurity problematic in practice. When it comes to denial of service attacks, not much can be done other than to shut down the system — which is the goal of the enemy DOS attack anyway. Malware transmits through the Internet, via wires or fiber optics or radio, literally at the speed of light; attacks can be launched and then hit their targets with mind-boggling speed; often great damage is done before the defender can even begin to react. Worse. in computer algorithms and systems architecture, there seems to be a natural advantage to adversarial analysis of “chinks in the armor” of defenses; software Red Teams if they are skilled can often out-think the friendly, Blue Team’s designers. Human nature is a particularly big chink in the armor of cyber defense: people are notoriously sloppy about maintaining robust computer passwords, and about falling for phishing and other enemy subterfuges for gaining access to “secure” systems. In an extreme case, infiltrating enemy human agents can plant malware in any system if they can covertly gain access to a “secure” facility; disguises, fake IDs, kidnapping and blackmail/extortion are favorite methods for arranging such access.
In outer space, a different set of challenges makes defense-by-denial very difficult, encouraging any nation dependent on space assets to resort to defense-by-deterrence instead. Short of permanent destruction, a satellite can be blinded or deafened/muted by being jammed via strong enemy transmission of “noise” in the frequency band(s) the satellite transmits and receives on; radio-noise jamming is a form of electronic warfare, while laser blinding of optical-sensor birds could be called “visual warfare.” Most satellites, manned capsules, and space stations include external antennas and solar panels, which are conspicuous and delicate, making them very vulnerable to attack. The platforms themselves are easy for enemies to detect and track, since it is difficult to make them immune to reflecting sunlight, they depend on active radio or laser transmissions to communicate with the ground, and their power sources and electronics have thermal signatures that stand out starkly against the near-absolute-zero temperature of the deep-space background. Radar stealth is harder to achieve, again because of all the awkwardly-shaped external fittings. And in the case of manned platforms, the slightest damage can end internal atmospheric integrity, forcing the crews into space suits and thus degrading their operational endurance and effectiveness.
Any attack directly against American assets in space could be virtual, i.e., a cyber-attack, or physical, involving an anti-satellite (ASAT) weapons launch, impact, and detonation — or some of both. And for directed-energy weapons (such as high-power lasers, or destructive microwave beams) which are ideal for use in the vacuum of space, the “ordnance” (intense packet of photons) travels literally at the speed of light, so that moments of “launch” and “impact” are indistinguishable; the shooter need not lead the target, and targets cannot “jink”. Furthermore, given the frequency of launch failures, some of them rather spectacular, outer space remains a domain it is very complicated and very expensive to access with any regularity of successful mission completion — even in peacetime and even for the most highly industrialized and technically advanced nations.
In neither outer space nor cyberspace are American/Allied military assets amenable to being isolated via “fortification” within their surrounding domain environment from which enemy attacks would arrive: Near-Earth orbit, let alone geosynchronous or cislunar orbit, cannot possibly bear the weight penalty required for massive physical armor, like befits an M-1 Abrams tank on solid ground. Cyber facilities that are thoroughly walled off via “air gapping” become almost useless to the rapid-fire inter-connectivity that is the very essence of network-centric warfare.
Other difficult effective-defense challenges apply for satellite communication links and support/control stations on the ground: These are fixed in place, with delicate and conspicuous external fittings (such as antenna dishes), thus are rather vulnerable to attack, yet are vital to the functioning of the whole. And like the satellites in orbit, the ground stations are subject to jamming.
Additionally — as with nuclear weapons — any attacks against American assets and interests in cyberspace and/or outer space need to be quickly, definitively attributed back to whatever nation or sub-state/terrorist entity perpetrated the attack. This is an especially pressing problem for two reasons. One is that activities in either of these non-traditional domains of warfare are unusually challenging to track and attribute. The other is that the aforementioned near-impossibility of defense-by-denial, necessitating instead a strategy of defense-by-deterrence (i.e., by advance threat of post-attack retaliation), requires rapid and definitive fixing of the exact source, the localized, specific point-of-origin of the attack, so that proportionate and discriminating retaliation can be delivered to precisely where it is deserved and justified.
Another challenge for defense-by-retaliation pertains to what weapon(s), in which domain(s), should be used for America’s retaliatory second strike, while avoiding either (1) inadvertent escalation of the conflict or (2) unacceptable collateral damage.
An enemy attack confined to, say, either outer space or cyberspace runs the risk at the outset of quickly spreading to other battlespace domains simply because, in the modern world, all the many domains are so thoroughly interconnected and interdependent. But this problem, known as “horizontal escalation,” would be worsened if the enemy wishes to keep the conflict confined (“limited’), whereas America retaliates more widely, spreading the conflict beyond the enemy’s desired limitation. The other type of escalation recognized by military experts is “vertical escalation,” where within the same, initial domain the retaliation is made with substantially more destructive force than the enemy initially used themselves. An example of horizontal escalation would be for America to sink an enemy’s large unmanned surface warship in retaliation for them destroying one of our (unmanned) military satellites. An example of vertical escalation (still in the unmanned category) would be for us to destroy ten of their satellites by ASATs if they destroyed one of ours. (In a worse case, there could be an outer space “Battle of Britain,” with huge losses on both sides and a semi-permanent pollution of low-Earth orbit by combat debris and unexploded ordnance.) Whether to escalate intentionally, and if so how to do so, either horizontally or vertically or both, and whether to confine the combat to machines or whether to also take enemy lives, are all very tricky policy/strategy questions that may in practice sometimes need to be made by America’s Commander in Chief.
Collateral damage, just like inadvertent escalation, takes unusual forms and thus presents unusual challenges in cyberspace and in outer space. In Earth orbit, any warfighting that causes physical damage will almost certainly spew ultra-high-velocity wreckage into orbital space. This seriously increases the risk of collision damage to other spacecraft, manned or unmanned, including those of other countries and corporations that are neutral in the conflict. In cyberspace, retaliatory attacks using “military offensive malware” that are directed at a specific enemy always run some risk of propagating through the Internet and infecting innocent third-party computer systems in other countries around the world. Attacks against industrial control software have gained public concern recently because these systems could easily cause mass casualties if successfully attacked; petroleum refineries, chemical factories, and nuclear power plants for instance could lead to property and environmental damage and human casualties akin to the Bhopal and Chernobyl disasters.
As a historical note of interest, it was exactly this concern about uncontrollable collateral damage that led the U.S. to refrain from using certain powerful cyber-weapons against Saddam Hussein’s Iraq during the 1991 Gulf War. Fortunately, that war could be brought to a quick and successful conclusion, with a minimum of friendly losses, without resort to such a destructive cyber-offensive.
In the case of the American/Israeli Stuxnet malware attack against Iran’s nuclear facilities, it was the unintentional “leakage” of the malware into some German industrial facilities — where the nature of the Stuxnet was identified and first became publicized — that led to Iran realizing that its severe centrifuge control problems were due to external attack. One of the important effects of the Stuxnet attack was psychological, i.e., it undermined Iranian confidence in their uranium centrifuge program, because the problem’s source was unknown. The inadvertent spreading which unmasked the covert attack led Iran to regain confidence in its own nuclear engineering, and also led Tehran to (rightly) blame “The Great Satan” (America) and “The Little Satan” (Israel) for a serious act of aggression. And then there was the damage suffered by industry in Germany.
With this necessary technical and historical background established, let us return to the vexed topic of attribution. Using the U.S. Air Force’s space-junk tracking radars, which are continually upgraded, and other forensic tools, which are constantly developing, physical assaults in space could probably in the future, with enough further investment in capabilities, seem relatively straightforward to attribute back to their point of origin. So, probably, would serious physical attacks on ground stations worldwide. But complacency here must be avoided, else America could be vulnerable to a “Pearl Harbor in space” without even knowing where it came from. This is because adversaries can make advances within the outer space domain in at least two areas, to baffle attribution. The perpetrator would then enjoy all the military and geopolitical advantages of eroding our space-based sensor and communication assets, without them suffering any of the concomitant systems degradation (or other retributive punishment) that we would urgently need to deliver in order to restore strategic parity — in space and therefore also in-atmosphere.
One of these areas of potential enemy technical advancement is the development of low-observable, highly maneuverable space-based weapons platforms, able to attack our space assets on command without our prior detection of their deployment and/or without our ability to detect and track them after they open fire. (It can be ambiguous whether such platforms, if non-nuclear, violate international treaties on basing weapons in space. And in an era when arms control treaties are being lapsed, revoked, cheated against, or ignored, any current signed treaties are no guarantee against future combat.)
The other area of tech advancement is the ability to covertly incorporate offensive weapons within the structures of supposedly peaceful, civilian/commercial satellites, maybe ones launched via third-party private (for profit) space-lift services, hosted by third-party countries that are not even aware of these schemes and would not be on any Pentagon list of recognized adversaries of America.
As mentioned, cyber-attack attribution, wherever the attack occurs, is always notoriously difficult. This is because the “terrain” of global data linkages is so varied, extensive, interconnected, changeable, and murky that nefarious actors are able to camouflage their actions, disguise their trails, erase their traces, “frame” innocent parties by planting false signatures, and maintain plausible deniability. Cyber attribution that is clear enough to justify a significantly-damaging retaliatory counter-strike is also made more challenging by the availability of a multitude of individual, sub-state, or disguised/unofficial state-controlled bad actors who can, knowingly or unknowingly, perform an adversary state’s bidding while the state itself seems to us uninvolved. This coterie of computer hackers ranges from low-skilled teenage “script kiddies,” through organized-crime computer hackers, to well-disciplined teams of seasoned professionals who work for a government’s military and intelligence agencies.
Suppose that a cyber attack of significant damaging magnitude, known by the U.S. Government to have been perpetrated by a specific state-level adversary, were suffered by America. Important policy issues would then be forced to the forefront of White House and Pentagon attention. “Punishment of the attacker” might be limited in some circumstances to a stiff diplomatic complaint, or to economic sanctions. In other circumstances, the decision would be made that some form of retaliatory cyber second strike is called for. Perhaps Congressional approval would be called for, by law. (Mitigation within America of the original attack’s damage and aftereffects is beyond the scope of this Research Report, but is discussed in the open literature.) Clearly, a lot would depend on very confidently determining who made the attack, and on accurately assessing the exact nature of the attack and the full extent of the damage done.
At a more “cosmic” level, the U.S. Government would have to assess the possibility that the initial one-two exchange, namely, the attack and then our counter-strike, might lead intentionally or inadvertently to one or more further rounds of cyber attack, maybe escalating in scope and damage each time, and maybe even turning into a full-blown, mutually catastrophic cyber war. The specter that hostilities could run badly out of control and even trigger the “First World Cyber-War” cannot be ignored! In a worst case, the world could be “hacked back into the cyber Stone Age.”
These technical and policy determinations are important, because some spy-versus-spy cyber snooping is considered par for the course during peacetime. But other foreign government-sponsored hacking, while not directly damaging to the computer systems and databases invaded, might nevertheless be aggressively intrusive, followed perhaps by violating intellectual property copyrights, or by stealing national-security secrets, or by sharing embarrassing things in public through WikiLeaks. Such acts can be damaging commercially/economically, diplomatically, politically, and even militarily. Current American action policy seems to be to complain to the alleged perpetrating state, and to strengthen defenses, but for the most part not to retaliate, at least during peacetime, which currently, supposedly prevails in the cyber domain.
Some hacking amounts to mere amateur vandalism, or criminal theft, which seem more the purview of the FBI and other law enforcement than the White House Situation Room.
Maybe a good norm would be to only retaliate via cyber-destruction-in-kind if the initial assault or series of assaults caused actual, significant destruction among American security, financial/commercial, or population interests. “Destruction” could range from adulteration of data files, or impairing of computer hardware; through substantial, mass government, corporate, and/or public inconvenience; through large financial losses and other monetary costs; to physical damage to industrial assets and heavy infrastructure, possibly with loss of life, via disrupting or manipulating all-important process-control software. Retaliation-in-kind ought to be proportionate and discriminating, that is, we should “do to them the same thing(s) they did to us” (in-kind retaliation), while being similar in scale (proportionate) and not causing undo collateral damage (discriminating). Of course, calibrating all of this national response, without triggering an unacceptable degree of escalatory counter-retaliation (third strikes, etc.), is a fine military and statecraft art, heavily exposed to dangers of unintended consequences and chaos theory.
The rest of this discussion about outer space and cyberspace defense-by-deterrence/retaliation is meant to apply only to situations where a state of war already exists between the U.S. and an aggressor, or to situations where the aggressor’s attack and its drastic effects clearly constitute an act of war. The latter determination would have to be made by POTUS and the U.S. Congress.
Note that according to America’s 2018 National Nuclear Posture, the U.S. Government does assert the right to retaliate against massive-enough attacks by weapons of mass destruction (WMDs) such as chemical and biological weapons using our nuclear weapons. This is because the U.S. obeys international treaties and conventions banning chemical and biological weapons, so we could not counterattack “in exact kind.” Yet we must as a nation have a means of deterrence via retaliatory threat that is decisively powerful — it needs to work “the first time, every time” against an evolving coterie of multitudinous WMD threats. Strictly speaking, this sort of retaliation (which please God is never necessary) would not count as a “nuclear first use”; rather it would be a legally and morally justified WMD second strike. Can a devastating enough cyber attack amount to a weapon of mass destruction?
Clearly, this matter is very controversial, and it would presumably only come into play in the extreme last resort of an enemy launching an attack of genuinely existential magnitude — i.e. one that clearly threatens the very survival of the American system of government, its society, and its whole population. A certain amount of ambiguity as to the possible details of our response is considered by defense experts as desirable: Ambiguity re what we would do in retaliation increases the dissuasive impact on enemy minds of our declared deterrence posture. One part of this ambiguity pertains to how we would respond to very severely damaging cyber attacks, especially ones that caused huge loss of life. Would we ever respond, not just with counter-offensive malware, but with nukes?
It is harder to conceive of how an enemy attack limited entirely in outer space, even if massive, could pose an imminent existential threat to America. But what does “entirely in outer space” mean in this context? Electromagnetic pulse attacks, carried out using nuclear weapons detonated in low earth orbit, have massive destructive effects in a continent-wide footprint on the ground below. EMPs can, among other things, start raging conflagrations (by igniting transformer fires) and cause swarms of auto and airplane crashes (by frying computer chips) that lead directly to catastrophic loss of life. What would we do then?…
As the experts say, ambiguity is a valuable part of deterrence.
It seems relatively obvious, i.e. unambiguous, that offensive American space and cyber capabilities, deployed in a defense-by-retaliation-in-kind deterrence posture, would pose a potential attacker-state with the same sort of forceful dissuasion that nuclear deterrence-by-retaliation does regarding nuclear attack. The same requirement of survivability that applies to our nuclear Triad applies here, to our space and cyber second-strike weaponry.
Since space and cyber assets are, as mentioned above, not very amenable to traditional defense-by-denial, our assets would suffer real losses when the enemy opened their attack. On the other hand, our offensive space and cyberspace weapons, even after being depleted by a surprise first strike, if made survivable enough would then be able to inflict post-attack retaliation in kind against the attacker’s space and cyber weapons and assets.
Survivability could be assured by a variety of design, engineering, and deployment techniques that could make assets difficult to observe and track, and/or make them more hardened against some forms of attack, and/or make them redundant through duplication and ready availability of replacements and backups. One approach is to base some ASAT rockets, and replacement comms and senor satellites along with their space-lift rockets, aboard stealthy submarines, perhaps SSNs or SSGNs. (The Virginia class with extended hull module is SSGN-capable.) Another survivability technique could result from the private space industry’s beginning to launch “mega-constellations” — formations of Earth-covering satellites numbering literally in the tens of thousands. Smallsats are small and inexpensive but nevertheless capable satellites that are particularly suitable to deploying in survivable swarms. (Note that American military reliance on such swarms might tempt an enemy to resort to space EMP weapons for their vast area destructive effects — but EMP weapons are not discriminating and such an enemy would cripple its own space assets at the same time it attacked ours.)
To be “survivable” in the cyber domain, copies of important software applications, operating systems, control systems, and databases could be backed up in compact format aboard SSNs, SSGNs, and even SSBNs, for post-attack downloading remotely, or while in port. While deeply submerged, submarines are safe from surface or spaceborne EMP damage. Their conductive steel all-enclosing pressure hulls provide good EMP protection even when surfaced, if hatches are closed and all masts retracted. Faraday cages, used to shield internal machinery’s electromagnetic signatures from external detection, help protect the sub’s equipment against external EMP attack as well.
The retaliatory punishment the attacker suffers, if our deterrence threat ever needs to be carried out, might not end a serious multi-domain armed conflict, but it would have the effect of reducing enemy space and cyberspace capabilities in proportion to the reduction they just inflicted on us.
The wider conflict might rage on, or even escalate, but it would be fought at a less capable (more primitive) level — though one that is more “rebalanced” between attacker and defender — and also at a less coordinated level for each side’s forces among themselves. Once again, this shows the terrible danger of believing that any war between large and well-equipped states can be kept “limited.”
In the particular case of space and cyber combat going on while nuclear combat has begun, or as a prelude to it, the arguments earlier in this Research Report against a nuclear war ever staying limited are heavily reinforced. In fact, any combat in outer space and/or cyber space would seriously complicate any process of the belligerents trying to negotiate a nuclear-war cease fire. Doing so during a “purely” in-atmosphere nuclear conflict would be hard enough. But given how much modern international communication pathways are dependent on passing through both cyberspace and outer space, successful “signaling” about limiting and ceasing hostilities — while furious combat rages within all these domains, subject as they are to the Multidomain Revolution in Military Affairs — would be nigh on impossible.
At its core, the essence of effective mutual deterrence, with any powerful weapon systems and in any battlespace domain, is to not merely make credible advance threats of post-attack retaliation. Just as important if not even more so is to also spell out clearly, well in advance of any adversary’s attack, that resorting to violence in pursuit of state interests always carries with it uncontrollable/inadvertent escalatory risks of truly nightmarish scale.