Conclusion 1

As we come to the end of this reflective work, we offer our readers a summary of the major themes, principles and questions which run through these 7 chapters. Our analysis, centered on the themes of information warfare and cyberwar, has allowed us to put forward a few main ideas. The distinction between classic war and modern war (in the sense of “cyber” or “technological”), is not entirely relevant. Strategic laws, however, remain relevant, even if the ways of applying force are evolving.

Thus, the role of “strategy” in the information realm is confirmed as a key aspect. Strategy is the only component which can give meaning to the actions we take and give force to the operations. In the absence of a strategy, attacks have only limited impact because they are non-exploitable. It is not enough, then, to have cursors ready to be sent into action (individuals mastering technology, targets to be aimed at), or a cyberarsenal (viruses, intrusion methods, concealment). We must also set higher-level objectives, include them in a comprehensive political system, and finally, write scenarios which can reach the objectives defined by the strategies. Therefore, in order to understand the current cyberattacks (the real ones, and the ones we invent), it is fundamentally important to focus on the strategy construction which may guide them, whilst avoiding focusing on the information that started the incident itself.

If strategy maintains its first place position, then for us it is, above all, an ability to anticipate, an action strategy, a proactive attitude and not a response strategy, a reaction strategy or a strategy for a total lack of reaction (is the “do nothing” approach possible? A question asked even by Martin Libicki in his recent major report Cyberdeterrence and Cyberwar published by the Rand Corporation in 2009) [LIB 09].

In a conflict context, what counts is not so much speed (even if the OODA loop principle is still effective) or the capacity to anticipate one action before another, even when combined with significant striking power (strategic surprise is not a guarantee of victory), as the capacity to see thoroughly and build a strategy which can ensure success.

The concepts of combination and complementarity are essential here. There can be no strategic surprise without complex combinations, and no useful and effective cybernetic attack without operations accompanying it in other dimensions:

– if information warfare and cyberwar can disrupt the use of force, they do not substitute it;

– information warfare and cyberwar are not exclusive of the other dimensions of conflict;

– further still, actions led in cyberspace are not enough alone to produce important effects on the real world. When China manages a situation of crisis in cyberspace, it uses combinations of abilities and methods. When it manages the cybernetic and information dimension of the crisis, then it is done by a combination with the other dimensions;

– the methods must be combined together, but the elements within each combination must also be combined;

– cyberwar is already the art of combination: we must act simultaneously on its three dimensions (physical, syntactical and semantic);

– the difficulty that strategy is confronted with however remains as the assessment of the impact of using these combinations, of the influence between these dimensions, and the definition of the best combinations to reach a given objective.

Do we dare say that we are still in a period of observation, of testing (scale test), and of learning in this field?

All the problems related to aggressive operations lie in the ability to make information “powerful”, so that it has an immediately usable “impact”; the information’s power will come from the target choice, from the ways of using this information (or data), and from the most effective combination that we can set in motion (information, cybernetic and other dimensions). The speed with which the operations are carried out will also be a primary factor. The attacks must not only be directed towards systems.

Information warfare and cyberwar are not part of cybercriminality, both in terms of their motivation and nature.

But, information warfare and cyberwar are “wars” which are not really wars. They are not self-controlled; they are built into a strategy, and the characteristics of their manifestation seem to forbid descriptions such as “act of war” at the current time.

Inaccuracy (outlines, borders), uncertainty (origin of the attacks, possibilities, impacts, effects of the combinations, interactions, controlling abilities), fog (too much information, lack of visibility), lack of a fixed situation (the space will evolve), impossibilities (of defense, imputability, recourse), persistent doubt, suspicions, and invisibility of the enemy all characterize the negative aspect of information and cybernetic space.

These “negative” characteristics (or positive, depending on the point of view: attacker or attacked?) are at the source of the sentiment of risk expressed by those connected with the information and cybernetic dimension. This perception has a major impact on our action. This risk forces us to engage in methods of resisting the psychological pressure that forms the cybernetic attacks, whether real or potential. If investing in cyberspace security guarantees no protection against this risk, then not investing will guarantee exposure to this risk. Therefore, Western developed countries who are dependent on their information environment are engaged in a sort of head-on race.

The set of uncertainties, inaccuracies and impossibilities to be defined and controlled opens the channel up to representations, to building a reality whose somewhat fictional, stereotyped character is, perhaps, not without its consequences on the representation that the actors themselves have of security and defense, and therefore on the very methods of conflict in progress or to come. Thus, we are handing the weak the power to fight the powerful (cyberspace as a tool for justice, the hacktivist as the sworn enemy of political and social injustice), to break through the protective walls of security (getting through firewalls, breaking down the Pentagon’s or the NSA’s software barriers), we are granting technology with a power which is harmful for society (if the technological systems fall, the society model which depends on it will collapse, as technology can conflict with citizen rights) and to those who use it, we are giving them disreputable intentions (wanting to attack, wanting to spy, wanting to destabilize). In this context of representation, generating the image of the enemy is also a key element of the cyberwar/information warfare problem. The technique tells us that it is difficult, if not impossible, to impute a cyberattack with certainty. We also know that the ability to use lines of code does not make an actor (whether this is an individual or a State) a criminal or a belligerent. The mere ability is not proof. And so, today, putting a face and name to these attackers hidden away in the shadows is a challenge. This is, then, left to the imagination, to interpretation, to construction, to hypothesis. These things will perhaps coincide exactly with the reality of it all. But, then again, perhaps not.

So who is the aggressor? There is no state-governed enemy so long as no State recognizes an attack. There is no possible enemy so long as we cannot impute with certainty, and above all, there is no enemy if the operation is only a matter of criminality. But this argument opens up the door to paranoia. Recognizing that there is no particular enemy is a bit like admitting that they are potentially everywhere. It is also a bit like admitting that the enemy is inside our own speakers. This is a slippery road which we will not go down here. However, the methods of discrimination allow us to classify real and potential problems, to limit the range of our own adversaries, competitors, potential enemies, that we do not, perhaps, share with our neighbors or allies.

Faced with all the uncertainties and impossibilities, we will also question the effectiveness of a security approach such as the “fortress” type or the “Maginot line”, conditioned by a relatively dichotomous vision of the environment (targets and aggressors, good and evil) which clearly lends itself badly to information environments which are relatively fuzzy, to the permeability of systems, especially as “skirting” is a major art of attack in this dimension.

Finally, let us remember that man is (re)placed in the center of the technological structure that is the cybernetic dimension, and of course, the information dimension in its entirety:

– conflicts, crises and confrontations make individuals act, target individuals and societies. Information space and cyberspace are a place for expression, for conflicts to play out, a channel for action, but man comes in and out of the system;

– the human being is the arm, the brain, and the target of these wars (of information and cybernetic wars);

– information and cybernetic weapons are not satisfied with disrupting the technical systems, and are not confined to disturbances in the electromagnetic spectrum;

– the human brain is the target which suffers, as much as the technical systems, Denial of Service attacks, and saturation due to too much information, remaining as one of the main difficulties in situations of risk;

– information warfare and cyberwar are instruments of power: strengthening or weakening human power to the benefit or detriment of other humans.

Using information warfare or cyberwar is equivalent to displaying a will for power. We must think about their usage according to concepts such as power, influence, and strategy, which our model of society has at its disposal for defending its fundamental values. But what power do these methods of war really impart?

It is not a question of absolute or total power. Computer attacks alone probably have more of a power to harm, to disrupt, to influence than massive, decisive, irreversible destruction. The adversary’s power is also born out of our own weaknesses that he will research and exploit, without looking to impose any spectacular “cyberarsenal”: the attacker tries to exploit his target’s weaknesses, to work on his flaws, his software and hardware, his human, psychological, strategic, tactical and political failures. The weakness may still be due to a lack of knowledge of his own environment and context. In the relationship between belligerents, it is the other’s weakness which must be sought out, and not our own power.

Control over information space and cyberspace necessarily includes control over the building blocks which construct its base system. Europe must take the intervening measures in order to try to deal with technologies, standards and infrastructures. Consider China as a model in this field: it is trying to develop its own Internet, and to ensure control over it in the pursuit of its own interests (that we will not discuss here), and is striving to free itself from the grips of international standards by creating its IPv9, or achieving autonomy in the production of its own operating systems. This does not mean building a citadel which is cut off from the world and impenetrable, but rather managing its own environment better, freeing itself from the hold that others may have over its mentalities, on our model of society. Our weaknesses might also be born out of our insufficient use of the capacities of information space and cyberspace on an international scale, to the benefit of the defense of our fundamental values.

Bibliography

[LIB 09] LIBICKI M., Cyberdeterrence and Cyberwar, www.rand.org/pubs/monographs/2009/RAND_MG877.pdf, Rand Corporation, Santa Monica, USA, 2009.


1 Conclusion written by Daniel VENTRE.
