The US military named cyberspace a military domain and spawned endless repetitive conferences trying to fit cyberspace into concepts tied to the air, land, sea, and even nuclear domains. The domain designation is useful for parsing the bureaucratic lines of authority among military services. It also makes for more accustomed objectives if our military seeks to ‘dominate’ the enemies in the cyber ‘domain’. But cyberspace is a man-made, increasingly ubiquitous substrate, not a fourth or fifth domain offering some kind of boundary of action, knowledge, operational effect, or conflict.
The domain term is too narrow for the largescale, complex shared system we will really have to understand to achieve some measure of acceptable national security in the years to come. As it stands today, the global web intrudes into, connects at long range, and induces behaviors that transcend boundaries of land, sea, air, institution, nation, and medium. Computer networks will always be involved somewhere across all the domains. The importance of cyberspace in conflict is not whether computer networks are involved as a separate domain, but where, how, and to what significance for the outcomes.
Cyber war is also too narrow a term for the security of nation-states given today’s global digital system. Just as cyberspace is a substrate not bound nicely into a domain, conflict in an emerging globally connected age is more than hostilities kept within the domain’s digital limits. A ‘cyber war’ might stay within those computer networks, but a conflict of automatic national significance will not so nicely constrain itself. A cybered system is more than its cyber underpinning.
Cybered conflict is the better name for the national security dilemma today. Any given conflict can involve all sorts of systems of people, things, processes, and perceptions that are computer-related but not necessarily purely computerized. Phishing can be an attack even if it simply sends information to bad actors through the foolishness of the email recipient. The purely cyber portion could constitute a preparatory phase, a main avenue of attack, central campaign element, a largescale deception and espionage operation, an episodic enabler, a foregone set of activities, or all of these at different times in a long term cybered conflict.
At the end of the day, a ‘cybered’ conflict is any conflict of national significance in which success or failure for major participants is critically dependent on computerized key activities along the path of events. As long as the global web remains as open as it is today, human conflicts across largescale complex, digitally connected systems will be cybered at key junctures in streams of joined outcomes. Surprise will be a common feature, as will episodic scrambles to recover from cascading disasters that were intentionally or unintentionally sparked and sustained.
In a cybered conflict, many key activities occur only partly purely inside networks. Large sections of what matters overlap with traditional notions of harm, attack, and uniformed operations. The internationally accepted rules of war have trouble in application to cyber war but with a broader notion of conflict, these rules would find more resonance with much of what happens to the overall system before and during a conflict. Other well known forms of struggle such as hybrid warfare, asymmetric conflicts, and counter-terrorism campaigns are also cybered conflicts to the extent that key events depend on the cyberspace substrate for completion.
For national security, recognizing the cybered character of conflicts enables societal focus on developing national abilities to both hit and heal in equal measure to the significance of hostilities. Cybered power for a nation does not rest uniquely on the ability to dominate activities in a cyber war. Rather it is measured in the nation’s ability to disrupt likely and ongoing cybered surprises while equally to be resilient to those surprises that make it into the nation’s systems anyway using the cyberspace substrate in novel ways.
In matching the dual-use nature of cyberspace to help or harm by a dual-robustness in responses, cybered power is not dependent on having computer science skills in direct measure to that of an attacker. The allocation of cybered power will not automatically follow the same distribution of weapons, ability to hide, or recruit across hostile actors. Non–state actors could conceivably have as much cyber skill as the defending state actors, or more. But they may be resilient only so long as they are not personally identified or located for disruptive counterstrikes of some, possibly non-computerized method. If one cannot find the attacker using cybered combinations of events, a state with a great deal of cybered power compensates with extra effort into resilience. The nation sustaining the dual aspects of cybered power is then able to frustrate the attackers and roll through any successes to provide slack while identities of attackers are sought and actors located again and again over time.
Finally, using cybered conflict as the general term for national security struggles in the emerging age has one other great benefit. This characterization allows experts in security policy and information technology alike to see the security dilemma of largescale complex societal –technical systems jointly. The systemic nature of threats forces each community to link to other areas of expertise to address the ubiquity of cyberspace, its unprecedented intrusions, and tough dual-use nature. In the developing age of cybered conflict, national power depends on how all the skills sets work together against nasty surprises that travel far beyond the underlying cyber networks.
Chris Demchak is an Associate Professor at the US Naval War College and at the University of Arizona. The views expressed are her own and do not reflect those of the Navy or the U.S. government. This article is the first in a series titled Cybered Conflict.