We should not be surprised that, according to the New York Times, the Obama administration and military commanders considered “a cyberoffensive to disrupt and even disable the Qaddafi government’s air-defense system.” Indeed there are three key reasons why military leadership would be negligent if they did not ask about cyber options:
First, cyber capabilities are new, classified and uneven. Commanders (and their staffs and, more importantly, staff lawyers) are broadly unfamiliar with cyber capabilities and their effects. Whereas recreational hackers might look for a webpage to deface because they have a webpage defacement tool, this is not how the US military employs cyber capability. Commanders state their objectives and then their military staff determines what capabilities the military services or intelligence agencies might have developed or could develop in time. Since a particular cyber hammer might be useful only for an extremely particular, one-in-a-million kind of nail, a smart commander has to ask what is available or possible.
Second, cyber capabilities might provide a commander another means (along with UAVs or long-range missiles) to win the battle but not put his sailors, soldiers, airman or marines in harm’s way. If cyber capabilities could disable Libyan air defenses from afar (as we are told the Israelis may have done to the Syrians), then a military commander would be remiss if he did not investigate that possibility.
Third, military commanders according to the Geneva and Hague conventions must limit the number of civilian deaths. In many cases, such as in Libya, they may go further and limit the unnecessary killing of legitimate enemy combatants (either out of general humanity or for hearts-and-minds). If cyber capabilities could, as often promised, be precise enough to disable the Libyan air defenses without killing anyone, then a commander is obligated to consider them.
Accordingly, we should have been not just surprised but shocked if we’d heard that the US ruled out cyber capabilities without even considering them. Cyber capabilities are not nuclear weapons, usable only as a last resort. Most – especially those targeted at battlefield systems not connected to the Internet – are far more precise.
What is likely to get missed in the general discussion of this news item is that the word ‘NATO’ hardly appears in the New York Times story. The cyber capabilities discussed are US-only and would have likely have been conducted as a separate operation to support NATO but outside of its formal chain of command. This is an important point to remember if you hear someone calling for a “NATO offensive capability.” This already exists, but it lies within the national militaries, not in any collective NATO agency or unit.
In the end, the most important aspect of this story is not that the government officials and generals considered cyber capabilities but that they ultimately declined to use them. Few of these capabilities are the “Ferrari that you keep in the garage and only take out for the big race,” as an official puts it in the Times story.
This official chose the wrong Italian cars. More often than not, cyber capabilities are not nimble Ferraris but Fiats which may careen out of control if used to go too quickly or unwisely. The US apparently chose in 2003 not to use its cyber capabilities to freeze the bank accounts of Saddam Hussein, afraid the attacks might cascade – as we are told happened when the DoD attacked a jihadist website. According to the Washington Post, that operation “inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas.”
The United States is not rushing headlong to militarize cyberspace. It appears to be taking a measured approach, sometimes using cyber capabilities for limited gains, but also being very cautious. At some point, the US will use national capabilities directly as part of a military campaign. When this happens, it probably won’t be “a shot heard ‘round the world,” but a natural extension of using available military capabilities to be as (or more) effective with less bloodshed. Cyber warfare is a policy tool that may save domestic and foreign lives, and thus an option that any commander (regardless of service or nation) must consider in future wars.
Jason Healey is the director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.