The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

U.S. Memorial Day Thoughts on Cyber War


We've been hearing about "cyber war" for some time now. It has been held out as an existential threat by some people, been the topic of scores of books, and led to the establishment of military organizations in several countries, including the U.S. Cybercommand, China's Blue Army, in the UK, and more. The definition of "cyberwar" has been somewhat imprecise, in part because some people trying to define it don't necessarily understand the full range of whatever "cyber" actually encompasses. It is also the case that definitions that include some current activities might imply that we're at war, and that has political ramifications that might be unpleasant to confront. The range of activities often discussed — including snooping, theft, espionage, and DDOS — don't really seem on the same level as a tank blitz or nuclear attack. After all, would an inability to shop online for a week really be a form of battle damage?

Of course, our whole definition of "war" is itself a little muddled. We have the World Wars, certainly. But from a strictly U.S. perspective, consider the Korean and Vietnam conflicts — were those wars? Or the Gulf War, Bosnia and Herzegovina, Iraq, Afghanistan — was the U.S. at war? And is that what is going on with Libya? In one sense, yes, because in each we employed military forces against a defined enemy. But how many of those had a formal declaration of war? And none were really existential threats that required the entire U.S. to be involved. War, historically, has usually been an issue of whether a state continued to exist under its current rule or not, and sometimes whether a significant percentage of the current population continued to live or not; some wars resulted in all the adult males being killed or enslaved, or whole populations slaughtered.

Then there is the War on Drugs, the War on Poverty, and most recently, our War on Terror (among others). In these conflicts we don't actually have a nation-state as an enemy, but we do have some defined objective requiring concerted, forceful action. (Of course we also have silly, demeaning uses of the term, such as the inane "War on Christmas.")

This can all lead to a certain confusion of definitions and roles. Prior to 9/11/2001, terrorists on U.S. soil were criminals. Whether it was Timothy McVeigh, Ramzi Yousef, Eric Rudolph, Ali Abu Kamal, or the ELF, civilian law enforcement, civilian courts, and civilian prisons were the mechanisms involved. Since 9/11, we have a strong contingent claiming that terrorism is now solely a military matter, that military courts must be used, and civilian prisons are somehow insufficient (although supermax prisons have held worse mass murders and gang members for years). Why? Because we are in a "war on terror." Further, administrative rules and laws were passed to classify a particular class of terrorists as belonging under military jurisdiction as enemy combatants and heated political debate occurs around any aspect of how to deal with these individuals.

This essay is not an attempt to sort out all those issues: I'm going after something else, but I needed to illustrate these few points, first. Above, I noted that "war" is a somewhat fuzzy term, as are the definitions of who might wage it. Next, let's consider how we have been preparing to react to cyber incidents.

With the fuzziness about defining "war," and the shifting boundaries of whether it is something confronted by law enforcement or the military, it is not surprising that "cyber war" has not really been well-defined. What has happened over the last decade is that stories of potential "Cyber Pearl Harbors" have been presented to legislators, coupled with demonstrations of vulnerabilities, to justify a massive investment in the military cyber arena — but not so much our civilian law enforcement. It is simple to scare policy makers with tales that the country might be destroyed by evil hackers working for another country's military; cyber crime does not make for as compelling a picture. The result has been massive buildup in offensive military tools, intelligence support, and personnel training to support military missions.

But that buildup does little to help civilian companies under attack within U.S. borders by unknown parties. So, we now have civilian companies turning to DHS for help rather than the FBI or another law enforcement agency. But the responsibility of DHS is to secure the .gov systems, so they are now turning to the military (NSA) because they don't have the infrastructure or expertise they need for even that. We are thus well down a path to turn over the bulk of our law enforcement in cyber to the military, with the specter of terrorists and cyber war held out by those who benefit from this situation continuing to push us in that direction. Soon we will have so much infrastructure built up we will not be able to afford to go back. The Posse Comitatus Act of 1878 was intended to keep the military from becoming a national police force, but this will further erode what is left of that law. Many people reading this will say "So what?" because we're now safer against a cyberwar attack as a result of this buildup — aren't we?

But here comes the problem, and the main point of this essay. We have a history of our military and leaders preparing to fight the last war. They are preparing for an offense that is unlikely to come at us the way they have portrayed. They are building a Maginot Line for a frontal attack that any intelligent adversary will never attempt.

In fact, we're under attack NOW. And we're losing. We're losing billions of $$ worth of intellectual property per year to foreign intelligence services, foreign competitors, and criminals, and we have been for years. U.S. companies and taxpayers are effectively paying for the R&D that is supporting huge amounts of foreign development. And we are also seeing billions of $$ of value being bled from the economy in credit card fraud, bank fraud and other kinds of fraud, including counterfeit pharma and counterfeit electronics sales, with all that money going to buy houses, cars, and consumer goods for people in Eastern Europe, China, Russia, and so on — in non-US economies. (And not only victims in the U.S., but Canada, the UK and a number of other countries.) It is a war of economic attrition and it is one that the DOD is never going to be in a position to fight because it has no kinetic component, no uniformed foe, no base of operations, and no centralized command. Once again, we have been preparing for the last war, so we are losing the current one. Most of our leaders don't even seem to recognize that we are in one. If we fall, it will not be by the swift stroke of the sword, but by the death of a thousand cuts.

If we are to have any hope of surviving, we have to completely change the way we look at this situation. Every intrusion, theft, or fraud should be reported, investigated and prosecuted (when possible). It should be tallied and brought to public attention, at least in aggregate so we understand the magnitude of what is going on. Right now, too much is hushed up or written off because each incident is too small to follow up, but the combined weight is staggering; for years I've been calling it "being pecked to death by ducks" because no single duck is lethal, but millions are. By letting so many incidents go, we encourage more and fund the development of yet new crime We need to refocus ourselves with a massive law enforcement effort, with a weighting towards local response, filtering up to Federal, not a Federal response directing local response. All those billions being dumped into the Federal contractors for cyber weapons should be directed to cyber law enforcement and investigation, to development of forensic tools, and to raising awareness at the local level. Your average business and consumer is going to be much more likely to install patches to protect against criminal behavior if encouraged by local authorities than told by someone in DC to install patches against some robotic threat from overseas. And we should adopt a get-tough policy at the diplomatic level to start demanding that countries that harbor criminals see some pushback from us; the new Federal international strategy on cyberspace is a good start on this.

I have described it to some people this way: our traditional DOD is structured to protect our borders and keep enemies from crossing those borders, or even getting near them. They are very, very good at that. In fact, they're so good, they may even stop an enemy from crossing their own borders to get here! However, the enemy we're engaged with is already here — is installed on millions of our computers and has thus subverted millions of citizens throughout the country without their knowing it....including some of the military. It is like the movie "The Puppet Masters." This can't be fought by the DOD — they aren't equipped to train their weapons inward. It requires an entirely different approach, but unfortunately, our leadership doesn't understand this, and the loudest voices right now are those of the lobbyists and members of the military who stand to benefit most in the short term by continuing the status quo, and by those who don't understand the magnitude of the situation.

Concomitant with this, within the next decade I fear that we will start seeing more of our best and brightest students from the US going to universities in India, China and other countries the way those countries' students have been coming to the US for years; I'm not the only one predicting this. Why? In the US we are shuttering university programs, decreasing funding, and shrinking campuses across the country, and politicians are vilifying K-12 teachers as if they are somehow part of the problem instead of being part of the cure. Meanwhile, in India, Russia, China, Korea, Taiwan and the Middle East they are opening major new universities and hiring away faculty from the US, Australia, the UK and elsewhere to staff their research labs, paying them extraordinary salaries and benefits and giving them access to modern resources. Major corporations have already located labs near those places because of cheap labor and are helping to subsidize the growth of the universities as are the national governments so as to obtain trained help. Our national policy of booting new PhDs & MS graduates who aren't citizens, and restricting so many high-tech jobs to US nationals only means that we train the world's best, then send them back to their own compete with us. The Rising Above the Gathering Storm and Rising Above the Gathering Storm, Revisited: Rapidly Approaching Category 5 reports nailed this, but were largely ignored by policymakers and certainly by the general public. Not only are we indirectly funding other countries' ascendency via their largely unhindered theft of our intellectual property and fraud, we are accelerating it by strangling our own intellectual capital and increasing theirs.

Everyone in IT and beyond should understand — fundamentally — that this is a new form of competition, of warfare (if we are to use that term). It is competition of the mind. It is information warfare in a much more fundamental sense than using information in support of kinetic weapons. It is employing information resources in a vast strategic way, across industries and generations to shape the future of nations. We do not have enough people who are able to think strategically, with that long a view and an understanding of the issues to see the threats, to see the trends, and to see the hard choices necessary to take a safer path. We, as a people, do not have the patience. Unfortunately, some of our enemies do.

What inspired the above, in part, is that this is Memorial Day Weekend. Many people will celebrate it as a holiday with picnics or trips, watch the Indy 500, and break out the summer clothes.

But Monday is a special day in the U.S. to remember the many men and women who sacrificed their lives in the service of the country, while serving in uniform. Whether in declared war or standing guard, whether grizzled veteran or new recruit, whether defending the bridge at Concord in 1775, or on patrol in Kandahar in 2011, those who did not return home deserve special thought from those who are here to enjoy this weekend. They had husbands, wives, children, siblings, parents and friends who treasured them. On Memorial Day, we should all treasure their memories as well.

And perhaps that is the one good thing about "Cyber War" — by nature, it is unlikely to add to the list of those we should remember on Memorial Day who are not here with us.

One of the best ways to honor their memory is to remain vigilant, and that is why I wrote the above.


Posted by John S. Quarterman
on Saturday, May 28, 2011 at 09:52 PM

We spend billions on cyber wars and land wars in Asia while the U.S. Internet duopoly continues to destroy Internet freedom through regulatory capture. An FCC Commissioner votes for yet another merger and goes to work for the mergee. In little more than a decade we have gone from close to the top in Internet speed and uptake to somewhere around #28 and sliding. Yet we build Potemkin militarized villages in cyberspace while Rome burns.
The U.S. no longer has the natural resource advantage that long distinguished it and was widely misinterpreted as manifest destiny and American exceptionalism: China holds the rare earth and financial cards now. The U.S. can go the way of Philip II of Spain. When his Spanish Armada was destroyed by the Pirate Queen Elizabeth of England and weather he… built another. And eventually defaulted on Spain’s debt.
Or the U.S. can act like one of its former role models, the plucky little Netherlands which defied its Spanish Habsburg masters and built new economic models while building land out of sea.
This is the land of facebook and twitter, which have fomented revolutions in several countries this year. We can embrace openness and follow the path of that ur-blogger of paper social media, Ben Franklin, who said “Those who would give up Essential Liberty
to purchase a little Temporary Safety,
deserve neither Liberty nor Safety.” Or we can follow Philip II down the rathole of second-rateness.
If we want to win; if we want the world to win; we should stop wasting our wealth on our Armadas in Asia and spend it instead on our own health, education, and interconnectedness. Free speech, free press, free trade: free the Internet!

Posted by Jonathan E. F. Fulkerson
on Saturday, May 28, 2011 at 11:45 PM

Thank you for this thoughtful post, Dr. Spafford.

I concur: we must strive to elevate the public debate regarding the tradeoffs in security, privacy, convenience, and secrecy surrounding cyberattack, cyberdefense, and cyberexploitation inherent as we endeavor to build out the future of technology.

Recent events have brought about a unique post-9/11 opportunity for introspection.  Hopefully this moment will be an inflection point for the sort of sound, clear, candid strategic thinking that you’ve provided in this essay.  Averting a perpetual war-footing while remaining ever-vigilant is our duty as citizens—it truly is the best way we can honor the sacrifice of those we remember this weekend.

-Jonathan Fulkerson

Posted by Joe St Sauver
on Sunday, May 29, 2011 at 12:53 PM


Back in 2008, I did a talk entitled, “Cyber War, Cyber Terrorism and Cyber Espionage,” see
(or .pdf if you prefer).

One of my fundamental themes was, “Cyber war is not what you think it is,” and I continue to believe that’s true today. For example, cyber intrusions or defaced web sites or DDoS attacks are really not “cyber war.” There are some things that do qualify (in my opinion), but those aren’t them.

The things that can amount to cyberwarfare can be things you wouldn’t expect, such as:

—Spam: what a perfect low intensity persistent asymmetric attack mechanism, eh? Gradually crank up the heat until over 90% of the world’s email is cr*p, and filters have gotten so draconian that real mail gets lost, and use of a critical cyber tool is effectively denied to our country at virtually no out-of-pocket cost and no risk.

—Electromagnetic pulse attacks: if you want to talk about strategic cyber war, electromagnetic pulse is at the heart of any attack at that level. Fortunately we haven’t experienced an EMP attack to-date, but that’s the sort of attack that unquestionably would be “cyber war.” (If you’re interested, I have an invited Infragard talk on EMP available as well, see (or .pdf))

—I would also draw your attention to computer
assisted economic warfare, as analyzed in
“Economic Warfare: Risks and Responses” by
Kevin D. Freeman, see
Again, I would consider that to be an example
of cyberwar (even though most people have no
clue about what happened).

Anyhow, thanks for a thought provoking article,
and hope you have a nice Memorial Day holiday.


Joe St Sauver

Posted by Sandra
on Wednesday, June 1, 2011 at 08:02 AM

I have had countless numbers of my family serve in the military, and sadly lost a few over seas.  I was great full this year to finally be able to place some flowers on my grandpa’s grave.  Hope you had a great memorial day too!



Posted by Deb Van
on Monday, June 6, 2011 at 05:50 PM

Cyber war has always struck me as being a term of hyperbole. I don’t think one can compare it to actual wars we’ve had. At least there’s no carnage with a cyber war…...or is that just wishful thinking.

Posted by Jan Smith
on Sunday, June 12, 2011 at 05:57 PM

Cyber war is still in it’s infancy and is a fast-growing phenomenon. The idea of an electric-magnetic attack as described above by another commenter will catch many big businesses and government’s on the back foot but will be devastating when it happens. I say when and not if. I believe its just a matter of time.

Yes, there may be fewer dead bodies in our war cemeteries but there will be many more bodies fighting for survival and it may come back to ‘survival of the fittest’ and our enlightened world will fall back into the dark ages again.

To my way of thinking, Cyber-war also needs to include economic war and with so much hacking happening today, I believe this is a largely undetected and/or unacknowledged fact in today’s world already.

Posted by stubby holder
on Thursday, June 16, 2011 at 08:43 PM

Great composition Gene. For me, it is such a persuading article. I can sense the emotion of the author. The truthfulness, concern, frustration, and the hope to help not just himself but the whole country.

I was moved after reading this article. The government have overseen the subtle way of destroying their country - CYBER WAR! Now, I realized what patriotism has to do with the nation. Slowly but surely, the enemy patiently waits for their victory.

I’d like to share this to my students. Thank you for sharing, Gene. My prayers will go along with you.

Posted by top love songs
on Monday, June 20, 2011 at 12:24 PM

“But Monday is a special day in the U.S. to remember the many men and women who sacrificed their lives in the service of the country, while serving in uniform.” This was a great quote. I almost teared up while reading this. My grandpas were in the Korean War and Vietnam. It was crazy to hear some of their stories!

Posted by Tina
on Wednesday, June 22, 2011 at 12:55 AM

thanks for a thought provoking article,
and hope you have a nice Memorial Day holiday

Posted by Campus Explorer
on Sunday, June 26, 2011 at 12:40 AM

Thank you for this thoughtful post, Dr. Spafford.

Leave a comment

Commenting is not available in this section entry.