Author Q&A: In modern cyberwarfare ‘information security’ is one in the same with ‘national security’

By Byron V. Acohido

What exactly constitutes cyberwarfare?

The answer is not easy to pin down. On one hand, one could argue that cyber criminals are waging an increasingly debilitating economic war on consumers and businesses in the form of account hijacking, fraud, and extortion. Meanwhile, nation-states — the superpowers and second-tier nations alike — are hotly pursuing strategic advantage by stealing intellectual property, hacking into industrial controls, and dispersing political propaganda at an unheard-of scale.

Related: Experts react to Biden’s cybersecurity executive order

Now comes a book by John Arquilla, titled Bitskrieg: The New Challenge of Cyberwarfare, that lays out who’s doing what, and why, in terms of malicious use of digital resources connected over the Internet. Arquilla is a distinguished professor of defense analysis at the United States Naval Postgraduate School. He coined the term ‘cyberwar,’ along with David Ronfeldt, over 20 years ago and is a leading expert on the threats posed by cyber technologies to national security.

Bitskrieg gives substance to, and connects the dots between, a couple of assertions that have become axiomatic:

•Military might no longer has primacy. It used to be the biggest, loudest weapons prevailed and prosperous nations waged military campaigns to achieve physically measurable gains. Today, tactical cyber strikes can come from a variety of operatives – and they may have mixed motives, only one of which happens to be helping a nation-state achieve a geo-political objective.

•Information is weaponizable. This is truer today than ever before. Arquilla references nuanced milestones from World War II to make this point – and get you thinking. For instance, he points out how John Steinbeck used a work of fiction to help stir the resistance movement across Europe.

Steinbeck’s imaginative novel, The Moon is Down, evocatively portrayed how ordinary Norwegians took extraordinary measures to disrupt Nazi occupation. This reference got me thinking about how Donald Trump used social media to stir the Jan. 6 insurrection in our nation’s capital.

The big question is: What can – and should — we do about the current situation? There is no easy answer, of course. However, Arquilla comprehensively lays out the key components that somehow will have to blossom and converge — if we have any hope of maintaining economic and geo-political stability in the decades to come. These include stronger encryption, much more efficacious cloud security and some type of behavior-based cyber arms control agreement.

The first two of these are well on their way, based on cybersecurity innovations I had the chance to  closely inspect at RSA Conference 2021 and Black Hat USA 2021. Arquilla’s book is a good starting point for discussions to commence, in earnest, on the third component: a cyber arms control pact.

Here are excerpts of an exchange Last Watchdog had with Arquilla about his new book, edited for clarity and length:

LW: Why do we need to radically rethink cyber affairs – from top to bottom?

Arquilla: Rethinking is necessary – redirection, too – because neither market mechanisms nor government policy have addressed the key security issues.  For decades, consumers have not demanded secure IT products.  Over these same decades, mass publics on both the Right and Left, fearing invasions of privacy, have hamstrung government efforts to improve cybersecurity via regulated standards.  Thus, millions of people are made unwitting conscripts in hacker zombie armies, commercial enterprises hemorrhage out critically important intellectual property, and even intelligence and military organizations find themselves penetrated.

LW: To what extent has the Biden Administration grabbed the bull by its horns?


Arquilla: President Biden’s executive order on cybersecurity, signed in May, is a thoughtful first step.  I am most impressed with his emphasis on making sure that systems are “fully functional with cloud-computing.”  This is an important point, though not an end in itself.  The Cloud is just someone else’s computer; so, in Bitskrieg, I make a point about the need for data mobility.  Keep info moving around in the Cloud – and keep it strongly encrypted.

Another key point in Biden’s approach calls for giving close attention to supply-chain security – a major undertaking, given how much software is crafted offshore under conditions about which we know little and exercise virtually no control.

But perhaps the most important evidence of Biden’s cyber awareness is his recent statement that “if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach.”  Given that an assassination in Sarajevo sparked World War I, Biden’s notion is hardly far-fetched.  What happens in cyberspace is ever more likely to have effects in the “real world.”

LW: What do we need to learn from the SolarWinds breach?

Arquilla: SolarWinds is a classic Trojan Horse story.  The very system designed to enhance security was covertly exploited to undermine security and penetrate commercial and governmental systems, widely and deeply.  The most troubling aspect of this sort of intrusion, as I discuss in the book, is that, even though it was apparently just a cyber spying endeavor, the means of ingress were observationally equivalent to what would be done in launching a ‘mass disruptive’ cyber attack.  And in this instance, much careful attention has to be paid to the forensic investigation, to determine whether sleeper malware, capable of later acts of what I call ‘cybotage’ have been left in place.

LW: What does Colonial Pipeline tell us about ransomware, BEC scams and the general state of  enterprise exposure?

Arquilla: What concerns me most about the Colonial Pipeline incident is less the brief disruption itself and more the discourse about what to do.  Aside from the debates about whether to pay ransoms, there is a lot of heated rhetoric about retaliation.  My take is that the answer to both these debates is to focus on improving cyber defenses.  First, key information simply needs to be backed up and cached in the Cloud.  Second, the idea of retaliating has to be tempered by the knowledge that the US has the most open, richest set of cyber targets in the world.  We should hardly be eager to get into cyber-sniping when we are likely to suffer most.  Let’s tend to our defenses.

LW: Are you mostly optimistic, or guarded, about technology coming to the rescue?

Arquilla: We could make cybersecurity a lot better, quickly, with the ubiquitous use of strong encryption coupled with data mobility via the Cloud – and perhaps its cousin, the Fog.  All that’s stopping this are old habits of mind about how to secure cyber systems.  But I am greatly heartened to see that crypto and the Cloud are really gaining traction, commercially and in government and the military.

LW: Why do you assert that some form of cyber arms pact is a must?

Arquilla: Virtually all of IT is dual use.  That is, it can be used for commercial or conflictual purposes.  Computing power can make businesses more profitable and governments more streamlined.  But it can also form the basis for a new era of ‘weapons-of-mass-disruption.’ Now is the time to think about forging agreements about how we will moderate the urge to weaponize IT.  And these will have to be based on behavior rather than bean counting of tech arsenals.  Much as the Biological and Chemical Weapons Conventions are behavior-based, in which many countries capable of crafting such capabilities willingly agree to forgo them.  Something like this can be done with cyber weaponry.

LW: How far in the future is such a pact?

Arquilla: We could have had a cyber arms control agreement 25 years ago.  That was when I was part of the American delegation that met with Russian cyber experts.  The Russians were keen on comprehensive, behavior-based cyber arms control.  I agreed with them.  But when I pushed for such an approach, my masters in the Pentagon scoffed, saying that the Russians only wanted to do this because we were so far ahead of them.  My response: “They’ll catch up soon.”  Guess what?  They did.  And even surpassed us.  I devote a chapter to this subject in Bitskrieg. 

Today the prospects for reaching such agreement are still good.  But Washington has to want to see such controls imposed on cyber.  And when I say Washington, I mean civil government, the military, and the intelligence community.  Still a tall order.

LW: What’s a plausible scenario for how such a pact might come about?

Arquilla: Well, when they met, Presidents Biden and Putin discussed the possibility of a  behavior-based cyber arms agreement.  And in 2015 President Obama raised the issue with President Xi.  If the world’s current “Big Three” got on board with this idea, most other countries would, too.  Maybe not North Korea.  And, as to nonstate hacker networks, they would have a far less permissive environment for mischief-making if no country were willing to host and shelter them

LW: Anything else?

Arquilla: We haven’t talked about AI.  To my mind, military applications of artificial intelligence will likely influence strategic affairs in the 21st Century as profoundly as the aircraft did in the 20th Century.  On land, at sea, and from cyberspace to outer space.  That said, there is an effort gaining traction at the United Nations to outlaw Lethal Autonomous Weapons Systems (LAWS).  I think this effort will falter, as have most efforts to eliminate weapons, from the longbow to nukes.  Better to think through how AI can be pursued and held to the same standards as humans are when it comes to the laws of war about not attacking civilians and exercising force proportionately. AI is seen primarily through a technical prism; it should be seen more through an ethical one.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone