Since the 1980s, we have seen several successive computer cycles: the first was that of personal computers, in the 1980s. Then came the Internet, during the 1990s. It was then the age of social networks and Web 2.0 in the 2000s. Today we are facing a fourth cycle, that of digital transformation (DT), which is shaking our societies, especially the economic world, more violently. One could of course designate all this massive computer world of “cyberspace”.
These different cycles had their correspondent in the strategic field. It was the network-centric warfare, it was then the cyberdefence / cybersecurity couple. The current DT will also create a particular strategic incarnation. Let’s try to find out which
I. Network-centric warfare
We are finally not very far from the digitization of the battle space and the networked warfare. The rise of computing has given rise to strategic concerns very early on.
Far back in the early 1960s, the United States founded the DARPA to cope with Soviet efforts in calculating what was then called cybernetics: this fact deserves to be remembered when we know the role played by DARPA in the invention of the Internet. This concern was later transformed by a Zbigniew Brezinski who, as early as 1975, was talking about the Technetronic Revolution (then for him computer power is considered the means of victory over Soviet power). More recently, we must plunge back into the debates of the 1990s on the Revolution in military affairs (RMA): it was at that time to take into account the effect of personal computers but also mass networking.
All these debates illustrate a single perception: the use of the computer power provides new means to the armies. IT is only seen as a tool, a power multiplier. It applies to both weapons and staff.
The networking of staff, the boarding of computers in weapons will cause an increase in effectiveness. We are now talking about weapon systems, command systems. And it is true that efficiency is achieved: observe the accuracy of missiles or the capabilities of a modern fighter… Now, a plane is no longer a bomb carrier, it is a computer that flies and that transports computers that explode on their previously identified and designated targets by other networked computers.
This embedded computing is therefore the natural target of cyber attackers. We could only take shelter in the face of a falling bomb, now, one can imagine sending him a malicious code that gave false information will deflect the projectile from its trajectory.
But it is in terms of command that the evolution is clearest. The Anglo-Saxons use the term Command and Control to designate it, simplified in C2. During the 1990s, the computerization of the command function led to the building of a C4, then C4I, then C4ISR then C4ISTAR and then… I do not know anymore. Let’s go back to our C4 (the ISR function is specific to intelligence): it is not only Command, Control but also Communication and Computer. The command function has been automated through networked computing. It was, remember, to dispel the fog of war but also to accelerate the OODA loop. The method was able to give results (think of the two Gulf Wars) without persuading that it was enough to win a war (think of Afghanistan and Iraq).
Basically, this network war is a very utilitarian and very “top-down” war. All practitioners are aware that command-and-control networks are often used to feed up information and increase micro management by the higher command.
II. Size and inaccuracy of cyberspace
When we talked about cyberspace, it was a question of understanding and characterizing this distributed and networked computer science, but also of identifying its strategic characteristics. Little by little, we have forgotten the notion of cyberspace to switch to cyberdefence and cybersecurity. This shift occurred during the 2010 decade.
The first cases of cyber aggression dates back to the 1980s (Cuckoo’s egg in 1986, Morris Worm in 1988). With more systematic attacks (first denial of service attack in 1995, first known attack against the DOD in 1998, first “international” affair with Moonlight Maze in 1998), the strategy takes hold of the phenomenon. It joins the debate of the time on the Revolution in Military Affairs which evokes the network-centric warfare. Arquilla and Ronfeldt merge the two approaches and announce in 1997 that “Cyberwar is coming”.
These questions infuse during the 2000s. The creation of a cybercommand (2009), the Stuxnet case in 2010, Snowden’s revelations about the NSA (2013) show that the United States is very advanced on the subject. In France, from the 2008 White Paper, cyber is identified as a new strategic factor, an approach highlighted even more in the 2013 White paper. NATO seizes the subject following the aggression against Estonia, commonly attributed to Russia, although almost always in cyber, the evidence is lacking (2007). Of interest, cyber is on the scale of threats. From now on, cyber aggression could, if need be, bring about the implementation of Article 5 of the Washington Treaty. The Allies even agree to define cyber as “a fighting domain of operations”, just like other physical environments. Without going into conceptual debates about the correctness of this assimilation, let us note that this globalizing approach stuffs everything that is computer into a cyber pot.
Is it so simple?
It must indeed be noted that the notion of cyber has evolved. Other prefixes and adjectives have succeeded him: electronic (e-reputation, e-commerce), Internet or simply digital. This semantic evolution causes a cantonment of cyber in the field of security, defense, strategy. Our colloquium is a cybersecurity conference, the Lille Forum is an International Cybersecurity Forum, the US Command is a Cybercommand.
Basically, if ten years ago there was fear of the lack of awareness of the danger of cyberspace, it must be noted that finally the transplant took and the cyber precisely designates the protection function that surrounds the computer activities of all nature. From now on, when we talk about cyber, we talk about the conflict associated with cyberspace, whether it’s about crime or defense: on the one hand, we have the characteristics of protection and defense proper, on the other aggression characteristics, typically espionage, sabotage and subversion. This activity is practiced in the three layers of cyberspace (physical, logical, semantic).
For simplicity, cyber is now dealing with the fight using computers to achieve their ends. Networks and computers are the means of various weapons (worms, viruses, Trojan horses, DDOS, fakes, hoaxes…) to reach the opposing device and neutralize it, corrupt it, destroy it, lure it.
Cyber defense is primarily a matter of network protection (cybersecurity). It carries other classic functions, more aggressive (monitor, influence, sabotage). It relies on the control of networks, data and flows, which often requires a quota of these and restrictions on use, whether it is computer hygiene or more secure devices, hardened depending on the information manipulated. In other words, cybersecurity tends to restrict usage.
III. What is new in the digital transformation?
So we are in the presence of two ways to use computers. On the one hand, IT is seen as a tool. We will digitize existing processes but respect the intrinsic logic that existed before, that of the hierarchy. On the other hand, we see IT as a tool that can attack other similar tools and thus reduce the efficiency sought in the first place.
Is the new computer revolution we are experiencing radically changing things? why and how?
To answer it, let’s try to characterize it. We can of course mention the new tools and focus on the technical angle: from cloud computing to blockchain, from big data to artificial intelligence, we are witnessing a kind of speed race that constitutes a new computer revolution. This is based on a multiplication of data flows and exchanges, and thus a liberation of uses, in private companies as well as in public organizations. However, this technological approach does not seem to us the most relevant. It is better to watch the actors.
DT is based on ultra mobility, attention to users, decentralized uses, agile product development methods. Whereas until now the system was the actor, now the individual is at the center of the system. It consumes and produces data in ever greater numbers. Its behavior and uses change accordingly. Its local decisions gain importance and permanently affect the functioning of the system. It now has a lot more initiative and skill. It is immersed in an increasingly computerized environment, with sensors multiplied and integrated into complex processes, which considerably reduces the data input, increases their reliability and allows better use of their increasing number. Basically, quantity makes quality.
This primacy of the individual causes a radical transformation of professional relationships. The leader is no longer the one who distributes the tasks, but the one who maintains the meaning and direction of the action of the group, the latter being able to better self-regulate thanks to the tools. Basically, while the previous logic was top down, the new one is structurally bottom up.
It is not a question of a dispossession of the prerogatives of the top. On the contrary, since the low is gaining in competence and autonomy and at the same time it provides much more reliable and considerably more data, the top can devote itself to more complex tasks, especially since it benefits even new tools of the computer revolution: Big Data and Artificial Intelligence are globally made possible thanks to the data volumes but also to the ever increasing power of computers.
Basically, the computer revolution is not going to transform social and hierarchical relationships. It is in this sense that the big companies started their own reform and the armies follow suit.
Bey ond this ultra mobility, the underlying issue is that of data, whose already huge number will grow in unsuspected proportions, whether by new uses or the Internet of Things. Data is the energy of the 21st century, the source of wealth and power of tomorrow. Each new energy has caused a strategic transformation: the steam has caused the railroad and a wider logistics; gasoline has given rise to the mechanization of forces and the tank-plane combination; nuclear power has given rise to deterrence whose strategic effect is well established. The data will trigger a strategic transformation of the same magnitude.
But what are the consequences on our two previous computer cycles?
That of the C4 will undoubtedly give way to greater decentralization and therefore a new mode of command and control. But it will benefit from the advanced computing tools of Big Data and AI, and access to ever more data sources, those of its own systems as those of open systems.
That of the cyber poses the question of the attack defense: in other words, the old dialectic of the ball and the cuirass. It is likely that this dialectic will persist. Note, however, that the ball and the armor agree on the same goal: to pierce (or protect) a fortress that houses within it a treasure (the city, the dungeon, the secret of state, nuclear codes).
Is this logic relevant? Should we always protect “the data” (or the network)? Should we not think about the defense of a use, a mobility? think not of perimeter defense or defense in depth (which are the major cybersecurity systems) but a mobile defense based on fugacity? Here are the strategic issues that will open up and that will spark a fruitful dialogue between strategists and technicians. This debate is open…
Olivier Kempf is a strategist specialised on cyber for a decade. Member fo the scientific panel of “Forum International de Cybersécurité” of Lille, he holds a PhD in Political Siences and directs the collection “Cyberstratégie” of the Economica edition house. He is the editor of the strategic intelligence newsletter La Vigie (http://www.lettrevigie.com).