Contemporary Cyber-Douhets proselytize a doctrine of cybersecurity independence. They claim that current and coming crops of large, expensive cybersecurity programs will tame a hostile cyberspace. As with Douhet and Mitchell, history is likely to be unkind to these cyber-pundits. Unfortunately, bursting this bubble of misplaced expectations will require an extended, painful and costly process. From this, however, it is likely that an integrated and effective cybersecurity doctrine will emerge.
The Vision of Air Power
Giulio Douhet was a visionary. Born in 1869, Douhet began a tumultuous career in the Italian Army in 1882. While serving on the General Staff shortly after the turn of the century, he became an air power evangelist, advocating for the creation of a separate air arm commanded by aviators. Appalled by the Italian Army’s shocking reverses at the start of the First World War, Douhet publicly criticized military leadership and demanded an air power solution. In 1921, Douhet was promoted to general and published his seminal work on aerial warfare, The Command of the Air.
The Command of the Air argued that air power was revolutionary, rendering conventional armies superfluous. Forces on the ground would be overflown and population centers, military installations and government centers would be attacked with impunity. As a result, industry, the transportation and communications infrastructure, government and the “will of the people” would be disrupted and the war won through the aviators’ efforts.
Douhet’s American contemporary, Billy Mitchell, was also a visionary. Like Douhet, the First World War left Mitchell with a belief that air power would dominate warfare, and that strategic bombardment would become the nation’s primary threat. Mitchell was vocal about his views on air power, and vociferously attacked both the Navy and the War Department for having myopic views on the employment of aerial assets. In 1924, influenced by Douhet, Mitchell published his own book on the subject, Winged Defense.
Less than 20 years later, the vision of irresistible and dominating strategic airpower shared by Douhet and Mitchell was weighed and found wanting. Between 1939 and 1945, American and British bombers dropped almost 1.6 million tons of bombs on Germany. 914,637 tons were dropped in 1944 alone. Despite this, 1944 was the year that the German economy peaked in terms of military production. Independent the Allied air forces might have been, but strategically decisive they were not.
In contrast, the effectiveness of tactical air power, in which air forces were integrated and operated in direct support of ground operations, was far greater. The German air force, the Luftwaffe, shattered Polish forces in 1939 when German ground forces were often fought to a standstill. Similarly, the XIX Tactical Air Command, integrated with and in support of General Patton’s Third Army, damaged or destroyed 24,634 ground targets in a single month (April 1945).
This pattern was to repeat in subsequent wars. The American experience in Vietnam reinforced the shortcomings of air power acting independently, demonstrating that strategic bombing is often ineffective even when conducted by modern air forces against weak foes. In contrast, during operation Linebacker I in the spring of 1972, US Navy and Air Force aircraft were seminal in the defeat of a massive, conventional North Vietnamese offensive. US air power destroyed North Vietnamese units and effectively interdicted their supply lines, resulting in the North’s decisive defeat.
Since Vietnam, air power integrated with land and sea operations has been extraordinarily effective in conflicts ranging from Grenada to the Balkans, both Gulf Wars and Afghanistan. In fact, the only conflict in recent history where air power seems less than completely effective is the ongoing campaign against the Islamic State of Iraq and Syria (ISIS). The distinction? The ISIS campaign is being conducted by air forces alone, and not by an integrated combat team.
While Douhet’s vision has been mooted by the realities of the physical battlespace, it has been resurrected in cyberspace with a de facto doctrine that separates cybersecurity operations from an organization’s business activities. This doctrine, referred to here as “Big Cyber,” is marked by several characteristics, including:
- The establishment of discrete agencies or business units with exclusive responsibility for the cybersecurity of the larger community to which they belong;
- Centralized funding, planning and execution of cybersecurity activities that occur parallel to business activities;
- Minimal or no declarative authority with respect to the cybersecurity posture of the larger community; and
- A mandate placing great emphasis on the perimetric security of existing vulnerable systems with little emphasis on the development of secure, resilient systems.
Funding lines reflect the dominance of Big Cyber. In fiscal year (FY) 2014, US Cyber Command’s budget increased to $447 million, more than double FY 2013’s $191 million. At the same time, the Department of Homeland Security (DHS) cybersecurity operations budget was increased by $35.5 million to a total of $792 million. Security budgets at companies with more than $100 million in revenues increased by an average of five percent in 2014, while in the healthcare sector cybersecurity spending rocketed by almost 67 percent.
Perhaps more important than the total amount of funding is how the funds are allocated. The number of personnel allocated to security organizations is growing. The US Department of Defense (DoD) initially forecast a need for 6,200 additional personnel to support its cyber mission. Now, DoD anticipates an even greater requirement. Plans for additional personnel in both the public and private sectors are, almost uniformly, to assign them to dedicated cyber organizations, and not to business units in direct support of the larger organization’s business goals. Even more telling is the nature of the acquisition programs being funded. With rare exception, in both the public and private sectors, they focus on developing monolithic, centralized security mechanisms. While these programs may generate significant new capabilities, there is often no requirement for their adoption by operating or business units.
Put another way, organizations exist to pursue their business activities. Finance companies exist to profit by managing money. Pharmaceutical companies exist to profit through the development and sale of drugs. The military exists to successfully engage, defeat and destroy the enemy in defense of national interests. The careful reader will note that none of these descriptions used the word “cybersecurity.” That’s because cybersecurity is a support function intended to enable the primary business activity. When cybersecurity is perceived as an imposition or an external mandate competing with organizational business goals, it will be summarily discarded and the organization will remain vulnerable.
The Coming Collapse, and Why It’s a Good Thing
Because of this, it can confidently be predicted that Big Cyber will remain ineffective in mitigating the risks inherent to a hostile cyberspace and that it will inevitably collapse under its own weight.
Other than the significant waste of resources, that’s not entirely a bad thing. As with air power, the collective understanding of cybersecurity is constantly evolving. An understanding of air power’s evolution allows for the development of a “theory of historical enabler integration.” Under this theory, an operational enabler’s effectiveness is proportional to the degree to which it is integrated with the organization’s business activities over time.
The Second World War tested (at great expense) and disproved Douhet’s theory of an independent air arm that could determine the course a conflict in its own right. At the same time, air power embarked upon tighter integration with maneuver forces and, in that role, became increasingly effective. The development of small, inexpensive armed drones that can be deployed at the tactical level and operated by junior personnel to provide organic air support is simply the latest instance of “historical enabler integration.”
Big Cyber is today where air power was in 1943. Huge and heroic efforts are being made to bring about operational cybersecurity through the use of independent solutions that operate in parallel to business activities. It’s likely that over time, empirical operational data will dictate that cybersecurity personnel and capabilities become more tightly integrated with the business activities they are intended to protect. Cybersecurity solutions will be as prolific and as effective as productivity software is today. And cyber knowledge and expertise will be as common as the knowledge required to configure a smart phone.
Big Cyber, like Douhet’s views captured in The Command of the Air, should be applauded as a necessary phase in the development of an effective, integrated solution. And, as with The Command of the Air, its discrediting and collapse will be cause for celebration.