What are the similarities between tanks and cyberspace? What lessons can be identified and learned? When the British first used the tank in combat at Flers-Courcelette in April of 1916 and then more successfully at the Battle of Cambrai in November a year later, there was likely little further thought given to the larger implications of this new weapon system capability, beyond the hope and investment in the belief that the trinity of its firepower, protection and mobility would be decisive in breaking the stalemate of trench warfare.
Tanks did not tip the balance of World War I because they were produced in very small numbers and the few that made it to battlefield were slow, prone to break down, and carried undersized and inaccurate main guns. Commanders seemed unclear how to best utilize them.
By World War II, however, Guderian and others had recognized the tank’s devastating potential and utilized its trinity to deliver a decisive over-match through greatly improved firepower and mobility to enable lightening war, introduced as the radical new concept of Blitzkrieg, in which aircraft, tanks, and infantry each operated at their own best speed toward enemy emplacements. The subsequent staggering success fundamentally altered the execution of war for the German Army of the late 1930s and, furthermore, became the underlying doctrine for maneuver warfare through the Cold War and onward into this century.
Allied commanders were slow to catch on to the tank’s potential and this gave the Germans an early advantage that almost permanently and harmfully changed the map of the globe. The Germans were almost beyond the Channel Ports before the initiative could be re-gained by the Allies.
We worry that cyber weapons are being developed, deployed and employed today in a way that echoes the introduction of the tank during World War I. Like at Flers-Courcelette and Cambrai, cyber is employed to support conventional operations, and worryingly, without enough critical and strategic thought about its potential. Is cyber a new domain of warfare, doctrinally co-equal with land, sea, air, and space or not? Following the lead of policy statements by the United States and several other cyber powers, most agree, but not all. Thomas Rid and Martin Libicki disagree.
Rid sees “war in the fifth domain” - a separate domain for cyber in war - as a United States Air Force “lobbying gimmick,” and that it is a distinction without a difference. He believes that any credible cyber action would have a physical effect in one of the other four domains. He argues that if cyber actions are merely espionage, sabotage, or subversion, that the threshold of “war,” in whatever domain, is not reached. He sees cyber across all domains.
Libicki disputes the analogy of cyber to maneuver warfare and takes a more defensive approach, insisting that “the task…is not so much to maneuver better or apply more firepower in cyberspace but to change the particular features of one’s own portion of cyberspace itself so that it is less tolerant of attack.”
So, is cyberwarfare a domain in its own right, part of other or all domains, is it offense or defense, or both? What is the difference? Can we learn from the lesson of the tank, or not? What questions have we not yet answered?
First, we must acknowledge that it is impossible today to produce the cyber equivalent of a tank, meaning building an enduring utility weapon system that can be deployed against many targets. Cyberweapons are, in this decade, incredibly time and intelligence intensive. This may not always be the case, but for now, it is not possible to stock our armories with generic cyber weapons if we wish to stay relevant; cyber weapons change minute by minute as does our enemy.
Second, more than any other individual weapon system and/or domain, cyber is legally interdisciplinary, involves national law enforcement through domestic criminal law, the intelligence community through espionage and counter-espionage, and the military in the potential level of damage that may be done. It is not simply a matter of picking one legal paradigm, but rather of looking at any given cyber operation through all three lenses—legal, intelligence and military—to ensure that we do not run afoul of our own law or the international community’s legitimate expectations.
Third, cyber is immensely scalable, from subtle indirect influence operations that would make Sun Tzu proud, to catastrophic SCADA direct electronic levée en masse equivalent attacks that would have Clausewitz smiling and that could even escalate to his absolute war in the laboratory at an end-of-the-world level. Cyber provides commanders a broader spectrum of options than other domains. Cyber options have impact like no other domain across the military, intelligence, political, diplomatic, and economic instruments of statecraft; cyber is legally and politically complex in both planning and execution.
There are many ensuing questions: How do we rationally and effectively divide responsibility for national cyber security responsibilities between soldiers, the intelligence community, and the police? How should governments work with the private sector? What are the zero-sum and non-zero-sum aspects of cyber cooperation with other nations? Under what authorities can governments gather the information they need from other governments, or from their own citizens, without violating fundamental norms of human rights? What kind of commanders and strategic leaders are needed to frame these discussions and then to mount the cyber fight?
How do we identify these people, train and educate them, retain and oversee them? And how can free countries counter the narratives of international rogue actors, whether they are terrorists targeting innocents, or dictators testing the limits of their powers?
The strategic thinking that likely did not occur in 1917 with respect to the employment of the tank on the battlefields of France needs to occur now for cyber. We hope we have generated thought and discussion to push this issue forward. We have the opportunity, unlike the early use of the tank, to get cyber right. If we do not, then we run the risk, like with the advent of World War II, of suffering from a cyber-blitzkrieg as our enemies, who this time may be non-state actors —again—get ahead of our thinking.
The views expressed in this article are those of the authors alone and do not represent the official policy or position of the National Defense University, the Department of Defense, or the U.S. Government.