John Arquilla is Distinguished Professor of Defense Analysis at the US Naval Postgraduate School, a world-renowned cybersecurity expert, and the author of the new book, “Bitskrieg: The New Challenge of Cyberwarfare.” I’ve just finished reading the book, and it is striking for a number of reasons — the amount of expertise on display, the precise and unflinching language used to describe various situations and scenarios, and the perspectives of military power, national security, and social well-being at its heart.
Arquilla was kind enough to consent to an email interview, which occurred over this past weekend. I hope you find it illuminating.
Q: Coming from the scholarly space, I was first struck at how the fact that the Internet came out of the Department of Defense (DARPA, specifically) resonated completely differently when placed in the context of conflict, strategic balance, and warfare. Why was developing the Internet strategically important to military authorities? Did they make any major mistakes?
Arquilla: Back in the ‘60s, the Internet was important for national defense because it offered the promise of being able to maintain communications of some sort even in the wake of a massively destructive war. Needless to say, mutual deterrence made nuclear war a remote possibility; but the growing social and commercial value of the Internet now made it easy prey for all manner of depredations, including intellectual property theft, extortion, political warfare, and more. Effective preparations for defending against such a spectrum of threats were not contemplated or made early on — and not very well addressed ever since.
Q: In reading your book and others, I keep getting the feeling that social media has created a society-wide surface area of attack for other nation-states, etc. Is this a fair characterization? If so, what can be done to increase safety and decrease risk?
Arquilla: Social media have made us especially vulnerable to political warfare of the sort allegedly practiced by Russia-friendly hackers in the 2016 and 2020 American presidential elections. This sort of thing goes on in many other democracies around the world, including some fragile ones.
To my mind, the best defense against this sort of political warfare is to tamp down the coarseness of our own political discourse. If we stop dealing ourselves self-inflicted political sledgehammer blows, then the foreign propaganda will stand out more clearly. And maybe, just maybe, we can regain some faith in our own system.
Q: Assuming blood and treasure as the price of war, and influence and treasure as the spoils, aren’t we in an era in which far less of the costs and far more of the benefits accrue to cyber warriors? Aren’t we already in a bloodless cyberwar? Could it escalate, or remain a “cool war” for decades?
Arquilla: I am convinced that we are in the kind of “cool war world” that science fiction writer Frederik Pohl predicted some 40 years ago — lots of costly covert actions taken, with little respite, against poorly defended targets. Escalation to physical warfare is unlikely, which is why such warfare is so cool. But shooting wars will still occur, and advanced information technologies will transform the way such conflicts are conducted. Which is the subject of the third chapter of “Bitskrieg.” Briefly, the rules of this new kind of warfare are: many and small beats few and large; finding is the new flanking; and swarming is the new surging (see my cover article in Foreign Policy where I first articulated these concepts).
Q: You talk about the folly of firewalls and anti-virus for security and the benefits of encryption and Cloud computing, as “data at rest is data at risk.” Wouldn’t broad adoption of those techniques simply shift the game? Is there a solution, or only better/worse mitigation?
Arquilla: Data at rest are data at risk. The evidence of this is overwhelming. Continued emphasis on firewalls and anti-virals will only perpetuate that risk. Strong crypto will greatly reduce risk, and data mobility will make it even harder for malefactors to keep doing what they are doing with hopes of success. The key is to use the strongest crypto, and to keep moving the data — perhaps even breaking it into parts before uploading to the Cloud. But once in the Cloud, it shouldn’t just stay in one spot. Keep moving. It’s an old infantry adage: If you want to stay alive, keep moving.
Q: With the recent passing of Donald Rumsfeld, I was struck by your portrayal of him as being on the vanguard of cyberwar strategies, and becoming the fall guy for traditional approaches that failed, over his objections. Do you think he’s gotten a fair shake in public opinion? Why or why not?
Arquilla: Rumsfeld was a complex character. He absolutely understood the strategic implications of advances in information technology. He felt this meant the possibility of transforming the American military — and thus had the opposition of all the seniors in uniform, and many civilians, whose habits of mind and institutional interests wedded them to the old ways. That said, Rumsfeld got on the bandwagon for invading Iraq, the mistake that undid all the good he hoped to achieve. To paraphrase his comments about “known knowns,” he should have known better because he was in a position to know.
Q: If information is power, especially in conflict, what’s the future of secrecy? Or controlled information? You mention that power in the future comes from information you share, which suggests the ability to protect it until you have a point of leverage. Is that going to be possible in the near future?
Arquilla: “Sharing” doesn't necessarily mean putting it in the newspaper for all to read — though sometimes “outing” bad deeds can be a very good thing. What I mean by sharing is aimed at the context of specific communities of interest. For example, the US has some 17 intelligence agencies. The more they share with each other, the better our ability to deal with threats. Of course, this presupposes our ability to improve information security, as outlined above.
Q: The US has been under incredible pressure in recent years with ransomware attacks, cybersecurity lapses, and so forth. The 2016 election was affected, hospitals and utilities are affected, the food supply has been affected. You talk about the deterrents to a full-scale cyberattack, and Russia has had to pull its proxy cyber warriors back, but it seems we’re one spiteful hacker away from a major rogue incident. Do you think something like this might happen in the next 3-5 years? Why or why not?
Arquilla: Absent a major shooting war, I don’t envision a crippling set of cyber attacks. In part, because an adversary will withhold the most sophisticated attack methods until the stakes are very high — as in an armed conflict. That said, the range of cyber attacks coming at the US highlights the fact that defenses have been woefully neglected by government and the military — who need a new paradigm for defense along the lines mentioned above with encryption and Cloud. Also, it should be noted that, for decades, commercial firms did not devote enough attention to security because “the market” did not demand it — a classic case of what economists call “market failure.”
Q: Science is moving to a more “open” attitude, with some advocating making machine-readable data, all research findings, and even preliminary research openly available. From your standpoint, and given the reality of power balances in the world, does this seem advisable? Who benefits? Who loses?
Arquilla: I like the idea of more sharing, because doing so will enhance human welfare. But perhaps not in all areas, defense being a particular exception, and a number of competitive commercial areas being general exceptions. My colleague David Ronfeldt and I long ago identified a posture of “guarded openness” as an approach that encourages sharing wherever possible, preclusiveness where necessary.
Q: Generally, how would you recommend people think when they hear about a cyberattack, a ransomware attack, or theft of personal or corporate data?
Arquilla: The first reaction people should have when they hear of a cyber attack is to take a deep breath and not overreact. This is part of the new normal of an information age. Then, calmly, they should prompt or participate in a public discourse about the sorry state of cybersecurity and call for improvements. The US in particular is way out of balance, having exquisite offensive capabilities but extremely porous defenses. This imbalance needs to be rectified before cyber attacks cripple our forces in any future war — in ways depicted so presciently in Pete Singer's Ghost Fleet and Admiral Stavridis's 2034. Or, if you prefer, in the example provided by the Cylons in the Battlestar Galactica reboot. The Cylons understood well the yin-and-yang link between connectivity and vulnerability, and used it to destroy almost all of the Colonial Fleet.