Ypres, April 22nd 1915: the Germans launch a gas attack on the Western Front. Germany had twice attempted to use gas (October 1914 and January 1915), but both efforts failed to produce the desired results. At Ypres results were consistent with German hopes; along the 4-mile front where chlorine gas was used effects were so severe the Germans were shocked and failed to fully exploit the results.
After Ypres both sides used gas, and equipped their troops (eventually) with gas masks; all-told some 30,000 thousand died, and perhaps 500,000 were exposed. But gas didn’t turn the tide.
Screen Shot 2017-05-14 at 2.52.14 PM.png
During WW II all belligerents had gas stockpiles, but troops also had protective gear. The nature of combat – fast tactical operations covering large areas of terrain – also militated against gas and there was little use (Italy in Ethiopia, Japan in China). The Nazis gassed millions in the death camps, an evil beyond imagination, the one horrific exception.
Since then, except in three cases (Yemen – 1960s, Iran – Iraq War (1980-88), Syria’s civil war), gas hasn’t been used; for most of the world the threat of gas attacks has faded away.
The Geneva treaty of 1925 outlawing its use didn’t eliminate gas warfare; Italy and Japan both used gas in combat in the 1930s, as did others later (noted above). What changed was the two-fold realization that: 1) using gas against a well-prepared adversary would be of little overall tactical benefit, and 2) using gas would receive universal opprobrium. Even as Germany collapsed in 1945, they wouldn’t risk using chemical weapons against Allied troops.
They understood, intellectually and viscerally, that using chemical weapons would mean the nation, and the generals and politicians who ordered its use, would be held collectively and individually responsible. Use in combat had effectively ended; deterrence had worked. When deterrence failed, it was because the governments involved thought the world community would ignore them, or that they could hide their own involvement.
What has this to do with Cyber Warfare?
The recent large-scale malware attack affected people and organizations in at least 99 countries, with scary consequences; in England, for example, hospitals suspended admissions and in some cases delayed operations.
Interestingly we’ve had recent pronouncements from members of the national security community, to include leadership of the Intelligence Community, calling for cyber deterrence.
But that waters-down the concept of deterrence. Deterrence is NOT about proportional and “like” response; effective deterrence is a product of disproportional response. Deterrence works in a fairly simple way: “If you do ‘X’ to me, I’ll do X, Y and Z and maybe A, B and C to you.” You must demonstrate the capability and the will to do far more to the other guy than he can possibly do to you. He controls only the initial action, he does NOT control the nature or scope of the response. You must ensure he understands that your response will far exceed any benefit he might ever hope to receive.
In cyber that means that, whether a dozen Leninist radicals or a nation-state, if someone conducts a cyber attack against the US, the US will respond with:
1) A larger and more aggressive cyber attack, and
2) Something else: freezing their bank accounts, seizing all foreign holdings, perhaps 12 Tomahawk cruise missiles into their headquarters, perhaps some SEALs visiting them in the night; perhaps all four.
What can we learn from Ypres?
1) We need an international agreement that says simply cyber attacks will not be tolerated; the potential disruption from cyber is so severe that any group or nation that engages in such attacks, except under a declaration of war and inside the parameters of the accepted laws of war, is the enemy of all.
2) We need a stated policy: the US will retaliate against any cyber attack – swiftly and massively, far beyond the scale of the attack.
3) We need to make the investments to protect our key infrastructure from attack, just as nations equipped their armies with defenses against gas.
4) We need to make the investment in intelligence to provide rapid and reliable identification of the source of any cyber attack.
The various malware and cyber attacks we experienced in the recent past are the tip of the iceberg of what’s possible. We can protect the nation. But we need to stop studying the problem – as we have for the last 10 years – and act, and act now.
Copyright 2017 Arrias