Book Review: Dark Territory by Fred Kaplan
Fred Kaplan, a national security journalist at Slate, is the author of several successful books detailing the politics of national security within the United States. His books have included The Wizards of Armageddon, on the scientists behind the US nuclear programme and nuclear policy during the Cold War, as well as The Insurgents, on General Petraeus and the other high priests of counter-insurgency. In his latest book, he tackles the history of cyber-warfare.
The book provides a narrative, from the 1980s to the present day, of the main developments in the realm of cyber warfare. Along the way, Kaplan stops to pay attention to key characters in the story, as well as to provide interesting anecdotes that have shaped the evolution of US cyber policy. Perhaps no anecdote is more interesting than the one opening the book. As Kaplan tells us, after watching the movie WarGames - in which a teenager gets dangerously close to starting a nuclear war by hacking computers at NORAD - President Reagan asked the Chairman of the Joint Chiefs of Staff whether such a scenario was plausible. To Reagan's shock, the answer was not an unqualified 'No.' From there, the book moves to developments in the 1990s. The book describes Operation Desert Storm as the 'first campaign of "counter command-control warfare"' (p. 21) as well as the information warfare campaign against Milosevic in the Balkans (p. 110). The late 1990s witnessed military exercises, such as a US military exercise in 1997 in which hackers were able to penetrate the US National Military Command Center without leaving any trace; a cyber attack by teenagers, code-named Solar Sunrise (p. 77); and one implicating Russia, code-named Moonlight Maze (p. 85).
The book describes the rise in US officials' interest in cyber after 9/11, driven by Richard Clarke (who would go on to write another influential book on Cyber War based on his government experience). The book identifies two main reasons for this rise. The first is technological advancement. The second, and this is a key theme running throughout the book, is concern regarding the possibility of a catastrophic cyber attack; a 'cyber Pearl Harbor' in the words of a Commission of inquiry. At this stage, the book provides a detailed account of the development of various agencies connected to the cyber effort, including the Office of Tailored Access Operations within the National Security Agency, and the US Cyber Command. The book also provides a convincing account of the concerns and political manoeuvres surrounding the passage of the Protect America Act in 2007. Touching upon a crucial trade-off in the post-9/11 era - that between security and privacy - Kaplan discusses how the NSA expanded its reach. Director Keith Alexander argued that, in order to collect the right information, one had to collect all the information; the whole 'haystack.' Kaplan also clarifies that this required some linguistic sleight of hand, such as the effort to convince policymakers that 'storing' data on American citizens did not necessarily mean collecting data. The book also explores international politics issues, from the early uses of cyber against Serbia in the 1990s, to Russia's cyber attack on Estonia and China's hacking operations. A key watershed in this development is represented by Stuxnet, the US cyber attack against the Iranian nuclear programme, and the subsequent institutionalisation of cyber warfare within US foreign policy.
Some reviewers have criticised the book for its narrative approach. P. W. Singer has lamented that the anecdotes often lack detail and nuance and that the book focuses more on the bureaucratic history of cyber warfare than on its 'secret' history. Ben Buchanan has made a similar argument in War on the Rocks. Singer is also correct in criticising the 'Pearl Harbor' bias. The book seems to imply that policymakers should be concerned about a potentially catastrophic cyber attack. As detailed above, this was already a concern in 1995. Since then, however, such an attack has not materialised. Cyber weapons have been used as an instrument during more conventional conflicts. Cyber attacks, however, have been used on their own to achieve strategic and political goals. Russia's hacking of the 2016 US Presidential Elections is just one example. This attack, like many others, did not represent a catastrophe on the scale of Pearl Harbor, or 9/11 (to update the analogy), but an effort to discredit US democracy. Too narrow a focus on a Pearl Harbor-like event might distract from current and problematic uses of cyber weapons. While these criticisms are fair, the book still provides a good introduction, especially for non-experts, not so much to cyber and cyber war as to the US approach to (and policies on) cyber war.
Furthermore, the book raises some interesting themes. First, the cyber realm poses clear challenges for traditional categories within international politics. How can we distinguish between cyber security concerns and cyber war? As Kaplan writes, 'cyber security, cyber espionage, and cyber war' are 'in a fundamental sense synonymous' (p. 123). This blurring occurs both in terms of weapons and in terms of targets. Criminals, terrorists, foreign nations, as well as teenagers use the same 'weapons.' When does an attack on private firms become an attack on a state? How can we distinguish between cyber theft and cyber espionage? When is a cyber attack an 'act of war'? Moonlight Maze came as a shock to US officials, with some wondering whether the US should declare war on Russia (p. 85). Is it a matter of damage to infrastructure? Of casualties? Cyber also poses challenges for traditional distinctions between offensive and defensive operations. Cyber networks are way too vast for static defence. The only way to defend one's own network is to analyse the enemy's capabilities and pre-empt any attack by 'active defense' (p. 180). Second, and more important for the purposes of this project, cyber also blurs the traditional boundaries within intelligence and intelligence studies between espionage, intelligence collection and covert action. Third, the book also highlights the problem of asymmetry. Asymmetry has been a key concern in recent US conflicts. This time, however, asymmetry poses new challenges. The US's status as a superpower largely relies on its communications technology, on networks, on satellites, and on cyber. Such reliance could be easily exploited by a much weaker enemy with enough resources and know-how to hack US systems. This scenario plays a prominent part in China's attack against the US in the sci-fi novel Ghost Fleet, by Peter Singer and August Cole. Finally, it is clear that cyber will occupy a prominent role in 21st century security concerns.
Yet policymakers seem particularly ill-prepared to understand, let alone discuss and act upon, cyber issues. Here, the book's attention to the bureaucratic history of cyber warfare is helpful in suggesting the existence of a competent and engaged network of officials. It is, however, unclear to what extent these officials can influence Congressional and Presidential decision-making. Cyber still remains a 'dark territory', especially for those in charge.