RETHINKING SECURITY

Over the weekend, I read Steve Clemons’ blog “What Happens When They Get Drones?” Given my previous blogging on tech diffusion, I obviously agree that drone technology and countermeasures will spread (they are, in fact, already spreading). Clemons asks a provocative question, but one that may be cause for me to qualify my post on military diffusion.

The question that President Obama, who has admitted direct, routenized involvement in creating the drone ‘kill list’, should ponder is what will happen as the barriers to entry on drone technology fall enough so that an adversary’s drones can be deployed against U.S. and allied forces and interests.

There are legitimate issues concerning drones, but when thinking about technological blowback it is also important to utilize plausible threat scenarios.

Drones require basing, infrastructure, intelligence, targeting, and protection from anti-aircraft weapons. Drone use is enabled precisely because of the fact that the United States enjoys political relationships that enable basing and military advantages that prevent enemies from attacking and destroying basing and targeting capabilities. It does not make sense for a potential adversary to build up such capabilities because they can be sighted, targeted, and destroyed fairly easily. In other words, an adversary’s ability to protect or hide its drones is more relevant to the discussion than the drones themselves.

If using offensive drones in forward theaters of operation is difficult, attacking at home is substantially more difficult. Any attack on the American homeland requires drone basing, and it is unlikely that any state in the Americas would be likely to risk American retaliation by hosting a drone base. With the present generation of offensive drone tech, its more likely adversaries will develop cheap kamikaze-style weapons with explosive payloads, which would be likely regardless of the “kill list” since the first people to use such weapons did so in the First World War.

The same issues come up with thinking about blowback from American use of Stuxnet. The issue of possible retaliation or adversaries targeting the US came up in policy deliberations about Operation Olympic Games. There are certainly grounds for worry due to the security holes in industrial control systems. But in generating an attack scenario, we have to ask several questions. First, who is the likely attackers? What would their motive be for attacking? States use force to achieve instrumental political purpose.

Even should that state do so through covert means, it would be important for the target to realize who struck it in order for the attacker to have some hope of achieving compellence. Would such an attacker, in light of stated American policy to potentially use military force to respond to Stuxnet-grade cyberattacks, do so? It’s certainly possible that adversaries might respond via less-lethal attacks, the very impotence of such methods would not have too much hope of shifting American policy.

It might be objected that sub-state actors might not fear American escalation dominance, but how does targeting Stuxnet make it more likely they will strike? We already have a host of sub-state enemies that violently oppose us, and no lethal cyber attacks. They prefer to use bombs rather than bits. As Sean Lawson and Jason Healey have written, the ironic thing is that the only major infrastructure attack to cause physical damage has been carried out by the US—in spite of the numerous legacy flaws in industrial control systems that experts have cataloged over nearly twenty years.

This is not to deny that there are legitimate concerns about opponents adopting drone tech for military advantage or Stuxnet putting information about industrial control systems vulnerabilities into the public eye. But threat scenarios about technology need to be based not only on a sound understanding of the technologies themselves, but also on politics, motive, psychology, interest, and logic.

For example, take one of the more plausible scenarios post-Stuxnet: the Iranians generate a powerful cyber capability (and they do have an energetic tech sector).  They create a means of deploying an information deterrent. They might carry out a demonstration. But this also raises questions about what form such a coercive demonstration would take and whether it would really disrupt the US, especially if it is directed at primarily economic targets. The scenario, again, should not be dismissed out of hand. But any attack scenario should be sufficiently fleshed out rather than making blanket assertions that Stuxnet painted a bulls-eye on America’s technological backbone.

This goes for conventional capabilities like anti-access weapons too. We can’t generate threat scenarios based solely on technology. We need realistic politics and adversaries too.