By Andreas Haggman:
In November 2011 the UK government published its national Cyber Security Strategy, outlining the exponential growth of the internet, the threats and opportunities this presents, and a vision for 2015. Two main themes are present throughout the document: the need to acquire knowledge, skills and capability; and the role of the three main actors in the cyberspace – government, public and businesses. It can be postulated that these themes neatly align with the Trinitarian concepts underpinning seminal war theoretician Carl von Clausewitz’s magnum opus On War. In this work, Clausewitz presents two intertwined triangular relationships: the first – reason, passion and chance – is embodied by the second – government, people and military. I will here argue that this second Trinity can be used as a main point of comparison between Clausewitz and the UK Cyber Security Strategy, but two critical flaws severely limit its applicability to war. Given the increased securitisation of cyberspace, the application of Clausewitzian theory to this nascent domain of security seems to be an apt endeavour.
Clausewitz’s time-tested adage holds that the most effective and successful wars are conducted when the government, the people and the military of a state are in harmony. Without the support of one, the other two would fail in their endeavours. Similarly, in the UK Cyber Security Strategy, the government, the public and private businesses each have important roles to play and the malfunction of any party would seriously compromise the other two.
Warfare is clearly no longer conducted in the ways of the nineteenth century and with the current hype and ongoing debate about the ascendancy of cyber war, it is imaginable that the UK Cyber Security Strategy Trinity can be applied to conflict in the digital domain. However, there are two critical flaws with this theory, one conceptual and one motivational.
The first and most crucial flaw with transposing the new Trinity onto the waging of war lies in the imperative conceptual differences between war and warfare. War, as Clausewitz defines it, is a continuation of policy by other means. War is conducted in pursuit of some political goal which could not be achieved by negotiation or diplomacy. Warfare, on the other hand, encompasses the techniques and tools by which war is conducted. Warfare is merely a component of war; it is a means by which war can achieve its ends. In other words, if war provides the strategy then warfare provides the tactics.
With regards to cyber, Thomas Rid and others have convincingly argued that the digital domain cannot be the scene for war, but only for warfare. Changing a 1 to a 0 in computer code does not by itself accomplish policy goals any more than a single bullet fired on Omaha beach brought down the Third Reich. The point here is that cyber capabilities are tactical, not strategic. Therefore, a Trinity focused on cyber is only applicable to warfare, whereas Clausewitz’s Trinity governs the conduct of war. By this reasoning, the Cyber Security Trinity is a tactical concept, but it is found in a document supposedly outlining a strategy. This conceptual disjoint means that the UK Cyber Security Strategy Trinity cannot eclipse Clausewitz’s Trinity, because the two address different levels of conflict.
The second flaw comes from the one aspect of the Trinities which differentiates the two: business. In Clausewitz’s Trinity the military fits in neatly because it shares the interests of the government and the people in upholding and maintaining national security and integrity. Private corporations, on the other hand, exist for the main purpose of making monetary profit with little incentive for furthering the interests of the nation. Granted, all three parties share an interest in preventing or defeating cyber attacks, but whilst the government and public do so for their mutual good (for example prosperity and security), businesses do so because they derive profit from a prosperous and secure government and people, not because they are inherently interested in national prosperity and security.
In an age of globalisation and multinational enterprises there is scant motivation for a company to limit itself by conforming to the wills of a single state and public. In a time of conflict, a business has the ability to simply provide its services to the highest bidder, making it a thoroughly unreliable Trinity partner. Taken independently from the conceptual flaw above, this motivational issue seems to severely hinder the inclusion of businesses at a strategic level. This hindrance seems equally applicable if we accept that the UK Cyber Security Trinity can only be applied at a tactical level. Therefore, the inclusion of businesses in the UK Cyber Security Strategy means that this Trinity cannot replace Clausewitz’s Trinity.
From these two flaws we can conclude that the Trinity of government, public and business cannot be used as a substitute for Clausewitz’s Trinity of government, people and military (where, in the last role, intelligence services are presumed to play an important part). This twenty-first century concept was conceived in the light of nascent threats to UK cyber security and in that domain it should stay. That is not to say the new Trinity does not serve a purpose. Indeed, given that cyber security is a very real and a very pressing concern, having a robust and well-publicised strategy to counter the problem is paramount. What is clear, however, is that it is a foolhardy endeavour to attempt to wrest Clausewitz from his lofty perch atop the field of war theory.
Andreas Haggman is a MA student in Intelligence and International Security at King’s College London. His academic focus is on cyber security, particularly the development of weaponised code and organisational responses to cyber security issues.