Do We Want Science At Any Price?

Operation Paperclip: The Secret Intelligence Program That Brought Nazi Scientists To America by Annie Jacobsen describes how American ambition to win the Space Race and the Cold War with the Soviet Union led to an unprecedented immigration bypass program to extract Nazi Germany’s brightest scientific minds.

Linda Hunt was the first writer to file multiple Freedom Of Information Act requests with different military organizations to access the classified documents pertaining to Operation Paperclip. After more than a year, two lawyers and a threatened lawsuit the U.S. Army finally released the records and billed her $239,680 in so-called search fees (significantly more than $500,000 in today’s money). Annie Jacobsen’s book builds upon Hunt’s revelations and adds hundreds of hours of interviews and declassified intelligence documents. Her paperback stands at 445 pages. It is segmented into five parts. It takes the reader to the end of WWII when the Joint Intelligence Objectives Agency (JIOA) and the US Army’s Counterintelligence Corps (CIC) come across the Osenberg List. This document was the equivalent to a LinkedIn for scientists and engineers employed by the Third Reich. It served as a target list during Operation Paperclip with rocket scientist Wernher von Braun at its top. Jacobsen describes the bureaucratic and moral challenges of a democratic nation when recruiting Nazi war criminals. For example, the case of Walter Schreiber illustrated a nauseating calculus by the US military to contract the former surgeon general of the Third Reich under Operation Paperclip despite tacit knowledge of his contributions to war crimes. Another example is the case of Hubertus Strughold. He rose to academic fame and received the nickname “Father of Space Medicine”. A San Antonio library bore his name and a plaque was put on display to honor his scientific work in complete ignorance of his human experiments on concentration camp inmates. Needles to state that in both cases, the inconvenient, dark truth of their participation in Nazi war crimes eventually imbued and drowned these men’s careers. Although they were never held accountable.

The Paperclip extractions surrounding medicine and chemistry appear to dominate Jacobsen’s book. However the lines are blurred between the different areas of expertise of the German scientists. And the density of information opens a many rabbit holes for the curious history buff. One of the more captivating things about the entire program is its historical impact that can still be observed today. For example, the program went from its original call sign “Overcast” to “Paperclip” to “Defense Scientist Immigration Program” whereby the CIA renamed its involvement the “National Interest” program. This particular terminology recently reappeared in the Military Accessions to the Vital National Interest (MAVNI) program and later slightly amended during the State Department’s effort to facilitate travel for highly qualified applicants during COVID-19 pandemic imposed travel bans.  Furthermore, Operation Paperclip created the foundation for other highly classified, ethically and morally obscure intelligence operations such as “Operation Bluebird/Artichoke” or “Project MK-Ultra”. Another interesting facet to this entire program that is not discussed in the book is the difference in educational systems between the United States and Germany. To this day, I believe the state-sponsored approach to afford all citizens free access to education in Germany is advantageous over the American tuition-based approach that requires substantial financial support. It was a dominant factor to allow the early 20th century Germany to develop intercontinental rockets, advanced nerve agents and other ground-breaking technology. Then, the United States was not only lacking a competitive educational system but it lacked advanced military technology to keep up with the more progressive nations of the time.   

(The German rocket team at Fort Bliss, Texas, after World War II led by Dr. Wernher Von Braun. Source: NASA Marshall Space Flight Center photo/DefenseMediaNetwork)

Annie Jacobsen masterfully presents the moral dilemma the United States government had to resolve in the quickly evaporating environment following the allied victory over Nazi Germany. The well-reserached book is packed with historical facts, contemporary interviews, and portraits of person’s of interest, each material for a separate book or movie. While her writing style is concise and captivating, I found myself progressing slowly due to the aforementioned density of intriguing characters and circumstances that populate each page. This book sheds light on some of the toughest moral and ethical questions. Some of which are still unanswered today. How was it possible that our democratic government looked past the former commitment to Nazi Party ideology of countless scientists, a few even awarded the NSDAP’s Golden Party badge honoring their outstanding services to the Nazi Party or the Third Reich. Can US citizenship be bought by saving the nation millions in research? Was WWII all about extracting scientific and technological advantages at the price of admitting Nazi ideology to our educational and scientific institutions? 

I think the most uncomfortable takeaway from this book is the arbitrary character of the US government. An old German adage goes “Wes Brot is ess’ des Lied ich sing’” (who pays the piper calls the tune). Throughout history this arbitrary character of different US governments casted a shadow on American democracy and the price of freedom.  

Militarizing Influence

Our information environment is increasingly dependent on the inescapable, largely unregulated cyberspace. Beyond national and geographical boundaries, however, this comes with its unique challenges ranging from information accuracy, integrity and relevancy to weaponizing information to influence a target audience in the pursuit of a diplomatic or economic goal. 

tl;dr

This paper proposes the development and inclusion of Information Influence Operations (IIOs) in Cyberspace Operations. IIOs encompass the offensive and defensive use of cyberspace to influence a targeted population. This capability will enable the evolution of strategic messaging in cyberspace and allow response to near-peer efforts in information warfare.

Make sure to read the full paper titled Information Influence Operations: The Future of Information Dominance By Captain David Morin at https://cyberdefensereview.army.mil/CDR-Content/Articles/Article-View/Article/2537080/information-influence-operations-the-future-of-information-dominance/

(Source: DoD/Josef Cole)

The United States Cyber Command (USCYBERCOM) unifies the direction of cyber operations within the Department of Defense. This paper proposes to incorporate Information Influence Operations (IIOs) into its capability set. This influence will facilitate the exertion of soft power in the pursuit of US national interests. Moreover, IIOs will reduce the need for large-scale operations or use of critical cyber offensive operations. 

A notable omission in the paper is a clear definition of IIOs. The ‘Introduction’ suggests that “the unrealized value of cyberspace, and what makes it so dangerous, is it allows direct access to the individual and to the public at large. This access, when used correctly, provides actors in cyberspace the ability to influence public opinion and shape the narrative of ongoing operations.” This, however, appears to be conflating cyberspace with the general, public media landscape while it implies an operator could just hack Twitter accounts and send out some tweets with a favorable narrative. Applying the lessons and learnings from its efforts to counter foreign influence operations, Facebook views all “coordinated efforts to manipulate or corrupt public debate for a strategic goal” as an influence operation. By definition in Joint Publication 3-13, information operations are described as “the integrated use of electronic warfare, computer network operations, psychological operations (PSYOP), military deception, and operations security to influence, disrupt, or corrupt adversarial decision making while protecting our own.” Therefore a suitable definition combining all of three concepts would define IIOs as “a capability to shape and direct public opinion in order to influence, disrupt, or corrupt adversarial decision making by leveraging soft- and hardware technology supported by psychological weapons and tactics in the pursuit of a strategic national interest.”

The author could have expanded more on the principles of US combatant command structures and its basic chain of command. This would have helped the reader to understand the current discrepancies in ownership of IIOs. As it stands, US combatant commands are structured by geographic focus and functional capabilities. USCYBERCOM falls into the latter category. A functional command unifies different military branches to achieve its mission. It remains unclear which military branch currently takes ownership of IIOs, if any. Taking it a step further out of the frame, the author comes out short on delivering a convincing rationale of when and where IIOs should be deployed and under whose authority. Cyberspace is predominantly civilian space created and maintained by privately held servers all across the world. Would USCYBERCOM install a permanent Information Influence Operations Center to execute IIOs spanning multiple months and years? Would such action require presidential or congressional approval? And would approved missions cease at servers operated on US soil or exclude US citizens from manipulation? Would it release a transparency report detailing the measures taken against foreign and domestic threats and under whose authority? These and other important questions need to be considered when thinking about consolidation of government power.  

But not all is dark and gloomy. The author does detail his proposition with a few more insights. In revisiting Stuxnet, NotPetya or the Russian involvement in dividing the US electorate during the 2016 US Presidential elections the author builds a foundation to support the argument for a centralized command of IIOs. Two of these events were targeted cyber attacks on critical infrastructure, one allegedly driven by the US and Israel, and the third event was a carefully curated, multi-year effort to exploit vulnerabilities in the US democratic process. All of these events indeed demonstrate the power that can be wielded through cyberspace operations, but where I disagree with the author is the comparability of these unique events and a causality between cyberspace and influencing information. Combining cyber attacks to corrupt critical infrastructure with a targeted narrative to redirect the public’s attention is a serious threat to US national security. However, identifying the operator and the motive behind such an attack may reveal domestic, private actors with a mere criminal motive, if attribution is even possible. Take the coordinated social engineering attack on Twitter ahead of the 2020 US Presidential elections. Government accounts from Joe Biden to Barack Obama as well as the accounts of notable public figures such as Elon Musk or Jeff Bezos were hacked, hijacked and abused to distribute a bitcoin scam. Should USCYBERCOM have stepped in, take network control from Twitter, a private business, in order to mitigate and counter the attack? 

In the section ‘Influencers’ the author does raise valid concerns when he states that “influencers are capable of wielding influence over millions and have used this influence for a multitude of purposes from philanthropy and advertising to political ends.” Online reach is tantamount to circulation of a print paper with the difference being longevity – the internet never forgets. Unchecked influence of influencers is something our society needs to review and decide upon. Perhaps private businesses will recognize the powers that be and increase checks and balances for this specific type of user or automatically guardrail reach to create equity among users.

In the section ‘Operationalizing IIOs’ the author states “There is little brand loyalty in the online world. Consumers will go elsewhere to find what they need if their preference is slow or unavailable. Influencing and controlling that “someplace else” yields the opportunity to wield influence.” In essence, the author suggests to take advantage of users impatience by increasing the time it takes to load a website. Once this latency or lag is in place, an operator may incentivice users to shift their attention to an alternative information source. This can be achieved through well-targeted advertising campaigns. As an example, the author offers the case of Amazon losing over $72 million due to a 63 minute outage on Prime Day 2018.

There is research to support an increased impatience during ecommerce transactions. However, there is an equal amount of research on brand loyalty, which across markets sees about 75% and higher retention rates once a customer relationship has been successfully established. For example, an Amazon Prime user, who pays for the privilege of Prime is unlikely to switch a book order to Barnes & Noble simply because there is a few milliseconds of delay when placing the order. It takes a contrast in price and shipping time to break the established brand loyalty with Amazon. Furthermore, in the author’s example the IIO appears to be directed at an ecommerce transaction. Even in the hypothetical foreign policy scenario of introducing latency to Alibaba to redirect users to Amazon to decrease economic output/revenue or other feasible US objectives, the author doesn’t really explain how it could favorably influence future behavior.

IIOs offer a tremendous potential to support diplomacy while strengthening our national security. Allocating the responsibility to exert and drive information influence to a military institution, however, raises constitutional concerns. It would likely undermine the trust of our allies but also chill diplomatic relations with non-allied nations. From a military perspective, an effort to centralize capabilities can reduce overall cost of cyberspace operations and increase transparency among military stakeholders. On the other hand, all centralized command structures are vulnerable to a single-point of failure, which can be devastating when USCYBERCOM is facing a sophisticated, superior adversary. In addition, an effort to centralize IIOs might increase the response rate to attacks in cyberspace or efforts to coordinate foreign influence operations by an adversary due to the extended chain of command.   

Left Of Launch

The Perfect Weapon is an intriguing account of history’s most cunning cyberwarfare operations. I learned about the incremental evolution of cyberspace as the fifth domain of war and how policymakers, military leaders and the private technology sector continue to adapt to this new threat landscape.  

Much has been written about influence operations or cyber criminals, but few accounts present so clearly a link between national security, cyberspace and foreign policy. Some of the stories told in The Perfect Weapon touch upon the Russian interference in the 2016 presidential elections, the 2015 hack of the Ukrainian power grid, the 2014 Sony hack, the 2013 revelations by Edward Snowden and many other notable breaches of cybersecurity. These aren’t news anymore, but help to understand America’s 21st century vulnerabilities.

Chapter 8 titled “The Fumble” left a particular mark on me. In it, Sanger details the handling of Russian hackers infiltrating the computer and server networks of the Democratic National Committee. The sheer lethargy by officials at the time demonstrated over months on end, including Obama’s failure to openly address the ongoing cyber influence operations perpetrated by the Russians ahead of the elections, was nothing particularly new yet I still felt outraged by what now seems to be obvious. The chapter illustrates some governance shortcomings that we as a society need to overcome in order to address cyberattacks but also build better cyber defense mechanisms.

Left of Launch is a strategy to leverage cyberwarfare or other infrastructure sabotage to prevent ballistic missiles from being launched

But the most insights for me came from the books cross-cutting between the cyberspace/cybersecurity domain to the public policy domain. It showed me how much work is still left to be done to educate our elected officials, our leaders and ourselves about a growing threat landscape in cyberspace. While technology regulation is a partisan issue, only bi-partisan solutions will yield impactful results.

David E. Sanger is a great journalist, bestselling author and an excellent writer. His storytelling is concise, easy to read and accessible for a wide audience. Throughout the book, I never felt that Sanger allowed himself to get caught up in the politics of it but rather maintained a refreshing neutrality. His outlook is simple: we need to redefine our sense of national security and come up with an international solution for cyberspace. We need to think broadly about the consequences of cyber-enabled espionage and cyberattacks against critical infrastructures. And we need to act now.

Tales Of Invincible Frogmen

Men In Green Faces is a gripping fictional combat novel. It shows the cruelty, intensity, but also the strategic intelligence and psychological resilience needed to prevail in war.

The story follows Gene Michaels and his team of highly-trained, elite commandos on their tour of duty during the Vietnam War. They are stationed on Seafloat, a floating Mobile Advanced Tactical Support Base (MATSB), somewhere in the Mekong Delta at the southern tip of Vietnam. Throughout their deployment, the team goes on different missions roaming the thick tropical jungle in search for specific targets and evading enemy positions. With each mission, the reader learns a little more about the complex, individual characters. They’re not just warriors devoid of emotions, but live and struggle through the atrocities of war – far away from home and their families.

Men in Green Faces is a dialogue-heavy fictional combat novel. It’s the kind of book that poses a situation and you’d want to discuss it with someone else or, if you’re so adventurous, enlist in the Navy right away. I learned about this book when Jonny Kim shared that his motivation to become a U.S. Navy SEAL was partly inspired by this book. To illustrate why this book is in part so powerful, I’ll leave you with the below excerpt of one of the teams early missions to extract a potential target for interrogation:

“Almost without a sound, the squad, already in file formation, came on line and dropped down to conceal themselves within the foliage. The last thing they wanted was contact. Through the bushes and trees Gene caught movement. It was one lone VC (Viet Cong) in black pajamas, talking to himself even as he strolled closer to their location. Not another person in sight. Just ten feet farther to the left, and the VC would have seen their tracks in the mud. The squad was dead quiet. Their personal discipline never faltered in combat. Almost mesmerized, Gene watched the VC strolling closer. The man passed Doc without detection, then Cruz and Alex. He came within eighteen inches of Brian, who was still in Gene’s position. The VC, carrying an AK-47 over his shoulder, holding it by its barrel, continued to talk to himself, just walking along within inches now of Jim. Jim grabbed the VC, slapped a hand over his mouth, and took him down. There was virtually no sound. Before Gene realized he’d moved, he had the VC’s AK-47 in his hand and the rest of the squad had backed in around the three of them, ensuring 360-degree security. Gene positioned his 60 inches from the VC’s head. The man’s eyes were stretched wide, almost popping from their sockets. He knew about the men in green faces, and it showed.”

Threat Mitigation In Cyberspace

Richard A. Clarke and Robert K. Knake provide a detailed rundown of the evolution and legislative history of cyberspace. The two leading cybersecurity experts encourage innovative cyber policy solutions to mitigate cyberwar, protect our critical infrastructure and help citizens to prevent cybercrime.

The Fifth Domain, commonly referred to as cyberspace, poses new challenges for governments, companies and citizens. Clarke and Knake discuss the historic milestones that led to modern cybersecurity and cyber policy. With detailed accounts of how governments implement security layers in cyberspace, gripping examples of breaches of cybersecurity and innovative solutions for policymakers, this book ended up rather dense in content – a positive signal for someone interested in cybersecurity, but fairly heavy for everybody else. Some of the content widely circulated the news media, other content is intriguing and through-provoking. While the policy solutions in this book aren’t ground-breaking, the authors provide fuel for policymakers and the public to take action on securing data, but, perhaps more importantly, to start developing transparent, effective cyber policies that account for the new, emerging technologies within machine learning and quantum computing. Personally, I found the hardcover edition too clunky and expensive. Six parts over 298 pages, however, made reading this book a breeze.

The Nuclear Option in Cyberspace

Stuxnet was a malicious computer worm that caused substantial damage to Iran’s nuclear program. It was likely deployed to prevent a conventional military strike against Iran’s nuclear facilities. The 2015 cyber attacks on Ukranian critical infrastructure caused loss of energy for hundreds of thousands citizens of Ukraine in December. It was likely staged to test cyber operations for the upcoming 2016 U.S. presidential election. Both cases offer interesting takeaways: (a) offensive cyber operations often empower rather than deter an adversary and (b) offensive cyber operations resulting in a devastating cyber attack to the integrity of the target may be responded via conventional military means. But where exactly is the threshold for escalating a cyber attack into conventional domains? How can policymakers rethink escalation guidelines without compromising international relations? This paper discusses achieving strategic stability in cyberspace by way of transferring the concept of a nuclear no-first-use policy into the current U.S. cyber strategy.  

tl;dr

U.S. cyber strategy has a hypocrisy problem: it expects its cyberattacks to deter others (defend forward) without triggering escalatory responses outside cyberspace, while it is unclear about what it considers off-limits. A strategic cyber no-first-use declaration, like the one outlined in this article, could help solve risks of inadvertent instability while allowing cyber-​operations to continue.

Make sure to read the full paper titled A Strategic Cyber No-First-Use Policy? Addressing the U.S. Cyber Strategy Problem by Jacquelyn Schneider at https://www.tandfonline.com/doi/full/10.1080/0163660X.2020.1770970

Credit: J.M. Eddins Jr./Air Force

In 2018 the Trump administration adopted its progressive National Cyber Strategy. These sort of policy declarations are commonly filled with agreeable generalities, albeit this National Cyber Strategy read in conjunction with the 2018 Department of Defense Cyber Strategy introduced a new, rather reckless cyber posture of forward attack in cyberspace as a means of a preemptive cyber defense. Key themes, e.g. 

  • Using cyberspace to amplify military lethality and effectiveness;  
  • Defending forward, confronting threats before they reach U.S. networks;  
  • Proactively engaging in the day-to-day great power competition in cyberspace;  
  • Actively contesting the exfiltration of sensitive DoD information; 

raise important questions of national security. Why does an industrial superpower like the United States feel a need to start a cyber conflict when it could redirect resources toward building effective cyber defense systems? How many cyber attacks against critical U.S. infrastructure are successful that it would justify a forward leaning cyber defense? What is the long-term impact of charging the military with cyber strategy when the private sector in Silicon Valley is in a much better position to create built-in-cybersecurity and why aren’t resources invested back into the economy to spur cyber innovation? Each of these questions is material for future dissertations. Until then, instead of a defend forward strategy in cyberspace, a cyber policy of no-first-use might complement securing critical infrastructure while ensuring allies that the U.S. cyber capabilities are unmatched in the world and merciless if tested. 

No-first-use is a concept originating in the world of nuclear warfare. In essence, it means 

“a state declares that although it has nuclear weapons, and will continue to develop and rely on these weapons to deter nuclear strikes, it will not use nuclear weapons first.”

Instead conventional (non-nuclear) warfare will be utilized to respond to attacks on its sovereignty. These policies are not treaties with legal ramifications if violated. They’re neither agreements to ban production of certain weapon systems nor intended as arms control measures. In fact, no-first-use policies often take shape in form of a public commitment signaling restraint to friends and foes. They are made for strategic stability in a given domain. 

No-First-Use Cyber Policy 

Taking the no-first-use concept to cyberspace may be a national security strategy at low cost and high impact. Cyberspace is by its configuration transient, hard to control, low cost of entry and actor-independent. For example, a web crawler is at times a spiderbot indexing websites for search engines to produce better search results. At another time the same web crawler is configured to recon adversary cyber infrastructure and collect intelligence. Yet another time, the tool may carry a malicious payload while scraping website data. This level of ambiguity introduces a wealth of cyber policy hurdles to overcome when drafting a no-first-use cyber policy. Schneider recommends starting with distinguishing the elements of cyber operations in its strategic context. As mentioned before some actions in cyberspace are permissible, even expected, other actions using the same technology, are not. Now, there is no precedence for a cyber operation to be so effective at scale that it would compromise its target (state) altogether. For example, no known cyber operation has ever irreparably corrupted the energy infrastructure of a state, destroyed social security and health data of its citizens and redirected all government funds, bonds and securities without a trace or leaving the state in a position unable to respond within conventional warfare domains. This means the escalation risk from a cyber operation against critical infrastructure is lower in cyberspace compared to an attack with conventional weaponry. Therefore a successful no-first-use cyber policy must focus on the cyber operation that produces the most violent results and is effectively disrupting a conventional defense (by disrupting critical infrastructure). 

Another consideration for an effective no-first-use cyber policy is the rationale of continued development of cyber capabilities. A no-first-use cyber policy does not preclude its parties from actively testing adversaries’ cyber vulnerabilities; it only bars them from exploiting such weaknesses unless the adversary strikes first. 

A strong argument against adopting a no-first-use cyber policy is diplomatic appearances. First, it might signal a weakness on part of U.S. cyber capabilities or indicate to allies that the U.S. will not commit to protecting them if under attack. Second, it may also result in hypocrisy if the U.S. launches a first strike in cyberspace after political changes but is still bound to a no-first-use policy. For Schneider a successful no-first-use cyber policy 

“credibly convinces other states that the U.S. will restrain itself in cyberspace while it simultaneously conducts counter-cyber operations on a day-to-day basis.”

She also recommends strategic incentives through positive means: information sharing, foreign aid or exchange of cyber capabilities. The end goal then ought to be strategic deterrence through commitments in cyberspace to restraint high-severity cyber attacks.  

I found the idea of a no-first-use cyber policy captivating, albeit inconceivable to be implemented at scale in cyberspace. First, even though cyber operations with the potential to blackout a state are currently reserved for professional militaries or organized cyber operators in service of a state-actor, I don’t believe that a lone non-state actor is not capable of producing malicious code with equal destructive powers. Second, I see attribution still as a roadblock despite improving cyber forensics. Any democracy would see the hypocrisy of mistakenly engaging a non-state actor or the risk of misidentifying a state-actor as perpetrator. Moreover, the current state of attribution research in cyberspace is considering humans with certain intent as foundation when future cyber conflict may be initiated by a rogue or faulty autonomous weapon system under substantial control of an artificial intelligence. Third, any policy without legal or economic ramifications isn’t worth considering. An effective deterrence is hard to achieve without “skin in the game”. Perhaps an alternative to a no-first-use cyber policy would be a first-invest-into-cyber defense policy. Emulate the Paris Climate Accord for cyberspace by creating a normative environment that obligates states to achieve and maintain a minimum of cybersecurity by investing into cyber defense. This way constant innovation within the private sector reduces vulnerabilities, which will lead to a self-sustaining deterrence.