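Updated by Bennyye @2012-4-23: Coincidentally, on April 13, 2012, Singapore's Lianhe Zaobao published a signed article by Joseph Nye, “Cyber War and Peace,” whose content is largely the same as what I reposted here. It has already been translated in China; see the end.
In the Winter 2011 issue of Strategic Studies Quarterly, published by the US Air University, Joseph Nye, billed as the father of “soft power,” published an article titled “Nuclear Lessons for Cyber Security?”. One section of the article sets out his views on cyberspace in some detail; the excerpt is at the end.
It is worth mentioning that the article refers to one of his latest books, The Future of Power, whose fifth chapter elaborates on what he calls “cyberspace power.” The Chinese edition of the book was recently released in China, and interested readers may want to take a look.
We often say that “information and network security is a matter of national strategy,” so it is worth seeing how Joseph Nye raises a technical issue to the political level.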
Cyber is a prefix standing for computer and electromagnetic spectrum–related activities. The cyber domain includes the Internet of networked computers but also intranets, cellular technologies, fiber-optic cables, and space-based communications. Cyberspace has a physical infrastructure layer that follows the economic laws of rival resources and the political laws of sovereign jurisdiction and control. This aspect of the Internet is not a traditional “commons.” It also has a virtual or informational layer with increasing economic returns to scale and political practices that make jurisdictional control difficult. Attacks from the informational realm, where costs are low, can be launched against the physical domain, where resources are scarce and expensive. Conversely, control of the physical layer can have both territorial and extraterritorial effects on the informational layer. Cyber power can produce preferred outcomes within cyberspace or in other domains outside cyberspace. By analogy, sea power refers to the use of resources in the oceans domain to win naval battles on the oceans, but it also includes the ability to use the oceans to influence battles, commerce, and opinions on land. Likewise, the same analogy can be applied to airpower.
The cyber domain is a complex man-made environment. Unlike atoms, human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off by throwing a switch. It is cheaper and quicker to move electrons across the globe than to move large ships long distances through the friction of salt water. The costs of developing multiple carrier task forces and submarine fleets create enormous barriers to entry and make it possible to speak of American naval dominance. In contrast, the barriers to entry in the cyber domain are so low that nonstate actors and small states can play significant roles at low cost.
The Future of Power describes diffusion of power away from governments as one of the great power shifts of this century.4 Cyberspace is a perfect example of this broader trend. The largest powers are unlikely to be able to dominate this domain as much as they have others like sea, air, or space. While they have greater resources, they also have greater vulnerabilities, and at this stage in the development of the technology, offense dominates defense in cyberspace. The United States, Russia, Britain, France, and China have greater capacity than other state and nonstate actors, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cyber systems for support of military and economic activities creates new vulnerabilities in large states that can be exploited by nonstate actors. Four decades ago, the Pentagon created the Internet, and today, by most accounts, the United States remains the leading country in both its military and societal use. At the same time, however, because of greater dependence on networked computers and communication, the United States is more vulnerable to attack than many other countries, and the cyber domain has become a major source of insecurity.5 The term cyber attack covers a wide variety of actions ranging from simple probes, to defacing websites, to denial of service, to espionage and destruction.6 Similarly, the term cyber war is used very loosely for a wide range of behaviors. In this, it reflects dictionary definitions of war that range from armed conflict to any hostile contention (e.g., “war between the sexes” or “war on poverty”). At the other extreme, some use a very narrow definition of cyber war as a “bloodless war” among states that consists only of conflict in the virtual layer of cyberspace. But this avoids important issues of the interconnection of the physical and virtual layers of cyberspace discussed above. 
A more useful definition of cyber war is, hostile actions in cyberspace that have effects that amplify or are equivalent to major kinetic violence.
In the physical world, governments have a near monopoly on large-scale use of force, the defender has an intimate knowledge of the terrain, and attacks end because of attrition or exhaustion. Both resources and mobility are costly. In the virtual world, actors are diverse, sometimes anonymous, physical distance is immaterial, and offense is often cheap. Because the Internet was designed for ease of use rather than security, the offense currently has the advantage over the defense. This might not remain the case in the long term as technology evolves, including efforts at “reengineering” some systems for greater security, but it remains the case at this stage. The larger party has limited ability to disarm or destroy the enemy, occupy territory, or effectively use counterforce strategies. Cyber war, although only incipient at this stage, is the most dramatic of the potential threats. Major states with elaborate technical and human resources could, in principle, create massive disruption as well as physical destruction through cyber attacks on military as well as civilian targets. Responses to cyber war include a form of interstate deterrence (though different from classical nuclear deterrence), offensive capabilities, and designs for network and infrastructure resilience if deterrence fails. At some point in the future, it may be possible to reinforce these steps with certain rudimentary norms, but the world is at an early stage in such a process.
If one treats hacktivism as mostly a disruptive nuisance at this stage, there remain four major categories of cyber threats to national security, each with a different time horizon and different (in principle) solutions: cyber war and economic espionage are largely associated with states, and cyber crime and cyber terrorism are mostly associated with nonstate actors. For the United States, at the present time, the highest costs come from espionage and crime, but over the next decade or so, war and terrorism may become greater threats than they are today. Moreover, as alliances and tactics evolve among different actors, the categories may increasingly overlap. In the view of ADM Mike McConnell, “Sooner or later, terror groups will achieve cyber-sophistication. It’s like nuclear proliferation, only far easier.”7 We are only just beginning to see glimpses of cyber war—for instance, as an adjunct in some conventional attacks, in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges by the Stuxnet worm. Deputy Defense Secretary William Lynn has described the evolution of cyber attacks from exploitation, to disruption of networks, to destruction of physical facilities. He argues that while states have the greatest capabilities, nonstate actors are more likely to initiate a catastrophic attack.8 A “cyber 9/11” may be more likely than the often mentioned “cyber Pearl Harbor.”
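[Translation]
Two years ago, a piece of flawed computer code infected Iran's nuclear program and destroyed many of the centrifuges used for uranium enrichment. Some observers called this apparent sabotage the harbinger of a new form of warfare; US Defense Secretary Panetta has warned that Americans could suffer a “cyber Pearl Harbor” attack. But how much do we really know about cyber conflict?
The cyber domain of computers and related electronic activities is a complex man-made environment, in which the human adversaries are highly intelligent and purposeful. Mountains and oceans are hard to move, but cyberspace can be turned off and on with a switch. Moving electrons around the globe is far cheaper and quicker than moving large ships over long distances.
The development costs of multi-purpose carrier task forces and submarine fleets are more than many countries can bear, and this has secured America's naval superiority. But the barriers to entry in the cyber domain are low, and even nonstate actors and small states can play significant roles at low cost.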
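Cyberspace is a major source of insecurity
In my book The Future of Power, I argue that the diffusion of government power is one of the most significant political shifts of this century. Cyberspace is a perfect example. Large powers such as the United States, Russia, Britain, France, and China have greater ability than other states and nonstate actors to control the sea, the air, or space, but it makes little sense to speak of hegemony in cyberspace. In fact, large states depend on complex cyber systems to support military and economic activities, and this has created entirely new weaknesses that nonstate actors can exploit.
Forty years ago, the US Department of Defense created the Internet. Today, by most accounts, the United States still leads in the military and societal use of networks. But greater dependence on networked computers and communications makes the United States more vulnerable to attack than many other countries, and cyberspace has become a major source of insecurity, because at the current stage of technological development attack is clearly easier than defense.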
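The term “cyber attack” covers a variety of actions, including simple probes, defacing website home pages, making networks unable to provide normal service, espionage, and destruction. Similarly, the term “cyber war” is used loosely to describe many behaviors, reflecting dictionary meanings of war that range from armed conflict to hostile contention (such as “war between the sexes” or “war on drugs”).
On the other hand, some experts define cyber war narrowly: a “bloodless war” among states, confined to electronic conflict in cyberspace. But this overlooks the important interconnections between the physical and virtual layers of cyberspace. As the Stuxnet virus that infected Iran's nuclear program showed, software attacks can have very real consequences.
A more useful definition of cyber war is hostile action in cyberspace whose effects amplify or are equivalent to serious physical violence. In the real world, governments have a near monopoly on the large-scale use of force, the defender is familiar with the terrain, and attacks may end because of attrition or exhaustion. Both resources and mobility are very costly.
By contrast, actors in the cyber world are diverse (and can sometimes take part anonymously), physical distance becomes immaterial, and some forms of attack are cheap. Because the Internet was designed for ease of use rather than security, attackers currently have the advantage over defenders. Technological advances, including efforts to “reengineer” some systems for greater security, may eventually change this, but at least for now it remains the case. The larger party's ability to disarm or destroy the enemy, occupy territory, or effectively use counterattack strategies is limited.
War, espionage, and terrorism online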
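Cyber war is only just beginning at this stage, but it is the most closely watched of the potential threats. In principle, major states with sophisticated technical and human resources could cause large-scale disruption and physical destruction through cyber attacks on military and civilian targets. Responses to cyber war include some form of international deterrence carried out through denial of service, offensive capabilities, and designs for rapidly restoring networks and infrastructure if deterrence fails. At some stage it may also be possible to reinforce these measures with certain basic rules and arms control, but the world is still at an early stage of this process.
If the so-called “hacktivism” of ideological groups is treated at this stage as mostly a disruptive nuisance, there remain four categories of cyber threats to national security, each with a different time horizon: cyber war and economic espionage are mostly associated with states, while cyber crime and cyber terrorism mostly involve nonstate actors. The greatest losses to the United States at present come from espionage and crime, but over the next 10 years or so, war and terrorism may pose greater threats than they do today.
Moreover, as alliances and tactics evolve, the categories of threat may increasingly overlap. In the view of Admiral Mike McConnell, former US Director of National Intelligence, “Sooner or later, terror groups will master sophisticated cyber techniques. It is like nuclear proliferation, only far easier.”
The world is only just beginning to see glimpses of cyber war: the denial-of-service attacks that appeared during the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges. States have the greatest capabilities, but nonstate actors are more likely to launch a catastrophic attack. A “cyber 9/11” may be more likely than the often-mentioned “cyber Pearl Harbor.” States should now sit down and discuss how to limit the threat that cyber war poses to world peace.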