An Antifragile Approach to Preparing for Cyber Conflict - Historical Analogies, Current U.S. National Cyber Strategic Approach, Probability and Consequence of Positive and Negative Black Swan Events
"Defense" of any system against all highly improbable, but significant events, what are sometimes referred to as Black Swan events, is not possible. These events are, by their very nature unpredictable and uncertain, which is why they so dominate our thinking, and our culture. The work of Nassim Taleb regarding these highly improbable events and his proposed approach of "antifragility" may have utility in studying what the USAF should do in order to be prepared for the future in cyber operations. This approach emphasizes the futility of trying to predict when/where and how these highly improbable but significant events will occur and of preparing to defend against those scenarios. This leads to a "barbell strategy" based on an understanding of the probability and consequence of both positive and negative Black Swan events, which maximizes optionality while ensuring against systemic failure. Three essential elements emerge from this as critical to building "antifragility" into our national cyber capabilities. The first is the need to truly understand our minimum required capabilities, to acknowledge what ruin would really look like so that it can be avoided at the lowest possible cost. Second, how can optimal learning be built into the system, allowing the inevitable shocks of any magnitude to make the system stronger. Finally, what construct, organization or approach can efficiently and effectively incentivize the high-risk/high-payoff end of the spectrum. There is a demonstrated history of throwing around Pearl Harbor and the attacks of 9/11 as cyber scenarios to defend against or prepare for. In this assessment, the potentially more helpful analogies of the Battle of Britain and the Maginot Line will be evaluated as well. This will help to examine the potential application of "antifragility" and the associated "barbell strategy" to USAF strategic preparations for conflict in the cyber domain.This compilation includes a reproduction of the 2019 Worldwide Threat Assessment of the U.S. Intelligence Community.The United States is arguably the most internet dependent nation on Earth, and our military is keenly aware of the risks that this dependence poses. A quick internet search of "cyber Pearl Harbor" and "cyber 9/11" shows that these concepts have been publicly discussed since at least November 1997, when Deputy Secretary of Defense John Hamre testified to congress about the dangers of an "electronic Pearl Harbor". In later interviews, he credited Air Force General Tom Marsh with "authoring the phrase". There is a vast array of published work on both "cyber Pearl Harbor" and "cyber 9/11" that indicates there is no shortage of awareness something dire might happen in cyberspace. Even Secretary Hamre has acknowledged that it may not have been the best analogy to use at the time he first introduced it. Almost invariably, these terms are used to demonstrate that we should be doing something different in order to avoid or defend against the cyber-equivalent of those traumatic events. What do "cyber Pearl Harbor" or "cyber 9/11" even mean? Beyond the scare tactic of bringing up a traumatic event from our collective social memory, each of these scenarios can be seen to represent a different type of unanticipated attack on the United States. What is lost in the sensationalism that often surrounds bringing up these analogies is that they actually can represent scenarios that should be deeply and carefully considered, but not necessarily in the way that scare-mongers would suggest. The utility of scenarios in understanding different aspects of cyber conflict is not limited to these two oft-cited examples. There are other analogies in the recent history of warfare that we should also draw upon to help understand how to prepare properly for combat in this new domain.