The Best Defense

The FP transcript (VII): How our experiences in Afghanistan and Iraq shaped our approaches to Libya and Syria

[Here are Parts IIIIII, IV, V, and VI]

Ricks: Michèle, you looked like you were about to say something.

Flournoy: I think that this discussion is about the alignment of objectives. Are they consistently aligned with our interests? And is the level of cost bearable and appropriate, given the nature of our interests?

I saw that sort of insight applied to subsequent cases. I think the experience of Iraq -- the inherited operations of both Iraq and Afghanistan -- caused us to have a very fundamental strategic discussion about Libya, for example, and why we weren't going to put boots on the ground, invade the country, own it, et cetera. People have said, you know-- it's the caricature of leading from behind, and that this is some terrible mistake for the U.S.

What it was, was really circumscribing our involvement to match what were very limited interests, to say we are going to play a leadership role that enables others who have more vital interests to come in and be effective. But we are not going to be out in front; we are not going to own this problem; we are not going to rebuild Libya.

I think that the experience of Iraq and Afghanistan -- working through how do you get operations back onto a track where your interests and your actions are aligned -- also informed things like Libya, like Syria, and so forth. You can argue whether or not that we made the calculation right, whether we got it right or not. But I'm just saying that the conversation -- the fundamentals conversation -- did happen in subsequent cases because of, I think, the experience in both Iraq and Afghanistan.

Ricks: Would you say that President Obama -- to put you on spot -- is good at having that sort of conversation?

Flournoy: In my experience he is. If the staff doesn't -- if the process doesn't serve it up to him -- he's usually pretty good at saying you're not asking the right question, the right question is "x."

Brimley: I mean just as a two-finger on that. That was my first month at the White House when that happened. And it was an amazing process to watch almost from start to finish as a case study in how a president considers the use of force.

Ricks: You're talking about Libya?

Brimley: Yes. When you read the history it seemed to me that with the decision to invade Iraq, there might not have been a formal National Security Council meeting where the benefits were voiced in open session in a proper process. But [on Libya] the president held at least three or four full National Security Council meetings and dozens of deputies and principals meetings to weigh that issue.

Ricks: And was the question why front and center?

Brimley: Yes, very much so.

Point No. 2: When you look at the mechanics of what we did in Libya, we provided a set of capabilities that were unique. We had unique comparative advantage: air- to-air refueling, ISR architecture, command-and-control architecture.

Alford: Geography mattered on that too.

Brimley: Geography, yes absolutely. The fact that we had a presence in the Mediterranean already was very helpful.

Alford: And you have an ocean.

Brimley: Right. We provided this set of unique capabilities that were enabling for other partners, to include partners from the Gulf to act in ways that they hadn't before. Every situation is different.

But I think that process, at least for someone like me relatively young, as a case study in how we think about how we think about use-of-force decision-making and the way we provide unique capabilities in the future is hugely informative.

The second thing I'd say on Libyais that as a young person, my limited experience dealing with these issues has been informed almost entirely by Iraq and Afghanistan. So when we were debating Libya, people in my generation were very sort of hesitant to really almost do anything. Almost a hard-core realist approach of "it's not really core to our national interests; we shouldn't get involved." But the people, I think, who had came of age in the Clinton administration who dealt with limited uses of force -- no-fly zones -- were much more willing to entertain creative solutions. So people in my generation, I think, going forward will tend to be an all-in or all-out.

Ricks: There's an article to be done there on the generational qualities in foreign policymakers.

Brimley: I think the people within the Clinton administration having dealt with a couple of these use-of-force decisions in the ‘90s were much more creative in how they thought about ways in which we could use force but not go all in.

Alford: A great example, real quick. I was a second lieutenant in Panama when we took out Noriega. And by December 26th the Panamanian people were on our side, but that could have easily been a counterinsurgency fight, but the Panamanian people were very Americanized. We invaded that country, took out its leader, and rebuilt it. And it happened like that because the Panamanian people said yes. By February I was home, drinking beer.

(More to come about, especially about  the relationship between golf and force structure)

Flickr

The Best Defense

If we don’t want to be like the Iranians and get Stuxnetted, take these 4 steps

By John Scott

Best Defense guest columnist

It's Wednesday, and that means another story about the looming threat of cyberattack, how vulnerable the United States and its infrastructure is, how bad the Chinese are, how to retaliate, etc. But what seems to be left out of the discussion is what can practically be done about it (beyond scolding bad people). 

The first thing that should be done is to shrink surface area for attack. What does this mean? Right now the U.S. government and industry runs a pretty homogenous set of operating systems and applications that have shown to be a big part of the problem; specifically, Microsoft and Adobe are two companies whose wares have become amazing attack vectors. Why? For a few reasons: 1) if you want to create a virus/exploit weapon you tailor one for largest adoption, 2) attack large morphing code bases that give rise to known-unknown software vulnerabilities, and 3) updates don't always filter out in time once new vulnerabilities are detected and patched.

A great example is how Stuxnet is reported to have entered the Iranian nuclear program: 

The main (and initial) infection vector is the transmission of the Stuxnet malware via USB devices: if an infected USB device is inserted into a clean PC and later accessed with the Windows Explorer, then the infection of that PC is triggered. This is due to either a malicious ‘Autorun.inf' file present on the USB device (for the oldest variants of Stuxnet) or to the usage of the ‘LNK' Windows vulnerability (MS10-046,CERT-IST/AV-2010.313 advisory) for the variants found in June 2010.

The Iranians were probably running older versions of Microsoft operating system software that wasn't updated (and was probably pirated to boot). Further, the Iranians were a victim of Microsoft's business model of stitching together source code to lock-in users and conversely lock-out other software, which allowed the virus carte blanche access to anything. 

So what should we, the government, or private companies for that matter, do? First thing, we've got to get our own house in order to limit our vulnerabilities (or "know thyself," to paraphrase Sun Tzu).

  • First, get rid of software for which we have to continually make excuses. Just as the U.S. military doesn't promote smugglers (Han Solo) and farm boys (Luke Skywalker) to general, stop deploying software that requires additional fixes and comes stitched together. Microsoft and Adobe might be less expensive software, but if it leaves a backdoor open, is it really "cheaper"?
  • Second, only install operating systems and applications where the source code is available for widespread public inspection. Keeping source code secret increases its widespread vulnerability to exploitation when a defect is detected.
  • Third, increase heterogeneity of operating systems and applications to create gaps so that a virus/exploit can't transverse between different systems.
  • Fourth, fund research into more secure operating systems and make the fruits of that investment public: A rising tide lifts all (security) boats. A small investment in maturing source code can have a large impact. 

John Scott is a senior system engineer for Radiant Blue Technologies and was a co-author of Open Technology Development: Lessons Learned and Best Practices for Military Software (Department of Defense, 2011). He occasionally blogs at Powdermonkey.

Night shiftMarkusram/Flickr