Utility Of Offensive Cyber Capabilities To Military Strategy And Operations


‘Once humans developed the capacity to build boats, we built navies. Once you built airplanes, we built air forces.’ (Greenwald & MacAskill, 2013, pp. 7), and once we built computers and networks, we built cyber weapons. A lot of states stress the strength of their defensive cybersecurity structures. Only a few have admitted to having offensive capabilities. Nevertheless, there’s compelling evidence that many more either currently have, or are actively working on acquiring them. Even states, such as the United States and China, that do not overtly admit to possessing such weapons are not shy about incorporating offensive cyber operations into their official military doctrine (Smeets, 2018, p. 395).

Offensive cyber capabilities can be defined as capabilities that enable the conduct of “an offensive military operation conducted via an electronic device and directed against an enemy information system or network that is designed to accomplish some traditional political or military objective” (Petkis, 2016, p. 1442). Even though, up to the time of this writing, no direct casualties have been attributed to such weapons, they nevertheless form a cornerstone of today’s military arsenals.


This essay will evaluate the utility of offensive cyber military capabilities to military strategy and operations. It looks at their use in common strategies, namely annihilation, coercion, attrition, terrorism and decapitation. It concludes that offensive cyber capabilities show their greatest potential when used as a force multiplier in conjunction with conventional weapons, but stand-alone cyber-attacks still hold certain strategic advantages. For brevity’s sake, the essay will focus on the military strategies and operations of states, excluding terrorists, insurgents, and other non-state armed groups.

Offensive Cyber Capabilities

Offensive cyber capabilities are capabilities through which offensive operations can be conducted in cyberspace. Cyberspace is “the global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers” (DoD, 2007, p. 100). These operations are commonly divided into two types: Computer Network Attacks (CNAs), defined as “actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves” (DoD, 2007, p. 111), and Computer Network Exploitation (CNE), in which the enemy’s networks are infiltrated to gather intelligence and data (Whyte and Mazanec, 2019, p. 25).

There is controversy amongst both scholars and practitioners over whether some hostile measures taking place in and through cyberspace, such as misinformation campaigns through the internet or social media, belong under the broad banner of offensive cyber. In the U.S., practitioners tend to exclude these attacks (General Counsel of the D.O.D., 2016, p. 1013), whereas in Russia they are viewed as an integral part of the country’s cyber warfare operations (Kello, 2017, p. 213). Similarly, in the literature, some include these capacities, such as Whyte and Mazanec (2019, p. 80), while others, like Rattray and Healy, disregard them (2010, p. 77). This study aligns itself more closely with the views of Whyte and Mazanec, and Russia. The reason for this is that these campaigns, whether performed by bots or humans, do constitute “The use of computer networks to disrupt […] information resident in computers and computer networks” (DoD, 2007, p. 111) by changing or disrupting the information available on social media and the wider internet, even if the final aim is not to change the information as much as the opinions of those who consult said information.

Elements of Military Strategy

Military strategy can be defined as:

“The practice of reducing an adversary’s physical capacity and willingness to fight, and continuing to do so until one’s aim is achieved. It takes place in wartime as well as peacetime. [It] consists in countering the strengths and exploiting the weaknesses of an opponent […] Strategy comes down to out-positioning one’s rivals, not just militarily, but also diplomatically and if possible, economically and culturally, even before the first clash of arms and often well after the hostilities have ceased.” (Echevarria, 2017, p. 1)

A key element of this definition is that military strategy is not simply confined to wartime. It takes place before, after, and outside hostilities. Echevarria further identifies a few common strategies undertaken by armies throughout history: annihilation and dislocation, coercion and deterrence, attrition and exhaustion, terror, and decapitation and targeted killings (Echevarria, 2017, p. 2). In practice, these strategies are never used alone, but rather in conjunction with one another. A single military operation can also serve multiple strategies at once. For instance, there is a significant overlap between operations that support attrition and those that support terror, such as the bombing of cities and major population centers.

Annihilation and dislocation

A strategy of annihilation consists of incapacitating an enemy’s forces to a degree that causes them to realize the extent of their powerlessness. The ultimate goal is to cause them to pursue a peace advantageous to the attacker, ideally unconditional surrender (Kaldor, 2010, p. 272). Annihilation relies primarily on brute force, e.g. superior numbers, artillery, etc. Dislocation relies more on the element of surprise to out-position the enemy (Smyth, 1997, p. 3).

Using offensive cyber capabilities as stand-alone operations presents some inherent limitations to annihilation and dislocation. While certain famous case studies did involve kinetic damage caused by cyber-attacks (e.g. Stuxnet), none have resulted in casualties. The damage done through cyber operations tends to be confined primarily to cyberspace itself. Another difficulty in realizing strategies of annihilation with the use of cyber capabilities is that cyber-attacks entail a tradeoff between spread and persistence. Cyber-attacks, due to the very nature of the space they occur in, are easier to recover from than their kinetic equivalents. Rebuilding physical infrastructure lost to bombs, for example, is generally a matter of years. Restoring networks and services usually takes weeks, if not days. A few cyber operations, to date, have been able to show persistent results. These attacks, however, only managed to do this by having a very limited and narrow scope, as Stuxnet did (Rattray & Healy, 2010, p. 78).

This does not mean that offensive cyber capabilities are entirely useless when it comes to annihilation and dislocation. This is where the role of cyber capabilities as a force multiplier in military operations comes into play. Offensive cyber capabilities can facilitate and empower kinetic attacks through various means. CNEs can be used to gather military intelligence and ensure operational and tactical superiority by supplying information on the enemy’s defenses, troop preparedness and movements, commander decision making, as well as its weak and strong points. CNAs can serve to aid and amplify the scope of kinetic attacks by creating surprise and confusion through undercutting the enemy’s defense systems. This can be done by disrupting enemy reconnaissance and detection systems. During the 2007 Israeli operation against Syria, the attackers were able to bypass Syria’s defenses by remotely disabling their radars (Rattray & Healy, 2010, p. 80). CNAs can also delay and prevent defensive actions by hindering an enemy’s ability to plan and react to a physical attack by disabling their communications, as well as command and control structures. An example of this would be the 2008 Russo-Georgian war, as “When Russian tanks rolled into Georgia in 2008, their advance was greatly eased by cyberattacks on Tbilisi’s command, control, and communications systems, which were swiftly and nearly completely disrupted” (Arquilla, 2012, pp. 9).

By using offensive cyber capabilities in combination with kinetic operations, the strategist can circumvent the tradeoff between scope and persistence inherent to cyber-attacks. A few days’, or even hours’, worth of damage to radars and communication systems is all that is needed to mount a surprise kinetic attack that permanently dislodges, and even annihilates, enemy defenses and strength. While the scope part of the equation is handled by cyber operations, the persistence angle is dealt with kinetically.

Coercion and Deterrence

Coercion is forcing an enemy to go through with an action that is preferable to the strategist but disadvantageous to the enemy. Deterrence entails preventing the enemy from going through with an advantageous action that would be harmful to the strategist. Deterrence can further be divided into deterrence by denial, where an enemy’s perceived gains from a particular course of action are reduced, and deterrence by punishment, where the threat of retaliation is used to discourage the enemy. Some scholars, such as Thomas Schelling, do not even distinguish between the two, instead using the term active coercion to describe forcing compliance and passive coercion to mean deterrence, placing the two on a continuum rather than in opposition (Schelling, 1966, p. 69).

Multiple case studies support the utility of offensive cyber capabilities in both active and passive coercion, namely the Russian activities against both Ukraine and Montenegro when both sought closer relationships with the West. In the case of Ukraine, Russia used a combination of methods, such as sending proxies, a massive disinformation campaign, and a military invasion. More importantly for the purposes of this study, Russian-linked hackers managed to bring down the country’s electrical grid for a few hours, without, however, leaving any lasting damage to the system. In addition to this, Russia mounted multiple attacks against Ukraine’s banking and media sectors (Zetter, 2016, pp. 6).

When Montenegro applied for NATO membership, it faced similar, although not as drastic, efforts on the part of Russia. In the case of Montenegro, much like Ukraine, the Kremlin resorted to a mix of methods. It supported opposition parties against the country’s pro-Western government and mounted Distributed Denial of Service (DDoS) attacks against political and social institutions such as the parliament, media websites, and the pro-Western party in power (Hodgson et al., 2019, p. 12).

In both cases, the success of cyber capabilities in ensuring coercion appears limited. Montenegro went through with its NATO membership, and Ukraine, despite the ongoing occupation of Crimea, still maintains close ties with the West. In the case of Ukraine, the variety of tools used to deter it from getting closer to NATO countries and coerce it to remain under the Russian sphere of influence would have made it hard to determine, had the operation been a success, to what extent that success was due to Russia’s use of offensive cyber capabilities.

Attrition and Exhaustion

Attrition and exhaustion refer to strategies that seek to slowly diminish the enemy’s physical and psychological fighting resources while conserving one’s own, rather than to achieve decisive military victory as annihilation and dislocation do (Langlois & Langlois, 2009, p. 1053). Whereas attrition targets physical resources, exhaustion targets the psychological will to fight.

The use of offensive cyber capabilities offers great potential when it comes to both attrition and exhaustion strategies. The offense-dominant nature of cyber conflict, as well as the low barriers to entry (Lindsay, 2018, p. 376), make it easy to launch a series of attacks without great cost. The tradeoff mentioned above in the annihilation section does not matter as much in this case. Even attacks that can be recovered from quickly still incur massive financial and psychological costs. An example of this would be the ‘Shamoon’ Iranian cyber-attack against Saudi Aramco, the state oil company. While the company’s production quotas remained normal, it took massive financial losses due to the attack. The costs of rebuilding the networks and their security system were substantial, as were the losses due to being offline in the meantime (Carr, 2013, p. 35).

The key to a successful attrition strategy is not just to exhaust the enemy’s willingness and resources, but to conserve one’s own as well. In this case, cyber-attacks allow the strategist to strike and inflict damage without reaching the threshold of an armed attack and provoking costly kinetic retaliation. The anonymity and attribution problems inherent to cyberweapons also allow for plausible deniability. Both features are crucial in the case of heavily asymmetric conflicts, where attrition strategies are common. Information warfare through cyber means also offers an opportunity to exhaust the enemy’s psychological resources and willingness to fight, namely by eroding popular morale as well as public trust in the leadership (Kello, 2017, p. 216).

Cyber-attacks also work as a force multiplier in attrition warfare. In the event of military escalation, CNAs can be used to confuse the enemy and waste his resources by creating a multitude of false alarms in radar and detection systems (Rattray & Healy, 2010, p. 87).

Terror

Strategies involving terror seek a primarily psychological effect, mainly, as the name suggests, fear. They involve “premeditated, politically motivated violence directed against non-combatant targets to modify public opinion or to change a government’s policies” (Echevarria, 2017, p. 65). In recent years, the terms terror and terrorism have taken on a very negative connotation. They have also become almost exclusively associated with non-state armed groups. In practice, states can and do use strategies and operations that deliver primarily psychological rather than material damage. For instance, Echevarria considers the massive WWII-era bombing of cities a terror strategy (2017, p. 68).

Multiple attacks discussed so far in this essay can be construed as examples of terror tactics using cyber capabilities, namely Russia’s attack on the Ukrainian energy grid, which did affect civilians, and Iran’s attack on Saudi Aramco, which did not directly affect civilians but did hit a non-combatant target. Similarly, the 2007 Russian cyber-attacks against Estonia can be viewed as a campaign of cyber-enabled terror. The attacks hit the country’s financial system, media organizations, and other non-combat targets prominent in civilian life. Some even believe that Russia’s aim with the attacks was to sway public opinion so as to “incite large enough demonstrations that they would provoke violence. Then, Moscow could have used the ensuing violence as a pretext for launching an anti-Estonian insurgency that could have justified either direct Russian support for the insurgents or even Russian military intervention,” (Blank, 2017, p. 86).

In addition to the above-discussed cases, there is a large potential for the use of offensive cyber capabilities to create mass casualties and ensuing terror, in what many have compared to a ‘cyber 9/11’. These include, according to the United States Department of Defense, the use of offensive cyber capabilities to trigger a nuclear plant to malfunction and eventually melt down, causing Chernobyl-like levels of lethal radiation. To lend this scenario some credibility, the use of cyber capabilities against nuclear facilities is well documented in the literature through the case of Stuxnet. This scenario, however, would be a reverse Stuxnet, causing centrifuges to overpower instead of disabling them. The U.S. D.O.D. has also theorized that cyber weapons could be used to provoke massive drownings and property damage by remotely opening dams near areas with high population density. They could also result in high numbers of plane crashes by disabling or compromising air traffic control systems (General Counsel of the D.O.D., 2016, p. 1015).

Decapitation and targeted killings

Decapitation refers to the removal of the head of a hostile state or organization such as the commander of rival armed forces. Targeted killing, often used as a tool for decapitation, is the “intentional selection, targeting and execution of an individual – not held in physical custody – by a state for military, political or security purposes” (Grayson, 2012, p. 120). Decapitation does not necessarily involve targeted killing. A hostile leader can simply be replaced by a more sympathetic one.

The use of cyber operations as a stand-alone measure offers limited possibilities when it comes to targeted killings. While some have theorized that, potentially, enemy killer drones could be hacked remotely and turned against the leaders that set them (Petkis, 2016, p. 1431), for now, that possibility remains within the realm of science fiction. On the other hand, cyber capabilities act as a force multiplier when used in conjunction with kinetic powers. Mainly, the use of CNE attacks to gain intelligence about an enemy’s whereabouts can assist in planning assassination attempts. One example of this would be the 2010 killing of Mahmoud al Mabhouh, then leader of Hamas. Al Mabhouh’s computer had been infected by a trojan virus which helped Israeli intelligence services track his movements and locate him (Carr, 2013, p. 36).

The use of cyber capabilities to conduct disinformation campaigns and hack electoral machines to replace enemy leaders with weaker or more easily corrupted ones has been widely discussed in recent years. Russia, in particular, has been accused of using its considerable cyber resources to sway public opinion in various democracies. It did so in the above example of Montenegro, and there is credible evidence that it interfered in the 2016 presidential election, amongst others. It is difficult to determine to what extent Russia’s actions affected the change of leaders (Groll, 2019, pp. 8). However, this strategy certainly holds potential.

Conclusion

This essay has evaluated the utility of offensive cyber capabilities to military strategy and operations. It has reviewed current and potential uses of computer network attacks and computer network exploitation in five common military strategies: annihilation and dislocation, coercion, attrition and exhaustion, terror, and decapitation. It has found that, overall, the best use of these attacks is as a force multiplier in support of and in conjunction with kinetic military operations. The combination of cyber and kinetic operations allows the strategist to remediate the tradeoff between scope and persistence that arises when conducting stand-alone cyber-attacks. This is not to say that stand-alone offensive cyber operations do not have any merit in achieving strategic aims. These operations can be extremely useful in wearing down an enemy’s resources through a series of easily recoverable, yet financially costly attacks. Information warfare tools can also reduce the enemy’s psychological readiness to fight, which is essential to a successful attrition strategy. They also have great potential for terror strategies, and the information warfare possibilities they offer can assist decapitation strategies through election meddling.
