By Daniel Moore
We have been expecting cyberwar for decades. Researchers and commentators alike have awaited a revolution in military affairs delivered by non-violent digital coercion. In their view, cyber-warfare was expected to shake the great balance of power, plunge countries into nation-wide outages, and turn our deepest dependencies against us in the fight between nations. It all sounded quite compelling. After all, we have embraced the ascent of the internet with a passion, weaving networks into every facet of our existence. Yet the revolution in warfare never came. Far from non-violent digital coercion rendering war obsolete, we have seen that war remains a brutal, violent experience for soldiers and civilians alike. We observed cyber-warfare incorrectly; we have over-promised on what is likely and under-promised on what is possible. The result is wildly inappropriate expectations of what we may see in future conflicts.
It is not that we have not seen cyber-attacks. We have indeed, and ransomware has exacted a particularly heavy toll from governments, businesses, and individuals globally. Some ransomware operations were employed by governments as a form of crude, barely-deniable cyber-attack. We have also seen military-driven targeted attacks within conflict.
I offer three points:
- Cyber-warfare is an incremental evolution of other forms of warfare that, when used correctly and jointly with other capabilities, can deliver meaningful effects and help achieve objectives.
- Cyber may deepen existing asymmetries rather than upset them.
- Our visibility is deeply biased as a result of limited evidence and a narrow, desensitizing perspective.
Evolution, not Revolution
The odds of winning a military campaign singularly through cyber are essentially zero. Disrupting networks gives you no dominion over territory, and the very nature of offensive cyber capabilities prevents them from meaningfully deterring an adversary from their intentions. This means that questions such as “Has Russia failed its cyberwar with Ukraine?” are mostly unhelpful. Rather, we should ask: “Why have the Russians failed to control the narrative of war?” or “Have the Russians used offensive cyber to degrade the Ukrainian military’s capacity to execute against its objectives?” The sooner better questions permeate the public conversation, the faster we can focus on what offensive cyber can achieve rather than on what it overpromises.
Attacking networks can be a force multiplier in warfare, if used well. A well-timed tactical attack against elements of local command and control can reduce enemy effectiveness. These capabilities – which are realized through what I call event-based operations – are becoming increasingly common as a natural extension of electronic warfare (EW) and can be repeatedly useful and robust.
Similarly, a strategic or theater attack against a deployed enemy can impact communications, adversely degrade telemetry, render critical networks inoperable, and even affect combat system availability. Though crudely executed, the February 2022 Russian attack against Viasat – supposedly intended to disrupt the Ukrainian military in the leadup to the Russian invasion of Ukraine – is a good example of pursuing more significant effects against enemy forces.
I call these types of attacks presence-based operations as they frequently require extensive network intelligence campaigns to precede them. They are valuable but brittle assets. Such capabilities draw from a storied history of clandestine sabotage coupled with the communications expertise of signals intelligence (SIGINT) to create a potent, modern lovechild.
In both circumstances, the capability alone is not enough. A tactical network attack will not win an engagement, and a strategic one will not determine a campaign. Even when used in relative isolation, such as in the Israeli example of “the campaign between wars”, attacking networks is not the revolutionary reinvention of modern warfare. Cyber-warfare presents opportunities and risks from the steeply increasing dependency on networks, feeding all aspects of armed conflict and modern life. War remains innately kinetic.
It has been argued that network operations are easier to carry out than their kinetic counterparts. The barrier to entry is supposedly lower, the internet is easier to traverse than hostile airspace, there is some flimsy measure of deniability, the effects may be tailored or indiscriminate, and the tools of the craft are often easier to come by. This is true – to a limited degree. In reality, the complexities of creating effective offensive capabilities, reaching and breaching targets of interest, positioning your tools, and successfully getting the effect you want when you want it are immense. There is a reason why the vast majority of attacks we see are ransomware and wipers; they are crude, flexible, variably indiscriminate weapons. They are often the tools of the asymmetrically inferior.
Cyber often amplifies existing asymmetries in warfare. The best-resourced nations, the ones with immense investment in SIGINT, EW, technical research, and software development, are best placed to leverage the full value of network attacks. The United States, despite its lawyer-laden, sprawling bureaucracy, likely holds both impressive strategic and tactical capabilities and the know-how to use them. At the very least, it is arguably best positioned to fulfil this potential.
That said, offensive cyber is asymmetrically a means of persistent harassment. For nations such as Iran or Ukraine, it provides a means to consistently exact some cost from their adversaries while presenting limited risk. In most respects, cyber operations amplify the existing operational characteristics of the nations who use them.
Gaps in Visibility
We are inundated with coverage on network attacks. Whether it is increasingly high-quality journalism, private-sector research, government agency publications, or academic analysis, it seems that attacks get surveyed and catalogued daily, with a global reach. This perception is highly misleading and creates a pervasive bias which results in unnecessary surprises and a diminished capacity for accurate threat assessment. Our visibility is principally centered on (a) the loudest, worst threat actors, (b) adversaries targeting Western or Western-neutral countries, and (c) leaks. Each of these provides unprecedented access to otherwise sensitive, compartmentalized capabilities. But it is still a sliver.
When was the last time we saw a publicly and reputably reported strategic network attack against a major adversary by the United States, the United Kingdom, or even Israel? These threat actors are often the benchmark for operational and technical capacity, and yet they are consistently absent from view for years at a time. Considering what was possible with Stuxnet in the 2010s and various statements on network attacks expended against Iranian targets in the 2020s, we simply do not know what the state of the art is in offensive cyber.
We have yet to publicly capture forensic details about an attack against military equipment. Considering vulnerabilities in military networks and hardware, the odds that these capabilities do not exist are minuscule. We have also yet to see network attacks leading to cascading failures of critical infrastructure within armed conflict. It does not mean they are impossible to execute, simply that they are hard, rare, and possibly saved for the rainiest of days.
It is crucial to acknowledge the limitations of what we see, and to drive forward with cautious assessments. We know enough about warfare to understand that cyber will not fundamentally change it in the immediate future. We also know enough from public reporting about cyber to understand that there are likely threat actors about with capabilities meaningfully beyond what we have seen thus far. In this sense, the Russian invasion of Ukraine is both highly educational and a cautionary tale; we can learn from it, but must be careful not to over-extrapolate from it.