What is Cyber “Warfare”?
In the context of Nation and Non-Nation State actors within the current cyber domain, what constitutes “Warfare”? When does a hostile act graduate into an act of war in a poorly-defined battle space such as Military Cyber operations? Is it a matter of technical sophistication that delimits military-grade from civilian-available code, the same way that degrees of explosiveness, caliber, range, and firing rate all delimit civilian-approved personal weapons from military-grade weapons of war? Or in the case of cyber, is it not so much the code’s complexity and design philosophy – the code itself – but rather who uses it and what the code targets that decides whether an incident should be classified as cyber harassment, or perhaps instead cyber: vandalism, blackmail, stalking, crime, theft, espionage, defense, attack, or … Warfare? For example, the script a teen hacker uses to vandalize a High School web portal could certainly be the same used by the cyber detachment of a military’s Psychological Operations units to deface a foreign autocrat’s government website and influence the opposition ahead of an election. Neither defacement is devastating, and the code is identical, but the identity of the Actor significantly changes the incident’s optics.
Similarly, the same could be said about Advanced Persistent Threats in general. The majority of state-sponsored hacking lines of effort are Persistent, they are Threats, but they aren’t Advanced. Rather, the most common APT uses the same phishing, spear phishing, and Whaling attacks that criminals have used since at least the mid-90’s to illegally gain access to an information system. What is different is that financially-motivated criminals typically snatch and run from targets of opportunity, while a state-sponsored offensive computer network team often persists in order to exfiltrate difficult-to-monetize data which is of foreign intelligence value. Again, it is the identity and behavior of the offender which suggests whether an intrusion can be considered militarized, vice criminal, anarchist, etc.
Military Cyber Operations: The Law
International law does no better at addressing the definition of Cyber Warfare; The UN Charter and the Law of Armed Conflict (composed of various treaties, such as the Geneva Conventions) were written to address air, land, and sea battles and as such are ill-suited to address the characteristics of cyberspace. By UN definitions, a cyber attack would have to be successfully argued as having constituted an armed attack or infringement of sovereignty, in order to then be considered an act of war.
However, if Policy analysis and recommendations as disciplined endeavors are to have any useful meaning, then one particularly-important detail which must be reconciled is the Law of Armed Conflict’s consistent use of the term “distinct military advantage.” Attacks on civilian infrastructure, for example, are prohibited unless they lead to a distinct military advantage – but just what that includes is open to interpretation by military leaders and politicians. Certainly in the process of gaining access to the military-oriented technical data stored by defense contractors such as Boeing, Raytheon, or Northrop Grumman, attackers are necessarily penetrating civilian-owned infrastructure, and yet doing so gives them a distinct military advantage.
While one Nation may believe that it is not at war with another and thus such an attack is unlawful, the attacking nation could easily argue (if it felt it had to) that it was engaged in a War with the other, that stealing that technical data in order to gain a future battlefield advantage was no different than doing so during a present-day conflict. From that perspective, civilian-owned infrastructure is a legitimate military target regardless of the lack of hostilities in other, more traditional domains of conflict (air, land, sea, space). By attempting to fit Cyber Warfare into the language of the Law of Armed Conflict and the UN Charter, there is in conclusion, no such thing as Cyber “Warfare” – the term could apply to any Cyber act at any time by anyone, to any degree, regardless of the target. We can do better than that.
Military Cyber Operations: the Ground Forces, War-Fighter Dilemma
So there is no true Cyber “Warfare” domain of conflict in a legal sense; coordinated state-sponsored cyber attacks still exist in a big way, but increasingly as a complement to more traditional methods of War. The conventional military school of thought is that Cyber capabilities exist along the spectrum of Combat Power available to a combatant commander; cyber then is only an “effect” achieved in the conduct of an already-declared theater of active armed conflict, used in a joint combined arms, multi-echelon, and cross-discipline effort to achieve strategic and tactical objectives. As the Ground Forces Commander (GFC) has a wide range of capabilities available to achieve battlefield effects – regiments of Light Infantry, Mechanized Infantry, Artillery, Armor – so too is an offensive cyber team but one more capability available to the GFC.
One of the drawbacks with this school of thought is that it exposes Cyber weapons to the same vulnerabilities of traditional “reconnaissance by fire”. Said plainly: if you fire an artillery shell, you tend to give away your position. If the enemy returns fire, they have given away theirs as well. What we have seen with Stuxnet, Flame, Gauss, DuQu, etc. is that once a military-grade cyber weapon has been released into the wild, it is eventually discovered; the code becomes the property of the intellectual commons, it is reverse-engineered, analyzed, and then made available for repackaging and reuse by all State and non-State actors of all skill levels; in short, it is typologized and in a word: attributable. Consider then that if the GFC uses those cyber weapons to support an overall war effort, then it becomes immediately apparent what actors developed the code. During the 2014 Annexation of Crimea, multiple Ukrainian government ministries were subjected to cyber attacks. The code used was clearly in support of Russian objectives; no serious commentator would suggest they were part of a false flag operation, conducted by some opaquely-motivated third party. No, the attributes of the code (i.e., programming language used, attack vectors targeted, naming conventions, philosophy of modular design, etc.) instead directly served as an unambiguous reference point for characterizing Russian-sponsored malware.
Whether the risk of attribution is prudent or not depends on the battlefield effect achieved, but perhaps only the most far-sighted technocrats will be able to correctly say when giving up the right of repudiation is worth a battlefield effect – the average combat arms/maneuver Officer would hardly be the first candidate for making those decisions. This leads to another drawback of the GFC-led school of thought on Cyber Warfare: command and control issues. Unless cyber offensive capabilities are exhaustively and regularly categorized and parsed out at “appropriate” levels of command as they are developed, then there is a real risk of an O-6/Brigade Commander ordering a cyber effect which benefits his mission in the short run, but detracts from the overall cyber posture for higher-echelon missions in the long run.
Consider for example if a nation had the ability to shut down the power grid serving a city occupied by an enemy. There’s no doubt of the advantage derived from shutting it down. However, if the same could be achieved by a series of precision missile strikes on the power substations throughout the city, which would be the better option? In theory, a cyberattack on a power grid could be reversed immediately, restoring power to the civilian population once the enemy was defeated. The missile strike would destroy infrastructure and deprive the civilian population of a critical need, enemy defeated or not. On the other hand, if that code were captured (by the enemy, or a third party nation-state highly motivated to observe just how the belligerents conducted themselves in cyberspace), then that cyberattack could well be the first and last time that code could ever be used. Missile strikes can be repeated at will, cyber strikes perhaps not so much. The command and control issue then asks at what level of authority should cyber effects be made available? The prevailing attitude of conventional forces in the US military is “mission first.” Thus, if during their one-year deployment, an O-6 who is actively campaigning to earn his/her General Officer star isn’t told ‘no,’ then she may well come to believe it normal to permanently burn cyber capabilities in exchange for short-term progress in her mission alone. At the end of that one-year tour, said commander may be promoted based on the impressive results achieved with cyber operations, yet will have squandered an entire generation of exploits simply to make her Officer Evaluation Report more attractive. If the command and control issue goes the opposite route, and said theoretical commander must traverse multi-layer bureaucracy to get approval for a cyber operation at the Strategic Command level, the process may prove too cumbersome to ever be of use. And unlike Nuclear Weapons, the non-use of cyber capabilities doesn’t increase their value to the strategic calculus, it makes them irrelevant.
Military Cyber Operations: The Framework
The above scenario and set of issues are useful because they helps postulate a framework for Cyber Warfare, but inversely suggests a paradigm for Cyber Operations Other Than War (COOTW). The thinking goes that because offensive code requires so much in R&D resources, and yet might only be usable a limited number of times in actual combat, that an actor wouldn’t unleash its best, most powerful offensive cyber capabilities for anything other than the most urgent, fundamental fight for its very existence in the face of certain destruction: in other words, the First Strike doctrine regarding the use of nuclear weapons. The inverse is COOTW at the extreme opposite of the conflict spectrum: making use of tailor-made code for conducting cyberspace operations which advance national and war-time interests, but whose uses are not acts of war in themselves: espionage against State and non-state actors, cyber-attack target templating, illicit technology transfer, or psychological operations.
It is in the frame work established above that we can postulate three distinct military cyber attack “modes” or applications: 1) COOTW as outlined in the paragraph preceding, 2) Cyber effects supporting the GFC at a tactical level, and 3) a pure, conflict domain-independent form of Cyber “Warfare” that could exist, but simply does not today: a first-strike, prolonged, comprehensive effort to entirely defeat an enemy in totality using all available cyber weapons at an actor’s disposal. Currently, the term ‘Cyber Warfare’ is used vaguely (and perhaps, intentionally flippantly) to describe all three modes. Such use will likely persist for years, yet it will fail to fundamentally convey to civilian and political authorities the real complexities that cyber operations planners must negotiate through, on the ground, daily. Military Cyber Operations are here to stay, and they are combat evolved. But until international law catches up with technological innovation, or US Defense policy planners decide to take a firm, unambiguous stand on what does and does not constitute an act of War in the cyber battlespace, then Cyber “Warfare” cannot be classified as “Warfare” at all.
Author’s Note: This article was originally published NOV 2015 as a series of postings on LinkedIn regarding the future of quantum computing; it was then reposted to a defense forum online for further discussion and guest contribution. A handful of reference materials published since the original posting series have been considered and interjected to further support the original claims. The overall structure has been edited into three blog articles for clarity and ease of reading. None of the conclusions or arguments from the original series of posts have been modified in any way.
 Email phishing is, in short, clicking on a link in an unsolicited email which masquerades as a legitimate, which then begins installing a malware payload onto the target computer, or redirects the unsuspecting to a malicious site which steals credentials or infects the user’s computer.
Great article. Concur 100%. My thoughts are that cyber capabilities need to be employed during the targeting process and considered during all B2C2WG. When it comes to determining cyber effects, could we use the CARVER methodology? Again, good read. Thanks.