© Jacob G. Oakley 2019
J. G. Oakley, Waging Cyber War, https://doi.org/10.1007/978-1-4842-4950-5_13

13. Challenges

Jacob G. Oakley, Owens Cross Roads, AL, USA

Chief among the challenges faced by those wishing to conduct warfare within the cyber domain are the misconceptions that lead to ill-informed policy, planning, and execution regarding cyber activity. Misconceptions surrounding cyber warfare stem from essentially two causes. One reason for many misconceptions is a lack of technical understanding of what is actually involved in carrying out warfighting actions within the cyber domain. The other reason that cyber warfare is generally misunderstood or misrepresented is that most individuals, even in the military and government, do not adequately understand the authorities, definitions, and legality involved in warfare in general, and specifically how they apply to the cyber domain of warfighting.

Truly appreciating how technology constrains cyber warfighting activity requires at least a notional understanding of a wide spectrum of cyber technologies. As such, even those cyber professionals technically proficient in one aspect or another of the resources needed to carry out cyber warfare may not fully comprehend the abundance and diversity of technical challenges. It is easy to focus on the cyber tools and technology involved in exploitation and attack effects because those are what are readily associated with cyber warfare. As we have laid out through the chapters in this book, the technical challenges also involve diverse infrastructure and skill requirements to successfully carry out cyber operations from friendly cyberspace, across the internet, and into target enemy systems.

Even those individuals who readily understand Title 10 and Title 50 of the US Code and how they provide authorization and oversight to cyber warfighting actions need further comprehension of cyber. We have discussed many examples of how certain cyber actions, when viewed through the frame of those titles, actually represent potential war crimes or illegal actions. We must ensure that an understanding of cyber warfare is not limited to what lets us conduct war within the cyber domain but also includes the information required to keep such actions just and within the lines of international convention.

Having policy makers and commanders involved in cyber warfare with offensive security backgrounds would potentially position them better to make informed and legal cyber warfighting decisions. This is obviously a solution that isn’t going to manifest itself, but it represents the type of background that would provide operational insight into cyber warfare, just as it has for me. Combining such knowledge with military or government experience would be the ideal genesis for creating the cyber combatant commanders and House and Senate Armed Services oversight committees of the future, prepared to handle this new domain of warfare. More realistically, as citizens who grew up with computers and access to the internet become senior leaders, military commanders, and politicians, there will at least be a much higher baseline of computer and internet knowledge among those groups, which will naturally lead to decisions and commands that better reflect and leverage this cyber understanding.

In the same way, I think the legality and authority issues of cyber warfare will become more easily understood with time, as will strategy and tactics regarding cyber warfare. Once you have leaders and warfighters who have grown up with cyber warfare and cyber domain activities existing and being carried out, strategy will better employ it. Imagine the advent of airplanes in warfare. At the time, there were no senior commanders, generals, or government leaders who had gone through their lives with an understanding of airplanes and their military applications. As such, you had people attempting to execute strategic planning and tactical decisions with the addition of a warfighting implement they potentially did not understand and assuredly were not accustomed to. The same is the case for the cyber domain: as it continues to influence and be connected to other domains of warfare, it will be better understood, leveraged, and executed.

Major Misconceptions

Resulting from the knowledge gaps in technology and legality are the major misconceptions which challenge the successful implementation of the cyber domain as an adequate and appropriate warfighting environment. The following are not representative of the totality of challenges faced in conducting cyber warfare and cyber activities, but in my opinion, they are some of the most impactful.

Exploitation Is Warfare

Cyber exploitation and intelligence gathering activities by foreign adversaries are continually referred to as cyber-attacks. This use of vernacular permeates from the media into the minds of those who ingest it. For this and other reasons, cyber activities which are not attack effects or battlefield preparation are constantly referred to as attacks or cyber warfare. We have established that this is incorrect. Title 50 activities are not acts of war, whether they are committed by the United States or other nations, and we need to remember that.

When a foreign spy is discovered in the United States, they are not shot; they are tried, convicted, and incarcerated or, depending on their political or diplomatic status, simply expelled. The US government itself has taken this same stance with cyber actors in its charging, through the Department of Justice and the Federal Bureau of Investigation, of attributed uniformed hackers from China and other countries. This should further reinforce the fact that for a cyber activity to fall within the legal and authoritative realm of warfare, it must actually be a fully attributed state-sponsored attack effect.

Even when conducted by uniformed members of a foreign country as part of state-sponsored cyber intelligence gathering, it is considered intelligence gathering under Title 50–type authorities and not a Title 10 warfighting action under Title 10 authorities. As such, it would be outside the authorities of most national and certainly international convention for a state to respond to such exploitation or intelligence gathering activities with its own cyber-attack effects. This would certainly be viewed as an unprovoked warfighting action and potentially a declaration of open conflict.

Ease of Attribution

There is not a widespread appreciation for the sheer difficulty of attributing cyber activity. This is the case for exploitation, intelligence gathering, and attack effects launched within the cyber domain. Especially with cyber-attack effects, which are acts of war, attribution must be established with absolute fidelity if a response is to be launched. We need to remember that a response to an act of cyber warfare can be a missile launch, invasion, or otherwise similarly weaponized warfighting action. Since that is the case, and given the ease with which cyber actions can be masked and attribution undermined, convincing decision makers and politicians to declare war or approve warfighting activity based on an attribution of a cyber-attack effect would seem extremely unlikely.

There are essentially two ways in which a cyber-attack effect can elicit a warfighting response within a realistic time window. The state which launched the cyber warfighting action can openly admit the act as part of a declaration of hostilities against its enemy. The only other situation that responsibly allows for warfighting responses to a cyber-attack effect is when the attributed perpetrator is a state with which the victim and responding state is already in open conflict. These two scenarios revolve around open acknowledgment of motivation for the cyber-attack. Short of the perpetrator admitting it was a Title 10–type action, in cyber, there is essentially no way to know the intent of a cyber activity without it resulting in an attack effect or being admitted as an effort to bring one to bear. When part of a declaration of hostilities or ongoing conflict, motivation is admitted or assumed.

Return Fire

In cyber warfare there is no realistic concept of return fire. If we ignore the previous misconception and assume attribution is actually possible, there is still no feasible situation where it would happen so fast that cyber or other actions could subsequently be launched against the unit or asset which launched the attack effect. Remember, a tool which delivers an attack effect can be installed days, months, or even years prior to being executed. Further, even if the enemy hackers are discovered placing the attack tool, without execution having happened, there is no way to completely know, or more importantly prove, the motivation of that action. When the necessity for timeliness is combined with the near impossibility of attribution in the first place, return fire seems a laughable concept. Cyber-attack effects should be directed as a strategic decision as part of a greater and wider conflict, not as part of a tactical response to an ongoing firefight.

I like to compare the ridiculous concept of returning fire in the cyber domain to the following example. Imagine a US patrol in Afghanistan accidentally came across a Soviet-era land mine, placed decades earlier to deter Afghan advances. The land mine is stepped on by one of the patrol members and it explodes. The mine was placed by Soviet soldiers who are potentially dead of old age and are certainly no longer even in the country of Afghanistan. What target might the surviving members of the patrol return fire against? This may seem like an exaggeration, but it would be just as easy for the members of that patrol to go back in time and return fire against the Soviet soldiers who placed the mines as it would be for a victim of a cyber-attack effect to attribute, target, and respond in a tactical manner to the assets which launched the cyber-attack with their own cyber-attack capabilities.

Target Dictation

There is this idea that once targets are found in the cyber domain, commanders can simply direct that they be attacked and it will be so. What makes the return fire scenario even more improbable is the fact that target dictation in the cyber domain happens as the result of vulnerabilities being present and weaponized exploits existing. Commanders and decision makers cannot dictate which targets are susceptible or which capabilities exist. So even in a scenario where we ignore that attribution is extremely difficult and successful targeting for return fire next to impossible, we may still be unable to respond to that target with cyber-attack effects. Let’s assume attribution was essentially immediate and with enough fidelity to responsibly dictate a response against the enemy who conducted it. We must also assume that the enemy has not simply been attributed but that the location from which it is obfuscating its communication pathways or accessing the internet to conduct cyber operations has also been located, and with enough fidelity to adequately target it. For return fire to happen while the aggressors are still carrying out cyber-attack effects would also require that the infrastructure identified as being actively used by the enemy is vulnerable to an exploit in the arsenal of the responding state and that an attack effect viable on the enemy device is available.

Resource Availability

In case we have not yet decided that cyber warfare is insanely difficult or potentially wholly unrealistic, there is more! In the same line as the misconception that targets in the cyber domain can simply be chosen based on a decision by a commander is the incorrect assumption that tools are readily available. I don’t just mean the exploit and attack tools, but also the ability to even communicate with a target once it is chosen or operate interactively on that target with an access tool if it can be exploited.

The difficulty of attaining the technological resources involved in cyber warfare, coupled with the potential ease with which control or ownership of them may be lost, would have to weigh so heavily on every warfighting decision that it might paralyze the cyber operator and the commander alike. Let’s do some more assuming to continue illustrating the difficulty in cyber warfare that these misconceptions help decision makers ignore. Let’s assume a cyber-attack effect was launched, and the victim not only attributed the perpetrator but identified the infrastructure they were actively using to launch more cyber-attack effects against other assets of the victim state. The commander picks that infrastructure as a target and cyber-attack effects as the appropriate response action. Let’s even assume the victim state has both a working exploit against those systems and an attack effect that will nullify the enemy’s cyber warfighting capability. The decision now faced by the commander is: is it worth it? Remember, using an exploit and/or an attack effect potentially risks the loss of control or ownership of that resource.

Imagine a patrol in enemy territory is engaged by enemy small arms fire. Now imagine that the patrol leader has to weigh the fact that if he or she responds in kind with small arms fire from their M-16 assault rifles, there is a chance that the M-16 weapon as a resource might be lost, not to the patrol, but to the entire state military. This is an unrealistic situation in the domain of land warfare, but in the cyber domain it is very real. Assuming all other challenges to returning fire or engaging an enemy with cyber-attack effects were satisfactorily overcome, there is still the question of whether or not the risk to the cyber resource itself is worth it in the given scenario. Would you be willing to risk an exploit and attack effect resource in a cyber return fire response against enemy cyber infrastructure if that same exploit and attack effect would be needed to shut down enemy air warning radar ahead of troop deployments and air strikes? I don’t think I would. This further supports the position that cyber domain warfighting activity should be strategically planned and weighed at the theater or global level and not be part of tactical responses in ongoing battles, as the potential implications of cyber resource utilization are so far-reaching.

Shelf Life

There are resource assumptions beyond the misconceptions about the availability of cyber resources, both in general and in a target-specific sense. There is a notional concept that these resources can be stockpiled and kept on the shelf so that when the time comes for use, the potential for their loss is less damaging to the overall cyber warfighting capability. The fact is that this is simply not the case. Even if a state had the ability to create stockpiles of different exploits, access tools, and attack effects, there is no guarantee that when the time comes to utilize them, they are still effective. There is an entire global industry sector dedicated to securing cyber systems from being subject to exploitation, unauthorized access, and attack.

An attack effect or exploit may still work, and the vulnerability enabling its execution on the target may still be present, but the security industry may have developed signatures based on similar capabilities already seen, or simply improved heuristics to the point that they detect the tools as malicious and stop them. Cyber security companies don’t care if a tool is an amateur hacker backdoor or a state-created zero-day exploit. They are doing their best every day to stop all types and sources of potentially malicious cyber activity. This means that even if the ability to stockpile cyber resources were realistic, stockpiling them in the first place may be a wasteful endeavor. Aside from the security industry, there are also any number of other states, organized crime entities, and hacker groups also trying to develop cyber resources, which may be almost identical to what is stockpiled. These facts further complicate the decision paralysis over whether or not to risk losing a cyber resource through its utilization, as it may be lost at any time even if never utilized.

Static Targets

Just as there is a misconception that once developed, a cyber resource is readily available to be used until needed, there is an assumption that targets are static. I mean static in two ways. The first assumption is that once a resource is developed for use against a target, that target will remain in a state which allows for the cyber resource to function. The second assumption is that the target’s location will remain the same in the time between target determination and response execution.

Every keystroke, every second of being powered on, and every on/off flip of a bit changes the state of a cyber system, which makes such systems extremely volatile targets. Pretend every earlier misconception were true: a target has been attributed as enemy cyber infrastructure, exploits and attack effects exist for it, the decision has been made to use those tools against it, and no security industry development challenges the tools’ execution. In the time it took to do all of this, the enemy may have moved infrastructure, or, more likely, left the system up, which was never theirs to begin with, and moved their tools and operation elsewhere on the internet. In this case the cyber-attack response by the victim may actually be taking place against a system owned by a non-combatant. If this system were grandma’s smart fridge, no big deal; if it was a machine in a hospital used to track medication dosages and allergies, we suddenly have a potential war crime and innocent casualties on our hands.

The previous scenario illustrates the challenge posed by the speed with which target locations change in the cyber domain. To show how dynamic the state of cyber system targets is, imagine the enemy systems were all using the Microsoft Windows 7 operating system and had been prepared several months ahead of time for a widespread attack to cut off power to military and government forces ahead of an invasion. Now, in those months Microsoft announced and implemented an automatic update of all Windows 7 and newer systems to the Windows 10 operating system. The targets with cyber-attack tools on them are no longer vulnerable to the attack effect or its executing exploit.

Next Hacker Up

In the Marines especially, and in many other military organizations, there is the concept of next man or woman up. If one Marine or soldier goes down or cannot perform their duty, there is an entire Marine Corps or Army full of troops ready and willing to take their place. While this is a stoic concept and useful in some settings, it is not a realistic scenario in the cyber domain of warfighting. I have heard with my own ears a senior leader say to highly trained and specialized cyber operators, “you are not special, I can replace you with any Marine.” While I appreciate the intent of warfighters not thinking they are better or special or deserving of accolades and special treatment over those in other military occupational fields, it is ignorant of certain facts. You can’t just replace a pilot, medical doctor, or special forces soldier with anyone from the larger force. Cyber warfighters should be no different. Developing the type of skills red teamers and penetration testers have, which are needed to conduct cyber operations, takes years and at least a commensurate level of knowledge, if not formal education in computer science at the post-graduate level. The military and government services often struggle with this, as they are organizations that rely on an ability to replace individuals, whether due to promotion, duty location rotation, or change in responsibilities. As such, cyber warfighters must be viewed as an extremely limited resource, especially given the ease with which they could find themselves employed outside of the military or federal service.

Open Conflict

Most of this book has covered the technological and conceptual challenges to war within the cyber domain as seen in a vacuum. While all true and applicable outside of a vacuum, they do not capture the greatest potential challenge to using cyber as a warfighting domain. In an open conflict with another state or states, as happened in the World Wars, the cyber domain may not be available. There is a potential that the enemy has completely shut itself off from cyber communications with the rest of the world, making cyber warfare almost entirely ineffective. There is also the potential, in a wide enough conflict, that the cyber domain ceases to exist altogether. Imagine World War III: GPS and communication satellites are shot out of space with missiles, undersea cables are cut, nuclear weapons and EMPs are detonated. In such a scenario, pooling resources into cyber warfare seems foolhardy. I am not suggesting that the cyber domain and cyber operations aren’t extremely important and still worth pursuing in an open conflict situation, but using what little access might be obtained in such a conflict is likely to be far more important as an intelligence gathering mechanism than as a conduit for a one-time cyber-attack effect.

Open Conflict Challenges

Supposing that in an open conflict the infrastructure which enables the cyber domain was not specifically targeted with kinetic weaponry, there are still specific challenges to leveraging cyber-attack effects in times of open war. In many cases cyber-attack effects are inferior, for one or all of the following reasons, to the more conventional warfighting options commanders may have at their disposal.

Target Availability

As already discussed, targets have to present an attack surface reachable via the cyber domain to be part and parcel of cyber warfare. Even if attacks are not directed at the systems which enable this attack surface to be reached between states across the cyber domain, incidental damage from conventional warfare in the same conflict may similarly limit the ability to reach cyber systems with attack effects. More than that, enemies are likely to go into states of self-seclusion, particularly in the cyber domain, knowing that maintaining an internet or otherwise interconnected presence for cyber systems poses an elevated risk.

Communication Dependability

The timing of cyber-attack effects is very important, as such tools are often used in concert with other operations during a conflict. As such, these tools are likely deployed ahead of the operations they support and are expected to be executed at the appropriate time. For much the same reasons the attack surface may not be available in the first place, communication lines between the perpetrating state and its cyber-attack effects can be easily lost due to incidental damage from kinetic strikes, if those systems aren’t already themselves the target of kinetic weapons. There are potential mitigations for this in triggered attack effects and other automatic execution mechanisms, but if the system loses power around the time the attack is needed, or the system acting as a launch point is otherwise affected, attack effect execution and communication with access and other tools can be undependable.

Ineffective Weaponry

Assuming targets can be reached and are available for the deployment of cyber-attack effects, there is the possibility that the target, for one reason or another, has become resilient or resistant to the cyber exploitation or attack effect. We have covered many reasons why this may be the case; regardless of the reason, having a warfighting domain whose weapons have elevated chances of becoming ineffective makes it a dangerous asset to rely on as part of a wider warfighting repertoire. This could be exceedingly frustrating to commanders and decision makers, as the various assets in the cyber arsenal may not reveal themselves as ineffective until the moment they are relied upon and executed.

No Battle Damage Assessment

Another important concept for a warfighting domain as part of a greater open conflict is the ability for commanders and warfighters to recognize the effectiveness of their strikes. This helps steer the commander toward continued or altered utilization of various weapon systems and warfighting resources. If you shoot ten missiles at an enemy aircraft and all of them miss or cause negligible damage, you may switch the weapon systems used to engage such aircraft in the ongoing firefight and in future skirmishes. With cyber-attack effects, there is a difficulty in determining the battle damage assessment and overall effectiveness. This is the case even in a vacuum, where the attack effects themselves are likely responsible for a lack of communication with the target once executed; the situation is exacerbated in open conflict, where any of the previously discussed communication impacts or issues could also make it difficult to observe effects on a cyber system after it has been attacked via the cyber domain. Without knowing whether or not a valuable cyber exploit or attack is effective, a commander may suffer further decision paralysis over its continued use. Is it worth more deployments of a valuable exploit and attack effect that may be better used for more important targets down the road if you cannot determine its effectiveness against current targets? Probably not.

Cost-Effectiveness

Access to enemy cyber systems, especially in an open conflict, is an extremely valuable source of information. In an open conflict, the entire conventional arsenal is available to a commander in most cases. Choosing to give up or endanger an intelligence gathering source such as a cyber system, where a cheap and easy-to-reproduce missile can also accomplish similar strategic effects, comes across as irresponsible. In a conflict where enemies are already engaged in open conventional warfare with bombs, missiles, bullets, and artillery, justifying the use of a cyber-attack effect in their stead is hard to picture. I am not saying scenarios wouldn’t exist where cyber-attack effects might be the best option. However, in open conflict, the cost-benefit of using and risking cyber resources like exploits and access tools to launch attack effects within the cyber domain is hard to justify.

Summary

In this chapter we covered the major misconceptions surrounding the concept of cyber warfare. We also discussed some of the cultural and environmental issues that lead to these misconceptions that are both generational and technical in nature. Next we discussed the concept of open conflict and how it affects aspects of cyber warfare, including the existence of the cyber warfighting domain itself. The challenges to cyber warfare in an open conflict were also covered.
