The trope of the cyber warrior has changed radically. Circa 1999, cyber warriors at the Joint Task Force Computer Network Defense worked under the U.S. Space Command. It seemed like a poor fit. Space operations require the careful orchestration of many different parts, huge checklists, and a zero-defect culture in the face of literally thousands of possible errors. Every move is choreographed. Cyber warriors, at least then, did not work that way. They entered systems silently. When there, they braced themselves for surprise regardless of how thoroughly they were briefed. They learned to orient themselves quickly, looking for handholds that let them manipulate the system before the system found and expelled them. They innovated when they had to. They left as quickly as possible. It sounded as though the special forces community would have been a better fit.
It Takes a Campaign
But the hacker as cyberspace commando no longer fits today’s practice. Most successful hacks these days do not involve an intruder as such, but a piece of malware created to sneak past a system’s defenses and put itself in a position to take control of a system to execute a series of instructions and then call out for further instructions. Hacking, like many human endeavors, has been automated. Hackers are like toolmakers—closer in spirit to the space community than in 1999, although hackers no longer work for U.S. Space Command. They now work for U.S. Cyber Command (CYBERCOM), which, together with the U.S. space community, operates under U.S. Strategic Command. . . .
If the primary purpose of a cyberwar-operations campaign is to affect the adversary’s thinking, then perhaps this should be undertaken in coordination with (or in direct support of) a broader deception operation—which, in turn, is likely to be run by psychological operators rather than digital mavens. This returns us full circle to an older notion of information warfare as an overarching discipline—or it simply reminds us that everything really is connected to everything else and that our organizational principles are not meant to be (even literally) carved in stone (on headquarters buildings) but are just notions that seem to make sense at the time.
To the extent that eroding the adversary’s confidence is the main point of a cyber attack, the character and sequencing of cyber attacks might make a great difference. The United States wants to create a narrative that convinces the adversary not to trust its machines. To the extent that narrative formation—that is, story-telling—is more than a set of random words, carrying out a cyber attack on Thursday, having decided to do so on Wednesday, is more than incidental. It requires a campaign. . . .
Cyber Campaign Conundrums
Perhaps the greatest obstacle to planning an offensive cyberwar campaign is convincing commanders raised in the world of physical force that cyberwar has something to contribute. Apart from temporarily shutting down jihadist websites, it has been nearly impossible to see the impact of operational cyberwar (outside highly classified channels). Predicting effects, as argued, is iffy. Yet the cyber warrior may argue that it could work and do so without eating into the resources (such as gasoline) otherwise used to prosecute combat.
One approach is for cyber warriors to prove their bona fides on their own and then leverage success to get a better seat at the planning table. But how? Perhaps they could show off their strategic warfare campaigns—which do not need integration with operational combat commanders to be carried out. Yet even if cyber warriors succeed visibly, kinetic operators may deem civilian targets softer than defense systems, even if effects on civilian networks suggest how military networks may be affected. The effects of operational cyberwar against targets that the kinetic operators are not focused on (and thus not monitoring) may be hard to prove; kinetic operators will have to take the word of cyber warriors.
Cyber warriors also could demonstrate their power against military targets if given permission to act. But at what point in the campaign? Early strikes, as argued, are most likely to be telling because as combat proceeds, defenders tend to tighten up vulnerabilities. But once attacks start, both sides will be reacting, and the question will be who reacts best and first. The slower the defenders’ adjustments, the larger the window of opportunity. Defenders may well be quicker on the mark: they would have immediate battle damage reports (at least for disruption attacks) if not necessarily certainty about what caused the damage. But if the capability to conduct cyberwar depletes as a result of use, by the time enough effects are created to impress their cohorts in warfare, the efficacy of cyber warriors will have become weaker.
If cyber warriors aim to make foes doubt their own information system, the results of their confidence-eroding or will-eroding cyber campaign may be ambiguous, slow to register, and a tough sell to a skeptical audience—even if historians later deem their efforts decisive.
Cyber warriors also might bide their time, watching for opportunities to complement kinetic operations. For instance, planners of a kinetic attack may worry about prevailing against a counterattack. If hacking the adversary’s command and control can create confusion or delay orders and thereby retard the counterattack, the original mission may have a better chance of succeeding with lower casualties. Command and control—cyber warriors may argue—often is difficult to target directly by other means: for example, specific targets may be buried or hidden within adversary command-and-control centers. The airspace required for a bombing run may be too well defended, a particularly daunting proposition if significant on-station time is required to find the target. Anti-jamming capabilities may be present to frustrate electronic warfare. If the objective is to confuse the minds of the adversaries rather than paralyze them with fear, kinetic approaches may not offer very much. A low chance of success with cyber operations may trump a zero chance of success with kinetic ones.
Cyber warriors then can argue the prime attraction of cyber attacks: they are cheap to do once the requisite capacity exists and the intelligence has been collected on the target (which may already have been acquired for other purposes ahead of time). The major operational cost driver—which applies to only some cyber attacks—is mounting an air sortie (which could be unmanned) to inject a radio frequency signal into an adversary receiver. Otherwise, such an attack is riskless (to its operators) and primarily requires the time and attention of cyber warriors with little else to do. By contrast, kinetic operations can be costly in both men and materiel.
Many of the costs of a cyber attack, and hence the basis for objections to mounting one, are other than in men and materiel. One is collateral damage. The not-always-well-founded fear of violating the law of armed conflict may be another (lawyers love to chew over cyber attacks perhaps because the targets of cyber attacks are seen as civilian, such as banks). Maybe preparations for cyber attack can reveal more than comparable preparations for kinetic attack, allowing defenders to infer the importance that an attacker places on a target. This logic applies more so to nonobvious targets. By contrast, cyber attacks against the adversary’s central command-and-control system are so obviously inviting that discovering preparations against them would not say much. A cyber warrior’s true objective, however, can be confounded by cyber attack attempts on both critical and noncritical sites—if cyber warriors are willing to waste a good exploit just to divert the adversary’s attention.
Finally, if cyber attacks are given the time to work while other attacks are withheld, planners may have to be convinced that waiting is either tolerable or unavoidable. A problem for cyber warriors is managing the trade-off between the time required for preparation (often months) and the time during which the target is held off-limits for other attacks. As it is, cyber warriors can and perhaps should prepare many targets in case one gets chosen for a cyber attack, but the resources of cyber warriors are not infinite. In some cases, cyber warriors may recognize that the need for destruction outweighs the hope of causing confusion. . . .
Thinking Beyond Cyber SOPs
Controlling the effects of cyber attack entails controlling cyber warriors. In the physical world, both command and control are getting better thanks to increasingly ubiquitous surveillance and the proliferation of communications networks. The physical effects of war can be meticulously documented and attributed (much as police now operate under more effective scrutiny because of cameras). In cyberspace, however, keystrokes can come from anywhere. Standard operating procedures are a poor guide when one cannot state a priori exactly what the means of attack should be for a class of target, much less predict the likely effects of cyber attacks. Cyberwar commanders must be empowered to act appropriately to the crises, choosing whether to follow standard operating procedures or to think beyond them.
Editor’s Note: This abridged excerpt from Libicki’s upcoming release of Cyberspace in Peace and War (Naval Institute Press, October 2016) contains minor edits and deletions consistent with a Proceedings feature-length article.