The Utility of Offensive Cyber-Operations in Conventional Military Engagements
Abstract
Several high-profile cyber-attacks have suggested that cyber-weapons are as important a force multiplier today as airpower was in 1939. This concept requires further analysis to place the utility of cyber-weapons in context, particularly within the tactical level of conflict. To determine the potential uses of cyber-weapons, this paper examines the recent evidence of cyber-operations in conflict and extrapolates potential utility within a conventional military scenario. From this analysis, the evidence demonstrated that for deliberate attacks with commensurate planning and lead time, cyber effects can have a significant impact on the outcome of the conflict but, outside this scenario, the use of cyber-weapons is likely to have minimal impact.
Background
Over the past quarter-century, governments have increasingly looked to the use of cyber-operations as a means of supporting conventional military engagements. This increase in cyber-activity has, understandably, correlated with the proliferation in advanced, technical weaponry and has become an active topic in military academia. Proponents of cyber-operations such as Bonner have argued aggressively the merits of cyber-operations, defining it as a new domain of warfare alongside land, sea, air and space.[1] Other academics, such as Feakin, have argued a more conservative opinion, presenting that cyber-activity does not fundamentally change conventional military operations.[2] This essay will critically analyse the current and potential uses of cyber-operations in support of conventional military activity. This analysis will determine if cyber-operations are the latest fad of militaries attracted to technological solutions or if cyberspace truly is another domain of warfare providing a measurable advantage to the stakeholder that can control it.
War’s conventional military operations are actions that use force, or the threat of force, to compel an adversary towards a particular course of action. War, in the words of Clausewitz, is ‘the continuation of politics through other means’.[3] This definition of military operations focuses on kinetic activity and, consequently, this analysis will not include what can be defined as cyber-espionage or cyber-activity that does not directly support a kinetic military operation. Cyber-espionage has already been demonstrated through the 2015 Mandiant report on China,[4] as well as the US-China Cyber Agreement,[5] as having great utility in gathering intelligence. Intelligence does indirectly support a military operation by establishing favourable conditions for a military action; however, this analysis will focus on the utility of cyber-operations after an engagement has begun. This will establish the broader utility of cyber-operations and put into perspective the arguments comparing modern cyber-operations with the genesis of air operations at the turn of the 20th Century. Paramount in this analysis will be determining if activities in cyberspace provide a measurable advantage within the context of a military engagement.
Contemporary Cases
Complicating any analysis of cyber-operations supporting a military engagement is the lack of historical evidence and the trend for modern actors to hide their true cyber capability. The only contemporary case of cyber activity supporting a military operation is the 2009 Russian-Georgian conflict. This conflict saw the coordination of a conventional Russian attack, spearheaded by mechanised divisions, with a significant denial-of-services cyber-attack on Georgia. The military attack quickly routed the Georgian forces, who never seriously countered with subsequent operations until the Georgian submission to Russian demands five days later. At first glance this appears to indicate a clear example of cyber-activity enabling a decisive military victory but under closer examination the Russian-Georgian example is not as conclusive as it appears. The cyber-attack did prevent Georgians from using the internet and slowed international response to the conflict [6] but, as the US Cyber Consequences Unit [7] makes quite clear, the cyber-attack had little to no impact on the outcome of the military conflict. This analysis makes sense when we consider the conventional military disparities between the Russians and the Georgians as well as the small number of Georgians who used the internet at this time. As this contemporary example of cyber-warfare is inconclusive at best, other evidence is required to determine the utility of cyber-operations.
The Russian-Georgian conflict may not clearly demonstrate the utility of cyber-operations but the concept of a denial-of-services attack to deny the situational awareness of an adversary’s headquarters is not unsound. This idea is the same as conventional jamming of military communications, which has been used with considerable effect since the First World War. The denial-of-services attack did force the Georgians at the political level onto alternate communications networks,[8] which could also occur if a military force was to use comparable communication technology at its operational headquarters. Modern militaries are doing just this under a new concept of networked warfare.[9] These military organisations are integrating traditional radio communications with TCP/IP technologies to create a local network for military communications that is not unlike the internet. As such, a denial-of-services attack could be used to deny a headquarters its situational awareness, providing a measurable advantage to the aggressor.
However, it must be noted that part of the success of the Russian denial-of-services attack was due to the Georgian internet architecture. This network architecture was not dynamic or adaptable as it had all of its international connections routing through Russian switches, providing single geographic points of failure for the overall network. Ever since the 2007 Estonian cyber-attack,[10] the international community has been developing robust network architectures and practices aimed at handling similar denial-of-service attacks. It would be a fair assessment that modern militaries are aware of the risk of poorly designed networks and would be practised on the actions to take if the network is attacked. If this assessment is accurate, a denial-of-services attack may not provide the anticipated measurable advantage and would be of questionable utility to an engaged military force.
Access
Another theoretical use of cyber-operations to influence the land campaign is to remotely access modern weapon systems and either deactivate or gain control of the system. If this was to be applied reliably, the attacking force would be able to turn its opponent’s weapons against them and thus gain a significant advantage in the conventional battle. One such weapon system that is commonly assessed to be vulnerable is the UAV, or drone, which has been used in modern conflicts to conduct remote strikes. Compromising a military’s UAVs is not quite as unbelievable as it first appears. This technology has some inherent design flaws enabling them to be hacked, as demonstrated by Petrovsky.[11] This problem does not have a straightforward solution due to the challenges of securing control systems.[12] Thus, it can be reasonably assumed that a more advanced weapon system could be vulnerable to a sophisticated attacker who has the requisite knowledge and technology. If this were to be successfully applied against an opposing military force, the cyber-attack would provide a significant military advantage, reducing the opponent’s firepower and potentially gaining firepower in the trade. This idea of exploiting weaknesses in a control system is suspected to have been used by Israel in 2007 when it conducted an airstrike on a Syrian nuclear facility, allegedly deactivating Syria’s radar defence network using a cyber-attack.[13] The truth of this is impossible to ascertain but, as research laboratories are demonstrating, new system vulnerabilities are continually being identified. Thus, it is reasonable to assume that some military technology may have similar vulnerabilities waiting to be exploited. This assumption is based on the precondition that the adversary is able to identify the vulnerability and develop an exploitation for it; a process that is likely to take considerable time.
As the contemporary example of cyberpower supporting a military force is inconclusive, theoretical examples of the potency of cyber-operations have been examined. These examples have demonstrated the potential of cyber to be of use to a military force, provided the military is using a modern doctrine of networked warfare and has unknown vulnerabilities in its system. However, this is only half the story, because for a capability to be truly useful to a military force it must not only be able to generate a desired effect but must also be able to be used in a timely and responsive manner. That is to say, unless a capability can be used when and where a commander wants, it has minimal utility supporting a military force.
One factor that undermines the useability of cyber-operations is the ability for the attacker to gain access to the opposing military force’s network and be able to utilise its chosen cyber technique. All the examples mentioned have relied on the universal connectivity of the internet to gain access to the target network in order to exploit it. This is not the case with military networks as the outcomes of the ‘Conficker’ virus on French naval jets in 2009 highlighted. Following the discovery of the virus, the French government re-designed its networks, preventing them from connecting to civilian networks.[14] This trend has been repeated by several modern militaries, suggesting that for offensive cyber-techniques to have utility they must be able to first gain access to their target network. This could theoretically be achieved by connecting a re-transmitter or repeater to the military network; an activity that could be achieved by a Special Forces unit. This may be successful but still carries risk in sending highly trained soldiers in close proximity to an area that is likely to be closely guarded. Another technique that could be employed to bridge the air gap is copying the malware onto a USB and leaving it to be connected to the network by some feat of deception or human nature. This technique is what was likely to have been employed to bridge the air gap by the ‘Stuxnet’ virus in 2010.[15] However, as the ‘Stuxnet’ virus demonstrated, using this technique has a large signature, increasing the likelihood of detection, and takes considerable time to attack the intended target.[16] Access to the target network is a significant challenge for the attacker to overcome in order to employ offensive cyber techniques. However, given enough time or acceptance of risk, this can be overcome and should be a significant consideration, not an obstacle, to the utility of cyber-operations.
The question of access to a military system highlights another limiting factor of cyber-operations that directly impacts their utility: the idea of responsiveness. Conventional military operations are dynamic in that they are constantly changing, the successful commander being the one who can change and adapt quicker than his or her opponent.[17] This is difficult to achieve with cyber-operations due to the time a successful operation takes to conduct. Cyber-operations require a large amount of intelligence of the target network, as well as time to program attacks and find vulnerabilities in the target system.[18] This was demonstrated in the Russian-Georgian case in which some of its code was developed years before the actual attack.[19] This is an extreme example but it does highlight the amount of time required to execute a successful attack. The lack of responsiveness is made even harder if there is no continuous physical connection to the target network, as would be the situation if the USB technique is used as in the ‘Stuxnet’ case. This is because the entire code will need to be written prior to injecting it into the target system. This limitation does not lend itself to a constantly changing battlespace, particularly one that is contested with trained operators looking for malicious code as they defend and maintain the operability of their military equipment.
Cost
Another consideration for the utility of a military capability is the ability for stakeholders to gain access to that capability. This concept is best demonstrated by the recent conflicts in Afghanistan and Iraq where relatively cheap improvised mines were used with great effect on the battlespace.
In this regard, cyber-operations can be seen to be a clear winner as they have a relatively low cost of entry as many lone actors utilise offensive cyber techniques. This has been demonstrated by the attack on the Australian sewage network in 2001 where a lone actor, using no more than a laptop and wi-fi connection, was able to conduct an act of cyber-terrorism.[20] This attack was conducted on a civilian system which did not have the security precautions a military network would have likely had but it did illustrate that for its cost, the cyber-operation could have a significantly greater effect. Even when we upscale this to a military example, such as ‘Stuxnet’ which is estimated to have cost around $10 million,[21] a cyber-operation is still quite inexpensive compared to the conventional military alternative. The low entry cost level of cyber-operations is a significantly positive consideration when considering its utility, as it has the potential to enable small state, and possibly even non-state, actors to compete with global powers.
As mentioned, the overall objective in a military operation is to convince or coerce an opponent towards a particular course of action. The ability for a capability to generate a coercive effect is another consideration for cyber-operations’ overall military utility. Cyber-operations have several distinct limiting factors when used as a coercive tool. First, for coercion to work, the threat must be credible. This is not easy to achieve with cyber-tools, as once a tool is demonstrated it is likely that a defence or copycat weapon will be produced.[22] Consequently, the very act of demonstrating a cyber-weapon may prevent that cyber-weapon from being utilised again, undermining any coercive effect. Additionally, once damage is inflicted, it may take a couple of weeks to repair the damage, which further undermines cyber-tools being used to coerce an adversary. The inability of cyber techniques to be the defining weapon in a military operation is underlined by the consideration that it was not the denial-of-services attack which convinced Georgia to cede to Russia, nor did ‘Stuxnet’ convince Iran to cease its nuclear program. However, another aspect of coercion is not the threat of the action but how that action influences an opponent. The threat of cyber-operations could generate a response of militaries not following the modern techniques of networked operations. If this were to occur, cyber-operations would have generated a measurable supporting effect on the battlefield as they would have compelled the adversary to fight using less than optimal tactics. Cyber-operations may not be able to generate a measurable effect through traditional coercion but they could be useful as a form of psychological warfare, which is another positive consideration when assessing the overall utility of cyber-operations.
A final consideration of a capability’s utility is the cost of using that capability. This can be illustrated by nuclear weapons, which could be considered to have no utility at the operational level of warfare because of the collateral and moral damage of using the weapons. Similarly, cyber-operations can be considered to have an intrinsic cost in their use. This can be seen in the collateral damage they cause, as demonstrated by ‘Stuxnet’, which is considered to have infected over 30,000 computers.[23] However, it should be considered that if a military is operating a closed network, there is a reduced likelihood of collateral damage. Another hidden cost of using cyber-weapons is, once utilised, there is the potential for them to be reverse-engineered and used against the attacker. This threat illustrates the potential for collateral damage to limit the usability of cyber-operations, at least while the military operation is relatively balanced, as desperate commanders commonly accept greater risk.
Conclusion
This analysis has shown that militaries are increasingly taking up technologies that, in civilian use, have demonstrated vulnerabilities to cyber-attacks. It was further safely assumed that similar techniques demonstrated on civilian infrastructure could be used in a military setting to generate a measurable advantage to the attacking force. However, for this utility to be realised, limiting factors will need to be overcome, such as the ability to access the target network; the ability of cyber soldiers to rapidly respond to a changing battlespace; and the potential for cyber weapons to be turned on their users. These limiting factors were then balanced with the potential psychological effects of cyber-operations as well as their availability to all sizes of military forces. Overall, cyber-operations have the potential to significantly alter the balance within a military operation, if the commander is willing to take on the risk of their use. This risk, compared to the reward, is likely to increase as the trend to more technology continues. The overall utility of cyber-operations is neatly summarised by former FBI chief Jim Settle, when he stated: ‘You bring me 10 hackers and within 90 days I will bring this country to its knees’.[24]
Endnotes
1. EL Bonner, 2014, ‘Cyber Power in the 21st Century Joint Warfare’, Joint Force Quarterly, Vol. 74, 1 July
2. T Feakin and B Schreer, 2014, ‘Australia and Cyberwar: Time for a measured debate’, The Strategist, 11 March
3. C Clausewitz, On War, Howard, Michael; Paret, Peter, Princeton University Press, p 87
4. Mandiant, 2013, APT1: Exposing One of China’s Cyber Espionage Units, Mandiant, p 25, at: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
5. A Segal, 2016, ‘The Top Five Cyber Policy Developments of 2015: United States-China Cyber Agreement’, Council on Foreign Relations, 4 Jan, at: https://www.cfr.org/blog/top-five-cyber-policy-developments-2015-united-states-china-cyber-agreement
6. J Bumgarner and S Borg, 2009, ‘Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008’, Project CyW-D, University of Utah, at: http://www.projectcyw-d.org/resources/items/show/138
7. Bumgarner and Borg, 2009
8. Bumgarner and Borg, 2009
9. National Research Council, 2005, ‘Networks and the Military’ in Network Science. Washington, DC, The National Academies Press, p 19, at: https://doi.org/10.17226/11516
10. European Parliament, 2014, ‘Cyber defence in the EU: Preparing for Cyber warfare’, Briefing, Oct 2014, p 2
11. K Jain, 2015, ‘Design Flaws Make Drones Vulnerable to Cyber-Attacks’, The Hacker News, 3 Oct, at: https://thehackernews.com/2015/10/drone-hacking.html
12. D Kuipers and M Fabro, 2006, ‘Control Systems Cyber Security: Defense in Depth Strategies’, Idaho National Laboratory, May, p 8, at: https://inldigitallibrary.inl.gov/sites/sti/sti/3375141.pdf
13. R Flemming, 2010, ‘Bits Before Bombs: How Stuxnet Crippled Iran’s Nuclear Dreams’, Digital Trends, 2 Dec, at: https://www.digitaltrends.com/computing/bits-before-bombs-how-stuxnet-crippled-irans-nuclear-dreams/
14. K Willsher, 2009, ‘French fighter planes grounded by computer virus’, The Telegraph, 7 Feb, at: https://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html
15. Flemming, 2010
16. F Schreier, 2015, On Cyberwarfare, DCAF Horizon Working Paper No 7, pp 88-89
17. J Boyd, 1987, A Discourse on winning and losing, Unpublished brief, at: https://danford.net/boyd/
18. Schreier, 2015, p 89
19. Bumgarner and Borg, 2009
20. J Hayes, 2003, ‘Australia’s National Information Infrastructure Vulnerabilities to Cyberterrorism’, Signalman, Autumn/Winter
21. Flemming, 2010
22. M Libicki, 2009, Cyberdeterrence and Cyberwar, RAND: Project Airforce, p 141
23. Flemming, 2010
24. Hayes, 2003