Understanding Cyber Effects in Modern Warfare
Where, when, and how might offensive cyber operations impact the outcomes of war? For over 40 years, this debate has often spiraled to the extremes: whether offensive cyber operations are revolutionary or mostly hype, a warfighting game-changer or useful only for informational advantage.
Analysts could talk past one another because it was not always clear which aspects of cyber operations or of warfare they were discussing. Lacking any larger framework, assessments could overlook key questions used to assess any military capability, such as whether the operation took place during an actual battle, beforehand, or in the rear area. Assessments typically did not differentiate whether the target was a weapons system, critical infrastructure, or something else, nor whether the likely purpose was espionage or disruption.
Adapted from a longer work of scholarship in the Texas National Security Review, this article explains a novel analytical structure, categorizing cyber operations across all of those criteria.
After summarizing the debate, this article walks through the framework cell by cell, with examples drawn almost entirely from the ongoing Russo-Ukrainian War. This structured approach shows that cyber operations in warfare are far more diverse than previous debates have often recognized.
Moreover, although these cyber operations in Ukraine “have not achieved any systemic effects, and they have arguably been less cost-effective than kinetic fires,” the framework highlights that warfare drives innovation in cyber operations. When this research began in 2019, prior to Russia’s invasion, most of these cells would have been blank. As crises and conflicts between cyber powers become more frequent, offensive cyber operations will continue to be used in surprising ways.
Framework for Offensive Cyber Operations in Warfare
As early as 1979, cyber pioneers were already warning that with computers allowing the retargeting of ballistic missiles, “if they were penetrated, an enemy could retarget the missiles to impact on low-value or even friendly targets!”
There is also strength in the opposite position, that since offensive cyber operations “are not always easy, cheap or effective in managing destruction at scale … they’re unlikely to produce the game-changing moment in modern warfare that many anticipated.”
To give more transparency to these debates, Table 1 summarizes the Framework for Offensive Cyber Operations in Warfare, extending Daniel Moore’s characterization of operations as based on either presence or event. The framework introduces several important distinctions. It first distinguishes the where and when of an attack. It also makes the distinction between exploitation and attack, which is common enough, but also between attacks against the information or system itself versus the trust that adversaries place in the information or system.
Table credit: Author
Categorizing Offensive Cyber Operations
The major distinction of the framework is when and where the offensive cyber operations take place in the context of a war: before hostilities break out, before a battle or in the rear area, or during an actual tactical engagement between adversaries. Within each of those three distinctions (the rows of Table 1), the paper will analyze the target and intent (the columns).
Before Hostilities
Operations that take place before hostilities are not wartime operations per se, but they create the conditions of success in armed conflict sometime in the future or in the “strategic competitive space” below the threshold of armed conflict. In defense doctrine, this includes operations that take place in Phases Zero or One: shaping or deterring. States often take advantage of unique characteristics of offensive cyber to substitute for other kinds of power.
Prior to its 2022 invasion of Ukraine, Russia conducted attacks across three columns. Microsoft detected Russian “efforts to gain initial access to targets” to gain “access to critical infrastructure for future destruction,” an example of exploiting information.
Russia also provided examples of attacking information, networks, and IT systems as well as undermining trust in institutions or eroding morale. Russian military intelligence “launched destructive wiper attacks on hundreds of systems in Ukrainian government, IT, energy, and financial organizations.” Moreover, “Ukrainian government websites … were defaced … claiming that data had been deleted from government servers and would be released.”
Such operations might also shape the strategic environment for victory without fighting, to “have a cumulative impact on the strategic level [to] damage or degrade … sources of national power,” such as Russia’s interference in elections in the United States, Ukraine, and elsewhere.
Attacks against trust in military information or systems aim to erode confidence that a system works as intended, perhaps like the U.S.-Israeli Stuxnet operation against Iran’s nuclear enrichment program. Though the primary goal was to disrupt infrastructure, attacking trust was a key supporting component of the operation.
Russia disrupted Ukraine’s power grid in both 2015 and 2016, examples of attacking physical infrastructure or weapons systems.
During Hostilities: Before Battle or in the Rear Echelon
Offensive cyber operations that take place during Phases Two or Three — seizing the initiative or domination, in defense lingo — are used as a complement to other sources of power or as an independent capability.
One goal is to exploit information, such as stealing an adversary’s battleplan or trying to understand the location of its tactical assets. Russian intelligence, for example, spied on Ukraine’s rail networks, which are “key to solid and fast heavy weapon delivery to the bases near the frontline.”
However, compared to operations before hostilities, these operations are more likely to be disruptive and event-based: “Like firing a weapon, an event-based operation entails sending a payload from attacker to target in the hope of immediately reducing its integrity or capacity to operate.” Russia’s operations in Ukraine have recently followed this model, relying on “‘pure’ disruptive tools.” These are “lightweight in design and primed for immediate use, containing only the capabilities required to disrupt or deny access to the target system,” rather than establishing the quiet, long-term presence needed for espionage.
Event-based attacks against information might seek to undermine logistics or telecommunications, such as Russia’s 2023 offensive cyber operation against Ukrtelecom, while those to undermine trust in the government or erode public morale include a range of cyber-enabled information operations. For example, Russian cyber operators planted false messages that Ukrainian President Volodymyr Zelensky had surrendered, likely intended to “erode confidence in Ukrainian media outlets and institutions.”
They are also used to erode trust in weapons systems or physical infrastructure. A Russian-affiliated hacker claimed to have gained illicit access to Delta, a Ukrainian battle-management system, posting screenshots of friendly and enemy troops.
Even a suspicion that an adversary could read or, worse, modify battle plans and intelligence could be enough to drive a military towards inefficient alternatives. Had Buckshot Yankee, the U.S. codename for Russia’s 2008 infiltration of classified defense networks, occurred during actual hostilities, the American military might have had to abandon the entire network until it was resolved.
Attacks against physical infrastructure or weapons systems have been used as an independent capability to strike fixed targets behind the battle lines or interdict military forces moving there. Both before the invasion and after, Russian cyber operators disrupted Ukraine’s Viasat commercial satellite communications network, “taking out major [command-and-control] infrastructure critical to managing the military and the country during wartime.”
During Hostilities: Battle
Offensive cyber operations also may play important roles when forces are shooting at one another. This generally takes place in Phase 3 — dominate.
Using cyber capabilities to exploit information allowed Russian intelligence, in 2016, to know the location of perhaps every Ukrainian D-30 howitzer battery, having implanted malware in the software used to coordinate their fires. An adversary might know the exact location of every smart or RFID-equipped rifle or soldier equipped with a wearable computer.
An excellent example of attacks against information, networks, and IT systems is Operation Orchard. In 2008, the Israeli air force used a cyber capability to falsely show operators a black screen rather than their incoming airstrike. An adversary might also manipulate Air Tasking Orders or the common operating picture, representing hostiles as friendlies or vice versa.
Russia’s invasion of Ukraine indicates that militaries might attack trust during battle, having targeted Ukrainian front-line troops with messages like “You are encircled. Surrender. This is your last chance.”
While the research for this paper found no strong examples of attacking trust in military information or systems during battle, the hacker who gained access to the Ukrainian Delta battle-management system bragged about having more access than he had actually gained, possibly to reduce trust in the system.
There are also few instances of attacking infrastructure or weapons systems during an actual tactical engagement, though the U.S. military had an early scare. In 1998, the guided-missile cruiser USS Yorktown was entirely fitted out with Windows NT. Unfortunately, after a divide-by-zero error in database software, the ship was left dead in the water. It was not a stretch to imagine a similar impact from enemy action.
Since then, there have been few if any examples until the counter-drone fight in the Russia-Ukraine war. One Ukrainian officer claimed that “Ukraine often inserts malicious code into Russian drones mid-flight,” while Ukraine’s defense intelligence agency has claimed to have conducted a “successful attack” against software used to control Russian drones. Such future attacks might take down not just one drone or, for that matter, one guided-missile cruiser, but every other weapon system that shared the same vulnerability — and at the same moment.
Moore gives the chilling example of the U.S. Tomahawk Strike Network, “which reportedly allows anybody who has the authority to logon … [and] take control of the missile,” or indeed all missiles. This could allow Chinese cyber operators to “effectively neutralize Tomahawks enroute to strike [Chinese] missile bases” and, as a bonus, disintegrate operators’ trust in the system.
Such operations are still quite narrow compared to actual military plans. The United States considered using cyber capabilities to “cripple Libya’s air defense” and intended “to disable Iran’s air defenses, communications systems and crucial parts of its power grid.”
Open Minds and Caution
Policymakers, practitioners, and analysts should accordingly be cautious with any claims about cyber operations in warfare that are not specific about the where, what, and why. Capabilities that have been worthless in one category of the framework may be game-changing in another category or in the next war. To avoid overly broad and incorrect conclusions, analysts must avoid generalities and clarify which aspects of cyber capabilities in warfare their research seeks to explain.
Innovation in offensive cyber operations may come less from technological change itself (though artificial intelligence might be an exception) than from the creativity and brazenness of threat actors and the increased digital dependence of modern societies. Not many years ago, there was a scarcity of examples of cyber capabilities during wartime. After Russia’s invasion of Ukraine, there is an unfortunately rich dataset: the Ukrainian government reported being involved in remediating 128 per month in the first half of 2023.
Policymakers, practitioners, and analysts must therefore also be wary of broad claims about what cyber operations cannot do. They cannot simply extrapolate from grey-zone conflict, in times of relative peace when states did not invade each other for territorial gain. Humanity is still in the opening decades of the digital age, and there are many more decades, and wars, to come. More war will mean more innovation, so cyber capabilities will continue to be used in surprising ways.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs. He was a plankholder of the first joint cyber command in 1998 and the White House’s Office of the National Cyber Director in 2022.