Warfighting in Cyberspace
Since the Gulf War, the U.S. military has followed an operational script that exploits technological advantages to fight and win quickly. It starts with blinding strikes against intelligence and command and control systems. Such attacks leave the enemy unable to organize a coherent defense, giving U.S. forces time to mobilize overwhelming forces and control the scope and pace of fighting. Confusing the enemy is a prerequisite to defeating it on the battlefield. Information attacks leave U.S. enemies bewildered and ineffective. Rapid low-cost victories follow. For better or worse, this is the modern American way of war.
Cyberspace operations are naturally suited to such an approach, given the fact that adversary military forces are growing dependent on the domain. There is nothing extraordinary about using cyber attacks against adversary communications. This is just the evolution of a familiar operational script using a new instrument. That said, the technological peculiarities of cyberspace make it especially attractive: the large number of attack surfaces, the ability to preposition malware long in advance, and the possibility of sabotaging weapons systems that rely on elaborate software and increasingly complex supply chains. Should great-power competition become a great-power conflict, no one will be shocked if the United States opens the fighting in cyberspace.
Foreign militaries have watched the United States with great interest over the last thirty years, and, in some ways, they have mimicked the U.S. approach. This is not surprising, given U.S. conventional successes. Their efforts now include dedicated efforts to use cyberspace for military purposes. As a recent chairman of the Joint Chiefs of Staff pointed out, more than twenty foreign states have created organizations specifically to integrate cyber operations into conventional planning. Why wouldn’t they? It is natural that they should seek to exploit cyberspace to gain battlefield advantage over rivals, especially given the shrinking boundary between the digital and kinetic worlds. For military planners, the cyber temptation may prove irresistible.
Yet, the nature of the domain cuts in both directions. The peculiar attributes of cyberspace create opportunities for attackers, to be sure, but they also include a number of technical, organizational, and political constraints. Moreover, the operational possibilities of cyberspace also create a number of strategic dilemmas. Even perfectly executed cyber campaigns may produce unexpected and unwanted strategic results, and these problems go beyond the familiar fears about wartime escalation.
The Allure of Cyberspace
It isn’t hard to understand why leaders expect cyberspace to play a central role in future conflict, or why they are enthusiastic about going on the offensive. U.S. rivals are keen to find ways of overcoming their relative material weakness. They might believe that cyberspace operations will reduce U.S. advantages, especially if they can disrupt the elaborate communications infrastructure the United States needs to project power over vast distances. Aggressive operations at the outset of a conflict would put U.S. forces on the back foot and policymakers into a hard choice about whether to rebuild and advance against committed defenders. The logic here is akin to Japan’s strategic calculus before Pearl Harbor, but with the benefit of seizing the initiative without having to do something so provocative.
Chinese military doctrine emphasizes the importance of controlling information in the early stages of any conflict and focuses on what it takes to win under “informatized conditions.” The 2001 edition of the Science of Military Strategy, a highly influential statement published by the People’s Liberation Army, states that precision strikes at the outset of war could “paralyze the enemy in one stroke.” A recent update to the strategy focuses on the “effective suppression and destruction” of enemy’s information systems alongside an “information protection capability.” China seems to believe that it cannot win if it does not “seize and control the battlefield initiative, paralyze and destroy the enemy’s operational system of systems, and shock the enemy’s will for war.” Russia has also moved toward integrating cyberspace operations into conventional offensives, albeit with mixed results in Georgia and Ukraine. For Russian strategists, cyberspace operations disorient and demoralize adversaries before conflict begins and help to neutralize enemy command and control systems afterward.
U.S. allies are developing their own ideas about how to combine cyberspace operations with traditional warfighting, viewing the domain as both a threat and an opportunity. British Army doctrine, for instance, notes that threats are increasing “as we and other actors become more and more reliant on sophisticated information services.” At the same time, efforts to merge cyber and kinetic operations create new opportunities to debilitate adversary systems, achieve tactical surprise, and control the scope and pace of conflict.
American defense officials also assume that cyberspace operations will play a central role in future conflicts, especially in the early days of war. Their public statements indicate that a process to merge cyber and conventional missions is already underway. Although U.S. Cyber Command has spent a great deal of time developing an approach to competition below the line of armed conflict, it also emphasizes “fully integrating cyberspace operations into combatant commander plans as well as existing boards, bureaus, cells, and workgroups used to plan and execute warfare.” Meanwhile, the regional combatant commands “must identify their requirements for cyberspace operations both as supported and supporting commands in support of this campaign planning effort.”
All of this represents a growing recognition of the link between cyberspace and the physical world. It makes no sense to segregate planning for cyberspace from air, land, and naval operations because the latter cannot operate without the former. Further, cyberspace operations work through physical assets — cables, power stations, server farms, and so on. Discussions of virtual space and cloud computing obscure the fact that digital information moves through a physical infrastructure. Success requires more than clever code. It means making sure that the code can reliably travel to its destination. Joint publications note that cyberspace operations can extend operational reach, but, without careful planning in advance, cyber and kinetic attacks may work at cross-purposes.
However, the enthusiasm for cyber operations goes beyond the practical need to secure infrastructure. For policymakers and planners, cyberspace operations suggest a low-cost route to quick and decisive victories. Instead of relying on overwhelming force, cyber attacks undermine an enemy’s ability to mount a coherent defense. Modern militaries are efficient because they coordinate their activities in cyberspace, but this also makes them vulnerable. In theory, well-designed information attacks will cripple their intelligence and communications before serious combat begins, turning an otherwise bloody battle into a lopsided rout.
These visions of victory, however, might prove to be elusive. Because cyber weapons must be tailored to the configuration of specific networks and machines, very detailed intelligence is required for effective operations. Conventional munitions can be fired anywhere, but digital payloads are only effective against specific targets. This intelligence is hard to obtain and easy to lose. Reasonably capable defenders implement routine updates and change configuration settings in ways that frustrate attackers. Firewall modifications, computer resets, and equipment transfers have similar effects. There are many other ways to lose access, some of which are beyond anyone’s control. A flood at a target state’s server facility, for instance, may require a temporary shutdown and replacement of hardware.
It is safe to assume that these problems will increase in war, when defenders will have obvious reasons to harden their information systems. Fear of cyber attacks will put a premium on vigilance, making offensive operations that much harder. Defenders will also have reason to implement redundant communications, so they can keep fighting even after being targeted.
Given the technical obstacles to disrupting military information systems, states might be tempted to target more vulnerable alternatives. Civilian infrastructure relies on extensive industrial control systems, some of which are outmoded. Concerned engineers point out that many were not designed with cyber security in mind. They emphasize efficient and reliable distribution, not safeguards against cyber saboteurs. Moreover, it is not an easy task to harden infrastructure control systems, given their scale and the need to keep them working at all times. States who seek to compel wartime enemies using cyberspace operations may look at infrastructure as an attractive target for practical reasons. It’s a lot easier to hit city power and water systems than military command and control.
The strategic rationale behind such attacks is crude countervalue logic: Disrupting civilian life will cause panic and urgent calls for peace. Modern societies will break down if the electronic infrastructure of daily life fails. The problem goes beyond water and power, given the ubiquity of cyberspace in society and the vanishing boundary separating the digital and physical worlds. The danger is not just a temporary power outage, but a deeply unsettling loss of social order. If cyber operations disrupt basic infrastructure, even temporarily, they might also cause the population to fear that the worst is to come. And, in that case, they will call on their leaders to seek a settlement.
This strategic approach is somewhat similar to the “city bombing” logic of some interwar airpower theorists. Giulio Douhet famously argued that strategic bombing would make wars shorter by making them awful. Bombing campaigns would not just destroy buildings, but they would undermine basic city services. Douhet envisioned a grisly three-stage approach: The first wave of bombers would drop explosives to demolish structures and create kindling, the second wave would drop incendiaries to light them on fire, and the third wave would drop chemical weapons to gas the fire crews. The terrible realization that the government was incapable of responding effectively would compound the shock of destruction. Surrender would be the only option.
Douhet’s grim vision would probably strike most contemporary readers as repulsive, given the evolution of norms against large-scale bombing of densely populated urban centers. The notion of deliberately causing mass destruction is grotesque, and wartime policymakers may reject this option as immoral, even if they seek to manipulate foreign public opinion against an enemy regime. This was certainly the case in the nuclear age, where such objectives animated arms control even during particularly intense years of superpower competition.
But what if they had an alternative? Suppose they could create the same kind of popular distress that would lead to calls for peace, but without the carnage of city bombing? Cyberspace operations against infrastructure might strike them as ideal.
There are problems with this option, however. To say that information control systems are vulnerable is not to say that it is easy to cause large and lasting damage to civilian infrastructure. Modest operations may cause temporary disruptions, but presumably a great deal of coordination and resource would be required for larger campaigns. And because we have not lived through a great-power war among states with sophisticated cyberspace capabilities, we have little empirical basis for predicting their effectiveness.
Beyond these technical questions is the larger issue of how civilians will respond. Douhet’s expectations did not come to pass in World War II: Civilians were resilient and adaptable even in the face of enormous psychological pressure of bombing raids. Why they would be less resilient in the face of cyberspace operations is not clear, especially given the notion that they would be largely spared from violence. It is possible that their reactions will be peculiar, given our growing dependence on cyberspace. But they might also feel a sense of outrage, especially if the buildup to war featured a long period of nationalism and demonization of the enemy. Under these conditions, the coercive value of infrastructure attacks will be very small.
The tactical limits of cyberspace operations should give pause to states that are developing war plans based on the assumption of rapid and highly effective information attacks. A dose of caution would help to avoid bad choices fueled by technical naivety. The strategic limits of infrastructure attacks ought to encourage the same kind of careful introspection. Unfortunately, leaders have a long history of pre-war wishful thinking, and they might fall victim to dreams that cyber operations will deliver bloodless victory. If so, they are likely to face a set of even trickier strategic dilemmas.
Escalation and Protraction
The first has to do with intra-war escalation. Despite the limits of cyberspace operations against hardened military targets, political leaders may overreact to news that their information systems are under assault. Nightmares of rapidly losing command and control, and of losing the war itself, might encourage risky decisions. Rather than testing the resiliency of information systems against a technologically savvy enemy, they might preemptively escalate the war.
The simplest way to avoid escalation is to fight conservatively. This means eschewing cyberspace operations against critical targets and generally erring on the side of caution rather than taking the risk that the target regime would fear its rapid demise. Doing so, however, would increase the likelihood of protracted war.
Disruption and Negotiation
Disrupting enemy communications makes good tactical sense. Units who are unable to communicate will find it difficult to coordinate their efforts. Unreliable command and control undermines battlefield effectiveness, leaving deployed forces vulnerable to defeat in detail. New technologies offer the possibility of using cyber attacks and electronic warfare to induce this kind of operational sclerosis.
Tactical success might interfere with strategy, however, if the goal is to force the enemy to negotiate favorable terms. Ideally, using cyber capabilities to divide the enemy’s hierarchy would make it easier to insulate willing peacemakers while focusing military pressure on die-hards. Dividing the enemy, however, risks making it hard to locate a reliable negotiating partner with the authority to speak for the nation and the ability to compel the armed forces to stand down. Multiple and rival power centers may emerge from atomized national institutions. Peace deals with any of them may prove temporary at best and geographically limited to the areas in which specific commanders hold sway.
Costs and Assurances
Emerging technologies are alluring because they promise rapid victories, either by themselves or as force multipliers. The ability to win at low cost suggests the ability to secure important national interests with minimal risk. Offensive cyber operations, coupled with kinetic blinding strikes, are meant to stun the target in the opening stage of conflict, allowing the attacker to deploy reinforcements safely. The attacker controls the tempo of the war and can set the terms for ending it. The target, on the other hand, will struggle to muster any meaningful response and may face the terrible choice of accepting bad terms or fighting on at a severe disadvantage.
But, in this scenario, the victor may find it impossible to provide credible assurances that it will not cheat on the terms of the peace settlement and go for a more comprehensive victory later. Why should it settle for a limited victory when it appears to face little risk in seeking more ambitious goals? It will be particularly hard to assuage the loser under these conditions. Recent scholarship suggests this is an important reason why great powers have so much trouble coercing smaller rivals in peacetime. This problem also works against war-termination efforts.
Strategy and Grand Strategy
Strategy is a theory of victory. It describes how military violence helps the state achieve its political goals, and how to use violence to compel enemies to back down. Cyber operations might be used for strategic purposes if they enable physical violence, reducing the cost to the attacker and coercing the target to settle. Grand strategy, in contrast, is a theory of security. It describes how various foreign policy instruments help the state achieve durable national security. Grand strategy deals with questions about the nature of world politics, the underlying sources of national power, and the utility of both military and non-military tools.
Victory in war is not the same as security in peacetime. In some cases, necessary wartime decisions actually undermine long-term grand strategy. Draining the state coffers in pursuit of victory may leave the victor in a precarious position, especially if the war inspires other states to balance against it. The introduction of new technology might also have unexpected effects on the balance of power and the postwar international economy. Suppose that a great power uses cyberspace operations energetically in a future conflict, employing new and powerful tools against especially hard targets. Malware targeting enemy forces may infect civilian computers far beyond the battlefield. This, in turn, may reduce postwar confidence in the regional and international economic order. Firms and consumers may retreat from online commerce and communication, with effects that are hard to predict.
I have previously argued that fears about political economic consequences of cyber operations are overstated, based partly on an analysis of the reaction to the Stuxnet attack on Iran’s nuclear complex. Users, firms, and states were mostly untroubled by that attack, despite significant malware contagion. But the Stuxnet virus contained attributes that limited its ability to cause unintended harm: target-identification checks, limits on the numbers of computers it could affect, and automatic shutdown protocols. Tools used in a war against a serious rival, where the stakes would be much higher, might not be so constrained. As a result, they might perform as expected against military targets, but also cause significant third-party damage. The same is true for potential attacks on critical infrastructure. In these cases much would depend on the intensity of the attack and the time and effort needed to rebuild. Broad wartime campaigns against infrastructure may have lasting economic consequences in peacetime. Offensive cyber operations and other novel attacks might contribute to strategic success in the war, but they risk undermining grand strategy after the shooting stops.
Joshua Rovner is associate professor in the School of International Service at American University. He served as scholar-in-residence at the National Security Agency and U.S. Cyber Command in 2018 and 2019. The views here are the author’s alone.