
Cyber Warfare Is Lamer Than You Think.

Forget 'Cyber Nukes', ISIS got nuked via phishing email.

By Rk.ke. Published 2 years ago. 7 min read.

Cyberspace was first recognised as a global battleground by the US Joint Chiefs of Staff in the 2004 edition of National Military Strategy:

[the nation’s armed forces] must have the ability to operate across the air, land, sea, space and cyberspace domains of the battlespace. Armed Forces must employ military capabilities to ensure access to these domains to protect the Nation, forces in the field and US global interests.

This new form of warfare had entered the military consciousness in the late 90s, as America realised that targeted attacks had the potential to disrupt on-the-ground operations. In 1999, they found that some American DoD networks had already been breached; unclassified but sensitive data had been extracted.

Reacting to this threat, the Clinton administration dedicated two rough groups to DoD security. One focused on offensive manoeuvres; the other on defending the US network from breaches and attacks. In 2008, these were merged into one command, designated the US Cyber Command (USCYBERCOM).

There were significant growing pains, however, as the DoD prioritised speed of growth over adequate manpower. There was little uniform training across different Service branches, and the traditional distinctions of ‘offence’ and ‘defence’ didn’t really apply to this new form of combat.

Meanwhile, external cyber threats had grown stronger. In 2012, Secretary of Defence Leon Panetta remarked:

We know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity [sic] and water plants and those that guide transportation throughout this country. We know of specific instances where intruders have successfully gained access to these control systems. We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life.

Panetta’s comment reflected a very real concern plaguing the Department of Defence. USCYBERCOM’s defensive capabilities were purely reactive. Admiral Rogers publicly explained this situation to Congress in September 2015:

Digital tools in cyberspace give adversaries cheap and ready means of doing something that until recently only one or two states could afford to do.

‘Cyber harassment’ of occasional leaks continued, and — slowly — the true scope of cyber-engagement started to emerge. Rogers’ successor — the first woman to command a numbered fleet — Vice Admiral Jan Tighe, sketched the new dynamic in 2014:

To some extent, the new cyber norm is a big challenge — every day we’re under some type of threat. Fighting our networks every day and making sure we’re providing for and operating networks that are secure is job one.

Whilst the defensive was a constant, unending reactive process, the offensive was dropping “cyber bombs” on ISIS by 2016.

Although Secretary of Defence Ashton Carter discounted it, saying “I was largely disappointed in Cyber Command’s effectiveness against ISIS. It never really produced any effective cyber weapons or techniques”, General Townsend’s example showed real auxiliary potential.

[we] identified primary command posts ISIS was operating from but didn’t know where alternate command posts were located. Rather than hitting the sites with missiles and having the militants be unknown for a while… they used “multidomain operations capabilities” from space and cyber to deny the enemy’s primary command posts, forcing them to move and unveil alternate command posts.

Once identified, the coalition struck the alternate command posts, working its way back to the primary sites. . . . While the operation overall was a success…it took weeks to plan with only about a week of payoff.

As isolated attacks had been largely ineffective against the bulk of ISIS, USCYBERCOM decided to launch the mammoth Operation Glowing Symphony.

Beginning in late 2016, this was a marked, all-out effort to scrub ISIS misinformation and propaganda off the internet.

ISIS’ propaganda arm had been painstakingly tracked for years, each video and magazine traced back to its source, seeking patterns. Turns out, ISIS was using just 10 core accounts and servers to manage the distribution of its content across the world. From its magazine, to online web pages in all languages imaginable, ISIS was spewing harmful content onto the online space almost non-stop.

Joint group ARES gained initial access to the network through a phishing email. Once there, the theory of 10 nodes was confirmed correct. However, it was complicated: ISIS content was hosted on servers around the world, sitting right next to unrelated commercial documents or hospital records. Months were spent proving that USCYBERCOM could surgically remove content, without disturbing anything else hosted on each server.

Finally, after almost 6 months of picking gingerly around the system, noting down every individual, every security answer, and everyone’s responsibilities, the group launched the attack. In the space of 24 hours, they swept through ISIS accounts. Folder directories were deleted, passwords changed, sites brought down.

Operation Glowing Symphony did not erase ISIS from the web, but crippled the group’s fundraising efforts and online presence. The difficulty of purchasing a new server in the middle of an active war zone has made it hard to re-emerge onto the airwaves.

The reality of large-scale cyber warfare, however, is a far cry from dramatic, sweeping cyber raids. Years of painstaking work had a payoff within a week. Even now, group ARES is still monitoring ISIS activity, occasionally messing with users.

Brandon Valeriano found that “The majority of cyber escalation episodes are at a low severity threshold and are non-escalatory. These incidents are usually ‘tit-for-tat’ type responses within one step of the original incident.”

Cyber attacks’ true weakness in wartime is their lack of universal effectiveness. While nuclear and traditional munitions are indiscriminate — the same munitions can be used to target an aircraft hangar, a massed enemy formation, a munitions factory, or a hospital — most cyber weapons must be highly tailored to a specific target.

Not only must virtual cyber attacks take advantage of specific vulnerabilities, but software gaps are relatively easy to detect and patch: manufacturers routinely publish information about known vulnerabilities. This can totally invalidate a cyber attack halfway through production, making remote access attacks highly unreliable.

Furthermore, this ever-evolving landscape of defence and vulnerability has huge repercussions on the idea of ‘cyber weaponry’. Whereas traditional military might is measured in firepower and infantry numbers, building a ‘bank’ of cyber weapons is nigh-impossible. By the time a cyber weapon requires deployment, it may be hilariously outdated.

General Paul Nakasone remarked in a January 2019 interview on the radical difference in shelf life between conventional and cyber capabilities:

Compare the air and cyberspace domains. Weapons like JDAMs [Joint Direct Attack Munitions] are an important armament for air operations. How long are those JDAMs good for? Perhaps 5, 10, or 15 years, sometimes longer given the adversary.

When we buy a capability or tool for cyberspace . . . we rarely get a prolonged use we can measure in years. Our capabilities rarely last 6 months, let alone 6 years. This is a big difference in two important domains of future conflict.

Conversely, while ‘close access’ attacks — such as an inserted USB drive — are highly effective, they can be very costly to pull off, both in hours on the job and human life.

The wartime effectiveness of cyber attacks is embarrassingly low. When Russia made a number of synchronised cyberattacks against Ukrainian power companies in 2015, it was the first time a country’s offensive cyber operation had targeted a power grid.

Service was temporarily disrupted to 225,000 customers for several hours, and energy providers operated at a limited capacity for some time after service was restored. There were no reported casualties.

Counting the effectiveness of cyberattacks in the number of bodies paints an incredibly poor picture. Small-scale vigilante attacks display this particularly well. The recent doxing of Russian soldiers — where their numbers, names and more data have been publicly released — has been heralded as “the 1ˢᵗ use #doxing as a weapon of war in the history of warfare!”. However, this data leak has aided no Ukrainian civilians, nor impeded Russian progression in any manner.

Put crassly — why dedicate years of constant remote tracing and work, when a single bomb could do a better job?

Cyber weaponry effectiveness could be measured another way: financial damage. Here, malware reigns supreme. The most expensive cyberattack to date was the 2017 NotPetya attack, again targeted at Ukraine. The total global damage of this attack was $10 billion; FedEx alone lost $300 million.

Unfortunately, in the context of wartime, targets have demonstrated a consistent ability to quickly recover even from devastating cyberattacks. In two such cases in North Korea, “despite the destruction of files, all [banks] are still in business…none spent more than an inconsequential amount of time recovering.”

Coordinated public sanctions have far greater — and faster — economic impact than individual cyber strikes. It is estimated that over the next 12 months, Russian companies and banks will need to repay more than $100bn. After just over a week, the Russian economy has shrunk by roughly 14%.

So, sure, cyber warfare is running low on its sexy, cyberpunk futurist image. It’s a long-term, operational branch through which the military can apply external pressure to the battlefield. Definitely not as cool as a cyber nuke. That said — it’s leagues ahead of the “Anonymous” 14-year-olds bragging about committing DDoS attacks on Twitter.
