Within 15 years of the invention of powered flight, nearly all of the doctrinal missions of an air force had been not just discovered but integrated under a single commander in battle: Billy Mitchell at the 1918 battle of Saint-Mihiel.1 The pressure of extended high-intensity combat drove innovations in the use of airpower that were hard to imagine before World War I, when planes seemed fragile and of limited use on the battlefield. During that war, airpower started to come into its own, due to technological improvements, doctrinal advancements, and coordinated use by a single commander charged with integrating airpower with other combined arms to triumph in a major battle.
Adversaries in the full-scale invasion of Ukraine have similarly been pushing offensive cyber operations, discovering new relevance and missions — driven by those same pressures of combat — and hinting that there are more possibilities to come. Russia’s invasion of Ukraine raises a critical question: Where, when, and how might offensive cyber operations impact the outcomes of war?
For over 40 years, answers to this question have been diverted into a debate over whether offensive cyber operations are revolutionary or mostly hype. While illuminating and important, much of that debate had to do with examining different aspects of warfare. It did not clearly differentiate between offensive cyber operations that were conducted on an actual battlefield in the midst of a traditional tactical engagement between armed forces, those conducted well behind the front lines, and those conducted before the battle had even begun. Nor did it clearly specify whether the target was a weapons system or not. Many assessments predated the full-scale Russian invasion of Ukraine and so lacked adequate examples of “cyberspace operations in a high-intensity interstate war,”2 or an empirical base.3 Many were also based on incorrect assumptions — unstated, as often as not — that territorial conquest would be somewhat “anachronistic.”4
This article accordingly introduces a novel analytical structure to clarify the role of offensive cyber operations in warfare. The Framework for Offensive Cyber Operations in Warfare categorizes offensive cyber operations based on the circumstances of their use across the different phases of war, from pre-conflict shaping operations, to prior to the battle or in the rear echelon, to the actual battlefield. Within each of these three phases, offensive cyber operations can be categorized by intent: exploiting information, attacking information, attacking trust in weapons systems or critical infrastructure, and attacking weapons systems or critical infrastructure.
Not only does this framework contain appropriate examples for almost all of these 15 circumstances, but many of the operations in these examples appear to have been tactically relevant and operationally successful. Most examples come from a single high-intensity war — the ongoing Russian invasion of Ukraine. Although these offensive cyber operations “have not achieved any systemic effects, and they have arguably been less cost-effective — or at least more capacity-constrained — than kinetic fires,” they indicate that states will use cyber capabilities in new ways during wartime.5
Framework for Offensive Cyber Operations in Warfare
Table 1 summarizes the Framework for Offensive Cyber Operations in Warfare, which categorizes operations by when or where the operation in question took place as well as by the intent of that operation. The framework begins by distinguishing the where and when of an attack, to better understand cyber operations conducted before hostilities versus those that take place just prior to a battle or behind the battle lines versus those used tactically during the battle itself.6 Many past analyses somehow failed to include this crucial criterion in their assessments.
The framework might in future be expanded to include offensive cyber operations that are related to a conflict but that take place outside of the zone of conflict (such as a Russian operation related to Ukraine but targeted at infrastructure in Europe or the United States).7 I have omitted this for now to keep the table a more manageable size.
The Framework for Offensive Cyber Operations in Warfare categorizes this when/where variable based on the intent of the operation, building on Daniel Moore’s useful characterization of operations as either presence-based — “strategic capabilities that begin with lengthy network intrusions and conclude with an offensive objective” — or event-based — directly activated tactical tools that can be deployed in the field to immediately create localized events.8 This framework includes five types of intent: exploiting or targeting information, networks, and systems (such as stealing or deleting information); targeting trust in institutions or eroding morale (such as with cyber-enabled information operations); attacking trust in military information or systems (“undermining the adversaries’ confidence in his capabilities,” a core capability in a 2003 “roadmap” signed by the U.S. secretary of defense)9; and attempting to defeat physical infrastructure (such as the electrical grid) or weapons systems (such as integrated air defenses).
These are fuzzy categories with substantial overlap. The intent that motivates an offensive cyber operation is often not obvious. Moreover, warfare is messy and resists easy characterization. Accordingly, these categories are best used as loose guides.
That said, an important distinction of the framework presented here — and one made many times by Moore and others — is between the exploitation of information and disruption (computer network exploitation and computer network attack, in military terms). The framework goes further, making the rarer distinction between an operation that is intended to attack the information or system itself and an operation that is attacking the trust that the other side places in the information or system. Many offensive cyber operations could be intended to do both, with erosion of trust being an acceptable outcome if a hard kill proves too difficult. The category “defeat physical infrastructure or weapons system” is meant to capture an operation that is intended to directly take a physical object out of the fight, rather than just, say, launch a denial-of-service attack on a military network, another tricky distinction.
Other research has included some of these distinctions — especially between exploitation and disruption — but has not also included attacks on trust or compared when and where offensive cyber operations occur on the battlefield.10 The one example that explicitly includes the phases of a conflict was inspired by earlier work on the Framework for Offensive Cyber Operations in Warfare.11 Other important research, such as that conducted by Joshua Rovner, discussed similar factors but without providing a formal framework.12 Accordingly, the Framework for Offensive Cyber Operations in Warfare should substantially improve analytical methodologies and outcomes.
Table 1: Framework of Offensive Cyber Operations in Wartime
| | Exploit Information (Presence-Based) | Attack Information, Networks, and IT Systems (Event-Based) | Attack Trust in Institutions or Erode Morale (Event-Based) | Attack Trust in Military Information or Systems (Presence- or Event-Based) | Defeat Physical Infrastructure or Weapons Systems (Event-Based) |
|---|---|---|---|---|---|
| Before Hostilities (Phases 0 and 1) | Extensive Russian espionage and preparation of battlefield in Ukraine (2022) | Russian “WhisperGate” attack on Ukrainian infrastructure and government (2022) | Russian defacement of Ukrainian government webpages with false messages (2022) | No exact examples found of attacking trust as primary goal of offensive cyber operation. As potential secondary goal or additional impact: U.S.-Israeli “Stuxnet” operation against Iranian nuclear enrichment (20??–2012); Chinese theft of blueprints for Joint Strike Fighter (2007) | Russian “Black Energy” and “Industroyer” disruptions of Ukrainian power grid (2015 and 2016) |
| During Hostilities: Before Battle or in the Rear Echelon (Phases 2 and 3) | Russian “Gamaredon” espionage campaign to support invading forces (2022–2023) | Russian disruption of Ukrainian telecommunications (2022) | Russian military intelligence telegraphing disruptive offensive cyber operations for second-order psychological impact (2023) | Attempt of Russian-aligned hackers to erode trust in Ukrainian “Delta” battle-management system (2022) | Russian “AcidRain” disruption of Viasat satellite terminals used by Ukraine and others (2022) |
| During Hostilities: Battle | Possible Russian implant to track Ukrainian howitzers (2016) | Israeli “Operation Orchard” against Syrian air defense (2008) | Possible Russian cyber-enabled information operations to erode Ukrainian battlefield morale (2022–present) | No exact examples found | Russian and Ukrainian hacking of battlefield drones (2022–present) |
The Timing and Intent of Offensive Cyber Operations
Providing a transparent analytical model, backed with examples from history, will better enable assessments of the impact of offensive cyber operations in wartime. The framework presented here distinguishes between the when and where of a cyber operation — before hostilities, before the battle or in the rear echelon, or during the battle (that is, in a head-to-head tactical engagement between forces) — and the intended effect of the operation: to exploit information or to disrupt information, networks, systems, trust, critical infrastructure, or weapons systems. This section presents examples of offensive cyber operations that took place in these different phases and that had varying intents.
Before Hostilities
Operations that take place before hostilities are not wartime operations per se, but they create the conditions of success in armed conflict sometime in the future or in the “strategic competitive space” below the threshold of armed conflict.13 In Defense Department doctrine, this includes operations that take place in Phases Zero or One: shaping or deterring.14 States often use offensive cyber operations during these phases as a substitute for other kinds of power, “to degrade or destroy enemy capabilities in peacetime, rather than being forced to initiate and engage in costly conflicts in the physical world.”15
Tactics to exploit information include gaining exquisite military intelligence to learn of strategic or military plans or for operational preparation of the environment. In the run-up to Russia’s 2022 invasion of Ukraine, Microsoft detected Russian “efforts to gain initial access to targets that could be used to provide both intelligence on Ukraine’s military and foreign partnerships,” and “access to critical infrastructure for future destruction.”16 Such intrusions constitute normal intelligence preparation of the battlespace and are common for most advanced militaries. In a 2008 operation called Buckshot Yankee,17 “extensive penetration of U.S. government networks had presumably provided Russian intelligence services with aggressive visibility into current deployments, future planning, and policymaker thinking,” access which might be decisive in armed conflict.18
Another way to exploit information is by stealing technological advantages that are useful to the battlefield. One example is China’s cyber theft of the blueprints for the Joint Strike Fighter and its deployment of a copy.19
One month before Russia invaded Ukraine, it launched attacks in two additional categories of the Framework of Offensive Cyber Operations in wartime: attacking information, networks, and IT systems as well as undermining trust in institutions or eroding morale. Microsoft has reported that the day before the 2022 invasion, “operators associated with the GRU, Russia’s military intelligence service, launched destructive wiper attacks on hundreds of systems in Ukrainian government, IT, energy, and financial organizations.”20 To undermine trust before the invasion, “Ukrainian government websites, including that of the Ministry of Foreign Affairs, were defaced with a message in Russian, Ukrainian, and Polish claiming that data had been deleted from government servers and would be released.”21
Tactics that fall under these two categories might also shape the strategic environment for victory without fighting. Some claim, for example, that China’s leadership is following the precepts of Sun Tzu to use cyber tools to win without war, since “supreme excellence consists in breaking the enemy’s resistance without fighting.”22 Russia has interfered in elections in the United States,23 Ukraine,24 and elsewhere25 in order to disrupt morale and undermine governments. In the language of persistent engagement, such cyber operations “short of armed conflict can have a cumulative impact on the strategic level [and] can damage or degrade … sources of national power.”26
An adversary might use cyber capabilities to disrupt the flow of logistics into a military theater (an attack on information, networks, and IT systems), perhaps to delay a force’s arrival until after the decisive moment. This is a longstanding Department of Defense concern given that “over 90 percent of [Defense Department] deployment and distribution transactions are handled on unclassified systems.”27 In 1991, the department feared a massive logistics disruption as Dutch hackers “modified or copied unclassified but sensitive information related to U.S. war operations”28 during the run-up to the first Gulf War.29 In what turned out to be a coincidence, the Defense Department feared that the Solar Sunrise campaign of February 1998 was intended to disrupt Operation Desert Fox, a show of force against Iraq.30
The goal of an attack against trust in military information or systems is to erode confidence that a technological or operational system works as intended. Such offensive cyber operations that take place before hostilities might include tactics like those used in the U.S.-Israeli Stuxnet operation against Iran’s nuclear enrichment program. The primary goal appears to have been to destroy war-related infrastructure, but attacking trust was a key component of the operation. David Sanger quoted one participant involved in Stuxnet as saying:
“The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole “stands” that linked 164 machines, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”31
Likewise, the abovementioned Chinese theft of blueprints for the Joint Strike Fighter was assumedly intended primarily to gain secret information. But a secondary goal (or incidental impact of the operation) might have been to undermine trust in that platform.
Attacking physical infrastructure and weapons systems includes disrupting militarily relevant infrastructure, such as was the case when Russia disrupted Ukraine’s power grid in both 2015 and 2016.32 It also includes sabotaging militarily relevant capabilities. This could include the “left-of-launch” offensive cyber campaign,33 in which the United States allegedly sabotaged North Korean ballistic missile launches to slow down development of the overall program.
Offensive cyber operations may also include coercion, but as this topic is covered in great depth by other authors it is not included in this paper, which is primarily focused on the tactical and operational levels of warfare.34
During Hostilities: Before Battle or in the Rear Echelon
Once hostilities have opened, the time for shaping or deterring operations is over. Offensive cyber operations that take place during Phases Two or Three — seizing the initiative or domination, in Defense Department lingo — are no longer used as a substitute for other kinds of power, but as a complement to them or as an independent capability.35 For the U.S. military, such operations are likely to be “pre-allocated to support a specific aspect of an Operations Plan or Contingency Plan” or “allocated to a Combatant Commander.”36 The bulk of the existing examples of offensive cyber operations that occur during hostilities appear to fall into this category, rather than taking place on the battlefield itself.
Offensive cyber operations that are conducted during hostilities more often have a disruptive component, meaning they are typically event-based. Moore noted the key reasons for this:
Like firing a weapon, an event-based operation entails sending a payload from attacker to target in the hope of immediately reducing its integrity or capacity to operate. As a result, these capabilities are often more tactical in nature, easier to integrate with existing military OODA [observe-orient-decide-act] loops and are promising candidates for joint warfare.37
Russia’s use of offensive cyber operations has followed this model. The country has “overwhelmingly opted to deploy … ‘pure’ disruptive tools,” according to Mandiant, a leading cyber intelligence and cyber response company.38 These “pure” disruptive tools are “lightweight in design and primed for immediate use, containing only the capabilities required to disrupt or deny access to the target system.”
Techniques to exploit information could include stealing an adversary’s battleplan or trying to understand the location of its tactical assets. Russia’s Gamaredon group, associated with the Russian Federal Security Service (FSB), has had a long-running “campaign focused on acquiring military and security intelligence to support potential invading forces.”39 Russian intelligence has also spied on Ukraine’s rail networks, which are “key to solid and fast heavy weapon delivery to the bases near the frontline.” Ukraine has stated that this was done to help Moscow understand “supply dependencies, schedules, and specific equipment/machinery.”40
Tactics to attack information include disrupting systems that are crucial to mounting an effective defense or disrupting logistics. Since its invasion began, Russia has conducted dozens of attacks to disrupt Ukrainian systems, such as a large-scale offensive cyber operation against Ukrtelecom, the main fixed-line telecommunications company, in March 2023.41
While these operations have not had a lasting or strategic impact, Russia has had more success with this technique in the past by disrupting communications. During Russia’s 2008 invasion of Georgia, “computer researchers had watched as botnets were ‘staged’ in preparation for the attack, and then activated shortly before Russian air strikes,” which started the war.42 According to a review on the 20th anniversary of the attack, “thirty-five percent of Georgia’s Internet networks suffered decreased functionality during the attacks, with the highest levels of online activity coinciding with the Russian invasion of South Ossetia. … Even the National Bank of Georgia had to suspend all electronic services” for 11 days due to the cyber disruption.43 More recently, in Operation Glowing Symphony in 2015 and 2016, U.S. Cyber Command unleashed substantial power to disrupt the Islamic State’s social media and internet propaganda.44
Techniques to undermine trust in the government or erode public morale include a range of cyber-enabled information operations. One possible way to erode trust and morale was made clear from an accident: If Hawaii can, in error, send a warning about an incoming intercontinental ballistic missile, as it did in 2018, an adversary might do so deliberately during wartime to cause panic.45
However, as with most categories in the framework presented here, the war in Ukraine provides the most concrete examples. Mandiant has found that Russian military intelligence set up fake hacktivist identities “to claim responsibility for cyber attacks and leak stolen documents or other proofs from their victims.” Their goal was “almost certainly an attempt to prime the information space with narratives of popular support for Russia’s war and to generate second-order psychological effects” from the initial offensive cyber operation.46
Earlier Russian attacks on Media Group Ukraine that planted false messages that Ukrainian President Volodymyr Zelensky had surrendered were likely not intended to trick Ukrainian defenders to lay down their arms, but rather to “erode confidence in Ukrainian media outlets and institutions.”47
Offensive cyber operations that take place before battle or in the rear echelon can also be used to erode trust in weapons systems or physical infrastructure. In late 2022, a Russian-affiliated hacker claimed to have gained illicit access to Delta, a Ukrainian battle-management system. He posted screenshots of the locations “of friendly troops, enemy troops, barracks, ammunition depots, intelligence data and other information.”48 Such operations need not be obvious or even detected to cause a loss of trust: “Subtle malicious manipulation of command and control telemetry, or minute disturbances in targeting latency could wreak havoc across an entire operational theatre.”49 Offensive cyber operations might cause enough disruption to a system that its operators just learn to ignore it and rely instead on workarounds that might adversely impact their readiness to fight: “The mission planning system is ‘fubar’ yet again. We gotta switch to pencil and paper for the third time today.” However, as military dependence on information technology grows, there are fewer options for such workarounds. There are, after all, only so many fax machines, sextants, or printed maps to go around.
Had Buckshot Yankee, Russia’s infiltration of classified Defense Department networks, occurred during actual hostilities with the United States, the American military might have had to abandon the entire network until it was resolved. Even a suspicion that an adversary could read (or modify) battle plans and intelligence could be enough to force a military to use less efficient alternatives. Such an attack could have strategic political effects, if it occurred in the systems of, say, a NATO ally, who might then be ejected or quarantined from allied military command-and-control networks so as not to infect others.
Highlighting the substantial overlap between disrupting a system and disrupting trust in that system, the “left-of-launch” cyber operations that the United States launched to disrupt North Korean missile tests may have also been intended (or had the effect of) eroding that regime’s confidence that their missiles would be dependable during wartime.
Attacks against physical infrastructure or weapons systems can be used as an independent capability to strike fixed targets behind the battle lines or interdict military forces moving there. Both before the invasion and after, Russian cyber operators disrupted Ukraine’s Viasat commercial satellite communications network,50 “taking out major [command-and-control] infrastructure critical to managing the military and the country during wartime.”51 In April 2022, Russian military intelligence was frustrated in its attempt to deploy “Industroyer2 malware against high-voltage electrical substations,” which had been programmed weeks before to detonate on April 8, 2022 and disrupt electrical power in Ukraine.52
During Hostilities: Battle
Offensive cyber operations also may play important roles during tactical engagements — whether large-scale battles between corps or fleets or local fights between individual platoons, ships, or aircraft. This generally takes place in Defense Department Phase 3 — dominate — but it also includes any violent military engagement, including raids or border skirmishes. “Battle” and “battlefield” are accordingly used as a loose description of tactical engagements.
The basics of using cyber capabilities to exploit information, the first subcategory, are broadly similar to using older technologies. For example, a normal target of signals intelligence — such as listening to and decoding Morse code over high-frequency transmissions, a mission of my first unit in military intelligence — is appropriate for cyber capabilities as well. In an exercise in the mid-1990s, the first combined offense-defense cyber unit stole the blue force’s Air Tasking Order within two hours,53 giving it perfect knowledge of the next day’s raids. A Ukrainian commander has claimed that his unit hacked a Russian drone’s video feed to determine its home base, which was then shelled.54
Offensive cyber operations could also be used to monitor an adversary’s common operating picture in real time (which might be accomplished using traditional signals intelligence) or to track and follow every one of a certain type of unit or platform (which would be very difficult with traditional means). For example, according to reporting by CrowdStrike, in 2016, Russian military intelligence knew the exact location of Ukrainian D-30 howitzers, having implanted malware in the Android software used by 9,000 artillery soldiers to coordinate their fires.55
As modern armies kit their soldiers out with smart or radio frequency identification-equipped rifles and wearable computers for situational awareness (such as the U.S. Army’s Nett Warrior for Rangers and other elite troops, based on a Samsung Galaxy Note II phone), it might be possible for a future adversary to know the exact location of every individual soldier or weapons system on the battlefield.56
The next subcategory is attacks against information, networks, and IT systems. Disrupting information using cyber capabilities is one obvious tactic. In the 1980s, the United States appears to have discovered a critical vulnerability “in the Soviet Union’s high-frequency command-and-control communications that could be exploited to shut down … orders from the high command to its strategic missile forces, submarine fleet, and air forces.”57
Cyber capabilities might also be used to modify information, the next subcategory, during a tactical engagement. During Operation Orchard in 2008, the Israeli air force apparently used a secret cyber capability called Senior Suter.58 Jamming Syrian air-defense radars would have left telltale signs, tipping off operators that something was amiss, so Senior Suter apparently showed operators a blank screen, instructing the computer not to display the incoming Israeli strike aircraft. More insidiously, an adversary could manipulate Air Tasking Orders or the common operating picture, even representing hostiles as friendlies or vice versa. Such an operation would be highly likely to erode operator trust in those systems, which might be an additional goal of the campaign.
Modifying information might affect theater-wide command and control. Russia’s access to U.S. classified systems during the abovementioned Buckshot Yankee operation in 2008 demonstrates the possibilities: Plans and orders might not just have been deleted but changed. Even if it may seem implausible that such an operation could be launched successfully against hardened U.S. classified networks, Iranian networks might not be so robust against U.S. Cyber Command or Israel’s Unit 8200. Nor might India and Pakistan, or Azerbaijan and Armenia, have networks that are strong enough to resist attack from the other.
Russia’s invasion of Ukraine indicates that militaries might be specifically attacking trust during battle, the fourth subcategory. Russian cyber-enabled information operations have targeted Ukrainian frontline troops with messages like “Your battalion commander has retreated. Take care of yourself.” and “You are encircled. Surrender. This is your last chance.” These imply that the messages were sent at or near the time of battle.59
The fifth subcategory is attacks on trust in military information or systems during battle. While the research for this paper found no strong examples, the Russia-aligned hacker who gained access to the Ukrainian Delta battle-management system bragged about having more access than it seems he had actually gained. This was possibly a failed attempt to reduce trust in the system and force Ukraine to use a backup system. According to the U.S. company Recorded Future,
For Delta, trust is crucial. The system enables rapid battlefield communications, ultimately facilitating quicker decision-making. Creating doubt among Ukrainian commanders to make them hesitant to use or share information to the system would have serious repercussions on the war’s outcome.60
Techniques to attack infrastructure or weapons systems, the next subcategory, include disabling or disrupting physical infrastructure and weapons systems. While such cases seem to be rare, the Department of Defense had an early scare. In 1998, the guided-missile cruiser USS Yorktown was entirely fitted out with Windows NT, which “reduced the Yorktown crew by 10 percent and saved more than $2.8 million.” Unfortunately, after a divide-by-zero error in a database manager, the ship was left dead in the water,61 successfully though ironically reducing sailors’ workload. It is not a stretch to imagine something similar occurring due to enemy action.
While one assessment found “there are no publicly known cases of Russian cyber actors disrupting military equipment in the field,” it does appear that Russian and Ukrainian militaries have been disabling each other’s drones, not with straightforward jamming, but through offensive cyber operations.62 One Ukrainian officer claimed that “Ukraine often inserts malicious code into Russian drones mid-flight.”63 Ukraine’s defense intelligence has officially claimed to have conducted a “successful attack” against software used by Russian operators to control their drones, leading to a sustained outage.64
Such drone hacking is still quite narrow and tactical compared to Nitro Zeus, a large-scale U.S. Defense Department cyber contingency plan, circa 2010, “to disable Iran’s air defenses, communications systems and crucial parts of its power grid.”65
Around the same time, the United States considered, but ultimately decided against, using cyber capabilities to “cripple Libya’s air defense and lower the risk to pilots,”66 as part of the initial air assault to replace the regime of Muammar Gaddafi. Different policymakers gave competing rationales for not pulling the trigger, such as that the Defense Department wasn’t prepared (“we just ran out of time”67) or that, because the United States was punching down, it need not use its most advanced cyber weapons (“these cyber capabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there”68).
Offensive cyber operations are far more novel when it comes to their ability not just to disable or disrupt but to disrupt all targets with similar characteristics. This is not merely theoretical: Repeatedly in the past, entire organizations, sectors, and nations were knocked offline due to early attacks exploiting common-mode failures, like the Morris Worm (1988) and SQL Slammer (2003). Until just a few months before it struck in 2017, literally every computer running Microsoft Windows was open to the vulnerability behind NotPetya (except, perhaps, those at the National Security Agency, where it was developed). The same is true of weapons systems and sensors. Some future attack might not just take down one guided-missile cruiser but every other ship of every type that shared the same vulnerability — and at the same moment.
Moore gives the chilling example of the Tomahawk Strike Network, “which reportedly allows anybody who has the authority to logon … [and] take control of the missile,” or indeed all missiles, just as Roger Schell warned in 1979:
Indeed, if Chinese network forces successfully compromise a TSN control node—a tall order but not impossible—they can effectively neutralize Tomahawks en-route to strike [People’s Liberation Army] missile bases and limit US ability to intervene in the conflict prior to the US Navy’s arrival on the scene. Even if US operators are eventually alerted to a compromise, they will nonetheless be compelled to bring the TSN down pending a forensic investigation in order to avoid possible friendly fire incidents or any further mishandling of launched Tomahawks. For the duration of the conflict, the damage to combat readiness and efficacy would have already been done. Trust in the platform would be impaired, which is possibly an even more damaging prospect than any concrete threat to the missiles themselves.69
What started as an attack against the weapon system itself magnifies in its impact by becoming an attack on trust.
Lastly, offensive cyber operations are not just useful for disrupting infrastructure or a weapon system but for commandeering a target or indeed commandeering all targets with similar characteristics. After all, hacking is all about subverting a computer so that it follows the attacker’s instructions and not the original owner’s.70
As is hopefully clear from this section, analyses of the impact of offensive cyber operations in warfare will be much more effective using frameworks such as the novel one presented here. Analysts need such tools to distinguish the when, where, and what of offensive cyber operations to drive further and better analyses.
Further Research
The framework presented here might itself be further improved with tighter categories for easier coding of large data sets and could be extended with additional examples. As mentioned earlier, it might benefit from including operations that take place outside the conflict zone but are meant to influence the conflict (such as, say, Russian attacks against European energy infrastructure).
The Framework for Offensive Cyber Operations in Warfare could also be substantially improved by incorporating not just offensive cyber operations, but defensive ones as well.71 The principal difficulty of including defensive operations is that defense tends to be diffuse, loosely coordinated, and steady state. Offense is conducted by specialized units and is purposeful, driven by specific objectives, and time-bound. A framework optimized to examine offense, like the framework in this paper, might never be able to adequately address defense. For example, even though much of offensive cyber operations is about attacking trust, it is hard to conceptualize a defensive trust operation for infrastructure or military equipment.
However, this framework can incorporate some aspects of defensive operations, most clearly in what the U.S. Cybersecurity Framework calls the defensive phases of respond — containing the impact from a cyber incident — and recover — resilience to return “to normal operations to reduce the impact from a cybersecurity incident.”72 These phases only occur in direct response to a cyber incident and so are similarly purposeful and time-bound. When actions are taken knowing an attack is likely to come, sometimes the protect phase is important as well. Here are some examples of how the framework presented here could be used to categorize defensive cyber operations:
- Before Hostilities: Defeat Physical Infrastructure or Weapons System. Ukraine’s power-grid operators and engineers successfully scrambled to limit the damage from the disruptions Russia caused using Industroyer and BlackEnergy.73 (Respond phase)
- Before Hostilities: Attack Information, Networks, and IT Systems. Microsoft specifically developed and deployed new ways to protect against and better detect Russia’s WhisperGate malware, which had been used against Ukraine’s infrastructure and its government.74 (Initially the respond phase for Microsoft but feeds other phases for Ukrainian defenders.)
- During Hostilities, Before Battle or in the Rear Echelon: Defeat Physical Infrastructure or Weapons System. After Russia’s AcidRain disruption of Viasat terminals, Ukrainian commanders and forces switched to other means of communications to remain resilient.75 (Recover phase)
- During Hostilities, Before Battle or in the Rear Echelon: Attack Trust in Institutions or Erode Morale. Ukrainian officials claimed, in March 2022, to have disrupted five Russian botnets that had been spreading disinformation. (Respond phase)
- During Hostilities, Before Battle or in the Rear Echelon: Attack Information, Networks, and IT Systems. Not long after Russia’s February 2022 invasion, Google expanded its protection against denial-of-service attacks, allowing Google to absorb the bad traffic in a distributed denial-of-service attack and act as a “shield” for smaller websites in Ukraine.76 (Protect phase)
Can Cyber Deliver?
The impact of offensive cyber operations in modern warfare in the short term will depend much on the specifics of the capability and the conflict. In the long term, innovations in technology and the frequency and intensity of conflict will likely matter more.
Over the Short Term
Based on the most extensive unclassified modeling of how offensive cyber operations would affect battle outcomes — in this case between U.S. and Chinese fleets — a 2022 paper by J. D. Work found that the success of offensive cyber operations was closely tied to the nature of modern naval warfare. Because large-scale missile exchanges led to a “disproportionate impact of even relatively small advantages,” Work concluded that offensive cyber operations provided substantial “advantage over the adversary, with greater numbers of adversary vessels damaged or sunk where [offensive cyber operations] options were employed in support of missile fires.”77
The most impactful offensive cyber operation in wartime will generally be the most difficult, requiring substantial intelligence, patient planning, and advanced capabilities guided by elite operators and open-minded commanders. It will also be limited by extremely high levels of uncertainty. That is, some operations might be astoundingly effective, while others that are seemingly identical may fail entirely. It is difficult to know beforehand which will be which.
It appears, for example, that Russian cyber operations against Ukraine were less than fully effective in part because of a successful defense by Ukraine, which was backed by the global technology sector, volunteers, and U.S. Cyber Command.78 So, successful defense is possible, but it is not inevitable. In Ukraine, those defenses have so far prevented any cyber catastrophes, but will they next time? Would Iran’s defense have prevailed against Nitro Zeus or Taiwan’s against the People’s Liberation Army? There is no way to know beforehand.
The rule of thumb in ground warfare is that an attacker should have between a three-to-one and a six-to-one advantage to be confident of victory. There can be no such easy estimate in cyber conflict. A global cyber onslaught might be undone by a serendipitous discovery,79 one of the best-defended technology giants could be hacked by teenagers,80 or attackers might bypass elite defenses just by first compromising a trusted vendor.81 Defenders might easily swat away 99 offensive cyber operations only to have the 100th sweep away all before it. While some cyber operations (like intelligence) have lower uncertainty compared to others, all are less predictable than traditional operations.
This is more than just saying there can be David-beats-Goliath upsets: The complexity of cyber space and cyber operations stymies predictions of which side will prevail.
However, even less sophisticated offensive cyber operations could substantially change battlefield outcomes, especially if exquisite insights are gained by cyber-enabled intelligence operations, making the battlefield far more transparent. Relatively unsophisticated operations might help deliver a fait accompli — such as China delaying U.S. forces long enough to achieve limited objectives in Taiwan — or be used as an opening attack to “keep the victim reeling when his plans dictate he should be reacting,” in the words of Richard Betts.82
Russia attempted this with its Viasat attack to disrupt Ukrainian command and control, an attack that was only unsuccessful because of Ukraine’s preparation. Russia was more successful during the invasion of Georgia in 2008. While not decisive, those attacks impeded “the Georgian government’s ability to react, respond, and communicate, [creating] the time and space for Russia to shape the international narrative in the critical early days of the conflict.”83
And the Longer Haul
Beyond the next decade, offensive cyber operations in warfare may be less driven by the particulars of one or a few wars, and more driven by the frequency and intensity of global conflicts and the general direction of technological progress. After all, the future will look substantially different than today. Humanity is still only in the first decades of the information age, which, like the agricultural and industrial ages before it, will encompass decades or even centuries.
Wars drive innovation and improvisation. Since most of cyber conflict has occurred during the relative peace of the post-Cold War decades, theories of cyber conflict have been based on false assumptions, such as that “territorial conquest continues to become somewhat more anachronistic.”84 Most of the examples in the framework presented above have come from a single war, the Russian invasion of Ukraine, over the past two years. If conflicts between cyber powers become more frequent, offensive cyber operations will continue to be used in surprising ways.
Offensive cyber operations in warfare may also move in surprising directions based on technological changes. Advances in AI since 2022 make it hard to assess the danger of AI-driven offensive cyber operations or promises of AI-driven defenses, though some efforts have been made to assess whether AI will ultimately favor attack or defense.85
More generally, if nations successfully secure their critical infrastructure or weapons systems at scale, adversaries will find it nearly impossible to succeed in launching offensive cyber operations for many of the categories of this framework. More likely, however, societies and armed forces will continue to become increasingly dependent on technologies that are not secure, opening themselves to more, and more intense, offensive cyber operations.
Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs. He was a plankholder of the first joint cyber command in 1998 and the White House’s Office of the National Cyber Director in 2022.
Acknowledgements: The author wishes to acknowledge the participants of a workshop on this topic at Columbia University in 2019; research assistance by Chris Smith, Shawn Gibson, and Brian Palacios Paz; previous work going back decades by many academics and analysts; and the reviews or input by several colleagues (especially by Steve Biddle, Erica Lonergan, Daniel Moore, Greg Rattray, and J. D. Work) as well as several anonymous reviewers.
Image: Staff Sgt. Renee Seruntine