Is Cyber Revolutionary or Barely Relevant in Modern Warfare?

Offensive cyber operations in warfare have long had the potential to be revolutionary but that promise has remained distant, being “much harder to use against targets of strategic significance or to achieve outcomes with decisive impacts, either on the battlefield or during crises short of war.”

But this assessment cannot be the whole story. Humanity is still only in the first decades of the digital age, which, like the agricultural and industrial ages before it, will last centuries. The near future is darker, with more crises and conflict between high-tech powers, than during the relative peace of the post-Cold War era, when most cyber conflicts have been fought.

This article expands on a longer work of scholarship in the Texas National Security Review, which introduced a framework to categorize offensive cyber operations in wartime. This article goes farther, to assess under what conditions offensive cyber operations may be either relevant or revolutionary during wartime.

Starting with an overview of four areas of disagreement between cyber doubters and pessimists (those that suspect cyber operations will be important and those who fear they likely will), the article continues with an analysis of the ways that cyber operations may be novel or transformative, and the ways they might be actually revolutionary.

For the near term, cyber capabilities may be more like electronic warfare or use of information technology more generally: not just relevant but “increasingly essential for mission performance” to survive in a modern military conflict.

The future lasts a long time, however, and cyber operations have the power to be win battles and wars. As technology continues to accelerate and the geopolitical environment deteriorates, no one should write off the revolutionary potential. A particular set of circumstances, and a unique leader, might use offensive cyber operations in decisive and surprising ways.

 

 

Enthusiasts and Pessimists

As far back as 1979, some in the Department of Defense have been warning that adversaries might penetrate computers to “retarget [U.S. intercontinental ballistic missiles] to impact on … friendly targets as part of a surprise attack!” But after 45 years there have been no such obvious revolutionary use of cyber power, so cyber-pessimists have accordingly cautioned against overhyped technological determinism.

Martin Libicki was an early skeptic, arguing that the “revolutionary impact of cyber warfare can be no greater than the revolutionary impact of digital networking.” An oversimplification, it turns out, as technology has repeatedly provided a marginal advantage while opening a catastrophic vulnerability. More recently, Erica Lonergan, Shawn Lonergan, Ben Jensen, and Brandon Valeriano have concluded that since offensive cyber operations “are not always easy, cheap or effective in managing destruction at scale,” they are “unlikely to produce the game-changing moment in modern warfare that many anticipated.”

There is wisdom in both perspectives.

Four Areas of Debate and Confusion

Oversimplified, there are four areas of disagreement between doubters and pessimists.

Lack of Clarity about “Revolutionary” or Relevant”

Debates between doubters and pessimists can sometimes steer to the extreme positions of “revolutionary” or “irrelevant,” rather than gradations such as revolutionary, necessary, relevant, and largely irrelevant.

To be revolutionary, cyber capabilities would need to have an effect that either (a) is novel and not achievable by other methods or (b) drastically decreased cost or increased scale. A high-end revolutionary capability would transform the fundamental nature of war, not just particular ways in which it is fought. A lower-end revolutionary capability might merely be decisive — “revolutionary” as in the 1990s’ “revolution in military affairs.”

Below that, offensive cyber operations may not be revolutionary but still necessary. Like defensive electronic warfare, they may be an often-essential part of modern battle to avoid being blinded or disrupted.

Cyber operations may be merely relevant, providing substantial, but circumstantial, advantages, used if they prove more available or effective than other capabilities. Particularly adept commanders might integrate them in stunning ways — matching their strengths with the opportunities presented by the adversary — that may be hard for others to mimic. Lastly, some capabilities in some instances may be largely irrelevant.

Characteristics of Cyberspace and Cyber Capabilities

Cyber-power doubters and pessimists tend to rely on different cyber characteristics — both of which are logical and have explanatory power.

Doubters often highlight specific dynamics of offensive cyber capabilities (such as those cited by Erica Lonergan and Shawn Lonergan: secrecy; the technical challenges of planning and conducting strategic operations; their limited effects; and the relationship between espionage and military cyber operations). Pessimists, by contrast, start with a different set of characteristics, worrying that some characteristics of the cyber domain (e.g., lower cost, scalability, cascading impact, the expanse of vulnerable systems, and system-wide vulnerabilities of the underlying global internet) permits far wider, more destructive operations than states have yet decided to engage in.

Differing Methodologies and Scope

Doubters tend to rely on evidence of how cyber capabilities has been used in the past while pessimists worry more about how they may be used in future. This means the doubters’ arguments are particularly strong, rooted as they are in data and empirical methods. However, some of the pessimists’ strongest findings — such as Erica Lonergan’s conclusion that “cyber-operations by their very nature are designed to avoid war” — reflect a design choice with predictive power only if the future looks like the past.

Lastly, many of the worst cyber incidents over the past decades are not reflected in the pessimists’ databases. Many remain classified; were not attacks but major failures which highlight deeper vulnerabilities; or were criminal attacks, such as ransomware, which seemed to lack national-security relevance at the time. Each highlight, to the enthusiasts, that offensive cyber may have more potential than has been previously tapped by states.

Precision of Analysis

Neither enthusiasts nor pessimists have always been clear about what aspect of aspect of modern warfare they were assessing. The Framework of Cyber Operations in Warfare provides one way to clarify the why, when, and where of cyber operations and improve analysis. Enthusiasts and doubters may still disagree but at least they can have more confidence they are debating about the same part of the elephant.

Assessment

Many of the tactics summarized in the framework have already been proven relevant, including during tactical engagements. Mere relevance is, after all, a low bar. But under what conditions might cyber capabilities be revolutionary, meeting either element of the definition: (a) is novel and not achievable by other methods or (b) drastically decreased cost or drastically increased scale?

Steven Biddle has written how for the last 100 years, the “modern method” of force employment — integrated firepower, maneuver, concealment, and reserves — “damps the effects of technological change.” This downward pressure ensures cyber capabilities are unlikely to be revolutionary. Using cyber capabilities to disrupt infrastructure or weapons systems might help win a war, but there are many ways to do this and cyber usually is not the cheapest, easiest, or most predictable way to do so.

Four categories of offensive cyber operations have more potential.

The first is disruption at scale, which upends traditional notions of mass. Traditionally, military force scales somewhat linearly, which does not hold for some kinds of cyber operations. Common-mode and other vulnerabilities allow one-on-multitude attacks. Destroying 1000 Iranian centrifuges does not require substantially more mass than taking down one. A cyber operation to disable a single missile-cruiser is a nice military trick but one that several missiles might accomplish just as well. But an operation targeting common-mode vulnerabilities might disable an entire flotilla, so long as they shared the same vulnerability, which could be decisive, especially in a crisis in the Taiwan Strait.

Second is commandeering at scale. Capturing a weapon no longer requires overpowering or scaring off the operators, just needing to overcome only the security of the computer running the system. Large, crewed weapon systems — a guided-missile cruiser or tank — should have a manual override to defeat such a tactic, though it might take time to do so or leave the weapon system with decreased capability (such as by disconnecting from the command network). Drones and other autonomous systems, with few if any humans in or on the loop, would likely be less able to defeat such subversion. As was warned back in 1979, if you rely on insecure smart weapons, do not be surprised to find them pointing back at you.

Third, in rare instances, offensive cyber operations might be a coup de main, winning without resort to traditional weapons. This would likely only be possible under three conditions: a defending state leaving itself uniquely dependent and vulnerable; faced by commanders with exceptional intelligence and offensive capabilities, and no small amount of audacity and coup d’oeil; and likely fighting over a non-existential issue in which territorial gain is not crucial to success.

Lastly, artificial intelligence might amplify the impact the novelty of cyber operations or magnifying their impact (such as launching an AI-driven worm to autonomously seek out and disable enemy systems, a super Stuxnet).

Can Cyber Deliver?

Cyber operations such as these, done predictably and at scale, could up-end Biddle’s modern method. But the most revolutionary are also likely to be the most difficult, demanding substantial intelligence, patient planning, and advanced capabilities steered by elite operators.

Revolutionary operations seem to be in realm of science fiction — at least until militaries and societies are more technology-dependent, offensive capabilities are sufficiently advanced, and geopolitics sufficiently dangerous. But don’t rule them out: The digital age will surely continue for centuries more.

More likely are cyber-enabled intelligence operations granting especially exquisite insights. These get less attention than disruptive attacks but are far more likely to shift national-security outcomes.

Also likely are cyber operations to conduct just enough of a surprise attack to either achieve a fait accompli — such as China delaying U.S. forces long enough to have achieved limited objectives in Taiwan — or as an opening attack to “keep the victim reeling when his plans dictate he should be reacting,” in the words of Dick Betts. The next victim may not be as well prepared as Ukraine was after Russia attempted to disrupt military communication with attack against the Viasat satellite network.

The potential of all offensive operations will be limited by their extremely high variance. That is, some operations might be astoundingly effective while others, seemingly identical, may fail entirely and it is difficult to know beforehand which is which. It appears, for example, that Russian cyber operations against Ukraine were less than fully effective in part because of a successful defense by the Ukrainians, the global technology sector, volunteers, and U.S. Cyber Command. But what about next time? Does Ukraine’s success tell us much about whether Iran will prevail against U.S. Cyber Command? Or Albania against Iran? Or China against Taiwan? Or Armenia against Azerbaijan?

There is no way to know beforehand. The rule of thumb in ground warfare is that an attacker should have a 3:1 to 6:1 advantage to be confident of victory. The uncertainty of cyber operations means there are no such assumptions: A global cyber onslaught might be undone by a serendipitous discovery, one of the best-defended technology giants can be hacked by teenagers, and elite defenses can be bypassed by properly updating software from a trusted vendor. This is more than just saying there can be David beats Goliath upsets: The complexity of cyberspace and cyber operations inhibits predictions of who might prevail.

Even if cyber operations never meet their revolutionary potential, they will constantly deliver surprise. Successful commanders may deliver an upset against a superior military force by balancing the advantages of cyber weapons with the disadvantages and the opportunities provided by their enemy. This could be especially true in critical engagements in which small advantages can lead to disproportionate impact. Modeling by J. D. Work has shown that during naval engagements between Chinese and U.S. fleets, cyber operations provided substantial “advantage over the adversary, with greater numbers of adversary vessels damaged or sunk where [cyber] options were employed in support of missile fires.” That might be the difference in any future war in the Pacific.

The real potential of offensive cyber operations may only be revealed in a more dangerous world, when states feel the need to unleash their previously reserved, most-advanced capabilities. More simply, states feeling existentially threatened will attempt the highest-risk Hail-Mary cyberattacks. Were China to invade Taiwan, or the United States and Israel attack Iran, the intensity and quality of cyber operations could surpass historical experience.

Policymakers, practitioners, and analysts should accordingly remain open-minded about the revolutionary (or relevant) potential of offensive cyber operations. In cyber, never say something will “never happen.” It is entirely possible that the criticism of the cyber-doubters will remain relevant for decades to come. Prudent risk management, however, requires hedging bets and planning for the worst.

 

 

Jason Healey is a senior research scholar at Columbia University’s School of International and Public Affairs. He was a plankholder of the first joint cyber command in 1998 and the White House’s Office of the National Cyber Director in 2022.

Image: Cpl. Armando Elizalde via Department of Defense