Story

Operational Cyberwar: Cybersupremacy is impossible because cyberspace is not a unitary domain

 Operational cyberwar consists of wartime cyberattacks against military targets and military-related civilian targets. Even if this does not constitute raw power, it can be a decisive force multiplier if employed carefully, discriminately, and at precisely the right time.

For this discussion, the context is a conflict between the United
States and an opponent that also relies heavily on computer networks to conduct military operations (a growing candidate list as digitization becomes the norm). Because operational cyberwar against military targets is not an escalation of physical warfare, it does not raise broader questions about the depth of the war.

Those who accept the destruction of information systems as legitimate can hardly quibble about operations to confuse such systems.Thus, this discussion can avoid delving into strategic issues (until the matter of attacks on military-related civilian targets is raised).

Operational cyberwar is also not the same as CNE, even if CNE is required to understand the target, get access to the right attack vantage point, and collect BDA. To keep the lines of argument clear, the discussion also excludes:

  1. Physical attacks on networks (excepting rare cases when a cyberattack leads to physical damage)
  2.  Electronic interference against a network’s RF links
  3.  psychological operations (even if cyberoperations do have psychological effects).
     

Stipulating that the opponent has networks is necessary to give
meaning to operational cyberwar. Indeed, that is what differentiates
this from other forms of combat.

U.S. air and space capabilities are, if anything, more dominant against adversaries lacking aircraft or spacecraft than they are against adversaries with them. But the contribution that U.S. dominance in operational cyberwar can make to victory reflects the extent to which adversaries have a footprint in that domain: no footprint—no impact.

Beginning this discussion requires clearing the air on two matters. First, operational cyberwar cannot win an overall war on its own;
it is a support function, and is likely to remain so indefinitely. It cannot
occupy territory; put people’s lives at risk; or, except in specialized cases,
break things.

The direct effects of the most fiendish cyberattacks, ifdiscovered, can often be reversed within hours or, at most, weeks.As previously noted, cyberattacks are likely to be too weak to coerce a population into surrender, particularly one already hardened by the normal privations of war.

A support function is hardly a euphemism for a worthless endeavor, though. The current U.S. space constellation is a support function but is also indispensable to how the nation would wage conventional war. The Middle East has provided many examples of how airpower can convert the prospects of slow heavy combat into a rout (the 1967 Six-Day War, the 1991 Gulf War). But this does mean that operational cyberwar can be analyzed only in the context of the military functions it does, in fact, support.

Second, the question of cybersupremacy is meaningless and, as
such, is not a proper goal for operational cyberwarriors. Here, we define
supremacy as being analogous to its use in other media One air force
can prevent another from taking to or at least surviving in the air; one
navy can bottle up another in port; one army can prevent another from
holding ground.

Cybersupremacy is impossible because cyberspace is not a unitary
domain.

Both organizations can simultaneously keep each other off their own networks. In practice, hackers do get into other people’s networks.

Unfortunately, the idea that someone “owns” another network if he or she can make its machines obey his or her instructions abuses the concept of ownership.

Ownership implies exclusivity. If nothing else, outside hackers cannot claim physical control, and physical control dominates all other forms of control. Owners can physically add or remove machines from a network and can install software directly. If worse comes to worst, owners can discard and replace systems.

Owners with the wit to have backed up their data and applications can resynthesize their networks regardless of who has messed with them. Indeed, a large percentage of exploits require physical access to a system to work.

Furthermore, there is no ipso facto relationship between keeping the
bad guys out and getting into where the bad guys live even if such
underlying factors as the relative quantity and quality of each others’
hackers predisposes success or failure at both.

In short, there is no such thing as a single cyberspace, but at least two: yours and theirs. Without a common space, there is no such thing as supremacy.

The remainder of the chapter discusses some of the operational
challenges of operational cyberwar.Cyberwar can play three key roles: It might cripple adversary capabilities quickly, if the adversary is caught by surprise.

It can be used as a rapier in limited situations, thereby affording a temporary but potentially decisive military advantage.

It can also inhibit the adversary from using its systems confidently. Following discussion of these roles, the chapter touches on civilian targets
before taking up organizing for operational cyberwar.