An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

News | Oct. 1, 2020

Six Myths About Offensive Cyber Operations

By Lt Col Benjamin Ramsey, USAF and Mr. Robert Colletti Air Land Sea Bulletin 2020-2

Background

The Department of Defense designated cyberspace as its newest warfighting domain in 2011. Immediately thereafter, an academic debate over the practicality and nature of cyberspace warfare ensued, with many experts including cyber scholar, Marin Libicki, Chief Technology Officer at Human Rights First, Welton Chang, and author, Sarah Granger  weighing in.[1] Academic objections to the acceptance of cyberspace as a warfighting domain did little to detract from the development and maturation of United States (US) Cyber Command. Nonetheless, misunderstandings continue to appear in academic articles about the nature of offensive cyber operations (OCO), in part because many aspects of OCO are secret due to operational requirements. As senior military leaders lobby for resources and policy makers struggle to fit OCO into the spectrum of international competition, both groups display an unintentional bias toward treating cyberspace as exempt from doctrine that applies to the physical warfighting domains. Misunderstandings of OCO and its effects are clouding the environment for decision makers. This article is intended to increase clarity for decision makers by debunking common myths about OCO.

Myth 1: OCO development is swift and execution is virtually instantaneous.

Authors have, erroneously, characterized cyber operations as being nearly instantaneous (e.g., they travel “from one point on the globe to any other, in less time than it takes an average person to blink,” or they “happen at the speed of light”).[2] This is the non-kinetic equivalent of claiming the time between weapon release and impact is the speed of an airstrike. As with flight operations, OCO can last several hours and is the culmination of weeks, months, or years of gathering intelligence and developing capabilities. The preparation leading to effective OCO is never a “relatively short period of time”.[3] Characterizing cyber effects as so rapid that “time, as it is traditionally understood in military affairs, has become irrelevant” at best inaccurate, hindering military leadership from appreciating the true challenges of executing these operations.[4]

Some military leaders have blamed the significant difficulties associated with executing OCO on limited authorities and oppressive bureaucracy. These leaders claim OCO would become “easy and quick” with few restrictions.[5] The reality is, the challenges associated with performing mission analyses, obtaining technical intelligence, and overcoming adversary defenses overshadow all legal and administrative obstacles that apply to OCO. Indeed, Joint Publication (JP) 3-0 recognizes that, “asymmetric attacks can be countered with well-planned joint operations synchronized with actions of interagency partners, international organizations, [nongovernmental organizations], multinational forces, and elements of the private sector.”[6] This level of synchronization requires significant time to achieve.

An analogy to help understand the challenges associated with OCO is the raid on Osama bin Laden’s compound on May 2, 2011 in Abbottabad, Pakistan. Military leaders did not simply “sprinkle Special Forces fairy dust” on the targeted compound in the way some military exercises “sprinkle cyber fairy dust” on challenging adversaries. In reality, the US collected vast quantities of intelligence about the targeted compound to provide military planners the greatest possible clarity. The special forces team that ultimately killed Osama bin Laden in his compound repeatedly practiced the raid against a full-sized compound replica in the weeks leading up to the mission. An abundance of intelligence collection and realistic mission training are likewise required for OCO to effectively engage an adversary.

Myth 2: OCO is the decisive “easy button” depicted in action movies.

Military planners should avoid limiting their expectations of OCO as another means to achieve dramatic or explosive effects. A recent article describes an OCO that would overheat “a phone battery to cause a low-yield explosion.” The author proposes this outcome could “neutralize” an adversary.[7] For this battery-based OCO to succeed, there are a series of criteria that must be met. The cyber operators must know the make and model of the target phone; have established access to the software on it; know, in real-time, when the adversary has the phone close enough for an explosion or fire to cause serious harm; and, most significantly, know there is a physical vulnerability in the phone that allows it to be exploded on command. Any of these criteria is difficult to achieve and, to count upon all four occurring simultaneously during combat, is foolish. A close examination of each of the criteria makes apparent the improbability of such a series of events.

The first criterion, that cyber operators know the exact make and model of the target phone through technical intelligence sources, is plausible. However, simple operational security (OPSEC) practices (such as using multiple phones) increase the required weight of effort. A knowledgeable and well-trained adversary could replace a phone frequently to avoid being tracked. This technique is well-known to criminals, as portrayed in the television show The Wire.

If intelligence sources are able to determine the exact phone make and model, the next situational criterion is access. This, too, is plausible through a number of avenues (such as a covert connection over a cellular network). Cyber operators would need to establish and verify access, check for system changes, and confirm the user’s identity prior to mission execution. An adversary can dramatically increase the necessary intelligence efforts by keeping the phone powered off except for short periods of use or through other common OPSEC techniques.

An exploding phone can only cause damage or distract people within a small area, so mission success depends upon confirmation that the target phone is in proximity to the adversary. For example, a sniper could visually verify the target phone is in the adversary’s hand and beside the adversary’s head. However, this questions why the sniper would not be the weapon of choice in that scenario. A better option would be for the cyber operator to access the camera and acceleration sensors on the target phone to verify its proximity to the adversary, although this approach places an additional dependency on the previous two criteria.

Finally, like many proposed weapon systems, the most difficult hurdle to overcome is resourcing. Cyber operations require substantial resources to develop, test, certify, and sustain a capability that must be continuously funded and operated by cyber specialists. As with any other kinetic weapon, the exploding phone technique would have to be tested many times to validate the weapons affect. Furthermore, the ecosystem of mobile devices is vast. With new hardware and software constantly emerging, it is unlikely the entire development cycle could be completed before the adversary’s phone is upgraded or replaced.

If, somehow, all of these criteria were met, the effect is likely to be underwhelming. Although an exploding battery could cause burns or start a fire, the irony is that more people have died from swallowing coin-sized batteries than from exploding ones.[8] Since all commercially-available mobile devices face regulatory pressure to mitigate possible damages from battery failure, even the prospect of such a defect could rapidly drive a product off the market.

Myth 3: All of cyberspace is vulnerable to fire-and-forget “cyber weapons”.

A 500-pound bomb will be just as destructive ten years from now as it was ten years ago and it is effective against many types of physical targets. Conversely, OCO mission success depends upon every aspect of the target configuration. Any changes in network topology, electromagnetic interference, passwords, software, or time of day have the potential to thwart OCO that required weeks, months, or years to develop. The misrepresentation of OCO as target-agnostic “cyber bullets, bombs, missiles, or intercontinental ballistic missiles,” is counterproductive.[9]

In 2015 the US Air Force published an “Air Force Operating Concept” that described the possibility of the cyberspace equivalent of a heat-seeking missile by the 2030s.[10] Portions of the vignette are technically feasible, such as its description of fiber optic line tapping to gain access to a network “air gapped” from the Internet. Other aspects of the vignette are contradictory. For example, “fire-and-forget” malware that uses “highly autonomous logic” to automatically exploit an unexplored network cannot also produce “precise, predictable effects” because the target network and the autonomous actions of the malware are unpredictable.[11] The effects of releasing autonomous malware into an adversary’s network could not be fully controlled, just as with the release of biological weapons.

The vignette furthermore describes the ability of advanced malware to detain a pursued adversary in an elevator. It is technically possible for malware to stop an elevator from moving, perhaps, by disabling a building’s electrical system. However, if a pursuit team already has access to real-time adversary location data, the ability to remotely detain the adversary in an elevator would be superfluous. Pursuing forces could cut power to a building more easily by using Soldiers or guided munitions than with advanced OCO.

It is unlikely that cyber operators, intelligence analysts, or intelligent malware could quickly map technical configurations of an elevator system, find a vulnerability, develop an exploitation, and produce the desired effect on command while tracking the exact location of the adversary. OCO will continue to require active human participation and ingenuity to be effective. Even today, the least complex OCO requires creative troubleshooting by well-trained teams to overcome unexpected obstacles within target networks.

Myth 4: Software and hardware heterogeneity is an effective defense against OCO.

Authors that tout heterogeneity to protect key cyber terrain fail to account for the diversity of means by which cyber operators gain access. For example, the claim that “a heterogeneous network … cannot be completely taken down by a single vulnerability” is demonstrably false.[12] This misconception may arise from a narrow understanding of OCO effects as being the product of self-propagating malware, such as the Shamoon worm that disabled 30,000 Saudi Aramco computers in 2012.[13]

A software vulnerability is not necessary to gain unauthorized access into a target network. The numerous access methods for OCO include passwords garnered through social engineering, a vulnerable wireless access point plugged into a trusted network segment, and a co-opted insider. Once cyber operators gain access into the target network and establish administrator privileges, it does not matter whether the network uses one operating system or one hundred; the cyber operators can perform any activity on the network as easily as a fully-trusted administrator can.

Myth 5: OCO can be deterred with threats of an immediate response.

Swift attribution of sophisticated OCO is risky due to the challenge of accurately identifying the hostile actor. A significant body of research concludes that “attribution is a critical issue that is difficult to overcome” in cyberspace.[14] For example, in a joint report the US and the United Kingdom highlighted a Russian-associated threat group that utilized Iranian-associated malware for their operations and hijacked ongoing Iranian operations for their own use.[15] Therefore, while a victim may have initially compromised by one threat group, an entirely different threat group can transform an otherwise covert operation into OCO.

Service members looking at computer screen.
Unidentified Marines with Marine Corps Forces Cyberspace (MARFORCYBER) Command pose for photos in the cyber operations center at Lasswell Hall aboard Fort Meade, Maryland, 5 February 2020. MARFORCYBER Marines conduct offensive and defensive cyber operations in support of United States Cyber Command and operate, secure, and defend the Marine Corps Enterprise Network. (Photo illustration by Staff Sgt Jacob Osborne, USMC)
Service members looking at computer screen.
200205-M-VG714-0054
Unidentified Marines with Marine Corps Forces Cyberspace (MARFORCYBER) Command pose for photos in the cyber operations center at Lasswell Hall aboard Fort Meade, Maryland, 5 February 2020. MARFORCYBER Marines conduct offensive and defensive cyber operations in support of United States Cyber Command and operate, secure, and defend the Marine Corps Enterprise Network. (Photo illustration by Staff Sgt Jacob Osborne, USMC)
Photo By: Staff Sgt. Jacob Osborne
VIRIN: 200205-M-VG714-0054

Additionally, numerous significant OCO have taken place against diverse targets (such as military satellites, political candidates, universities, and supermarkets) that remain unattributed to this day. Cyber operators took control of the Roentgen Satellite astronomy platform and rendered it permanently useless in 1998, and also held a SkyNet military satellite hostage in 1999. To date, both groups of cyber operators remain unknown.[16] Similarly, OCO that caused a half million dollars in damage to the National Aeronautics and Space Administration’s Maryland offices in 1989, took control of the CBS News homepage in 2003, and disabled South Korean broadcast networks and banks in 2013 remain unattributed.

JP 3-0 states “deterrence prevents adversary action through the presentation of a credible threat of unacceptable counteraction” and goes on to assert that “ideally, deterrent forces should be able to conduct decisive operations immediately.”[17] To maintain deterrence a response generally must be swift, however hasty attribution and rapid retaliation necessitates that a decision maker is willing to risk punishing the wrong actor. A quick strike against the incorrect actor would undermine deterrence by demonstrating a clear inability to accurately attribute OCO.

Myth 6: A state can deter or compel an adversary state using only OCO.

Thomas Shelling’s work, Arms and Influence, describes two forms of coercion: deterrence (passive coercion) and compellence (active coercion).[18] A large body of research on the nature of cyber deterrence finds that, without “reliable models to assess the relative strength of different states’ offensive cyber capabilities or estimate the effects of [OCO], the concept of deterrence stability makes little sense in cyberspace.”[19] At least two conditions required for deterrence are impractical using covert OCO: the threat must be communicated accurately to the target and the target must clearly understand the threat.[20] A vague threat of consequences in, and through, cyberspace cannot be an effective deterrent. The exact effects of an OCO are nearly impossible to quantify, even for a sophisticated attacker. Furthermore, if the adversary state knew what key cyber terrain the US held at risk and understood what the generated effects would be, the adversary could neutralize the threat with focused cybersecurity measures. A rational course of action for the adversary state would be to commit the necessary resources, up to the expected cost of the threatened effects, to secure its cyber terrain and nullify the threat. It is far more cost effective to remediate a cyberspace vulnerability than to develop an effective OCO based on a vulnerability.

The outlook for cyber compellence is similarly doubtful. Historical attempts at compellence using only OCO reveal a pattern of ineffectiveness. Among the first attempts at OCO compellance were the unprecedented, distributed denial-of-service attacks against Estonia’s government, banking, and news broadcasting networks in 2007.[21] The OCO was significant in scope and enacted in response to Estonia’s plans to relocate the remains of a Soviet World War II memorial. Not only did the OCO fail to influence Estonia’s decision to relocate Soviet graves and a prominent statute, it also led to the creation of the North Atlantic Treaty Organization Cooperative Cyber Defense Center of Excellence in Estonia the following year.

Similarly, a Russian OCO against the Ukrainian power grid in December 2015 served as a proof-of-concept and a coercive act.[22] This OCO required “many months” of disciplined intelligence gathering and tool development, yet was only able to cause a six-hour disruption of electrical service for less than one percent of the Ukrainian population.[23] As a comparison, the average electrical service outage following a winter storm in the US states of Vermont and Maine are 15 and 42 hours, respectively. These examples demonstrate that OCO, by itself, has failed to be perceived as “an unacceptable risk to the adversary’s achievement of objectives.”[24]

While “deterrence and compellence are marginal as pure actions in cyberspace,” doctrine offers an alternative.[25] JP 3-0 explains that “[Special Operations Forces] contributions can provide operational leverage by gathering critical information; undermining an adversary’s will or capacity to wage war; and enhancing the capabilities of conventional US, multinational, or indigenous/surrogate forces.”[26] OCO can provide many similar options to commanders, but should only be applied toward deterrence as part of multi-domain approach.

Conclusion

It is imperative the US and its allies approach the application and maturation of OCO as rigorously as they approach novel missions in the physical warfighting domains. The first step toward self-improvement must always be an honest appreciation of reality, as faulty assumptions often lead to faulty solutions. This article describes some common misconceptions about OCO that are counterproductive to informed decision-making. Knowledgeable cyberspace operations professionals must do more to share their insights, at the unclassified level, with the general public. Only then can policy advisors and academics accurately debate OCO limitations and opportunities in service to national security.

Lt Col Ramsey is a Branch Chief in the Operations Directorate of US Cyber Command.

Mr. Colletti is a Future Operations Planner in the Operations Directorate of US Cyber Command.

End Notes

[1] Martin C. Libicki, “Cyberspace Is Not a Warfighting Domain”” RAND Corporation, 2012, https://www.rand.org/pubs/external_publications/EP51077.html; Welton Chang and Sarah Granger, “Warfare in the Cyber Domain”, Air and Space Power Journal, Fall 2012, http://www.airpower.au.af.mil/apjinternational/apj-s/2012/2012-3/2012_3_10_chang_s_eng.pdf.

[2] Martti Leho, “The Modern Strategies in the Cyber Warfare,” in Cyber Security: Power and Technology, eds. Martti Lehto and Pekka Neittaanmaki (Switzerland: Springer International, 2018), 7; Richard Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do about It (New York: HarperCollins, 2010), 30-31.

[3] Ibid, 25.

[4] Ibid.

[5] James E. McGhee, “Liberating Cyber Offense”, Strategic Studies Quarterly, Winter 2016, https://www.airuniversity.af.edu/Portals/10/SSQ/documents/Volume-10_Issue-4/McGhee.pdf.

[6] Office of the Joint Chiefs of Staff, “Joint Publication 3-0: Joint Operations”, 22 October 2018, https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_0ch1.pdf?ver=2018-11-27-160457-910.

[7] Jennifer Phillips, “Tactical Maneuver in the Cyber Domain”, Joint Force Quarterly, no. 93 (2nd Quarter 2019):19, https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-93/jfq-93.pdf

[8] US Fire Administration, “Electronic Cigarette Fires and Explosions in the United States: 2009-2016”, FEMA, July 2017, https://www.usfa.fema.gov/downloads/pdf/publications/electronic_cigarettes.pdf; Alex Horton, “Vape Pen Kills Man After Exploding In His Mouth”, The Washington Post, 5 February 2019, https://www.washingtonpost.com/health/2019/02/05/vape-pen-kills-man-after-exploding-his-mouth/; Asher Fogle, “Toddler Dies After Swallowing a Button Battery”, Good Housekeeping, 6 January 2016, https://www.goodhousekeeping.com/health/news/a36283/toddler-death-battery/.

[9] David E. Sanger, “US Cyberattacks Target ISIS in a New Line of Combat”, The New York Times, 24 April 2016, https://www.nytimes.com/2016/04/25/us/politics/us-directs-cyberweapons-at-isis-for-first-time.html.

[10] US Air Force, “Air Force Future Operating Concept”, (September 2015):31, https://www.af.mil/Portals/1/images/airpower/AFFOC.pdf

[11] Ibid.

[12] William D. Bryant, “Resiliency in Future Cyber Combat”, Strategic Studies Quarterly, Winter 2015, https://www.airuniversity.af.edu/Portals/10/SSQ/documents/Volume-09_Issue-4/Bryant.pdf

[13] Nicole Perlroth, “In Cyberattack on Saudi Firm, US Sees Iran Firing Back”, The New York Times, 23 October 2012, https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html.

[14] David D. Clark and Susan Landau, “Untangling Attribution”, Harvard National Security Journal, Vol. 2, No. 2 (2011), 25-40.

[15] National Cyber Security Centre, “Advisory: Turla group exploits Iranian APT to expand coverage of victims”, 21 October 2019, https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims.

[16] Patrick Tucker, “The NSA is Studying Satellite Hacking”, Defense One, 20 September 2019, https://www.defenseone.com/technology/2019/09/nsa-studying-satellite-hacking/160009/.

[17] Joint Publication 3-0: Joint Operations”, 22 October 2018

[18] Thomas Shelling, “Arms and Influence”, New Haven, CT: Yale University Press, 1966.

[19] Edward Geist, “Deterrence Stability in the Cyber Age”, Strategic Studies Quarterly, Winter 2015, https://www.airuniversity.af.edu/Portals/10/SSQ/documents/Volume-09_Issue-4/Geist.pdf.

[20] United States Air Force, “Doctrine Annex 3-0: Operations and Planning”, 4 November 2016, https://www.doctrine.af.mil/Portals/61/documents/Annex_3-0/3-0-D15-OPS-Coercion-Continuum.pdf.

[21] “Hackers Take down the Most Wired Country in Europe”, Wired, 21 August 2007, https://www.wired.com/2007/08/ff-estonia/.

[22] Quentin E. Hodgson, et al., “Understanding and Countering Coercion in Cyberspace”, RAND Corporation, 2019, https://www.rand.org/content/dam/rand/pubs/research_reports/RR2900/RR2961/RAND_RR2961.pdf.

[23] Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, WIRED, 3 March 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.

[24] Joint Publication 3-0: Joint Operations”, 22 October 2018

[25] Gartzke, 59.

[26] Joint Publication 3-0: Joint Operations”, 22 October 2018