Lennart Maschmeyer | 01.24.22
The prospect of cyberwarfare continues to haunt defense planners, policymakers, and the public. Earlier visions of cyberwar, in which opponents hurled cyber weapons and logic bombs at each other at the speed of light, have mostly subsided. Yet fears of a strategic cyberattack causing a “cyber Pearl Harbor” remain acute. And even if cyberattacks remain below the intensity of armed conflict, many argue that their unrivaled effectiveness expands the value of “hybrid warfare,” opening a new space for strategic competition. Cyber operations, in this view, will allow states to shift the balance of power and attain strategic gains in ways that were previously impossible without going to war. In other words, by staying in the gray zone states can get more for less.
If true, this development would herald no less than a revolution in strategic competition. The reality is more prosaic. In a recent article in International Security, I show that current expectations about the strategic potential of cyber operations focus on the promise of technology, while neglecting key operational challenges. As has often been the case with new and ostensibly revolutionary military technologies, the way actors use them at the operational level determines their strategic utility. And a closer look at the operational challenges in cyber conflict—including Russia’s five major disruptive cyber operations in the Russo-Ukrainian conflict—suggests that its strategic value will be modest.
Cyber operations are not novel instruments of power, but instruments of subversion. Like all such instruments, cyber operations hold great strategic promise but falter all too often in practice. The reason is an operational trilemma between speed, intensity, and control: cyber operations cannot have all three properties at once. In theory, cyber operations offer rapid and stealthy options to sow mass disruption capable of shifting the balance of power. In practice, however, they tend to be too slow, weak, and volatile to deliver on that promise.
Subversion and its Promise
Subversion is a common but understudied mechanism of power familiar mostly to intelligence scholars and practitioners in the context of nonmilitary covert operations. The distinctive characteristic of subversion is its reliance on the secret exploitation of vulnerabilities in adversary systems. Exploitation involves identifying flaws in a system, and then using these flaws to infiltrate the system to produce unexpected outcomes for the victim.
Traditional subversion uses spies to infiltrate organizations or groups and manipulate them. For example, a spy could attain employment at an industrial facility under a false identity, exploiting insufficient background checks. The spy could then gain access to sensitive machinery, before sabotaging it by exploiting weaknesses in security protocols. Since humans are fallible, any human-made system of rules and practices is vulnerable in principle.
Subversion can produce a wide range of effects: it can influence policy and public opinion, sabotage infrastructure, disrupt the economy, and foment unrest—it can even overthrow governments. As a result, subversion is a nearly irresistible option: it is cheaper and lower risk than warfare, yet still capable of significantly weakening adversaries.
Subversion’s Pitfalls: An Operational Trilemma
But the same characteristics that enable this strategic promise also often prevent its fulfillment. Subversion promises low risks and low costs because of its secrecy and its exploitation of adversary systems. These operational characteristics are not a given, however, but require significant efforts to achieve and maintain. Secrecy requires stealth and adaptation. Exploitation requires reconnaissance of systems, identification of vulnerabilities, and development of means of manipulation—all under the constraints of secrecy. These challenges limit operational speed, intensity of effects, and control. Moreover, increasing one variable tends to create corresponding losses across the remaining ones.
First, speed is constrained because reconnaissance, identification of vulnerabilities, and development of exploitation techniques all take time. Since an increase in speed means less time to develop and refine exploitation techniques, it correspondingly tends to reduce the intensity of effects and the degree of control over an operation.
The second variable in the trilemma, intensity of effects, is constrained by adversary systems and the need for secrecy. The properties of the target system determine the maximum intensity of effects—for example, if economic disruption is the aim, the target system must in some way affect the relevant economic processes. Even if the target system is capable of such an effect, however, the process of manipulation must stay hidden until the effect is produced. Otherwise, the victim can neutralize it—typically, by arresting the spy involved.
Finally, subversive actors never fully control a target system, and usually have only incomplete knowledge about its design and functioning. Because of this limited control, manipulation may fail to produce the intended effect or lead to unintended consequences. This trilemma means that subversion is typically too slow, too weak, and too volatile to provide strategic value.
The Subversive Nature of Cyber Operations
Cyber operations share this operational trilemma. The core mechanism of cyber operations is hacking—exploiting vulnerabilities in computer systems to make them behave in ways not intended by their designers, owners, and users. These systems are of a different kind than the social systems targeted by traditional subversion, but the mechanism of exploitation involved follows the same functional logic: identifying flaws in a system and then using them to manipulate it.
Hacking targets two types of vulnerabilities. First, it can target flaws in the design of the technology itself, such as software code, to make systems behave in ways neither their designers nor users intended or expected. Usually, this means granting access and control to the hacker. But it can also exploit flaws in hardware design.
The second type of vulnerability targets users and security practices. Phishing emails offer a classic example, leveraging weaknesses in human psychology to trick users into installing malware or revealing access credentials. Regardless of the vulnerability exploited, cyber operations then use the targeted system to inflict damage upon an adversary. As in the case of traditional subversion, hackers turn these systems into instruments of the sponsor’s interests. In a second parallel, hackers also proceed stealthily, establishing access to, and assuming control over, targets without alerting the victim to their presence.
Hacking can achieve effects as diverse as those of traditional subversion, ranging from influencing public opinion to disrupting the economy to the sabotage of critical infrastructure. In modern societies a growing portion of social, economic, and physical processes are computerized. This computerization produces vast efficiency gains, but it also creates new liabilities. Current expectations about the strategic potential of cyber operations are correct in identifying this promise.
The Subversive Trilemma and the Strategic Limitations of Cyber Operations
Yet the exploitation required to fulfill this promise involves the same operational challenges as in the case of traditional subversion, and therefore produces the same trilemma. As a result, in practice cyber operations offer similarly limited strategic value.
Contrary to prevailing expectations, cyber operations face key constraints when it comes to speed. Hacking requires reconnaissance, identifying suitable vulnerabilities, and developing the means to exploit them, such as computer viruses. All of this takes time. If operational speed is required, there is less time for reconnaissance and development, which means that the tools and techniques deployed are less likely to achieve large effects and significant control over the target system. And hacking, like traditional subversion, also requires stealth. Upon discovery, victims can delete malware and patch vulnerabilities, so hackers must proceed with caution—constraining the intensity of effects that can be produced.
Conversely, increasing the intensity of an operation tends to slow down speed and decrease control. The greater the desired scale of impact, the more reconnaissance and development time will be required to achieve a corresponding degree of control over a target system capable of producing the desired effect. The more capable the system, the more likely it is to be well protected, raising the risk of discovery. With the increase in scale, the likelihood that something goes wrong also tends to increase—unless one invests even more time in reconnaissance and development.
Finally, as in the case of traditional subversion, control in cyber is also limited. Access to target systems usually remains incomplete, and some parts of these systems remain unfamiliar. Even those parts that hackers have access to may behave differently than expected in response to manipulation. The same fallibility that produces the logical flaws that enable exploitation may also apply to the hackers themselves. For example, in the 2016 sabotage operation against Ukraine’s power grid, the infamous Sandworm hacking group had developed a program that was capable of physically damaging power circuits by overloading them. Yet the hackers had missed something: the industrial control systems they targeted reversed IP addresses. As a result, the malicious commands went nowhere, the capability failed to produce any effects, and the victims neutralized the outage in little more than an hour.
In sum, the trilemma predicts that an increase in one of speed, intensity, or control will tend to produce a decrease in the other two. And increasing two variables at once tends to produce corresponding “double losses” in the remaining variable. For example, high-speed and high-intensity operations will entail an extremely high risk of losing control.
The Strategic Value of Cyber Operations: Expectations versus Evidence
This subversive trilemma defangs cyber operations in most circumstances. Contrary to expectations, cyber operations cannot be fast, intense, and anonymous—or at least not all at once. In practice, cyber operations are usually too slow, too weak, or too volatile to contribute to strategic goals.
My research into the use of cyber operations in the Russo-Ukrainian conflict—a paradigmatic example of cyber-enabled gray-zone conflict—confirms these conclusions. In contrast to expectations about the integral role of cyber operations in hybrid warfare, cyber operations have been mostly irrelevant to the military dimension of the conflict. And Russia’s five major disruptive cyber operations against Ukraine failed to produce strategic value—in large part because of the operational constraints laid out above. Even the one operation that produced strategically significant effects, the 2017 NotPetya operation that disrupted businesses across much of the world, ultimately supports this theory: the reason for its wide spread was a loss of control. The hackers had no way to control the malware’s spread, and thus no control over the scale of its disruption—which, based on forensic evidence, spread far wider than intended. The operation had a measurable strategic impact since it reduced Ukraine’s GDP, but its uncontrolled spread also produced additional costs as several Western countries levied sanctions against Russia in response, reducing the attack’s net strategic benefit.
This last point highlights an important distinction between strategic impact and value. Cyber operations can produce significant impacts by spreading widely, but their uncontrolled spread limits their strategic value. And because of the trilemma, the greater the scale of effects, the greater the risk of losing control tends to become.
In most circumstances, then, the subversive trilemma significantly limits the value of cyber operations. Their track record in Ukraine confirms this assessment. Of course, actors may occasionally get lucky and manage to achieve strategic goals despite taking exceptional risks. Yet such rare scenarios should not dominate threat assessments and strategy development. In theory, it is possible to juggle three balls while sprinting one hundred meters at competitive pace without dropping a single ball. In practice, few—if any—will be able to achieve this feat.
Lennart Maschmeyer is a senior researcher at the Center for Security Studies at ETH Zurich. You can follow him on Twitter @LenMaschmeyer.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.