The Limits of Cyber Operations in Wartime

Interesting paper by Lennart Maschmeyer: “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations”:

Abstract: Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear. Many expect cyber operations to provide independent utility in both warfare and low-intensity competition. Underlying these expectations are broadly shared assumptions that information technology increases operational effectiveness. But a growing body of research shows how cyber operations tend to fall short of their promise. The reason for this shortfall is their subversive mechanism of action. In theory, subversion provides a way to exert influence at lower risks than force because it is secret and indirect, exploiting systems to use them against adversaries. The mismatch between promise and practice is the consequence of the subversive trilemma of cyber operations, whereby speed, intensity, and control are negatively correlated. These constraints pose a trilemma for actors because a gain in one variable tends to produce losses across the other two variables. A case study of the Russo-Ukrainian conflict provides empirical support for the argument. Qualitative analysis leverages original data from field interviews, leaked documents, forensic evidence, and local media. Findings show that the subversive trilemma limited the strategic utility of all five major disruptive cyber operations in this conflict.

Posted on May 31, 2022 at 6:06 AM • 17 Comments

Comments

John May 31, 2022 6:22 AM

hmm….

Wars are won, on the land, face to face.

“The victor only seemed to win”.

Their seeming triumph was short-lived!!

John

Jurgen May 31, 2022 6:43 AM

‘tSeems that there is also the angle of Empire (Hardt&Negri), by way of ‘network warfare’ against … well, counterinsurgence. Back and forth.

Clive Robinson May 31, 2022 9:42 AM

@ ALL,

When all is said and done, wars are about three things,

1, Resources
2, Ideology
3, Influence.

Mostly they boil down to control of an area, region or territory in some way.

Historically that was “land”, and control was via “Boots on the ground”.

As time pushed forward resource issues became less of an issue, because often both sides wanted something the other had, so it was control of “trade” that became important.

Thus history moved forward and the paths of trade by land and sea became the control points. So the idea of Naval / Maritime warfare came into play. Which has gone through surface warfare, briefly through air warfare and back to submarine warfare.

Just as submarine warfare became practical, so aerial warfare became practical, but like surface warfare aerial warfare has a “visibility” issue, the presence of forces can no longer be hidden. The old adage of,

“He who holds the high ground”

Moved upwards into “space” but is effectively flawed. To “stay in space” currently requires one of two things,

Firstly to be in “free fall” which in practical reality is a very slow, and highly predictable spiral down a gravity well to destruction.

Secondly to expend vast amounts of not just energy but matter to navigate the gravity well and rise up it.

Both have significant disadvantages, as has been demonstrated by at least four nations. That is destroying satellites is not just possible, it is actually fairly easy, just costly and has significant down sides.

So the fight has been moving from active or kinetic conflict on the ground, in the sea, air and space to Ideology.

Ideology is a battle for minds, so far all we really know is to win,

1, You have to get at minds before they can defend themselves.
2, Stop alternative information that conflicts being available.

The first we politely call “indoctrination” the second “propaganda”.

In both cases to attack them requires freely available “information” that is widely disseminated.

But information is a tool it knows not truth / falsehood, good / bad, right / wrong. Those are “subjective” and arise in the minds of observers.

What many forget is that weapons designed for one war-space are often fairly ineffective in another war space. A torpedo even when carried on an aircraft, is effectively useless in either air combat or land combat. Missiles whilst effective in most combat spaces are usually way too costly to be practical except in highly targeted ways against very high value targets, or when the payload has significant radius.

Technically “information” does not occupy a physical space as by itself it has no agency in a physical space.

Therefore “information weapons” are limited to action in what are non physical spaces of the mind, and processing of information.

Thus to be effective in other war-spaces a bridge is needed for an information weapon to get “agency” in a physical space.

Currently few understand how to build such bridges, thus information weapons have limited utility.

All we currently know is that to be effective current information weapons require as a minimum,

1, Access.
2, Fragility or nonresilience.

If neither exists then current information weapons fail.

dbCooper May 31, 2022 10:08 AM

@Clive Robinson
“Currently few understand how to build such bridges, thus information weapons have limited utility.”

My observation is the MAGA fraction of the US Republican party have mastered building these bridges.

Best regards.

Clive Robinson May 31, 2022 11:23 AM

@ dbCooper,

My observation is the [XXXX] fraction of the [YYYY] have mastered building these bridges.

Actually they have not[1].

What they have achieved is “indoctrination” of a few by “propaganda”. There are certain personality types that are not just amenable to this, but positively crave it and directly or indirectly become “zealots”. This has been a process of cults and religions for many thousands of years.

So much power can be obtained over their minds in the information space that they self-harm willingly including castrating and disemboweling themselves if “asked” to do so directly or indirectly.

But it is still a “Directing Mind” controlling an information tool, that in turn controls another more local directing mind “with agency”. There is nothing in the physical spaces that actually has agency, hence no bridge.

Now if you can get a directing mind to type commands at a keyboard that leaves one physical system and ends up in another physical system and that second physical system executes them without constraint to cause physical disruption/harm to an assigned operation then you have built a bridge.

But as noted you first have to gain “access” and secondly the second system has to be “nonresilient” or “fragile”.

The essence of security is three part,

1, Stop unauthorised access.
2, Stop unauthorised actions.
3, Stop or limit agency.

Whilst they all stop “the bridge” at various points, as a general rule the first is easier than the second which in turn is a lot easier than the last.

[1] By the way as has oft been observed on this blog there are many XXXX factions of many YYYY entities. They are basically seeking “control” through “power” or “Status” which they have acquired by “anti-social” behaviours, often as a consequence of mental disability that shows up as one or more of “Narcissism, Sadism, Machiavellism, or socio/psychopathy” for which there are tests, but no cures currently.

Ted May 31, 2022 12:27 PM

It could even be argued that kinetic activity has its limits in power struggles. See also: the Russo-Ukrainian conflict

However, I really appreciate the paper’s attempt to classify the type of activity that cyber is. Here it is observed as an instrument of subversion. The paper highlights five cyber operations:

  • election interference (2014)
  • power grid I (2015)
  • power grid II (2016)
  • “NotPetya” (2017)
  • “BadRabbit” (2017)

I would love to see a similar analysis with a widened scope and with different actors. If cyber operations have been seen to have a negligible strategic impact, how much of this is due to strategic restraint?

Winter May 31, 2022 12:59 PM

@Ted

It could even be argued that kinetic activity has its limits in power struggles.

War is about forcing your will unto a people that do not want you.

It has two phases:

  • 1 Breaking the means to oppose you
  • 2 Making them do what you want

Phase 1 generally involves destruction. Phase 2 requires actual involvement with the people to be dominated, e.g., killing, deporting, or enslaving them.

Cyber activities can help by sowing division, stoking treason, misdirection, derailing communication, and directly by derailing operations that depend on software and communication.

These direct actions against computers have not yet proven very effective.

JonKnowsNothing May 31, 2022 2:49 PM

@ Winter, @Ted, @Clive, @All

re: War is about forcing your will unto a people that do not want you.

War is also about people, who DO want you to engage in war.

It’s 2 sides of a buttered slice; tossed randomly; which side will land buttered side down.

As previously noted, engaging in war, is just one part of the equation.

1) Active Engagement. The messy part.
2) Establishing Control. A base, toehold, foothold, foundation for sustained activities
3) Holding on to those Controls. To maintain Control while you take what you came for; reward your supporters and eradicate opposition.

The tricky part of the buttered slice, is that these very actions can last hours, days, months, years, decades or centuries. Nearly every edition-version has collapsed in spectacular fashion at some point. Even those that lasted “centuries” did not remain in a stagnate format.

The Pax Romana wasn’t Peaceful, just less bloody in some parts of the Roman Empire.

A short walk through of the history of Europe, would give a good overview of the who, where, why, of how the buttered slice falls… UP or DOWN.

The reasons have not changed, because people do not change. Some like plain bread and some like it buttered.

Ted May 31, 2022 2:51 PM

@Winter

These direct actions against computers have not yet proven very effective.

I’d argue that the cyber activities you listed (ie: sowing division, misdirection, derailing communication…) can be effective. I don’t know what it takes for cyber to make it into the official WAR! chest.

My fear is over-simplifying cyber here. The paper’s title “The Subversive Trilemma” suggests the author’s analytical approach:

I introduce and use a systematic framework to measure operational effectiveness across the variables of speed, intensity, and control, and I triangulate strategic utility.

I really wish I could find a condensed version of this analysis. Also, so much pertinent info is probably classified, it’s hard to fully match more cyber operations with their goals and outcomes.

Clive Robinson May 31, 2022 5:39 PM

@ Bruce, ALL,

Not sure if others have started reading the 40-page PDF or not.

But some things to note,

1, The paper is at least twice as long as it could be due to the number of references alone.
2, It veers into some spurious arguments.
3, It tries to redefine existing terms in the current domain of art.
4, It is over wordy, with a little care and dropping of unneeded argument it could be reduced to just a couple of pages or three.
5, There are things in there that are easy to rebut (see on air warfare with bombing in WWII as just the first example as any historian of the period can give evidence of via “area bombing”, “night time bombing” and towards the end “radio navigation aids”[1]. Then there is the nonsense of bombing and morale[2]).

There are quite a few other things, but to list just the ones I’ve read so far would take ten or more posts.

Should the paper have a rebuttal written… Well that depends on your point of view, my advice is actually read it and make your own mind up. In part because presenting argument that is debatable, or is inaccurate does not of necessity invalidate the hypothesis.

[1] The reason for Wide Area bombing was two fold, navigation was crap until radar (H2S) was put in aircraft and even then, bomb aimers released early based on seeing earlier hits so the bombing rolled back along the incoming flight path. This has been well known and publicly well documented for half a century at least. Accuracy of bombing only improved significantly later with the likes of “Gee” which was not a “beam system” –which the Germans favoured– but a more accurate time based system, and can be seen as a forerunner of GPS. Oh and the Russian system currently in use for when the NavSats get taken out…

https://en.m.wikipedia.org/wiki/Gee_(navigation)

[2] It was simultaneously argued during WWII that “wide area bombing” of mainly civilian targets would destroy German morale, whilst German bombing of Britain would strengthen British morale… That is it was a complete nonsense to cover up the fact that neither the RAF night-time raids including 1000 Bomber raids, nor USAF Daytime Raids were actually doing that much harm to production because neither side could hit targets using visual navigation and aiming. The spread being five miles often missing the industrial targets entirely, initial bombs having fallen short and subsequent bombs “rolled back” through civilian districts and even countryside and farm land[1]. At one point there was a serious enquiry as to if there was night-time colour blindness/confusion as coloured flares dropped by pathfinders did not actually improve accuracy as expected.

Cassandra June 1, 2022 2:16 AM

@Clive Robinson

neither the RAF night-time raids including 1000 Bomber raids, nor USAF Daytime Raids were actually doing that much harm to production because neither side could hit targets using visual navigation and aiming.

Very true. The heavy water plant in Norway was bombed by a USAF daylight raid. 173 bombers released 1099 bombs to produce 711 explosions. It killed about 20 civilians. Four bombs hit the plant’s power station, two hit the electrolysis building, causing little damage. Heavy water production resumed very shortly after. The vast majority of bombs fell well away from the target, causing the civilian casualties.

There’s a map charting bomb strikes in this article:

hxxps://weaponsandwarfare.com/2017/02/04/bombing-of-vemork/

The Germans had a different problem, relevant to data security. They used a network of spies in the UK to report back to Germany where the V1 ‘flying bombs’ hit as well as the later V2 rockets, so they could adjust the timers on the V1 motors to cut out at the point where the glide profile would end in London. What they did not know was that the entire spy network had been compromised, and false information was sent back via the communications channels set up, telling the Germans that the V1s and V2s were going too far over London. This caused the Germans to alter the timing and targeting so that most of them landed short or in other locations rather than London.

hxxps://en.wikipedia.org/wiki/Double-Cross_System#V-weapons_deception
hxxps://en.wikipedia.org/wiki/Double-Cross_System

Jurgen June 1, 2022 2:36 AM

[ … So much for the ‘net trope that in order to solicit comments, one comments with a wrong text. Not Empire but Multitude. Discuss going elsewhere… ]
Never mind.

@Clive: Dresden, much ..? Otherwise, shall we all revert to the article (indeed)?
Isn’t it about a. tactical-level pushing the envelope of ‘speed, intensity, and control’, where there’s a dose of Boyd; b. strategic-level inconclusiveness ..?
To b.: If so, what are the strategies aiming for? Strategy is to achieve something, the path to the dot on the horizon.
If this strategy isn’t working, either change the a.-part, tactical-level (apparent) ‘ineffectiveness’ OR change the b.-part, the path.

If the ultimate goal is to create a permanent state of war (ref. Multitude, and ref. the 48-yrs ago book) on the other hand, the strategy is working quite fine.

Denton Scratch June 1, 2022 11:13 AM

@Ted

I really wish I could find a condensed version of this analysis.

Indeed. It’s very repetitive; I bailed out at the bottom of page 3.

I would like to know why Russian network hacking against Ukraine hasn’t been more fruitful. They’ve succeeded before. I speculate that hackers interfering with e.g. power plants becomes moot when those power plants (or power-lines, or sewage stations, or whatever) can be disabled quickly and decisively using a couple of cruise missiles.

Like, if you’re in a hot war, then the covert aspects of netwar are pointless. The enemy knows who’s attacking them, because – they can see them attacking them.

Incidentally, I believe Ukraine’s netwar capabilities are not far short of Russia’s. It would not surprise me if Ukraine has executed successful network attacks against Russia; I don’t see much information about the Russian home-front through the fog of propaganda.

Ted June 1, 2022 12:39 PM

@Denton Scratch, All

I would like to know why Russian network hacking against Ukraine hasn’t been more fruitful.

Yes, hopefully we will get more details. Not that this is totally surprising, but General Nakasone of the US Cyber Command confirmed for the first time that the US was conducting offensive hacking operations in support of Ukraine.

General Nakasone goes on to say:

“This is kind of the piece that I think sometimes is missed by the public. It isn’t like [the Ukrainians] haven’t been very busy, they have been incredibly busy.”

https://news.sky.com/story/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command-12625139

R.Cake June 2, 2022 2:11 AM

@Clive, all,
indeed the paper is quite lengthy and has some repetition. Still, quite interesting as an individual analysis.
What I found completely missing is the aspect of effort spent. The author keeps repeating their triangle model, but ignores/omits effort as the fourth axis. It appears they simplified the model just assuming that any attack would have a somehow constant effort function behind it.
In reality however, an attacking/hacking entity has limited resources and needs to decide how to spend these. Any attack by any entity has an effort function measured in total FTE (full time employee equivalents) per time, just as any constructive engineering organization would have for their projects.
Assuming that an attacker has X FTEs in their pool, they need to decide how to spread these across the “projects” they are tasked with.
So if we want to conceive a theory of cyber warfare, it matters a lot how much staff at what qualification level an attacker has available.
Is it just a bunch of hired guns with tasks handed out by a central office, or a well-trained collective of effective collaborators with clear rules of operation? Is it 20, 200 or 2.000?
The answer will make an obvious difference to the usability of this organization for an imagined “cyber war”.
