Main image credit: An interior view from the International Space Station's (ISS) Cupola module with a laptop showing the space station's orbital location position in a live tracker. Courtesy of NASA.
If Defence is to appropriately weight cyber operations then there are some dangerous myths about the practicalities of cyber warfare that need to be confronted.
The British Army has recently formed 13th Signals Regiment to conduct cyber operations on the modern battlefield. This is a welcome capability, providing a home for cyber expertise to help Defence protect its networks, and threaten those of adversaries. It is vitally important, however, that these capabilities are not over-hyped. Cyber capabilities will be relevant in wars of the future, but they will not be decisive, and will not replace the need for hard power.
The first of the cyber myths is speed. The Hollywood portrayal of hacking, in which typing faster determines victory or defeat, has ingrained itself in how people perceive cyber attacks. US concepts of operation describe the speed of cyber operations as occurring in ‘nanoseconds’. Data may be transferred at that speed, but cyber attacks do not happen so quickly. A hostile network is opaque until it is penetrated. The first stage of an attack is reconnaissance, entering the network to gather information on where its control points are and how its defences function. Because the defences are initially unknown, each penetration – which must go undetected – is usually small, becoming more effective as the attacker learns more about the target network. Only then can penetrations aiming at points of control be initiated.
Against civilian systems with rudimentary defences this can be fairly simple. However, against any advanced network it is likely that attacks will need to jump air gaps, or multiple firewalls, requiring human carriers to either physically inject precisely crafted malware, or to verify malicious data for the system to let the virus enter secure compartments. Banks fight these attacks on a daily basis. Most attacks fail altogether. Successful penetration campaigns usually take a year or two, usually starting with the penetration of lower security systems and then using these trusted external networks to progressively jump the gaps into more secure ones.
The second myth is about control. In 2017 General (Retd.) John Allen described a hypothetical 2018 cyber attack against a US warship that crippled its defences in a manner perfectly coordinated with a swarming drone strike. How exactly this attack was coordinated General Allen never explains, which reveals a great deal about why no such attack has taken place. In short, military systems are usually air gapped and connect to the outside world intermittently, or straddle multiple separate networks, each with distinct security parameters, such as military satellites. Thus, an attacker may penetrate a network, but the number of intermediate networks between attacker and defender, and potential intermittent connectivity, will not allow them to maintain a continuous link to the malware. They have two options. Either the malware can begin to attack the system immediately upon emplacement – like the Stuxnet attack on Iran’s centrifuges – or it can await activation. The attacker, however, cannot control when the gaps are jumped because it usually depends upon a person in the defender’s organisation making an error. If the malware requires activation then the attacker’s options for coordinating that attack are limited by the fact that they cannot dictate when they will gain access to the system. So, while they may have windows of opportunity to activate the attack, it would be remarkably fortunate if those windows coincided with a ship being within the range of a swarm of small drones.
In cyber warfare an attacker cannot reliably control the speed, or timing, of effects. Nor can they be entirely certain of what the effect will be. The WannaCry ransomware attack, which affected several hospitals in the UK and large commercial firms, is a case in point. The attack was crippling for computers using Windows XP. However, the exploit upon which it was based was rendered ineffective by a simple routine patch. Those who were affected had failed to update their systems. Given that effective cyber campaigns take up to a year to penetrate a target, and an actively defended system is patched routinely, there is always a risk that when malware is activated the system will have been patched and its impact diminished or blocked entirely. Alternatively, key elements of the target network could have been left off at the time of activation, which saved a major shipping company from WannaCry.
The WannaCry attack is instructive because it essentially crippled systems that were poorly or incompetently defended. It did not affect banks, or institutions with active defences. In one sense this highlights why 13th Signals Regiment is important – having active defences for Defence’s networks is necessary. However, it also means that the systems that can be most reliably targeted are parts of civilian infrastructure like railways. Attacking such systems can unquestionably disrupt military operations. But it will not defeat an opposing force, which brings us to the most dangerous myth about cyber warfare: that it is analogous to physical fighting.
Commenting on the formation of 13th Signals Regiment, the UK Secretary of Defence, Ben Wallace, argued that ‘Cyber attacks are every bit as deadly as those faced on the physical battlefield’. This is a dangerous delusion. There are as yet no examples of a cyber attack directly causing a fatality. The argument that cyber attacks are as deadly as physical fighting leads inexorably to the view that the former can compensate for a deficiency in the latter. It should be asked in this context whether a cyber-enabled Iraqi Army could have prevented the fall of Mosul in 2014. Indeed, the force retaking Mosul did employ offensive cyber operations, yet it still took over 90,000 troops nine months of gruelling urban fighting to liberate the city. Offensive cyber operations were also used against the Taliban, and while the outcome of the Afghan campaign is still undecided, one would be hard pressed to describe it as a victory.
Offensive cyber activities do not promise to be any more decisive in peer-level warfighting. Russia made widespread use of offensive cyber operations in Ukraine to disrupt Ukrainian infrastructure, and target Ukrainian troops. As a novel ISR element in the Russian kill chain, cyber operations led to the death of Ukrainians. But this depended upon artillery, and despite these tactical successes Russia was still forced to commit a large number of its special forces and paratroopers to direct combat operations in Donbas.
The reality is that the UK’s potential adversaries do not field armies that are systematically vulnerable to cyber attacks. They do not rely on capabilities that are highly networked. The UK, on the other hand, does. Therefore, the most important role of 13th Signals Regiment is to defend one of the UK’s greatest vulnerabilities – its ability to get forces to the fight, with their command and control systems functioning. But if those forces are not equipped and trained to apply physical violence then all the cyber expertise in the world would be unable to prevent defeat, let alone secure victory.
Jack Watling is a Research Fellow in Land Warfare at RUSI.