Although cyberspace may have been declared the fifth domain of warfare by the U.S. Department of Defense, many wonder if the concepts of warfare applies to this domain. Is the domain somehow different from the others? Can states achieve new political outcomes by the clever use of cyberspace alone? Can the threat of actions taken through cyberspace alone deter warfare?
At first, some analysts, such as Richard Clarke in his 2011 book on cyberspace, Cyber War, posited that cyberspace would be definitive – that end states, or the final stage of a military operation, could be achieved through the clever manipulation of computer systems alone. Later, that view was contrasted by analysts such as Thomas Rid in his 2012 piece in Foreign Policy, entitled “Think Again: Cyberwar,” in which he argued that cyberspace might have little ability to achieve new end states at all and might merely pose nuisances for states in their quest to change the status quo.
I argue that cyberspace as a domain of warfare is neither a definitive nor insignificant domain – it will neither win wars alone or be utterly useless during conflict. Thus, cyberspace ought not to be viewed as a decisive, separate, unique, or meaningless domain, but instead as one domain working in tandem with the others through which power is exercised to pursue an end state.
Cyberspace’s role in warfare has yet to be properly integrated into U.S. war planning, largely due to this earlier debate over whether it will prove decisive or inconsequential. It is neither. Cyberspace will not be able to deliver cyber effects and threats that, alone, will shape adversary behavior. But if delivered in tandem with other domains, their effects will be meaningful. ‘Cyber deterrence,’ like ‘air deterrence’ or ‘sea deterrence’ is real, but, applied alone, may connote exaggerated notions of its likely effectiveness.
Scholars originally treated the introduction of cyberspace as if it were different from the other domains. At first, many thought cyber warfare would occur often, separate from traditional, kinetic warfare, and be enormously impactful. That does not seem to be happening. It could be that cyber warfare will indeed be impactful, but more likely serve as a complement to the other domains in a conflict, part of a larger political and military confrontation with states and non-state actors. That is, cyberspace operations may prove important but will likely be integrated into a state’s military strategy, like all other military domains – not fenced off from any larger strategy, confrontation, or conflict.
Is the Cyber Domain Different?
Cyberspace operations are the employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Commanders conduct cyberspace operations to retain freedom of maneuver in cyberspace, deny freedom of action to adversaries, and enable other operational activities. Cyberspace operations involve the delivery of effects – or any change to a condition, behavior, or degree of freedom – via cyberspace and can be as diminutive as collecting intelligence or delivering propaganda to as harmful as disrupting government websites or stopping a civilian Supervisory Control and Data Acquisition (SCADA) system used to monitor and control an industrial plant or physical equipment at a dam, electrical power plant, or air traffic control system.
A strategic attack is an act which renders a decisive or catastrophic effect on the outcome of a conflict, civilian infrastrucuture or population, or which has a significant impact on U.S. power or prestige. A strategic attack is an offensive action aimed at generating effects that most directly achieve national security objectives by affecting an adversary’s leadership, conflict-sustaining resources, and/or strategy. A cyberspace attack consists of any hostile act using a computer or network system intended to disrupt, manipulate, or destroy an adversary’s critical cyber systems, assets, or functions to achieve a decisive effect on the overall conflict that manifests in the physical domains.
It should be noted that decisive effects, however, do not necessarily translate into decisive outcomes. For example, North Korea conducted a decisive cyber attack on the infrastructure at SONY Pictures in November 2014 but the event did not lead to kinetic war. Cyberspace attacks are actions that create various direct denial effects in cyberspace – such as degradation, disruption, or destruction – that manifests in the physical domains.
The nation is under constant cyber exploitation for intelligence collection purposes by state and non-state actors such as terrorist and criminal groups. Russia, China, North Korea, Iran, and the Islamic State use cyberspace during “peacetime” to pursue a variety of goals, including operations that violate U.S. sovereignty by employing cyber capabilities against U.S. critical infrastructure, stealing intellectual property, attacking U.S. industry, conspiring to commit acts of terrorism, and producing cyberspace effects on U.S. private and government infrastructure.
Cyberspace competition is occurring every day. The effects cyber capabilities have and can have on infrastructure is quite real. These tools can make weapon systems fail and critical infrastructure, such as air traffic control, rail lines, traffic lights, electrical power grids, hydro-electric dams, purification systems, mass media networks, communications networks, and financial systems “go dark,” or become disrupted. These capabilities, however, are rarely used by states. The two notable exceptions were Stuxnet in 2010 – a targeted attack against Iranian computer controls of the country’s uranium enrichment centrifuges – and the attack on Ukrainian electrical grids in 2015. Cyber capabilities to conduct espionage, steal proprietary information, or transmit terrorism information, however, are exercised frequently.
Cyber effects alone – apart from warfare in the other military domains – could kill thousands as secondary effects, should cyber capabilities be directed to disrupt civilian infrastructure – such as electrical grids, hospitals, or gas lines – and be persistent, not allowing victims to reconstitute their civilian networks. Such attacks, however, would unlikely change the political status quo between states. Should Russia attack U.S. electrical grids, causing thousands of Americans to die in traffic accidents and hospital failures, the tragedy would be enormous but not likely lead to U.S. military failure or the loss of any political alliance or territory to Russia. It could lead to military confrontation in many domains and in several theaters, but the cyber event alone would change no borders.
Further, such attacks out-of-the-blue and divorced from prior serious political confrontation are as unlikely as an adversary using just one domain in a period of peace to attack the United States. In short, a nation-state is just not likely to use cyberspace alone to attack the civilian infrastructure of a competitor in peacetime. Although such a strategic cyber-attack is conceivable, it is unlikely in the extreme – as unlikely as a U.S. foe using only the air domain to send one airplane into the United States to destroy one element of U.S. civilian infrastructure.
Extremely targeted, independent cyber-attacks on private sector infrastructure divorced from any kinetic violence have occurred, however, such as the massive Shamoon-virus cyberspace attack on Saudi Aramco in 2012 and the 2011 Ababil attack on U.S. financial institutions.
The most notable was the North Korean attack on Sony Pictures that caused millions of dollars of damage to Sony computer systems. The operation was both an “attack” as well an act of “compellence” – an effort to compel Sony not to release its movie, The Interview, which placed North Korea’s leader, Kim Jun-un, in a perceivably bad light, by threatening to release stolen emails, sensitive employee information, and copies of unreleased films. A state threatening individuals within a U.S. private company does not fall neatly into U.S. definitions of crime or warfare; cyberspace may now allow for such micro-targeting of individuals worldwide for extremely narrow state goals. But while the attack may have been successfully performed by North Korea, it likely had little to no overall effect on the U.S.-North Korean relationship – Sony Pictures may have been successfully intimidated to a small degree, but the U.S. government was not.
Cyber effects can, however, affect a nation’s confidence in its weapon systems, communications, or its ability to supply troops or feed civilians. They may create moments of doubt and pause or popular disquiet when directed at the government for failing to maintain such systems. A disruption of computer systems in the U.S. could cause a significant disruption to daily life. A lack of confidence in U.S. computer systems – such as with one’s bank account or regional air traffic control system – would indeed affect confidence but would not, alone, decisively change state relationships.
|FORM OF CYBER ATTACK||LIKELIHOOD||LIKELY U.S. RETALIATION VIA CYBERSAPACE|
|Strategic Cyber Attack apart from any political crisis (‘out of the blue’)||Unlikely: conceivable but unlikely||Most Likely/Most Appropriate: to match civilian damage suffered|
|Strategic Cyber Attack in concert with a political crisis||Moderately Likely: however, parties will likely harden cyber defense as the crisis unfolds, making a successful attack harder to achieve||Likely/Appropriate: to match civilian damage suffered|
|Strategic Cyber Attack in concert with an all-out state-on-state war||Likely: however, parities will fear mutual strategic cyber-attack on infrastructure and Command and Control and harden cyber defenses and therefore may instead practice mutual restraint||Likely: to match or exceed military and civilian damage suffered in order to seize initiative and control escalation|
|Theater or tactical cyber-attack in concert with regional conflict||Likely: such attacks will be tactically oriented, minimalist and integrated into the theater conflict||Likely: to match or exceed theater conflict intensity and adversary actions|
|Espionage||Most Likely||Somewhat likely: some actions may be conceivable to attack individual actors or states for exceptionally grave state losses|
|IP Theft||Most Likely||Somewhat likely: some actions may be conceivable to attack individual actors or states for exceptionally grave state losses|
|Terrorist Use of the Internet||Most Likely||Likely|
Although cyberspace is now considered the fifth domain of warfare by the U.S. Department of Defense – the others being land, sea, air, and space – cyberspace operations ought not to be viewed as separate, stand-alone military options apart from the other domains. Many analysts often view and analyze cyberspace as a military domain in which states fight and remain in exclusive of the other domains. But, in fact, the U.S. defends itself in all domains and uses military forces in all domains in a manner and combination it chooses. There is, or should be, nothing different about cyber warfare, or, more accurately, warfare via cyberspace. Warfare involves all domains; the addition of the cyber domain does not change how warfare is conducted – all domains can be or should be involved all the time.
The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the U.S. Government, the Department of Defense, or the National Intelligence University.