A Theory of Cyber Warfare – Part 1

A theory of Cyber Warfare must first be bounded. It would be difficult to formulate an elegant and cogent theory that could encompass the nearly limitless applications cyber technology could have to every realm of human affairs including diplomacy, intelligence, economy, crime and terrorism. However, when focusing exclusively on cyber warfare and the application of cyber capabilities to military objectives, it is much easier to develop a theory.

Secondly, it is logical to build a theory of cyber warfare upon existing theories of warfare if possible. Given that the cyber domain has the most in common with the sea and air domains, it follows that the cyber theorist should first attempt to draw from theorists of naval and air warfare. This theory builds off of the work of naval theorist Julian Corbett and air power theorists William C. Sherman.

A Maritime Analogy: Corbett on Naval Warfare

In his book Principles of Maritime Strategy, Julian S. Corbett identifies the objective of naval warfare as command of the sea. “Command of the sea… means nothing but the control of maritime communications, whether for commercial or military purposes.”[1] This concept of controlling the sea lines of communication relates directly to cyber warfare. The cyber domain is ultimately a domain of communication; therefore controlling the digital lines of communication becomes the primary object of cyber warfare.

Corbett goes on to divide command of the sea into three categories: securing command, disputing command and exercising command. According to Corbett, securing command means, “putting it out of the enemy’s power to use effectually the common communications or materially to interfere with our use of them.”[2] Corbett says one can secure command either by obtaining a decision (decisive victory) against the enemy fleet, or by blockade.

There are comparisons to both these types of actions in cyber warfare. Obtaining a decision is comparable to one side’s cyber force aggressively seeking out and neutralizing the other side’s cyber defense capabilities. Having eliminated the enemy’s ability to resist, the cyber attacker then has unlimited control of the digital lines of communication. The comparison for a blockade is the Distributed Denial of Service attack (DDoS), currently one of the most common types of cyber attack. The DDoS uses a “botnet,” or network of willing and unwilling computers, that combine their processing power to send a barrage of information packets that will completely overload the target’s servers. The DDoS, like a blockade, prevents any information from going in or out of the target system.

When unable to secure command, Corbett advocates at least disputing command. One can dispute command either with minor counterattacks or with the omnipresent threat of the “fleet in being.”[3] The former seems to lend itself more to cyber comparisons. Belligerents who do not have the capability to completely dominate or shut down the opposing network will often stage limited attacks to harass, deface and disrupt enemy communications and digital activity.

Finally, once a force has secured command it is it is then able to exercise command. “We engage in exercising command whenever we conduct operations which are directed not against the enemy’s battle-fleet, but to using sea communications for our own purposes, or to interfering with the enemy’s use of them.”[4] Essentially, the benefits of exercising command are the reward of effectively securing command.

Corbett gives three main examples of exercising command: Defense against invasion, attack and defense of commerce and attack, defense or support of military expeditions. All of these variations can apply to cyber warfare. Once a side has secured command of the digital lines of communication, it can use its cyber dominance to defend itself, attack/steal enemy information or assets, or support military operations. In summary and for future reference, the following is Corbett’s own outline of his theory…

  • Methods of securing command: 
    • By obtaining a decision. 
    • By blockade. 
  • Methods of disputing command: 
    • Principle of “ the fleet in being.” 
    • Minor counterattacks. 
  • Methods of exercising command: 
    • Defense against invasion. 
    • Attack and defense of commerce. 
    • Attack, defense, and support of military expeditions.[5]

An Aerospace Analogy: Sherman on Air Warfare

Major William C. Sherman’s book Air Warfare, published in 1926, came at a particularly critical time in the evolution of airpower. Sherman lived in a time when air warfare was still extremely young and unestablished. Today it seems obvious that warplanes should be separated into various types such as bombers and fighters and that each of these types should possess certain characteristics. For example, fighters should be fast and maneuverable while bombers should be able to carry a heavy payload.

However, in Sherman’s time none of these ideas were firmly established and they therefore required a great deal of thought and consideration before they solidified. Sherman bases much of his theory on the experience of World War I. In early World War I, it was impossible to develop a theory of air warfare because air combat was so young that adversaries had not yet learned to oppose each other in the air or with effective ground fire. Thus, all air actions were relatively unopposed. 

Given the Clausewitzian conception of warfare as a “duel,”[6] early air warfare could embody no theory because there was no duel, only one-sided, unopposed action. This can be compared to early forms of cyber attack where the adversaries were so unprepared that there was no real conflict from which to draw lessons.

By the end of World War I however, aircraft had developed through trial and error, a set of elementary air warfare practices. Aircraft had clashed in the air, struck ground targets and air defense had developed effective means of shooting down aircraft. However, all this had taken place on a limited scale and Sherman faced the challenge of applying these limited lessons to the expanding future of possibilities. “As we go forward in the direction of larger numbers [of aircraft], the foundation of historical fact becomes more and more insecure.”[7]

This was the experiential setting for Sherman’s book and also reflects the setting for this theory on cyber warfare. Cyber warfare is still in its infancy but there have been limited cyber clashes where cyber warriors have faced off, exchanging blows in offensive and defensive action. What remains is to characterize and codify the lessons of these limited actions in order to set the groundwork for the expansion and evolution of cyber warfare.

To illuminate the nature of air warfare, Sherman begins by identifying key characteristics that aircraft should have in different balances and quantities in order to be effective. For Sherman, these characteristics included speed, useful load, structural strength, landing speed, rate of climb, ceiling, maneuverability, power, visibility and ease of maintenance.[8]According to Sherman, “factors that enter into design must be understood before proceeding to a study of tactical methods.”[9] This principle applies equally to cyber warfare and therefore this theory identifies three functional characteristics critical for cyber effectiveness: survivability, processing power and maneuverability.

Sherman also divides his characteristics into those belonging to aircraft themselves and those “outside of the machine itself, which may enter with decisive effect.”[10] For air warfare, these external or physical characteristics of the environment mostly relate to weather. However for cyber warfare they take the form more of general properties of the electromagnetic spectrum and digital networks. The three physical characteristics of the cyber domain are ubiquity, the digital coastline, and real-time evolution. 

Applying Sherman’s methodology to cyber warfare, it is possible to build off of the strategic foundation laid by Corbett and identify the specific physical and functional characteristics that make cyber warfare unique. Following this, the next step is to determine the specific types of capabilities that yield effectiveness in cyber warfare. Just as Sherman identified specific types of aircraft that could exploit the physical and function characteristics of the air, it is possible to identify forms of maneuver to exploit the physical and functional characteristics of cyberspace.

Physical Characteristics of the Cyber Domain 

Building off the theoretical framework derived from naval and airpower theorists, the next step is to identify the characteristics of the cyber domain and how it is either similar to or different from other domains like the air or the sea. The physical characteristics of hardware, software and the transmission signal are similar to the terrain or weather in other domains. The physical characteristics generate the constraints and boundaries to actions in the cyber domain, just as roads, mountains and rivers constrain the land domain. The three main physical characteristics of the cyber domain are ubiquity, the “digital coastline” and constant modification.

Ubiquity 

The cyber domain shares the characteristic of “ubiquity” with the air domain. The cyber domain is the electromagnetic spectrum and the vastness of that spectrum creates almost unlimited possibilities. In this way it is similar to the air domain. There are countless possibilities of what you can employ in the air, anything from missiles to aircraft to dirigibles. The air domain itself, just like the cyber domain, is an open and relatively unconstrained environment where a multitude of actions can take place.

The Digital Coastline (or Electromagnetic Coastline)

Unlike the air, the cyber domain only comes into contact with the other domains at given points. In this way the cyber domain is similar to the sea. Both the sea and the electromagnetic spectrum have a “coastline.” A warship cannot target the center of the Asian landmass without crossing over into the “air” domain by using missiles. Likewise, cyber weapons can only target objects that are either within the cyber domain, or on the coastline of the cyber domain where cyber meets the physical world. A force that is completely unconnected from technology is not vulnerable to cyber attack just as a land-locked country is not vulnerable to amphibious assault. Thus, like naval forces, cyber capability is physically limited.

Real-Time Evolution

The cyber domain is similar to the urban environment in the sense that humans created it. Any land soldier knows that the urban environment presents some of the most complex and confusing terrain imaginable, including sewers, skyscrapers and subways. The cyber domain is even more tangled and complex. To make matters worse, the cyber domain changes and evolves at an exponentially faster rate than the urban domain or any other domain for that matter. 

Fighting in the cyber domain could be similar to fighting an urban battle where the buildings were being built, destroyed and reconfigured in the midst of the action. The cyber domain is evolving faster than any other environment. Not only do structures change but the very nature and “laws of physics” within the environment are subject to change as well. This means it is very difficult to plan ahead in cyber warfare.

Functional Characteristics

As Sherman has explained, in air warfare, certain characteristics offer an advantage. For example, in fighter aircraft, maneuverability is essential for winning air-to-air engagements. The ability to carry a heavy payload is an important characteristic for bombers. Likewise, in cyber warfare, certain characteristics offer an advantage namely survivability, processing power and maneuverability.

Survivability

Survivability is a valuable characteristic in all forms of warfare. In the cyber domain a variety of factors determine the survivability of a network. Three of the most common methods to improve survivability are the air gapped network, multiprotocol networks and redundant systems. Each one of these methods takes advantage of a different aspect of cyber terrain. Air-gapped networks benefit from the digital coastline. Multiprotocal networks benefit from real-time evolution. Redundant systems benefit from ubiquity.

The first and most simple is a closed network or “air-gapped” network. An air-gapped network uses cyber terrain to its advantage by completely removing itself from the digital coastline. An air-gapped network is isolated from the rest of the internet and there is no physical connection running outside the network. This type of network is the most secure.[11] However, an air-gapped network is still vulnerable to attack by software carried in physically on a disk or portable drive.

Another factor that can increase survivability is the multiprotocol network.[12] The multiprotocol network takes advantage of cyber terrain’s real-time evolution, just like an urban defender benefits from the web of manmade structures, walls and barriers found in a city. Multiprotocol networks can appear inconvenient on the surface and sometimes even emerge by accident. Examples of multi-protocol networks can be found in many DoD organizations that use multiple systems and software programs that cannot talk to each other. This is inconvenient for the user but also inconvenient for the potential attacker. Malicious software can find it impossible to cross over from one protocol or operating system to another.

A variation on the multiprotocol network employs “virtualization,” where a virtual, software-based operating system is imbedded within another operating system. Examples of virtualization software include commercially available programs that allow a user to run a virtual PC on an Apple computer. In these types of cases, the virtual machine could be attacked and infected but the effects would not spill over to the host system. Because multiprotocol networks and virtualization are manmade obstacles, their robustness and complexity are limited only to the imagination. Also, as mentioned before, unlike urban fortifications that take a long time to build, digital fortifications are constantly changing and evolving at an incredible speed.

Redundant systems capitalize on the ubiquity of the cyber domain and offer yet another way to increase a network’s survivability. The most effective way to employ a redundant system is to keep it hidden from the adversary. Therefore, even if a cyber attack is successful, the attacker will not be able to locate and destroy the redundant systems and backups hidden in the vast expanse of cyberspace. Redundant systems are more effective because they can go anywhere and hide anywhere. Hackers can use this same principle to their advantage as well. The ubiquity of the cyber terrain offers endless possibilities for escape and concealment.

Processing Power 

Processing power is the most straightforward functional characteristic within the cyber domain. Processing power can be compared to firepower in conventional warfare. Greater processing power offers more options to the cyber defender or attacker. A supercomputer can break into an encrypted server in a matter of seconds where a home computer might take years to accomplish the same task. Like firepower, sometimes processing power alone is enough to achieve victory in an attack without the need for maneuver.

In addition, there is an ongoing evolution in the nature of processing power that is also tied to the ubiquity of the cyber domain. More and more, cyber attackers are using botnets to achieve dramatically greater processing power. As previously explained, a botnet uses the combined power of many computers scattered all over the global network. Sometimes the owners of these computers are willingly assisting the botnet, other times they may be unwitting accomplices. Either way, botnets demonstrate a way to capitalize on the ubiquity of the cyber domain to achieve processing power on par with a supercomputer.

Maneuverability

Maneuverability in cyberspace can be “logical” or “physical.” Logical maneuver takes place at the software level as programs and data move around a network. Physical maneuver is the actual physical transport of hardware from one location to another. In both cases, greater maneuverability offers a marked advantage. Ultimately, an advantage in maneuverability means the ability to act before the enemy does, change faster than the enemy does and move quickly enough to avoid enemy attacks.

While the characteristic of maneuverability is relatively quantifiable and straightforward, the application of maneuverability is much more complex. Cyber maneuver capitalizes on maneuverability to achieve an objective. Like maneuver in land warfare, effective action often combines an array of moving and stationary forces as well as assaulting and supporting elements. Unlike survivability and processing power, the characteristic of maneuverability has limited intrinsic value and must be linked the action of maneuver towards an objective.

Forms of Cyber Maneuver

After laying out the physical and functional characteristics of air warfare, Sherman went on to describe the various categories of aircraft and their applications. Sherman’s categories of capabilities included, observation, pursuit, attack, bombardment, air defense and logistics.[13] In cyber warfare it appears that there are not currently clearly defined types of platforms like fighters and bombers, however, the division of capabilities still exists and can be more accurately characterized as different forms of maneuver.

The possible forms of cyber maneuver are endless. However, not all actions in the cyber domain can be characterized as maneuver. Passive or static actions such as employing a firewall or air-gapped network are not maneuver. Furthermore, a single attack, seeking an advantage only in volume is not really maneuver either. Therefore, a DDoS attack is likened more to an artillery bombardment or “attack by fire” than it is to maneuver. Static elements or bombardments can form part of a maneuver, but there must also be a moving or changing element in the equation.

The three most common forms of cyber maneuver are evasive maneuverinfiltration and penetration. Evasive maneuver can be logical or physical and exploits all aspects of the cyber terrain (ubiquity, digital coastline and real-time evolution) to avoid and hide from an attacker. Infiltration can also be logical or physical. It exploits ubiquity or breaches the digital coastline to find a gap in enemy defenses and gain access without detection. Penetration is generally logical and capitalizes on real-time evolution, using innovation and superior software to force entry into an enemy network.

Evasive Maneuver 

Evasive maneuver can take advantage of all aspects of the cyber terrain. Cyberspace is so vast and ubiquitous that finding a target can be difficult. Targeting becomes even more difficult when the target is maneuvering to avoid detection. It is also important to note that evasive maneuver is not inherently defensive. Rather, a cyber attacker can maneuver to evade an enemy defense or counterattack.

Evasive maneuver can be logical, as in the case of changing an IP-address or changing to a different operating system. Such a simple change can throw off an attacker and buy time for a defender. Logical maneuver generally exploits the complex, real-time evolution of the cyber domain. The relevant microterrain for logical maneuver becomes the manmade servers, operating systems, protocols, firewalls and software that populate the network.

Evasive maneuver can also be physical, involving the physical movement of computers and servers from one location to another. Physical evasion generally exploits digital coastlines and has the advantage of avoiding physical attacks like malicious thumb drives.

A variation on evasive maneuver is the counterattack. The counterattack is simply an evasion, followed by an attack. Sometimes the enemy, in the act of attacking, can unknowingly leave himself exposed. The counterattacker aims to exploit this vulnerability. A counterattack also serves the purpose of blocking or disrupting the enemy’s ability to pursue. If a defender only evades, the enemy can follow. If the defender evades and then counterattacks, the attacker might lose momentum.

Another factor that makes cyber maneuver different from maneuver in other domains is that the lines blur between the physical characteristics of manmade terrain and functional characteristics of maneuverability. In other words, the terrain itself can maneuver. As previously mentioned, this would be similar to engaging in an urban fight where the enemy was able to build, destroy and move buildings in real time. This phenomenon greatly expands the realm of possibility when it comes to cyber maneuver, particularly evasive maneuver.

Infiltration 

Infiltration exploits ubiquity to find a gap in enemy defenses and allows attackers to gain access to a network unopposed. Like evasive maneuverinfiltration can be logical or physical. A logical infiltration involves finding a gap or weakness in enemy software. Physical infiltration involves breaching the digital coastline by traveling to a physical location where a network is vulnerable. Examples of physical infiltrations might include connecting a thumb drive to a closed network, or splicing communication cables to intercept enemy communications. 

The defining characteristics of infiltration are that it looks for an existing gap in the enemy defenses and that the infiltrator aims to avoid detection. Often, if an infiltrator is detected, the mission will fail, even if the operation is already over. For example, if an infiltrator gains access to a closed system using a thumb drive and is collecting intelligence on the enemy, he will only be able to continue collecting intelligence as long as the enemy is unaware of the breach. As soon as the enemy detects the infiltration, they will execute an evasive maneuver to escape.

A variation on infiltration is the “stay behind” operation. The term stay behind operation stems from US Army Special Forces doctrine during the Cold War. The plan was for Special Forces teams to infiltrate enemy lines simply by hiding in place and letting the advancing enemy roll over them. This same concept appears frequently in cyber warfare. It is possible to gain access by allowing your enemy to steal malicious software or unknowingly buy hardware with malicious code already imbedded in it.

Penetration 

Penetration differs from infiltration in that it creates a gap in the enemy defenses instead of looking for an existing gap. Penetration is also more difficult to accomplish without being detected. Penetration is generally logical and employs some new software innovation to overwhelm the enemy defenses in an unexpected way. Therefore, penetration and its potential counters take advantage of real-time evolution of the cyber domain. The essence of penetration is similar to the introduction of a secret decisive weapon on the conventional battlefield. When the new weapon appears, it dominates an unprepared and unsuspecting enemy.

Like the employment of a secret weapon, attackers should save penetrations for decisive moments in the battle. Unlike infiltrations, which can remain active for years without alerting the enemy, a penetration immediately triggers an enemy response. As soon as the enemy identifies that its networks are vulnerable, the enemy will rapidly take action to fix the problem and guard against future penetrations of the same type. 

This is much like the limited time window of a dominant weapon on the battlefield. The more dominant the weapon, the faster the enemy will move to counter it.[14] Because of the cyber domain characteristic of real-time evolution, defenders are able to develop countermeasures even more rapidly. Thus, surprise and timing are essential to an effective penetration. More than in any other domain, an innovative penetration of an enemy system is unlikely to work more than once.

Conclusion and Summary of Part 1

Just as Corbett provides an outline of his theory, below is the outline for our theory of cyber warfare. Corbett’s work is included as a strategic foundation. Building upon that foundation are the physical and functional characteristics of cyber warfare, followed by the forms of cyber maneuver.

  • Methods of securing command: 
    • By obtaining a decision. 
    • By blockade. 
  • Methods of disputing command: 
    • Principle of “ the fleet in being.” 
    • Minor counterattacks. 
  • Methods of exercising command: 
    • Defense against invasion. 
    • Attack and defense of commerce. 
    • Attack, defense, and support of military expeditions.[15]
  • Physical characteristics:
    • Ubiquity
    • The Digital Coastline
    • Real-Time evolution
  • Functional characteristics:
    • Survivability
    • Processing power
    • Maneuverability
  • Forms of cyber maneuver
    • Evasive maneuver
    • Infiltration
    • Penetration

This concludes the first part of “A Theory of Cyber Warfare,” by the Hybrid Defense Academy staff writers. The next article in the series will focus on specific case studies illuminating the theoretical concepts discussed above.

NOTES:

[1] Sir Julian Stafford Corbett. Principles of Maritime Strategy (New York: Dover, 2004),   Kindle edition, 90

[2] Ibid., 165.

[3] Ibid., 168.

[4] Ibid., 235.

[5] Ibid., 168.

[6] Carl von Clausewitz. On War (Princeton: University Press, 2008), Kindle edition, 75.

[7] William C. Sherman, Air Warfare (Maxwell AFB: Air University Press, 2002), 117.

[8] Ibid., 45.

[9] Ibid., 35.

[10] Ibid., 53.

[11] Franklin D. Kramer et al. Cyberpower and National Security (Washington: Potomac, 2009), Kindle edition, 289

[12] Ibid., 186.

[13] Sherman, vii.

[14] Edward N. Luttwak. Strategy: The Logic of War and Peace (Boston: Harvard, 2002), 144.

[15] Corbett, 168.

Related Articles

Responses