Throughout history, classical military and political thinkers have attempted to codify the universal truths of warfare. Sun Tzu’s The Art of War, Clausewitz’s On War, and Machiavelli’s The Prince each attempt to synthesize warfare to salient essentials to be followed. At the same time, continued evolution in weapons technology necessitates that these truths be reexamined and revalidated.
Many of these advancements, like the development of the crossbow, the advent of the dreadnought, and the emergence of air power, have each forced leaders to understand their new capabilities and determine how to maximize their effect while determining if the fundamental truths of armed conflict remain intact. This periodic re-examination is natural and cyclic. With the integration of a new weapon system, tactic or capability, the fundamental role of that advancement must be understood. Sometimes this is done during peacetime, such as with the modern tank and armored warfare; at other times, the essential nature of a new capability only emerges during conflict, such as the airplane during World War I or the drone during the Global War on Terror (GWOT).
The Military Application of Cyber Effects (MACE) requires that commanders understand the capabilities and limitations of cyberspace operations. In order to establish a baseline for discussion, we must review some basic definitions. Joint Publication 1-02, the Department of Defense’s official dictionary, lists the definition of cyberspace as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processor and controllers,” and cites Joint Publication 3-12, Cyberspace Operations, as its source. Joint Publication 3-0, Joint Operations, defines cyberspace operations as “the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.” A final foundational point to be highlighted is that, of the five domains (sea, air, land, space, and cyberspace), cyberspace is the only manmade domain; therefore, the domain itself is subject to be changed by MACE.
The following truisms may look familiar to some of you. They are many of the same principles first defined by now retired Army Col. John Collins to describe Special Operations Forces. Not surprisingly, many of these have a strong corollary with the nation’s ambitions for cyber capacity and should be taken to heart.
Humans Are More Important Than Hardware
For better or worse, we all use the same x86-based and ARM processors built in the same forges. We all use the same operating systems. We all acquire SCADA (supervisory control and data acquisition) from the same vendors. We all use the same routing protocols. So people make the difference in cyber operations. Computers and sensors are deterministic and, while they can act on a set of pre-determined rules, they cannot make intelligent decisions. Further, any eventualities leading to a case that has not been previously defined result in either a default case or an error state. What this means is that computers blindly follow orders and do not adapt.
All cyberspace effects attempt to put the adversary’s cyberspace capabilities in this error state in order to force the human at the other end to make a decision advantageous to friendly forces. This is a subtle but important point: The real target of any cyberspace effect is the human at the other end of the sensor or network. Computers and sensors do not understand human psychology, nor can they explain human behavior. Further, the exploitation of any cyberspace capability really exploits the flawed logic of the human who built the capability in the first place.
Additionally, for now at least, any discussion of artificial intelligence is moot. As any real computer scientist will tell you, artificial intelligence is nothing more than a series of parlor tricks that result in the appearance of “intelligent decisions” based on algorithm models and statistics. The best example of a human prevailing over artificial intelligence is when the chess Grandmaster Garry Kasparov played against IBM’s supercomputer Deep Blue in 1996. After Deep Blue handily beat Kasparov in the first of six matches, Mr. Kasparov changed his normal tactics and ended by winning four of six matches.
Contrary to popular belief, cyberspace operations do not require computational capabilities to be in abundance. They do require that the forces employing those capabilities do so in a manner that targets critical capabilities and critical vulnerabilities at a time and place to achieve the desired military effect. That effect must make progress to achieving an objective. That objective should support meeting the commander’s intent. These forces must be intelligent and well-trained in order to employ capabilities to achieve desired effects while denying adversaries the ability to meet their operational objectives.
What this really means is that economy of force is required in cyberspace operations much as it’s required in every other warfare domain. We have become addicted to multi-gigabit connections, terabytes of storage, and gigaflops of processing power; however, the delivery vehicle for a “cyber weapon” is an exploit that all too often is only a few bytes in size. Likewise, the payload for these exploits is often not more than a couple of hundred kilobytes. As an example, the Metasploit open-source framework contains a fully interactive back door which is 22 bytes in size. Please go back and read that last comment again; it is 22 bytes. If exploits are so small and require so few computing resources, why can’t everyone exploit a system? The answer should be self-evident: as with Special Operations Forces, not everyone has the innate talent or necessary intellect to be trained to a uniform standard to do so.
The Quality of the Force is More Important Than the Quantity of the Force
A small force of carefully selected, trained, and led personnel is preferable to large numbers of personnel who may not be up to the task. The Mythical Man-Month, by Fred Brooks, showed the folly of believing that adding more personnel to a software project equated to more productivity. The Military Application of Cyber Effects, by its very nature, is asymmetric. A distributed denial of service (DDoS) is an inelegant, easily detectable computer network attack that is conducted by exhausting a system resource — in short, a brute force maneuver. Through the use of automation and amplification techniques, however, a DDoS of even a very large enterprise network can be conducted by a single individual.
An example of the other end of the cyberspace capability spectrum is the requirement for covert data exfiltration or manipulation. Covert data exfiltration requires the surreptitious removal of data. More personnel involved in this type of operation from within a resource will mean more “noise” and a higher likelihood of detection and mission failure.
In 1965, Gordon Moore, a co-founder of the Intel Corporation, observed that the number of transistors in integrated circuits doubles approximately every two years. His prediction came to be known as Moore’s law. David House extended Moore’s law by saying that along with the number of transistors present, processing power doubles every eighteen months. A “zero-day” exploit is a computer exploit against a vulnerability that becomes publicly known only after it has been weaponized and used. It is the “skunk works” of cyberspace capabilities and a best-case scenario for many offensive cyberspace operations.
However, unlike the Skunk Works research that has produced surveillance aircraft that are still flying 50 years after delivery, the average lifespan of a zero-day exploit is generally considered to be about one year. Imagine if the military had one year to use up the entire inventory of Tomahawk missiles from the date of first fielding. The shelf life for an offensive cyberspace capability is tremendously short, yet may still require large amounts of time, money, and other resources to develop. Meanwhile, our adversaries face the same issues. Our understanding of a given adversary’s offensive cyberspace capabilities must keep up with its inventory rotation.
Cyber forces must be consistently employed and trained in order to keep up with the pace of technology and to be fully qualified to use the current inventory of cyberspace capabilities. Assigning a true cyber subject matter expert for even one 18-month tour outside of cyberspace operations requires an almost complete retraining and recertification. Much like Special Operations Forces, cyber operators who work outside their field lose their edge … only they do so now at the speed of Moore’s or House’s law.
Competent Cyberspace Operations Forces Cannot be Mass-Produced or Created After an Emergency Occurs
Competent, let alone proficient, cyberspace operations forces cannot be created quickly or easily. In order for computing resources to be exploited, operators must understand their target down to how an individual bit traverses and is manipulated by a processor. All processors operate differently in some very fundamental ways. Desktop computers, smart phones, routers, switches, network printers, and Voice over Internet Protocol (VOIP) have very different processors and architectures that require very different offensive and defensive techniques, yet they all could be Critical Infrastructure/Key Resources (CIKR) and valid military targets. The type of expertise required to successfully operate in this space requires years of academic education and training and even more time to hone academic lessons into operationally relevant expertise.
Employment of fully competent and capable cyber forces on short notice requires constantly available and ready teams during peacetime. Even in cases in which individuals may possess the necessary skills and expertise to be a competent cyberspace operator, the standard military values of unit cohesion, intimate knowledge of team members’ capabilities, and unquestionable clarity of directions are still required for the force to operate effectively. The speed of cyberspace operations requires that operators be able to effectively predict their team members’ actions. That kind of unity and synergy can only be achieved through long-term training and employment of tools, techniques, procedures and operation as a cohesive unit.
On average, the Navy requires surface warfare officers to go through approximately 15 years of operational experience before we let them take command of a sea-going asset, yet we’re expecting cyber national mission force officers with less than two years’ training and, in many cases, no relevant operational experience to take command of cyber mission teams. This is a recipe for the kind of abject failure not seen since Desert One, the 1980 aborted attempt to free 52 American diplomats held captive at the Embassy in Tehran.
Cyberspace operators need to have enough academic, technical, and tactical experience to adjust to changing conditions and adjust tools, techniques, and procedures on the fly to react to operational realities because the enemy gets a vote. In a domain where an action can traverse the globe in 600 milliseconds, the ability to adjust capabilities and tactics to changing operational situations must be organic to the team. When adversary malware is detected on operational networks, we cannot afford to package up a hard drive and air mail it to Navy Cyber Defense Operations Command and await a malware analysis report and mitigation recommendation. When a tool fails to operate, the firing unit may not have time to go back to the author to determine why; they must have the innate ability to adapt and overcome. When operating in contested space, there may not be time to go back to DIA or NSA for a full intelligence analysis on what an operator is seeing live on a network. This type of agility, specialized training, flexibility, and operational savvy simply cannot be mass-produced.
All Cyberspace Operations Require Support from Non-cyber Forces
As previously discussed, the Military Application of Cyber Effects is inherently asymmetric and should therefore be used as a force multiplier for other forces. Additionally, cyber forces require “beans and bullets” much as any other force. Survivable infrastructure, equipment procurement, training, facilities, sustenance, basic utilities, force protection, engineering, intelligence analysis, and more are required by cyberspace forces, but are not capabilities organic to those operational units. Rare will be the case when a cyberspace actor will operate alone and unafraid without significant external support. Additionally, cyber forces alone will not win a conflict. The effectiveness of MACE and cyber forces cannot be realized without the support of the joint services. That said, while for the foreseeable future cyber will be a supporting arm, one can imagine a future where cyber is the lead element supported by conventional traditional military art.
The Military Application of Cyber Effects and the forces that employ MACE will not be successfully integrated into doctrinal military planning and operations unless we can speak in the same doctrinal terms used by our brothers and sisters in arms. We cannot be successfully employed or considered for employment until we can explain what we bring to the fight in terms understood by our fellow Sailors, Marines, Soldiers and Airmen. To proficiently apply MACE, a professional core of operators must be created whose primary training and operational expertise and mission is cyberspace operations. This cannot be accomplished by existing military specialties that are conducting cyberspace operations between other specialty requirements; six months of training and an industry certification are not going to cut it.
Cyberspace must be brought into the planning process at inception. Building an operational plan and then “sprinkling” cyber on after the fact will lead to disjointed operations and effects and will yield nothing but failure. If cyber is to be a warfare area like air, surface, land, and subsurface warfare, it must be treated as such with a full-time and proficient body of experts, tactics and doctrine. We need to be honest with ourselves and others about what capabilities are realistic and what effects are achievable; recognizing this is paramount to proper integration with other warfare areas.
Cmdr. Pablo C. Breuer is the N6A, Deputy Assistant Chief of Staff for C4I, for Commander, U.S. Naval Forces Central Command/U.S. 5th Fleet (COMUSNAVCENT/C5F).