Cyber Warfare and Compellence
What does it mean to compel an adversary? For classical scholars, Clausewitz answered that “War is an act of force to compel an adversary to do our will.” It is a violent act that is instrumental in achieving a political aim. (Clausewitz 1832) This theoretical conception of warfare is significantly challenged by the advent of the cyber domain because this virtual battlefield lacks the bloody destructive character which has always typified warfare. How does one know if they are even at war if no one is dying, buildings aren’t being bombed, and enemy forces are nowhere to be seen? The central argument of Thomas Rid’s book “Cyber War will not take place” is that because cyber operations lack this violent character we have never truly known cyber war and will unlikely see so in the future. Cyber operations are nothing more than virtualized extensions of espionage, sabotage, and subversion rather than true acts of force that compel an adversary. (Rid 2012) In a survey of modern state-sponsored cyber attacks, Jensen et al found that cyber operations rarely, if ever, cause states to change their behavior. (Jensen, Valeriano, and Maness 2017) This paper argues that cyberattacks are poorly suited for making and enforcing compellent threats because of their inherently covert nature and instead are best applied as an enabler of, and integrated with, more traditional levers of national power.
Compellence and Coercion
Thomas Schelling introduced the concept of “compellence” in the 1966 book “Arms and Influence.” Compellence refers to the active threat and use of force to shape an adversary’s behavior and force them to yield. (Schelling 1966) While deterrence relies on preventing action through fear of consequences, compellence seeks to force action through fear of escalating consequences and the continued application of the “power to hurt.” (Schelling 1966) As Schelling noted, “The threat which compels rather than deters often requires that the punishment be administered until the other acts, rather than if he acts.” (Schelling 1966) As further clarified by Atkinson, “Compared to deterrent threats, compellent threats represent a clearer signal that states are attempting to impose costs on the other state.” (Atkinson, Jackson, and Williford 2021) Long before Schelling, Clausewitz wrote that acts of violence must be taken to their logical extreme by either forcing surrender or leaving the enemy completely defenseless: their military crushed, their land conquered, and the will of the people shattered beyond resistance. (Clausewitz 1832) In a modern context, a compellent threat would be Russia threatening to keep the gas pipelines turned off until Germany stops sending arms to Ukraine. A deterrent threat, by contrast, is Russia threatening to turn the gas off prior to NATO arms shipments. If a state has to follow through on its threats then deterrence has failed.?
In “Bombing to Win” Robert Pape provides an overall assessment of the coercive utility of aerial strategic bombing which was seen as the relatively “low cost” option to win wars compared to sending hundreds of thousands of troops to invade. (Pape 1996) Pape conceived of four different types of coercion based on the target: punishment, risk, decapitation, and denial. Coercion by punishment focused on the massive bombardment of civilian population centers such as in WW2. Coercion by risk provided a more escalatory and measured strategy which allowed an adversary to yield to prevent more cities from being destroyed. Coercion by decapitation focused on bombing key nerve centers and eliminating political leaders rendering the enemy defenseless. Finally, coercion by denial targeted the long tail of military logistics to prevent an adversary from being able to rearm and requip and thereby exhaust the force by attrition. (Pape 1996; Venable and Lukasik 2021)?
Cyber Power and Coercion
These strategies of coercion have often been applied to the prospect of cyber power as a new, instant, frictionless means to apply coercive power. Senior American national security officials such as former NSC Counterterrorism Coordinator Richard Clarke,? former Deputy Secretary of Defense William Lynn, and former CIA Director Leon Panetta have repeatedly warned of a “Cyber Pearl Harbor” or “Cyber 9/11” in which a sophisticated cyber attack would cause massive cascading failures across society. Leon Panetta testified that “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” (Bumiller and Shanker 2012) Some unseen adversary could engage in a decapitating first strike to end modern life in America and compel capitulation to their demands. (Clarke and Knake 2010; Lynn 2010; Bumiller and Shanker 2012) As noted by Thomas Rid in 2011 and continues to be true in 2022, such a game-changing decapitating cyber attack has yet to occur and such pronouncements remain the realm of fictional wargames such as seen in the novels “Ghostfleet” or “2034”. (Singer and Cole 2016; Rid 2012; Ackerman and Stavridis 2021)
In evaluating Pape’s theoretical framework for coercion, there is an empirical lack of a true “coercion by punishment” event in the cyber domain. The closest seen so far is an Israeli cyberattack against Iran’s Shahid Rajaee seaport in May 2020 in response to a failed Iranian cyberattack against an Israeli water treatment facility in April 2020. (Baram 2022) What is unique about this particular case is that then-Israeli PM Naftali Bennet openly acknowledged the cyberattack. Bennet stated that “Today it is possible to do things - harm the enemy - through cyber warfare. Now, all you need is a few people and a keyboard. In the end, cyber will become the most prominent area of combat in the future." (Fox 2022) The tit-for-tat cyber games between Israel and Iran represent more of a risk-based strategy than true coercion by punishment as each side is demonstrating capability but not going “all in” in their attempt to compel the other. True strategic punishment campaigns are characterized by massive devastation against a civilian population like the firebombing of Dresden and Tokyo and the Nazi Blitz of London to compel the government to surrender. (Pape 1996) The Israeli scholar Uri Tor would characterize these cyber games as a strategy of “cumulative deterrence” in which Israel and Iran are constantly engaging with one another in a game of costly signaling to establish red lines. The goal is not to prevent all cyber attacks but to use force to punish the adversary enough for transgressions such that they are disinclined from further escalation because you have continuously demonstrated your willingness and capacity to respond. (Tor 2017) Israel has continuously engaged in a disruptive cyber campaign against Iran’s nuclear program but these actions from the original Stuxnet worm in 2010 to the most recent cyber attack against the Natanz reactor site in 2021 have yet to compel Iran to stop their nuclear program. (Baram 2022; Chulov 2021; Jensen, Valeriano, and Maness 2017)
Amongst Pape’s coercive framework, a strategy of coercion by denial is the one most likely to be effective in the cyber domain, however, it operates fundamentally differently than with strategic air bombardment. Air raids target rear staging areas, command centers, fuel and ammo dumps, and airfields to cause the overall war machine to grind to a halt because these assets are cratered. Strategic cyber attacks being used as “shaping fires” would target ISR, navigation, communications, command and control, and logistics. US cyber operations doctrine urges that the goal here is to “degrade” the adversary by targeting their ability to plan and operate in wartime, not necessarily by kinetically destroying the critical assets. (JP 3-12 2018) The Chinese have adopted a “theory of victory” to use cyber attacks against the United States in order to slow down a response to a potential crisis over Taiwan. (Garamore 2021) Chinese military strategy is focused on obtaining asymmetric capabilities to counter what they perceive to be an American Achilles heel: the overreliance on satellites, networks, and other electronic systems needed to operate in wartime. Chinese military planners stress the necessity of, “‘destroying, damaging, and interfering with the enemy’s reconnaissance...and communications satellites,’ suggesting that such systems, as well as navigation and early warning satellites, could be among the targets of attacks designed to ‘blind and deafen the enemy.’”(OSD 2020) Cyber operations, therefore, are part of a broader integrated strategy of “Anti-Access/ Area Denial” (A2/AD) which would prevent or at least severely delay American forces ever reaching the theater and massing for a counterattack.?
The Nature of Cyber Power
Cyber operations fundamentally rely on exploiting unknown or unpatched vulnerabilities in computer networks and systems. Theoretically, cyber operations shift the offense/defense balance in favor of the attacker who can use a plethora of free tools to find a single weakness to gain a toehold in the network while defenders must work around the clock to monitor and patch every possible attack vector. It is far cheaper and easier to use malicious code than it is to send a special forces team and thus makes the option for sabotage much easier. (Rid 2012) However, malware is very brittle and a simple software update could plug the vulnerability which an entire operation relies upon, rendering years of work worthless. This is why agencies such as NSA, CYBERCOM, or the Israeli Unit 8200 are so loath to discuss their capabilities with any specificity. When former National Security Advisor John Bolton acknowledged in June 2019 that CYBERCOM was targeting the Russian power grid for potential cyber operations he gave no specifics on what America could or would do. Bolton only stated that “[We] say to Russia, or anybody else that’s engaged in cyber operations against us, ‘You will pay a price.’” Even acknowledging such a broad target set could disrupt ongoing operations as the Russians are now forewarned to upgrade and patch their systems, potentially discovering and neutralizing the backdoors which CYBERCOM is using to maintain its access. Cyber weapons require constant upgrades and pruning in order to remain effective because of the rapid cycle of software updates. For CYBERCOM to hold the Russian power grid at risk, for example, cyber operators would need to work continuously to develop and maintain multiple access points and repeatedly test and change out exploit shellcode to stay current with the underlying target system.? The useful lifespan of malware can be incredibly short and decays exponentially once the vulnerability is publicized necessitating absolute secrecy to safeguard these investments.?
Cyber operations are covert by nature not just to protect their effectiveness but also to safeguard these capabilities from being co-opted by the adversary. A unique predicament of cyber operations is that by using such malware not only do you disclose the knowledge of these vulnerabilities you also are potentially giving away extremely dangerous malware to the enemy to be used against you in the future. As Eugene Kaspersky, founder of the Kaspersky security lab which first reported on the Stuxnet malware remarked, “It’s not possible to copy-paste a cruise missile after it was used; even if you have the cruise missile in your hands, not every nation could reverse engineer it and produce the same. But software is software.”(Gibbs 2014) Iran was able to reverse engineer the malware used in the Stuxnet attack and repurpose the data wiping modules as the “Shamoon virus” in a follow up attack against Saudi Aramco in 2012. (Zetter 2015) Once malware is used or exposed in the wild it becomes a free for all. In April 2017, a hacking group known as “ShadowBrokers” released a Top Secret exploit called EternalBlue developed by the NSA which provided a critical level of access to Windows-based computers all over the world. (Newman 2018) This leak led to a global ransomware campaign by North Korean hackers called “WannaCry” which cost billions in damages and severely disrupted shipping operations at Maersk as well as locking hospitals out of patient records across the UK. (Newman 2017) States must therefore make significant calculations about whether a target is worth burning an exquisite cyber capability and potentially never being able to use it again or worse, having it come back to haunt them.?
Cyber and Compellent Threats
An empirical survey conducted by Jensen et al looking at over 100 known instances of state-sponsored cyber attacks between 2000 and 2014 found that they rarely, if ever, cause the target state to make concessions. (Jensen, Valeriano, and Maness 2017) Cyber attacks are regularly used for sabotage, disruption, and subversion but empirically they are yet to be instrumental in coercing state behavior. (Rid 2012; Jensen, Valeriano, and Maness 2017) Rid argues that cyber attacks have never and will never be instrumental in shaping state behavior because they are fundamentally nonviolent and thus lack the same coercive power of traditional acts of force. (Rid 2012) However, it should be noted that states often hold their top-tier cyber capabilities in reserve due to the unique challenges and risks posed by deploying them. (Kaplan 2016; Singer 2014) Perhaps if states demonstrated the true power and potential of the cyber weapons they developed they would be able to induce enough pain in an adversary to extract concessions. Such a strategy would be highly problematic, however, due to the immediate risk of escalation and the aforementioned risk of giving away capabilities.?
The use of cyber operations as the means to enforce a compellent threat is fundamentally problematic not only because of the risk of escalation and blowback but also because of cyber’s inherent unreliability. When the President orders a cruise missile strike on a target he can be reasonably certain that that target will be destroyed as ordered. Cyber operations relying on unpatched vulnerabilities are more an act of faith that those same vulnerabilities will still be present when a cyber mission is ordered. Even if the malware is extensively tested on simulated enemy systems, there is always going to be an underlying risk that the system has been updated and the vulnerabilities patched, rendering the malware useless. It creates a significant credibility issue if a leader issues a threat and is unable to reliably follow through on it. Coercive power is based on the credibility of the specific threat. (Cohen 1978) If President Biden threatened to use cyber operations to halt Russian oil production in response to the invasion of Ukraine, he would have very likely undermined his threat by telegraphing to the Russians exactly where and how to defend themselves. For cyber operations to remain effective they cannot be advertised beforehand.
A truly coercive cyber attack would need to overtly inflict pain on an adversary to extract a political price. The WannaCry campaign by the North Koreans in 2017 sought to rob major institutions in the same manner as online criminal gangs rather than extract political concessions. The North Koreans could've used the same malware to hold the world at ransom until sanctions against it were lifted but would need to do so in the open and thus invite direct retaliation. By not openly acknowledging their operations they can maintain diplomatic cover and extract significant financial gain while minimizing potential blowback. The various cyber powers seem to have tacitly agreed to a strategy of “strategic ambiguity” when it comes to cyber operations in order to maintain operational flexibility. Sean Kanuck, former National Intelligence Officer for Cyber at ODNI remarked, "Currently most countries, including ours, don't want to be incredibly specific about the red lines for two reasons: You don't want to invite people to do anything they want below that red line thinking they'll be able to do it with impunity, and secondly, you don't want to back yourself into a strategic corner where you have to respond if they do something above that red line or else lose credibility in a geopolitical sense." (Pomerleau 2018) Strategic ambiguity enables states to use cyber operations to achieve tactical objectives without triggering obvious retaliation while also providing flexible response options below the traditional threshold of armed conflict.?
Conclusions
Cyber power is most effective when it is used covertly in concert with other forms of national power. It can be used to knock out air defense systems to enable air raids, siphon money out of the bitcoin account of terrorists, and sabotage nuclear enrichment facilities. (Clarke and Knake 2010; US DOJ 2020; Kaplan 2016) Cyber operations are most effective against adversaries which are most reliant on modern digital systems to function. Cyber power can create asymmetric advantages for rising powers like China to level the playing field against a qualitatively superior foe like the United States. Well-planned cyber operations could deny aircraft from taking off, leave troops stranded in the field without higher support, and cause major disruption to logistics. However, we have yet to see a state truly integrate and deploy cyber operations for significant battlefield effects. The direct coercive potential of cyber operations is mitigated by the fact they must remain secret and are also potentially unreliable which undermines the credibility of threats. Given the continued issues with attribution in the cyber domain, it is likely that states will continue to use cyber operations to achieve tactical objectives while refraining from attempting to use cyber power for overt coercion in order to maximize operational flexibility.
领英推荐
Works Cited