Since the dawn of warfare, the prowess of combatants has been defined by how effectively they bring to bear the weapons of their time. Warriors hone their craft over years, their weapons becoming extensions of their own bodies. Whether these weapons be the sword, bow, musket, M-16, or F-35, they change little over the course of a warrior’s career. This, however, is not the case for the cyber warrior. This warrior wields instruments of amorphous design and exotic purpose, known to most as “cyber weapons.”
While the Department of Defense Dictionary of Military and Associated Terms has no definition of “weapon,” the word is used more than 150 times to define various other terms. One of these is the well-known expression “fires,” which is defined as: “The use of weapon systems or other actions to create specific lethal or nonlethal effects on a target.”1 This is of particular interest, as the term “cyber fires” has come into heavy use when referring to offensive cyber operations and related activities.2
If a weapon is said to deliver fires, then the effect of those fires should be specific and known. For example, when detonated 50 feet from a target, the 500-pound Mk 82 aircraft bomb delivers 17 psi of overpressure. Fragmentation of the bomb causes 32 mm of penetration in steel armor plate, and it will generate nearly a 100 percent fatality rate to unprotected human targets at the same range.3 Furthermore, the Mk 82 would be just as effective in destroying a CSK131 as it would a GAZ Tiger (both armored HMMWV equivalents). If a single Mk 82 failed to destroy a given target, the application of additional Mk 82s almost certainly would.
The laws of physics are immutable: When the amount of energy transferred to an object exceeds the strength of its molecular bonds, the result is inevitable. This is the world of kinetic strikes, the world of bombs and bullets. It is not, however, the world of cyberwarfare.
Nevertheless, commanders at sea, in the air, and on the ground require real-world effects from cyber weapons. These commanders also should know the effects will be delivered by a warfare domain of which they have no direct insight or control. The fifth domain of warfare—cyberspace—unlike the other domains, is an entirely human construct. The “laws” of this domain are remade on a near continual basis. Any tactic or tool a warfighter may find effective in one moment could be rendered wholly ineffective in the next with the flip of a single bit.
So where does this leave the notional cyber weapon? Can we make it as effective and reliable as the Mk 82?
Building an Effective Cyber Weapon
The process for developing, testing, manufacturing, and deploying the Mk 82 and similar munitions is well understood. But what of cyber weapons? Suppose a commander was told the effectiveness of a weapon depended entirely on a large constellation of variables, some predictable, many that are not, and some that are unknowable. This is where the Navy finds itself today when attempting to develop and deploy cyber weapons.
Consider just one potential variable when designing a cyber weapon: the target’s operating system. While this may seem simple to account for, note that Microsoft has released 14 major versions of its operating system in the past 15 years.4 Add in both 32-bit and 64-bit processor variants and there are now twice as many variables to contend with. Unlike the Mk 82, which will destroy a vehicle regardless of its make and manufacturer, a variant of a cyber weapon may have to be developed for each of the operating system versions described above to be effective. In addition, this does not account for custom configurations, patch levels, security products, or other applications that may interfere with the weapon’s effectiveness.
The variables to consider when fielding a cyber weapon could reach well into the thousands, if not higher. This assessment, of course, only contends with known variables. Accounting for the probability of unknown factors (such as network link volatility or system memory state) can take what was once considered a simple deterministic process to achieve an effect and turn it to a non-deterministic probability.
In other words, the effect that a cyber weapon brings to bear is often probabilistic in the best-case scenario, and profoundly nonspecific in the worst. Triggering third- and fourth-order effects far beyond the intent of the weapon’s creator is a frighteningly common occurrence.
The Necessity of Covert Action in Cyberspace
Assuming the myriad variables required to develop and test a cyber weapon have been accounted for, the weapon must eventually be fielded. U.S.C. Title 10 and Title 50 authorities define how most cyberwarfare operations should be conducted.5 To the uninitiated, the separation of these authorities appears clear: Title 10 specifies the bounds of offensive military actions in cyberspace; Title 50 authorizes covert activities—most specifically, intelligence collection. However, as most in the cyberwarfare profession are aware, this distinction can quickly break down in practice.6
The central point of conflict in this debate is that most, if not all, Title 10 offensive actions in cyberspace require covert “Title 50–like” actions to enable them. This becomes an issue as the United States tries to replicate traditional show-of-force activities—such as freedom of navigation operations in the South China Sea—in cyberspace. The intent of these activities is demonstrating to adversaries that the United States has both the capability and will to deter any assault against its interests.
The problem in cyberspace is that when a weapon is revealed overtly, in a way that explicitly demonstrates a capability, it likely will be the last time the capability can be used. Unlike the Mk 82, which will impart a specific amount of kinetic force every time it is deployed, a cyber weapon’s use carries with it a specific signature. With each use, the signature of the attack is more likely to be detected and mitigated.7
Worse still is when the vulnerability used to gain access to a target is discovered by the adversary. While signatures can possibly be modified, new vulnerabilities are finite and cannot be created. A show-of-force operation, or any operation that is, by design, meant to be discovered, will result in a capability that is no longer effective and loss of access to target systems. The best hope for retaining reproducible effects is to ensure that cyber-attacks are covert and nonattributable whenever possible and only executed overtly out of necessity.
Access and Tactical Warfare
Assuming the cyber weapon has remained undetected and unmitigated through its initial deployment, how can the Navy and Marine Corps enable its use by commanders at sea and on the ground? In most cases, offensive cyber operations cannot occur without access to target systems, and a weapon predeployed to targets in one geographic region will not help forces located in another.
In the realm of cyberwarfare access equals victory, and as with most victories, access typically is not achieved in a single hour or day; weeks, months, or even years of preparation are required. Furthermore, access to a given network that has taken months of preparation can be lost in an instant.8 New targets that require immediate action cannot not be engaged until appropriate preparation of the battlespace has occurred. This leaves most tactical and operational commanders with little recourse for delivering cyber effects to emergent targets without reaching back to strategic cyberwarfare assets.
As tantalizing as the concept of tactical cyberattacks is, there is a small and quickly vanishing number of use cases in which a previously unknown target could be engaged in this manner. Targets of opportunity in the cyberwarfare domain are few and far between.
The Ground Truth of Cyber Weapons
Given all this, if a cyber weapon’s specific effect cannot be known with certainty, and its effectiveness is reduced exponentially through each use, and it is only effective once access to a system is gained, does it meet the criteria to be called a weapon at all? This question reveals the uncomfortable truth in cyberwarfare: There is no cyber bullet, no cyber bomb, and, in fact, no cyber weapons at all.
What exists is a vast and ever-changing patchwork of semi-interconnected tools and techniques, with capabilities that look less like those of the warrior and more like those of a locksmith, thief, or saboteur. The tools used in this domain are developed in an iterative fashion and tested quickly, often only to ensure basic functionality. They are deployed in this manner because they must be able to maintain relevancy in a domain in which fundamental realities shift like sand under one’s feet.
Unlike the scientists and engineers who developed the Mk 82, cyber capability developers do not have years or decades of research to fall back on. They cannot rely on the immutable laws of nature and physics to ground their assumptions; the laws of cyberspace are being rewritten every hour of every day.
The Way Forward
Given the complexities of cyberwarfare, what is a commander to do if he or she can see the potential for cyber enabled effects but is unsure how to deploy or integrate them? Addressing the following points will provide a realistic assessment of how and when cyber effects could be deployed:
Acknowledge complexity. Commanders must understand that the more complex an order, the more time and resources will be required for its execution. They must realize that, given the myriad variables involved, ordering a new cyber effect on a new target is one of the most complex orders that can be issued.
Prepare your battlespace. Seemingly simple requests may require weeks or longer of prep work. A single antiair battery can be disabled in seconds by a kinetic strike. A similar action could take months for a cyber effect, requiring cyberwarfare elements to penetrate multiple layers of networks and defenses to stage the effect when it is needed. For example, cyber commands that support tactical units must ensure their theaters of operations are prepared well in advance to support tactical-level cyberwarfare activity.
Request effects, not specific capabilities. Shipboard and other tactical commanders are unlikely to have the technical insight to direct the use of a given cyberwarfare capability. Instead, when engaging with strategic and combatant command–level cyberwarfare elements, consider the objectives against a given target and request the effect required to achieve that objective.
Know the stakes. Employing cyber effects almost always will have unintended consequences. Show-of-force activities are a surefire way to lose a capability. Furthermore, effects that quickly disable or destroy a target should be used sparingly as they will quickly be discovered and rendered inert. The more spectacular or frequently used the effect, the likelier the loss of that capability. Capabilities that generate deception or low-grade degradation effects are more likely to be enduring.
Ultimately, commanders must have the ability to deploy a variety of cyber capabilities if the Navy is to fight effectively in the 21st century. However, the notion that the Navy and Marine Corps can engineer, test, and field a cyber weapon the same way it does conventional weapons is a fallacy that the services should seek to end. Doing so will require a paradigm shift in the thinking of leaders, removing the concept of weapon deployment from cyberwarfare and replacing it with that of effects generation.
Commanders who follow this strategy will be able to successfully drive the realistic delivery of cyber capabilities and effects and bring to bear the full potential of cyberwarfare.
1. U.S. Department of Defense, Dictionary of Military and Associated Terms (Washington, DC: Department of Defense, March 2017).
2. MIDN 3/C Edwin Lopez, USN, “Call of Duty: A Prediction of Future Wars?” USNI Blog, 22 April 2021; Amber Corrin, “Air Force Calls for Hybrid Approach to Cyber Warfare,” Defense Systems, 22 October 2010; and Alexander Kott, “Overview of Cyber Science and Technology Programs at the U.S. Army Research Laboratory,” Journal of Cyber Security and Information Systems 5, no. 1 (December 2016).
3. Ordtech Industries, “Mk82 500 Lbs Aircraft Bomb,” www.ordtech-industries.com/2products/Bomb_General/Mk82/Mk82.html; R. Karl Zipf Jr. and Kenneth L. Cashdollar, “Explosions and Refuge Chambers: Effect of Blast Pressure on Structures and the Human Body,” Centers for Disease Control, National Institute for Occupational Safety & Health.
4. Microsoft, “Operation System Version,” Windows App Development, 5 November 2021.
5. VADM Kevin D. Scott, USN, Joint Publication 3-12: Cyberspace Operations (Washington, DC: Joint Chiefs of Staff, 5 February 2013).
6. Andru E. Wall, “Demystifying the Title 10–Title 50 Debate: Distinguishing Military Operations, Intelligence Activities & Cover Action,” Harvard National Security Journal 3, no. 1 (2011): 85–141.
7. Kimberly K. Watson, “Deploying Indicators of Compromise (IOCs) for Network Defense,” Cybersecurity Automation and Threat Intelligence Sharing Best Practices (Laurel, MD: Johns Hopkins University Applied Physics Laboratory, February 2021).
8. David E. Sanger, “A Botnet Is Taken Down in an Operation by Microsoft, Not the Government,” The New York Times, 10 March 2020.