In 2011, retired Air Force General Michael Hayden asserted that rarely has anything been so important and so talked about with less clarity and less apparent understanding than cyber. Today, little has changed from a conventional warfighter’s perspective.
A wide array of objectives encompasses the term “cyber,” but the focus here will go toward the most practical application to the conventional warfighter—cyber effect operations (CEOs). One definition of CEO is a cyber operation with an aim to disrupt, deny, degrade, and/or destroy a target device, system, or network.1 This is likely the type of operation most people envision when they hear the term cyber; a computer hacker from across the globe disabling an adversary’s device.
Acclaimed author and cyber policy expert Max Smeets has crafted a simple yet encompassing framework of the five requirements to create and maintain a state cyber capacity: people, exploits, tools, infrastructure, and organization, also known as PETIO.2
Describing the components of the PETIO framework would do little without the context in which they are utilized and the challenges within each dimension. Several categories of CEO exist, such as denial of service, data manipulation, and system manipulation.3 Analyzing these dimensions through the PETIO framework can provide a greater level of understanding to conventional war fighters, leading to a significant improvement in future coordination.
People and Organization
Resource allocation, planning, and objective alignment occurs long before a CEO is conducted. Without a high level of experienced personnel to shape the confines in which orders are written, tasks may be given that are unfeasible or improbable. Cyber professionals with experience in strategy from a technical and national level must deliver sound recommendations during planning. CEO implications, political recourse, and future retaliation from the targeted entity must be weighed. Legal advisors also must offer critical feedback to ensure orders are within the scope of our legal framework. If any of these elements fail to provide proper recommendations, the result could be months or years of unproductive manpower and monetary expenditure.
More variables exist within this decision-making process than could ever be taught within a classroom. As the former technical director of the U.S. Cyber National Mission Force said, “No one has figured out how to replicate such a blend of skills and experience in any format besides on the job training.” Experience is a linchpin for cyber success even at the earliest stages of the process, and retention in any cyber field is critical for successful longevity. These skills are highly sought in the civilian world.
Smeets makes the argument that the tacit knowledge within CEO is potentially more important than that within conventional warfare.4 The targeting process for a missile strike is embedded with explicit knowledge like GPS coordinates, imagery, and mathematical models for collateral damage. Although a degree of explicit knowledge exists within CEO, the most important is tacit. A successful CEO requires an immense understanding of the architecture and even the culture of a target network.5 Rob Joyce, former Chief of NSA’s elite cyber group, Tailored Access Operations, said, “Why are we successful? We put the time in to know [the target] network. We put the time in to know it better than the people who designed it.”
Infrastructure describes the systems, hardware, and software used by an operator to maneuver through cyberspace. This infrastructure is designed to protect tactics, techniques, and procedures (TTPs) while allowing the operator to perform in an untraceable manner. Without it, unintended TTP transfer could occur by another actor observing and potentially “stealing” technical details.
Infrastructure for even a single operation is costly. The Russian-linked hacking organization Fancy Bear spent more than $95,000 in infrastructure per operation for their cyber activities, including the hacking and stealing of documents during the 2016 election.
Unfortunately, pieces of this infrastructure are delicate. A failed operation may result in a total or partial loss of infrastructure with high costs of time and money. Operations must be planned, controlled, and operated with expert precision to protect infrastructure.
Infrastructure also refers to the cyber ranges, or “training grounds” used by cyber professionals. Unlike in conventional warfare where munitions will have nearly identical effects within the confines of physics, the effects of a CEO are not as easily predictable. Vast infrastructure must be built and maintained to thoroughly test the potential impacts of a CEO while also allowing teams to home their skills.
Access, Exploits, and Tools
Next, access to the targeted network must be obtained. This can be achieved by acquiring credentials of a user or administrator or by compromising a vulnerability within the network, which is referred to as an exploit. While maneuvering on the infrastructure, the operator must use a combination of tools and exploits to arrive at the target device. Tools can be thought of as malware, which offer a higher level of functionality to be used against the target network.
Like infrastructure, access is also fragile. Access that took months or years to achieve could be lost because of a simple system upgrade that may be entirely unrelated to a defensive system.6
The process of identifying the necessary exploits and tools needed to infiltrate and operate within a target network while learning the network can be referred to as enumeration. Operators will identify specific tools that must be crafted by a specialized force of developers and vulnerability assessment specialists. Smeets notes that tools are often so specialized that each one must be crafted uniquely even if a tool already exists for a similar system.7 Subtle nuance between similar systems does provide a level of synergy in development and creation, but not as much as expected. Months of development time may exist to convert something that works against version 1.1.1 of a target to be able to work with version 1.1.2.
Furthermore, cyber teams may not know what tools will be needed until after the enumeration process. Crafting new tools for multiple teams in various phases of enumeration can be a challenge. This can mean either shifting timelines for CEO delivery dates or an increase in personnel to support timely tool development.
Maintaining access and gathering intelligence about the network without being caught requires a methodical, patient, and persistent approach. However, this methodology must be contrasted to the need to meet operational deadlines set by commanders. Having experienced personnel during the planning stages is critical. Without accurate and early timeline estimations, the endeavor may end up canceled despite a team’s efforts because it becomes obsolete.
Operational commanders may choose to forego a slow, methodical approach to meet timelines, which holds multiple risks. Moving faster during the enumeration phase often means a louder presence within the network, increasing the likelihood of identification. This increased pace could expedite success—but doing so may result in an unintentional transfer of the sensitive components that make up the infrastructure, exploits, tools, and TTPs to the adversary. Being identified may precipitate a loss of access and immense resource expenditure to get to that point. The consequences could be intensified if other teams use the same or similar components in their operations. Conventional warfighters must understand there is an inherent interconnectedness between all cyber operations, and a loss of access to one target may mean the loss of one or several others due to the sharing of capabilities across teams.
A constant struggle will exist within the cyber domain to meet operational commander’s requirements while protecting the infrastructure and TTPs of the operations.
Intelligence Collection vs. CEO
If successful, a team has arrived at the target with a CEO ready to be delivered when ordered to do so. A considerable amount of intelligence gathering is required to reach the end of the road. Not only did the gathered intelligence assist in the enumeration process, but it may be of value to other mission areas and warfighters. Conducting a CEO is very likely to end any intelligence collection moving forward.8 So, the benefit of conducting an effect must have a definable advantage over the intelligence value of an enduring collection campaign.9 Commanders must continually assess whether to continue with a CEO campaign or shift to an intelligence collection focus during the enumeration process as more information becomes available.
The argument for CEO versus intelligence collection has long been debated. Former U.S. Secretary of Defense Ashton Carter conveyed his dissatisfaction in the ability of the U.S. cyber force to eliminate ISIS, stating that Cyber Command “never really produced any effective cyber weapons or techniques. When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection.”
Once used for a CEO, TTPs are also vulnerable in two ways—the enemy may now have them in their own arsenal for future use against United States and allies’ systems and/or the TTPs may be compromised by a security product group (such as antivirus software) that can then update their software to mitigate future intrusions for users around the world.
Requirements can shift due to an evolving geopolitical environment. Mission changes are necessary to meet arising operational needs, but such mission shifts can have negative consequences. Shifting a cyber team to another target is not quite as straightforward as shifting a mission for conventional targeting. James McGhee, the legal advisor for the U.S. Special Operations Command North, concurs that planning these operations take more time than planning conventional, kinetic operations.
Along with the extensive time required to gain target knowledge, no network topology is the same. Different hardware, software, operating systems, updates, and firewalls present obstacles. A newly redirected team may have previously focused on a completely different set of systems and have to start from scratch for significant mission realignments.
The challenges associated with mission shifts, particularly if the new mission is substantially different, are important for conventional warfighters to understand. Giving a carrier hard right rudder still takes time before coming to a reciprocal course, and cyber moves in much the same sluggish manner.
Smeets details another significant challenge: “Causing any type of cyber effect, against any system or computer network, at an unspecific point in time, lacking strategic purpose, is easy. Causing a specific, targeted cyber effect, at a designated point in time, which achieves a strategic purpose, and outweighs the impact of negative consequences, is hard.” Like any strategic warfare effect, the use of CEO must be a means to a political end.10
Erik Gartzke states, “The inherent difficulty of credibly threatening cyberattacks without also compromising operational effectiveness means they are generally an inferior substitute to conventional warfare in performing the functions of coercion or conquest.” Threatening an adversary with a CEO shows our hand and allows an opportunity to mitigate the threatened network.
Anticipating target response is important for decision makers to understand potential outcomes of a CEO. This is difficult to predict due to various factors if the end state is to induce some level or coercion, leading to several possible outcomes:
- The target may be unable to define with certainty that a CEO took place. The target may attribute the incident to system failure or flaws within their own network.
- If the target does identify a CEO took place, they may be unable to determine where the CEO originated with any certainty.
- If the target identifies the CEO and its origin, they may avoid publicly acknowledging the CEO occurred to avoid displaying weakness on the world stage. If the target decides to blame a faulty system instead of a CEO, necessary mitigation can quietly occur to avoid future effects.
A CEO designed to provide an effect with an end state to support conventional warfare generally will not be impacted by those variables. The success of the CEO will hinge on successfully providing support to the conventional warfare operation and the end state therein. Thus, cyber may not be a silver bullet but rather another strategic weapon to use in conjunction in a multidomain environment.
To achieve a competitive advantage in great power competition, all warfare domains must have a better understanding of their counterpart’s capacity and limitations. Only then can decision makers and conventional warfighters blend cyber capabilities into their repertoire of multi-domain warfare.
1. Max Smeets, No Shortcuts: Why States Struggle to Develop a Military Cyber-Force (New York: Oxford University Press, 1 August 2022).
2. Smeets, No Shortcuts: Why States Struggle to Develop a Military Cyber-Force.
3. Smeets, No Shortcuts.
6. Michael V. Hayden, Playing to the Edge: American Intelligence in the Age of Terror (New York: Random House, 21 February 2017).