Preparing for Cyber War: A Clarion Call

This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.

In every War College in the world, two core principles of military planning are that “hope is not a plan” and “the enemy gets a vote.” Any plan developed without sensitivity to these two maxims is doomed to fail. They apply irrespective of the mode in which the conflict is fought, the nature of the enemy, or the weapons system employed. Unfortunately, some states seem to be disregarding the maxims with respect to cyber operations. They include certain allies and friends around the world, states that the United States will fight alongside during future conflicts. The consequences could prove calamitous, especially in terms of crafting complementary strategies and ensuring interoperability in the battlespace.

Hope is Not a Plan

When planning for the future, states cannot hope away scenarios, including two that are looming: “cyber-only conflict” and cyber operations as an aspect of traditional warfare (“cyberized conflict”). Ignoring them is shortsighted. With respect to the former, cyber operations can generate consequences that in certain cases are more effective, efficient, and severe than those generated kinetically. While it is true that conquest requires boots on the ground to seize enemy territory, conflict can also erupt when one state merely seeks to influence the decision-making of another, particularly when war aims are limited. In such cases, victory (or at least success in achieving underlying objectives) is achieved by imposing sufficient pain to alter the opponent’s cost-benefit calculations. Since cyber has opened the door to imposing costs remotely, without the necessity of resorting to conventional military operations that are especially susceptible to difficult-to-control escalatory dynamics, cyber operations may well prove the tool of choice in such scenarios.

As to cyber operations supplementing conventional operations, a cyber-enabled force enjoys substantial operational advantages over a non-cyber savvy foe. Indeed, cyber capabilities can offset striking asymmetries in conventional force structure. For instance, a party to a conflict with a superior air force cannot prevail against an enemy that can blind its integrated air defenses by cyber means, thereby allowing it to conduct a devastating first strike that destroys the former’s air force while still on the ground. And a cyber-enabled armed force that penetrates command and control systems to monitor communications and disrupt the direction of forces can operate inside its enemy’s “OODA loop” (observe, orient, decide, act). This drives the enemy into a reactive mode that permits the cyber-enabled force to determine the flow and pace of battle.

Prudent states create contingency plans for risky scenarios that cannot be ruled out; proper planning is necessarily sensitive to the legal environment in which the ensuing operations will take place. Accordingly, the time to unravel how jus ad bellum and jus in bello norms govern cyber operations is before hostilities break out. 

But, the process of doing so has been agonizingly slow. Many states have no position, confidential or public, on when the right of individual or collective self-defense provided for in Article 51 of the UN Charter and customary law applies. Some have yet to maturely grapple with the question of whether international humanitarian law (IHL) applies to cyber operations at all, and for those that have, important questions remain unanswered. These include whether civilian data qualifies as a civilian object enjoying IHL protections, when a cyber operation is an attack in the context of IHL’s assorted targeting rules, and under what circumstances civilians who engage in cyber operations lose their IHL protections from — and during — attacks. Very few states have even considered whether and when a cyber-only conflict qualifies as an “armed conflict,” international or non-international, such that IHL applies. This actuality is problematic, since a failure to understand how international law limits or allows cyber operations is a bit like playing football without knowing the rules — the chances of winning are mighty slim. Some of our potential coalition partners appear to be hoping the game will simply never take place and that therefore there is no need to understand its rules.

The Enemy Gets a Vote

Let us assume the previous reality therapy bears fruit and military planning, based on firm legal positions, gets underway. As armed forces plan, they need to bear in mind that the enemy gets a vote. In other words, planning must always be sensitive to what the enemy is likely to, or might, do. This includes developing a sense of the extent to which it will, or will not, comply with IHL, and how enemy operations will affect fulfillment of one’s own legal obligations. Consider a number of examples.

In any toe-to-toe fight, a primary objective is to disrupt enemy C4ISR (command, control, communications, computers, intelligence, surveillance, and reconnaissance). The challenge in future conflict will be that much C4ISR cyber infrastructure is “dual-use” (used for both military and civilian purposes) and therefore a valid targetable military objective under IHL. The extent to which the enemy has elected to rely on dual-use cyber infrastructure, rather than closed network military systems, will drive planning on how to disrupt its C4ISR. Because of the connectivity involved, planners will have to carefully account for the likelihood of bleed-over into civilian systems. The two key issues in this regard are whether a cyber operation against the assets amounts to an “attack” (a term of art in IHL) such that the proportionality and precautions in attack requirements apply and what negative consequences for the enemy civilian population qualify as collateral damage in the context of those rules.

Military planning and the development of operational procedures and guidance become especially complex during asymmetrical conflict because the asymmetrically weaker party must find creative ways to compensate for its weakness. This in turn exacerbates planning calculations. To illustrate, I recently had the opportunity to visit the Israel Defense Forces (IDF) to examine its targeting systems and process, and the application of IHL therein. Much of the time was spent looking into how the IDF deals with Hamas and other Gaza-based organized armed groups in one of the paradigmatic asymmetrical conflicts of our times. Organized armed groups cannot possibly prevail over Israel on a conventional battlefield. Thus, at the strategic level, they target the civilian population as an Israeli center of gravity, primarily through rocket attacks. Unable to achieve military victory, the objective is to alter Israeli decision-making by placing its population at risk. This forces the IDF to conduct operations designed to deprive the enemy of this objective by focusing on protecting the population.

At the operational-tactical level of war, Hamas and other Israeli opponents employ tactics designed to foil Israeli strikes. These include human shielding, perfidy, and placing military objectives and fighters in the vicinity of civilians and civilian objects in violation of the IHL requirement to avoid locating the former, to the maximum extent feasible, in such locations. Doing so presents the IDF with a Faustian choice. Either Israeli forces refrain from attacking or they attack and cause civilian casualties and damage to civilian objects. In the latter case, the enemy leverages the collateral damage for lawfare purposes by creating the impression that the IDF targets protected persons and objects, or it violates the rule of proportionality and the requirement to take precautions in attack when striking military objectives. As a consequence, avoidance of collateral damage, even at the level accepted by IHL, lies at the very heart of the IDF planning process and its operational procedures.

Analogous strategies and tactics can be expected during an asymmetrical conflict involving cyber operations. For instance, cyber attacks on civilian cyber infrastructure are no less likely than rocket attacks or the use of suicide bombers against civilians. Since the effectiveness of this strategic option increases in lock step with the frequency and severity of attacks, cyber attacks can be expected to be widespread and destructive. This dynamic will logically push states in the direction of operations that emphasize protection of the population from cyber attacks, an important planning consequence since resources that would otherwise be available to conduct offensive cyber operations may have to be re-tasked to defensive missions. Militaries that fail to plan for this eventuality in advance of armed conflict will be poorly organized, equipped, and trained to rebuff the enemy’s strategic goal of leveraging risk to the civilian population to its advantage.

The cyber variant of the “population at risk” strategy is particularly nefarious. In kinetic warfare, it is usually possible to eventually develop a counter-measure that deprives a weapon of its effectiveness, at least until development of a counter-countermeasure. For instance, Israel’s Iron Dome has achieved a very high success rate against rockets fired at urban areas. In cyber space, however, such a “fix” with respect to protecting the civilian population is less likely for three reasons. First, malware is very diverse and one-size-fits-all countermeasures are usually unattainable. Second, the general population does not patch and update systems with sufficient frequency and care to reliably protect them from attack. Finally, technical attribution can be very difficult in cyber space, thereby making shooting back problematic.

At the operational-tactical level of war, asymmetrically disadvantaged opponents will likely launch their cyber operations from otherwise civilian systems to deter counter attack. This does not render the systems, which become “military objectives” in IHL parlance, immune from attack unless the resulting harm to civilians and civilian objects caused by the counter attack violates the rule of proportionality. However, the tactic will complicate matters in the same way that locating military assets in or near civilians and civilian structures does. Of particular concern in this respect is the fact that unlike most kinetic operations, collateral damage can be very widespread during a cyber attack due to the connectivity of the network into which one is striking. Thus, the choices presented the attacker may be either doing little beyond employing passive defensive measures such as anti-malware and intrusion detection software or striking back and handing the enemy a lawfare victory.

Spoofing, that is feigning the identity of an attacker, presents a particular challenge in this regard. It is highly likely that means will be employed to spoof civilian status. Indeed, when used to conduct an “attack,” as that term is understood in IHL, by feigning protected status, such operations amount to perfidy. Although unlawful, perfidious operations can, as demonstrated in asymmetrical conflicts from Gaza to Afghanistan, be highly effective.

The use of “zombie” computers (or “bots”) is a further example of how civilian cyber infrastructure can be employed for military purposes. A zombie computer is one over which remote control has been established. Although the zombie qualifies as a targetable military objective, attacking it presents the same dilemmas outlined above with respect to operating from civilian infrastructure. So too does the use of botnets to mount a distributed denial of service operation. The operation involves many zombies (sometimes thousands of them) to overwhelm the processing capacity of a targeted system. When this happens, the system loses functionality.

Again, the fact that the zombies had civilian status before conversion to military use raises the aforementioned challenges. Especially in the case of botnets, striking back at the IHL “attack” level poses thorny practical problems in terms of verifying target status as a military objective (if no longer being used and unlikely to be used in the future, it no longer qualifies) and assessing expected collateral damage during the proportionality and precautions in attack calculations. Moreover, many of the zombies will be located in neutral territory during an international armed conflict and abroad during a non-international one. This raises a number of complicated legal issues beyond the scope of this post for the side trying to fashion a response plan.

Finally, in an asymmetrical fight, the weaker side may look beyond its military forces to do battle, a fact demonstrated by the widespread use of civilians during recent conflicts for duties ranging from fighting to serving as lookouts. When cyber means are employed, the phenomenon can take on entirely new dimensions. In conventional hostilities, using civilians — either on an individual basis or as members of organized armed groups — requires some effort in terms of training and coordination. By contrast, simpler cyber operations can be mounted by anyone with access to the necessary malware and basic knowledge of how to use a computer. For instance, the asymmetrically disadvantaged side can simply post instructions with target IPs and malware online to encourage attacks. No further action on its part is necessary. This tactic was employed during the 2008 war between Russia and Georgia (although it is not certain that Russia orchestrated the activity). By the IHL rules governing direct participation in hostilities, all those who engage in cyber operations directed against the enemy become targetable for such time as they so participate. This is so irrespective of whether the operations rise to the level of an “IHL attack.”

The question for planners and commanders facing this highly probable scenario is how to respond to cyber direct participation that ranges widely across a population. Launching kinetic attacks against participants may be lawful, but both impractical and, from a lawfare perspective, counterproductive. Moreover, estimating the likely collateral damage incident to hacking back at hundreds, perhaps thousands, of direct cyber participants raises many of the same questions that surfaced when considering botnet attacks. Obviously, this conundrum needs to be thought through in advance of the conflict; it is far too complex to address in a measured fashion once the attacks are underway.

These are but a few examples of how law and cyber warfare will influence each other in tomorrow’s conflicts. It is time to think such issues through and to fold them into military planning. After all, if you don’t know where you are going, you will probably end up somewhere else. Nowhere is this truer than on the battlefield.

No plan survives first contact with the enemy 

Returning to the original points, the arrival of cyber and cyberized conflict is imminent. Hoping it is not is a prescription for disaster on the battlefield. When it comes, the enemy will get a vote on how it unfolds. In particular, an asymmetrical conflict creates pernicious incentives to operate from and through civilian cyber infrastructure, sometimes in ways that may violate IHL. Armed forces will have to carefully consider how cyber operations are likely to occur in future conflict as they develop their own strategies, plans, tactics, and rules of engagement.

In fairness, it is difficult to anticipate the nature of future war. This reality is the basis for a third maxim War College graduates learn: “No plan survives first contact with the enemy.” There is a kernel of truth in this cautionary adage. But the key to successful military planning remains to prepare not only for eventualities that are certain, but also for those that are possible. Fortunately, the United States, particularly through U.S. Cyber Command and the Combatant Commands, has launched the process. But, as it stands today, we are likely to fight together with the armed forces of states that have disregarded this conspicuous imperative. The resulting lack of cyber (and legal) interoperability will inevitably sow confusion in coalition operations. For those states that are not planning for cyber war, this reality should serve as a clarion call.

The views expressed above are those of the author in his personal capacity. 

About the Author(s)

Michael Schmitt

Chair of Public International Law at the University of Exeter Law School in the United Kingdom, Charles H. Stockton Professor at the U.S. Naval War College’s Stockton Center for the Study of International Law, Francis Lieber Distinguished Scholar at the U.S. Military Academy at West Point, Director of Legal Affairs for Cyber Law International. Follow him on Twitter (@Schmitt_ILaw).