For three decades, defense planners and analysts have worried about cyber war. It has not happened. Instead, now their fear is that cyber operations open a new space of strategic competition where adversaries can shift the balance of power without going to war. The sea change in the United States’ cyber strategy from deterrence toward persistent engagement aims to counter this threat. These current expectations, however, overestimate both the extent of this threat and its novelty. Rather than new instruments, my research, recently published in International Security, shows cyber operations are, in fact, instruments of subversion — an understudied mechanism used in covert operations. Subversion holds great strategic promise but faces an operational trilemma that limits its strategic value. Cyber operations face the same limitations. To assess their strategic value, we thus should not confuse what is theoretically possible with what is practically feasible. Otherwise, strategy risks fighting phantom threats.
Policy documents and media reports continue to describe cyber conflict in the language of war. “Cyber warriors” clash on the battlefield, and states engage in cyber arms races. In practice, however, cyber conflict looks nothing like this. Instead, it involves hackers — a nerdy bunch — who stealthily, creatively, and often opportunistically find ways to exploit vulnerabilities in adversary systems. Hacking means exploiting systems to make them do things not intended by their makers and users. It does not involve force, nor does it require military hardware. Unsurprisingly, cyber operations struggle to create violence and destruction. Rather, their reliance on secret exploitation reveals their subversive nature.
Subversion is a key instrument in non-military covert operations. It promises to bring down an enemy from within, stealthily and without using force. Instead, subversion hollows out the adversary’s sources of strength or even turns them against the adversary. It exploits weaknesses in institutions and societies to undermine their integrity and manipulate them. This strategic promise of weakening adversaries without going to war is great but so are subversion’s pitfalls. Actors face significant operational challenges they must overcome to reach their goals. These challenges pose an operational trilemma that limits its strategic value. In practice, subversion is often too slow, too weak, and too volatile to achieve strategic goals. The same applies to cyber operations.
Security scholars traditionally study war and the means of maintaining peace. States have, however, long also pursued shadowy means to get what they want without engaging in costly wars. Covert operations are secret instruments of statecraft that interfere in adversary affairs while obscuring the identity of their sponsor. They offer leaders a quiet option to exert power when diplomacy falls short and open war is too costly and risky. After being long neglected by security scholars, an emerging body of research examines the strategic benefits of engaging in secret wars. Yet, there are many types of covert operations, and only few of them involve military force. These non-military operations share a reliance on subversion.
Rather than through force, subversion produces outcomes by exploiting vulnerabilities in systems. Through exploitation, it either undermines the integrity of these systems or manipulates them to use them against the adversary. Cold War subversion primarily aimed to undermine or overthrow political systems, and the term has almost become synonymous with such types of operations and associated vague fears. Yet, historian Paul W. Blackstock’s work provides the foundation for a more systematic definition, identifying the distinguishing characteristic of subversion in its reliance on secret exploitation. Regime-change operations, for example, often exploit social tensions to mobilize groups against a government. The CIA-orchestrated coup in Iran in 1953 is a key example. Other operations exploit incomplete sovereignty, supporting local insurgents to destabilize regions and assert control. Russia’s takeover of Crimea offers the most recent example.
Apart from entire political systems, however, exploitation can also target smaller-scale institutions to infiltrate and manipulate them. The classic means of subversion are human spies, who can infiltrate targets under cover identities by exploiting pathologies of human psychology or flaws in security rules and practices. The Soviet KGB’s infamous “illegal agents” program is a key example. The effects subversion can produce depend on the type of system targeted and vary widely. They range from influence on public opinion to sabotage, economic disruption, and, in the extreme case, regime change.
Through exploitation, subversion promises a way to weaken adversaries at even lower risks and costs than secret war. Using force secretly can help limit escalation risks and reputational damage. Yet, doing so still requires guns and grunts. Subversion requires far fewer resources because it primarily relies on an adversary’s own assets to produce effects. Moreover, subversion hides not only the identity of the sponsor but the activity itself (known as a clandestine approach). Hence, if done right, it interferes without revealing that interference is taking place.
The parallels to cyber operations are obvious. Cyber operations share the reliance on exploitation, the range of effects, and the perceived strategic promise. Accordingly, a recent “intelligence turn” in cybersecurity scholarship highlights the parallels between cyber conflict and intelligence operations. Joshua Rovner argues that cyber conflict is an intelligence contest, laying out the strategic scope of cyber operations as means to collect information and covertly weaken adversaries. The strategic value of the latter type of operations, namely those pursuing active effects (i.e., manipulation and disruption of targeted systems rather than information collection), remains unclear though. Yet, those types of operations inform persistent fears around the cyber threats adversaries pose. Examining the subversive nature of active effect cyber operations clarifies their strategic value. It also explains why, in practice, they tend to fall short of expectations.
Instead of social systems, cyber operations subvert computer systems. Hacking, the core mechanism they employ, is by definition subversive since it involves the exploitation of vulnerabilities in computer programs. Programs, as Erickson explains, are “made up of a complex set of rules” while “exploiting a program is simply a clever way of getting the computer to do what you want it to do, even if the currently running program was designed to prevent that action.” Typically, hackers use such vulnerabilities to gain access to systems and install malicious programs, viruses that allow them to control and manipulate the system. In doing so, cyber operations promise a means to turn the computer systems that have produced such dramatic efficiency gains in modern societies into liabilities, using them to weaken the targeted society and state instead. Moreover, while traditional subversion requires infrastructure in the field to deploy and maintain human agents, cyber operations can exert influence entirely remotely. Hence, they promise even lower cost. Moreover, they enable potentially vastly greater scales of effect since computer viruses can proliferate automatically.
In theory, these advantages endow cyber operations with a near-irresistible strategic promise, namely an unprecedentedly effective way to shift the balance of power short of war. Yet, getting there in practice is hard. The same mechanism of exploitation that enables this promise also carries the seeds of failure. To explain why, it is useful to distinguish between the tactical, operational, and strategic levels of conflict. At the tactical level, cyber conflict involves the subversion of software and systems. Hackers often succeed, and examples of high-profile compromises such as the SolarWinds compromise continue to fill newspapers, evoking fears of proliferating cyber war. At the operational level, however, subversion poses a distinct set of challenges that constrain its effectiveness and limit its strategic value. Importantly, cyber operations face the same challenges.
Secret exploitation poses distinct operational challenges that constrain its speed, intensity, and control. Speed is limited because actors must reconnoiter target systems, identify flaws even their designers missed, develop means able to exploit them, and establish access — while obscuring all of this activity from the victim. Discovery allows the victim to neutralize most operations, typically by arresting or executing the spies involved. In cyber operations, victims can “patch” vulnerabilities, delete malware, or disconnect systems. There are limits to how much cyber subversions can achieve, because the intensity of the effect depends on what system is targeted. The greater the capacity of a system to wreak havoc — for instance, producing physical damage and destruction — the harder exploitation tends to be. Manipulating physical machinery by cyber means is highly challenging, for example, and such systems typically have added protection measures in place to prevent such meddling. Dependence on target systems also constrains control, since target systems remain unfamiliar and subversive actors only have control over parts of the system. Control is, furthermore, temporary since victims can neutralize it in different ways upon discovering subversion. Most importantly, the system may respond unexpectedly to manipulation, failing to produce the desired effects or producing unintended effects.
These constraining variables pose a trilemma. Efforts to improve one tend to produce corresponding losses across the remaining ones. For example, the faster one proceeds, the less time there is for reconnaissance and development, and accordingly the more limited the knowledge of the target system, the more limited the extent of control, and the greater the likelihood of failure or unintended consequences. This operational trilemma limits the strategic value of these kinds of operations. Subversion thus tends to be too slow, too weak, or too volatile to produce strategic value when and where it is needed. The same applies to cyber operations.
Consider Stuxnet. This operation, which produced the most intense effects by cyber means to date — namely, physical damage to nuclear enrichment centrifuges — required extensive development time. Forensic evidence indicates at least five years of development. Conversely, the attempted disruption of Ukraine’s election in 2014 moved very fast, at 2 months development time — but failed to produce its intended effect since the hackers missed the existence of backups. Finally, evidence of control loss abounds. It is no coincidence that one of the first computer viruses, the Morris Worm from 1988, was in fact an accident — the program was designed as a harmless network mapping tool, but it proliferated out of control and consumed far more resources than intended, shutting down most of the early internet.
Similarly, the infamous 2017 NotPetya operation, which disrupted businesses across 65 countries by disabling computer systems, is widely seen as “the most devastating cyber attack in history.” Some suggest this self-proliferating virus and the havoc it caused was a carefully calibrated signaling tool, designed to send a warning to businesses operating in Ukraine and/or to foster a perception of Ukraine as a failed state. Yet, rather than a carefully targeted effort, forensic evidence shows NotPetya’s authors lost control over its spread — leading to significant collateral damage beyond Ukraine, even affecting the state behind the operation: Russia. The same capacity for automated self-proliferation that made NotPetya’s massive scale possible led to a loss of control over its spread and effects. Without control, there is little predictability. And, without predictability, whether effects will contribute to strategic goals ultimately becomes a game of chance.
Consequently, rather than revolutionizing conflict, cyber operations represent an evolution of subversion. They offer a distinct set of tradeoffs compared to traditional subversion. They do likely have a scale advantage over traditional subversion since viruses can spread automatically across networks. Yet, this potential for automatic proliferation also likely brings an increased risk of control loss. Cyber operations thus have some distinct advantages and disadvantages, but overall they face the same operational trilemma as traditional subversion. This situation has two major implications for cyber conflict and its study.
First, cyber operations fulfill an independent strategic role as an alternative to warfare when diplomacy falls short but will rarely provide strategic value. Their strategic promise renders them highly attractive, if not irresistible to leaders — even as their shortcomings become more readily apparent. The same pattern applied to traditional subversion. Throughout the Cold War, leaders continued to opt for regime change attempts despite their abysmal track record. Hence, we can expect actors to continue to deploy cyber operations frequently. Accordingly, we will likely continue to see frequent intrusions and, less frequently, disruptions. Some of these disruptions will be large enough to produce strategically significant effects. Yet, because of the challenges involved, we can also expect cyber operations to rarely produce significant strategic value for their sponsors. They will be too slow, too weak, and too volatile to shift the balance of power in a targeted, predictable, and timely fashion in most circumstances.
Second, and consequently, the United States’ emerging strategy of persistent engagement may have it — at least partially — wrong. Its underlying idea is that states are subject to a structural condition of interconnectedness, which puts actors in constant contact and thus necessitates a strategy of persistent engagement to prevail. In practice, this involves continuous efforts to compromise adversary infrastructure, introduce friction in their operations and disrupt them where possible. Persistence is important. It is only one component of a successful subversive operation, however. Without sufficient consideration of the needs for secrecy, for example, the strategy risks giving away the element of surprise that is crucial for success. The more persistent one’s engagement, the more predictable one risks becoming. Moreover, the goal of persistent engagement is to improve stability by establishing and reinforcing tacitly agreed rules of behavior — most importantly, limiting the intensity of effects. Yet, rather than tacitly agreed rules, the trilemma that all subversion operations face is a more likely cause of the low intensity of cyber conflict we observe. Pushing adversaries too far is then likely to have the opposite effect of stabilizing conflict, as doing so may increase the perceived benefits of taking greater risks.
In short, cyber operations do not enable a new strategic space but rather offer new tools to pursue strategies of subversion. As such, explaining and prevailing in cyber conflict does not require new strategic theory. Rather, building on existing knowledge on strategies of subversion and their limitations promises key insights. Cyber operations share not only the strategic promise, but also the operational challenges, of subversion. The trilemma between speed, intensity, and control limits the actual strategic value they can deliver in most circumstances. Much current thought and strategy development focuses on what is theoretically possible, yet the trilemma limits what is practically feasible. Recognizing these limitations is crucial in order to clearly understand the strategic role of cyber operations and develop effective strategies that maximize their value within the constraints of the trilemma.
Lennart Maschmeyer is a Senior Researcher at the Center for Security Studies at ETH Zurich. He holds a PhD from the University of Toronto and co-chairs the FIRST Threat Intel Coalition as well as the European Cybersecurity Seminar. You can follow him @LenMaschmeyer.
Image by WeAreTape.com