
Is There a Cyber Arms Race?

James Andrew Lewis
Thursday, February 29, 2024, 12:26 PM

A review of Max Smeets, "No Shortcuts: Why States Struggle to Develop a Military Cyber-Force" (Oxford University Press, 2023)

Cybersecurity Operations at Port San Antonio (Maj. Christopher Vasquez, https://commons.wikimedia.org/wiki/File:Cybersecurity_Operations_at_Port_San_Antonio.jpg; Public Domain)

Published by The Lawfare Institute
in Cooperation With
Brookings

Max Smeets’s “No Shortcuts: Why States Struggle to Develop a Military Cyber-Force” offers a thorough analysis of the challenges states face in developing military cyber capabilities. This is an ambitious book with a wealth of references. Its subtitle—“Why States Struggle to Develop a Military Cyber-Force”—is a bit of a misnomer. At least a dozen countries have competent cyber forces, now mostly used for intelligence and reconnaissance purposes (reconnaissance in the sense of identifying digital targets), and most of these forces are part of the larger national military organizations. What these forces may struggle to develop is not cyber capabilities but doctrine for the use of those capabilities and the political will to accept the risks this use may entail. 

Are military cyber capabilities an extension of states’ current uses of force, or are they sui generis, a unique new category of military action involving a broad array of actors? Scholars and analysts have struggled with this distinction. Smeets explores both ideas, with an emphasis on the latter, seeing cyber capabilities as a product of the commercial forces that shape the new domain. The book’s central themes—that cyber operations are complicated and that states are not well organized to carry them out—are accompanied by discussion of a range of other topics, including a useful typology of cyber actors, trends in cyber policy, the transfer among nations (intentional or otherwise) of cyber capabilities, the effect of artificial intelligence on cyber actions, and the role of non-state actors. After exploring these topics, the book ultimately returns to the theme that only a relative handful of states have surmounted the barriers to undertaking military cyber operations.

But the range of hostile actions that states have undertaken and the number of state actors responsible for them run counter to the book’s assertion “that states are barely able to field a military cyber force.” At least seven countries have used cyber operations for offensive purposes (as this Center for Strategic and International Studies inventory of incidents shows). Choosing not to use a capability is not the same as not possessing it. One way to think of this is to ask how many nations have advanced fighter aircraft. The answer is roughly 30, but fewer than 10 have used them in combat. There is significant (and suggestive) overlap between countries with advanced fighters and those with offensive cyber capabilities, in that advanced militaries acquire advanced capabilities. Leading examples include the United States’ National Security Agency and its military partner Cyber Command, Russia’s GRU (military intelligence), China’s People’s Liberation Army (PLA), the Israeli Defense Forces’ Unit 8200, and the United Kingdom’s National Cyber Force (a “unique partnership between” the Government Communications Headquarters and the Ministry of Defense). An equal number of smaller countries, including several members of NATO, as well as Iran and North Korea, also possess effective cyber forces. The integration of military and intelligence organizations is common in how states organize offensive cyber capabilities.

Malicious cyber activities fall into four categories: intelligence gathering (including surveillance and reconnaissance of targets for cyberattack), destructive cyberattacks (pace Ukraine, this is a very limited set), influence operations, and, in some instances, cybercrime to support regime goals, such as North Korea’s use of cybercrime to support the development of weapons of mass destruction. Cyber operations by states seek to exploit these categories of cyber action to obtain advantage or to defend themselves from others. Espionage can include either conventional spying aimed at political-military targets or technological espionage, a major PLA activity (and Smeets has an extensive discussion of both Chinese and Russian cyber activities). States are very well organized for some of these tasks. Where they may lag is in developing offensive doctrine, the fundamental principles on how to make effective military use of the new capability to attain national objectives. Nations need to develop the right set of plans and tools for using offensive cyber operations to attain strategic advantage.

We are in a period of experimentation, as nations with cyber capabilities develop and test different operational approaches. Smeets usefully offers a framework he calls PETIO (people, exploits, tool sets, infrastructure, and organizational structure) to understand this. This framework emphasizes the importance of human talent and the need for careful integration of cyber resources into military and strategic planning. PETIO might helpfully be expanded to include strategy or doctrine, how nations plan to use cyber capabilities. Most military cyber doctrine is not public, and discussion often still reflects nuclear strategy concepts from the past century. The experience of the introduction of new military technologies suggests that initial ideas on how to use them will evolve in light of operational experience, something that, with a few exceptions, has fortunately been lacking in cyberwar.

Smeets includes a discussion of deterrence, noting that the U.S. and U.K. seem to be moving away from deterrence to a strategy of defend forward and persistent engagement. He asks if allies should take a similar path or should “focus on developing a deterrent posture,” which he seems to prefer. A deterrent strategy is politically preferable for democracies because it is an excuse for passivity. The discussion might be better cast as how can states create accountability in cyberspace for malicious actions, since a lack of accountability explains many of the problems we face. “No Shortcuts” is nonjudgmental in the sense that it does not condemn one side or the other in the global contest between authoritarians and democracies for their cyber actions. 

Smeets rightly points out the reluctance of smaller NATO members to accept a more active cyber strategy but does not discuss how the absence of credible threats renders deterrence ineffective. Why should a hostile power observe norms if there is no penalty for not doing so? Possessing cyber capabilities but not using them undercuts deterrence. Smeets’s proposals for improving defense (more realistic training, closer integration of military and intelligence capabilities, and a greater involvement of the private sector) do not address this fundamental problem of identifying counteractions (which need not involve the use of force, although they would have to be consequential) that could lead opponents to recalculate the risks and benefits of cyber action.

The book builds on Smeets’s earlier work on the transfer of cyber capabilities and asks if the motives for cyber transfers differ from those for conventional arms. Attempting to apply the discussion of arms transfers to cyber “weapons” is difficult. Complicating any discussion are the clandestine and intangible nature of many transfers and the willingness of all major states to use private actors as “cutouts” or proxies to disguise their involvement. Similarly, the discussion of the role of non-state actors (to which Smeets dedicates an entire chapter) is complicated. Non-state actors are better than states in finding vulnerabilities, often excellent in engaging in cybercrime, but not very useful as a military force. On a list of risks to the survival of the state or the accomplishment of its policies, they are far from the top. Private-sector actors have not played a major role in this new form of interstate conflict, although states make use of them as proxy forces. This is not unusual for irregular warfare, a category that may best describe cyber conflict. 

Smeets does well in explaining the mechanisms of transfer and how states manage the risks of transfers to potential opponents, but he faces the usual difficulties in explaining why particular transfers are significant, since none of the major cyber powers rely on external suppliers. There is a thriving unregulated market for cyber tools and no shortage of hackers in the world who are self-educated and self-equipped that states can draw upon. And, as Smeets points out with PETIO, technology is only one element needed for a viable offensive capability. The provision of training by external sources can be useful, but no major cyber power relies on external training. The exception involves commercial surveillance technologies, which are subject to very porous limits. All this suggests that transfers of cyber capabilities are not a central concern in understanding cyber conflict. 

The book’s multifaceted discussions of transfers and of the role of non-state actors could be expanded by a recognition that in an environment for conflict shaped by intangibles, the technology (hardware and software) for cyber offense is less important than how the technology is used. Drone conflict in Ukraine, which combines an ability to exploit the electromagnetic spectrum with software and relatively simple hardware, is an example of this trend in which the importance of advanced military hardware has been diluted. Smeets’s emphasis on “human capital” is a central and an important contribution. 

The book provides a compelling account of the use, risks, and value of zero day exploits (i.e., unknown exploits), but zero days are only part of the cyberattack story. Misconfiguration of systems provides opportunities for access, phishing remains useful, commercial software products still contain basic coding errors, and access through hacking third-party service providers is a preferred technique. State adversaries are inventive, resourceful, and determined, and the absence of a zero day will not discourage them. It may not even delay them. There are now efforts to remedy these coding problems, such as the U.S. software bill of materials initiative, and over time they will reduce the number of opportunities. This will increase the cost of exploits, and some hackers may be priced out of the market, but not anytime soon and not the leading cyber powers. 

Zero days are only part of the story, as cyberspace is built on a foundation of legacy code that is often vulnerable. Smeets makes the useful point that much of the discussion mischaracterizes the nature of cyberattack. Attack techniques can be perishable, but any plan will change. Smeets’s PETIO framework highlights that it is not the tools, but the skill and planning of the attacker, that produce success. 

Smeets’s thorough discussion of zero day and other exploits highlights that while states may not have a monopoly on the tools of violence in cyberspace, they retain a monopoly on the use of violence to achieve their national objectives. Drawing on the Ukraine experience, Smeets writes that cyberattacks (as opposed to cyber espionage) are most effective when used in combination with electronic warfare, disinformation, and precision-guided munitions. The most damaging actions would blend the use of precision-guided munitions and cyberattacks to disable or destroy critical targets in a campaign rather than sporadic or individual attacks. Cyber operations can also disrupt critical infrastructures such as finance, energy, transportation, and government services. The objective is to degrade informational advantage, communications, intelligence collection, and weapons systems and perhaps overwhelm defending decision-makers the same way that the pace of action in blitzkrieg paralyzed defenders (although this has not happened in Ukraine, despite repeated Russian efforts). States do struggle with organizing a “combined arms” approach to cyber, and few states could undertake this full range of actions because of the cost. 

Much of the book discusses activities other than war and actors other than states. The importance of these private actors in interstate conflict is exaggerated (an exaggeration that may reflect that private actors are often accompanied into battle by robust public relations efforts). Many malicious cyber actions have little strategic value. When one media outlet trumpeted that NotPetya (discussed in the book) was the most devastating cyberattack in history, it neglected to mention that the attack did nothing to advance Russia’s strategic goals or to harm the defense capabilities of its opponents. It was more an act of careless petulance by the GRU—a massive crime, but one of no strategic or military value.

“No Shortcuts” shares the tendency in discussion of cyber actions of not recognizing that most are strategically pointless. How cyber actions can achieve this kind of strategic effect to degrade the military and economic capabilities of the opponent nation and erode its ability to defend its core interests should frame any discussion of them. There is the counterargument that many small, individually insignificant acts will finally add up to grave damage—but at the current rate, this seems unlikely. The book’s very thorough accounting of a range of cyber actions could have also discussed their significance. 

Warfare is complex, and, since 1949 and the detonation of a Soviet atomic bomb, it has been made more complicated by the constraints imposed by nuclear weapons on conflict between great powers. It is in this complex environment that states will cautiously explore how best to use cyber tools and operations to gain national advantage, their actions shaped by the risk of cyber operations triggering a damaging response. Cyberwarfare can best be understood in this larger strategic context, which helps explain why, frankly, so many cyber actions, other than those intended to collect intelligence, are of peripheral benefit. “No Shortcuts,” with its broad-ranging coverage and sourcing, is a useful resource and introduction to this new factor in state conflict and the strategic implications of cyber forces.
James Andrew Lewis is a senior vice president and program director at CSIS, where he writes on technology, security, and innovation. Before joining CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His government experience includes work on a range of politico-military and Asian security issues, as a negotiator on conventional arms transfers and advanced military technology, and in developing policies for satellites, encryption, and the Internet. Lewis led the U.S. delegation to the Wassenaar Arrangement Experts Group on advanced civil and military technologies and was the rapporteur for the 2010, 2013, and 2015 UN Group of Government Experts on Information Security. He was also assigned to U.S. Southern Command for Operation Just Cause and to U.S. Central Command for Operation Desert Shield. He received his Ph.D. from the University of Chicago.