A Theory of Cyberwarfare: Political and Military Objectives, Lines of Communication, and Targets

Photo by U.S. Air Force

By Jason Rivera |

The interwar period between 1918 and 1939 is well characterized by the term, “Revolution in Military Affairs.” This era of military history is remembered as critically important in terms of aviation advances and is often characterized by the remarkable progress in technology, weaponry, and general military strategy. During this era, modern militaries fielded squadrons of fighter and bomber aircraft as nations endeavored to achieve air superiority and overall military superiority through new and unexplored domains.[1] Throughout the Second World War, these modern militaries would deploy their air capabilities into a global conflict that proved to be more costly in terms of lives and destruction of property than any war in human history. By the end of World War II, airpower proved to be a critical component of the Allied Powers’ victory within both the European and the Pacific theaters of war.

Nearly 70 years later and after over a decade of wars in Iraq and Afghanistan, the United States and much of the Western world is headed toward another interwar period. Like the interwar period of the early 20th century, the world is likely to undergo yet another technological change that may have far-reaching implications on military strategy. Military forces throughout the world are exploring methods and means by which they may exert force within cyberspace and are allocating intellectual, financial, and human resources towards fielding a cyber force capable of conducting war in the 21st century. It is noteworthy that the FY 2014 U.S. defense budget’s top priority is the military’s transformation to a “smaller and leaner” force, yet all branches of the U.S. military receive drastic budget and force size increases for cyber operations.[2] Despite the heavy investment in cyber capabilities, it appears that the proverbial cart may have been placed before the horse; despite receiving massive amounts of financial and human resources, there appears to be no general consensus for a national strategy for military cyber operations, let alone an agreed upon understanding of the term ‘cyberwar.’

The rarity of public historical information on cyber conflict makes the development of military strategy in cyberspace a difficult objective to pursue. The details of cyber operations are often restricted and information regarding the development of network accesses, methods, and means are closely guarded industrial and state secrets. Furthermore, the nature of network administration gives ultimate authority to those who possess physical access to the network, giving administrators the exclusive capability to disconnect from the network and conduct remediation. It follows then that successful offensive cyber operations (OCO)[3] and computer network exploitation (CNE)[4] are more often than not carried out in a clandestine or covert manner as to not alert the network administrator. The resulting secrecy of operations within the cyber domain has hampered the development of military strategy within cyberspace as only limited numbers of personnel possess full access to the knowledge base necessary to formulate strategy.

This paper develops a framework that military planners can use to understand cyberspace as a battlefield terrain upon which cyber forces secure, exercise, and dispute control of computer systems and networks in order to achieve political and military objectives. The paper’s theory of cyberwarfare is undergirded by three critical assumptions. First, all state-sponsored military operations are conducted for the purpose of accomplishing nation-state political or military objectives. Second, cyberspace, inherent to the initial design of the Internet, is formulated upon lines of communication designed to transport information from point A to point B. Third, like the military concepts of key terrain or centers of gravity, there are key targets within cyberspace for which position and possession yield a decisive military advantage. Using the theory presented, this paper concludes by illustrating three lines of effort necessary for a state to effectively engage in cyberwarfare.

The Building Blocks of a Theory on Cyberwarfare

Over 100 years ago, naval strategist Sir Julian Corbett wrote Some Principles of Maritime Strategy to explicate national strategies for the use of naval forces. In part one of this text, Corbett begins by putting forth a theory of war largely inspired by 19th century wartime strategist Carl von Clausewitz, defining war as “an exertion of violence to secure a political end which we desire to attain.”[5] Given this well understood and accepted definition of war in the physical domain, it stands to reason that in an attempt to define cyberwarfare, one might assume that the purpose of cyberwarfare is to achieve political and strategic military objectives via cyberspace. Two other priorities described by Corbett are relevant to a strategy for cyberwarfare: lines of communication and the nature of the object.

Corbett focuses on the naval commander’s ability to secure seaborne lines of communication as a mode of securing command of the sea.[6] It is upon those critical lines of communication for which the necessary elements of warfighting power transit to and from the battlespace. In Corbett’s time, securing lines of communication were critical to the transit of logistical supplies, troops, information, weaponry, and all other necessary components required to wage intercontinental war. Similar to this manner of naval warfare, warfare in cyberspace also requires command and control of key lines of communication. Albeit distinct in their composition, the centrality of communication in the conduct of naval and cyberwarfare gives Corbett’s 19th century naval theories incredible explanatory power for understanding the methods and means by which warfare is conducted in the cyber domain.

Whereas naval lines of communication may be defined as important water passages, major canals, and large ports, cyber lines of communication can be thought of as the world’s critical Internet exchange points, oceanic fiber optic cable lines, major satellite communications (SATCOM) uplink /downlink facilities, and the world’s most subscribed-to internet service providers (ISP). At a more micro level, naval lines of communication may include small bodies of water such as lakes and rivers or minor boating facilities with small docks, whereas the micro level in the cyber domain may be characterized by complex and disparate distributions of logical lines of communication such as routers, switches, servers, and IP address linked networks. In either case, control of key lines of communication are critical to military strategy both in the naval domain and the cyber domain. Therefore any comprehensive theory that seeks to develop a national strategy to conduct cyberwarfare should include as a primary objective the need to secure critical cyber lines of communication, both physical (fiber optic cable, SATCOM, ISPs, etc.) and logical (network domains, routers, servers, etc.).

Corbett’s second contribution to a theory of cyberwarfare is the ability to comprehend the nature of the object. Corbett defined the nature of the object largely as those tactical or operational objectives that comprised the necessary benchmarks of overall wartime strategy.[7] More specifically, he defined these objects as having positive or negative aims, which in turn implied the need, respectively, for offensive or defensive strategies.[8] In the Russo-Japanese War, for example, in 1904 when Admiral Togo attacks Port Arthur in an attempt to contain the Russian fleet to the harbor, the key object of focus was the Russian fleet;[9] the political aim in this case was the resolution of rival imperialist ambitions over Manchuria and Korea. In the Spanish-American War, on the other hand, the object of war was limited to the liberation of Cuba whereas the political objective was to defeat Spanish aggression and take away their foothold in the Caribbean.[10] Unlike the Russo-Japanese War or the Spanish-American War, wartime operations in cyberspace are often characterized by the ever-ambiguous adversary, the anonymous environment that is the Internet, and the targeting of second and third order effects as opposed to the primary object in question. That is to say that, in cyberspace, the nature of the object is not as easily understood and therefore requires elaboration.

It would be easy to assume that the nature of the object in cyberspace operations is the adversary’s forces and strongholds or garrisons. This is where it is important to understand the key differences between the physical domains (land, sea, air, and space) and the cyber domain. One simple and concise definition of cyberspace is a domain characterized by the physical, logical, and social interconnectedness of computers and data networks.[11] Therefore, the nature of the object in cyberwarfare should be a physical, logical, or social component that can be affected — positively or negatively — via the use of interconnected computers and data networks. Similar to the limitations of land, sea, and air instruments of combat, the instruments of cyberwarfare must are also limited in their application; this application must be conceptually understood in order to formulate a theory on cyberwarfare.

In cyberwarfare, the key object should never be literally interpreted as people (soldiers, government officials, etc.), instruments of war (tanks, aircraft, etc.), fortifications (garrisons, ports, etc.), or geographic territory (land, cites, etc.). Rather, it should be understood that targeting strategy in the conduct of cyberwarfare should be focused on the computer-centric and networked components of those aforementioned wartime objects. It is not enough to postulate that the key targets within cyberwarfare are the computers and data networks of the friendly forces or the adversary; this supposition, while all-encompassing and simply defined, creates far too broad an area of focus. Strategy, while necessarily flexible and adaptive, must also be focused and directed towards quantifiable objectives.

The key targets within cyberspace are those computer operated and data networked critical infrastructure components required by both friendly forces and the adversary to conduct diplomacy, governance, military operations, commercial/economic business transactions, and day-to-day municipal functions within modern society. This position on the definition of key objects within cyberspace begs the question: what is intended by the term “critical infrastructure components”? Critical infrastructure is defined by United States Presidential Policy Directive (PPD) 21:

Critical infrastructure provides the essential services that underpin [modern] society [and are comprised of the] distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyberspace, and governance constructs that involve multi-level authorities, responsibilities, and regulations.[12]

PPD 21 identifies the 16 sectors of critical infrastructure as follows:

Chemical Basic, specialty, and agricultural chemicals; pharmaceuticals; consumer products
Commercial Facilities Public assembly (arenas, zoos, museums, convention centers, etc.); sports leagues; gaming; lodging; outdoor events; entertainment and media; real estate; retail
Communications Voice and data services; satellite, wired, and wireless transmission systems; communications services providers and exchanges
Critical Manufacturing Metal, machinery, electrical equipment, appliance, component, and transportation equipment manufacturing
Dams Dam projects; hydropower generation facilities; navigation locks; levees, dikes, hurricane barriers, mine tailings; industrial waste impoundments; other water retention and water control facilities
Defense Industrial Base Worldwide industrial complexes that enable the research and development, design, production, delivery, and maintenance of military weapons systems, subsystems, and required components or parts
Emergency Services Law enforcement; fire and emergency services; emergency management; emergency medical services; public works; hazardous materials, search and rescue; explosive ordinance disposal; special weapons and tactics and tactical operations; aviation units; public safety answering points
Energy Petroleum, coal, and natural gas; electricity generated from nuclear, hydroelectric, solar, wind, and geothermal sources; electric utility and nonutility power producers; electric power substations and transmission systems
Financial Services Banks, credit unions, brokers, and other financial institutions that deposit funds and make payments to other parties, provide credit and liquidity to customers, invest funds for both long and short periods, and transfer financial risks between customers
Food & Agriculture Farms; restaurants; food manufacturing, processing, and storage facilities
Government Facilities Buildings that are owned or leased by federal, state, and local governments that are used for public business activities, commercial transactions, or recreational activities or that are not open to the public used for highly sensitive information, materials, processes, and equipment; special use military installations, embassies, courthouses, and national laboratories; education facilities; national monuments and icons
Healthcare and Public Health Critical infrastructure that protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters; hospitals and other medical facilities
Information Technology Virtual and distributed functions that produce and provide hardware, software, and information technology systems and services; helps provide and maintain the Internet in collaboration with the Communications Sector
Nuclear Reactors, Materials, and Waste Nuclear power plants; non-power nuclear reactors used for research, testing, and training; manufacturers of nuclear reactors or components; radioactive materials used primarily in medical, industrial, and academic settings; nuclear fuel cycle facilities; the transportation, storage, and disposal of nuclear and radioactive waste
Transportation Systems Aviation; highway infrastructure and motor carrier; maritime transportation systems; mass transit and passenger rail; pipeline systems; freight rail; postal and shipping
Water & Wastewater Systems Public drinking water systems; publicly owned wastewater treatment systems; potable water; sewage systems

In defining and illustrating the 16 areas of critical infrastructure, it is important to note that none of these sectors stand alone; rather, they are interdependent. A military garrison, for example, is encompassed by more than just the government facilities sector; modern military garrisons require chemical sector support for pharmaceuticals required by the garrison medical facility, communications support to conduct command and control of disparate elements, and the defense industrial base to supply, equip, and maintain the garrison’s warfighting resources. These same garrisons require internal or external energy production and distribution capabilities, financial mechanisms to transfer funds for the purchase of supplies, and will often have several on-base restaurants or a base commissary for the purchase of groceries (food and agriculture sector). These bases will be further empowered by a variety of other sectors, to include information technologies and the Internet, traffic lights, perhaps a railway system to transit heavy military equipment, and possess access to municipal water and wastewater distribution services. All sectors being considered, a single military garrison will often span across a considerable number of the 16 critical infrastructure sectors defined by PPD-21. Thus it stands to reason that in understanding the nature of targets in cyberwarfare, the key target is not the garrison in of itself, but rather the computers and data networked components required to manage the critical infrastructure systems necessary to maintain day-to-day operations at the garrison. In cyberwarfare, a force seeks to defend their own computer operated and networked critical infrastructure from invaders — the defensive, negative aim — while simultaneously seeking to advantageously posture their own capabilities against the computer operated and networked critical infrastructure of the adversary — the offensive, positive aim.

In summation, these explorations of targeting, objectives, and the nature of cyberspace as a domain of war elucidate lines of effort necessary to formulate a strategy for the conduct of cyberwarfare. The first effort is to define the political and strategic military objectives and conduct planning as to how cyberspace can be leveraged to achieve these objectives. The second effort is to secure both physical (fiber optic cable, SATCOM, ISPs, etc.) and logical (networks, routers, servers, etc.) cyber lines of communication in order to achieve superior offensive and defensive fighting positions within cyberspace. The third effort is to conduct tactical and operational targeting and defensive operations within cyberspace via computer operated and data networked critical infrastructure components. These critical infrastructure components are required by both friendly forces and the adversary to conduct diplomacy, governance, military operations, commercial/economic business transactions, and day-to-day municipal functions within modern society. The computer networked aspects of the 16 sectors of critical infrastructure as defined by PPD 21 should be considered the key terrain or centers of gravity in the conduct of cyberwarfare and should thus dictate the main objects of cyberwarfare.

Cyberwarfare and its Three Lines of Effort

An effective military fighting force operating within the cyber domain will be task-organized in such a manner as to complement the pursuit of the three lines of effort (LOEs) in cyberwarfare: the identification of political/military objectives, the control of lines of communication, and the attack and defense of the key tactical and operational targets within cyberspace.

Line of Effort 1: Develop Political and Military Objectives

Political and military objectives as they pertain to the role of cyberwarfare in the overall conduct of wartime operations are to be understood as taking place within realms of policy, statecraft, and grand-strategy. These objectives will be determined at echelons far above those who conduct strategic military planning and operations pertaining to cyberwarfare. It is therefore paramount that proper planning for cyberspace warfare be conducted in such a manner that cyberspace operations complement, and not detract from, the political and military objectives they are designed to support. This seems like a conceptually simple concept to grasp, however, several recent incidents of state-sponsored cyberspace operations have detracted from the likely political objectives of the sponsoring state. Consider the Russian attacks against Estonia in 2007 when, due to the removal of a Soviet Era war monument from the Estonian capital of Tallinn, a group of alleged “patriotic hackers” in Russia conducted denial of service attacks against Estonian government and financial websites.[13] These attacks, while temporarily debilitating to the Estonian people, failed to ultimately serve Russia’s political objectives — presumably to inspire fear and compliance within the Estonian government — and ultimately empowered Estonia by making Tallinn the headquarters location for the NATO Cyber Centre of Excellence.[14] The lesson to be learned from Russia’s debacle is that cyberspace operations, while capable of delivering potentially devastating effects, must be prudently planned in order to ensure cohesion with political and military objectives.

In the conduct of cyberwarfare, nation-states will generally possess two types of strategic aims – security-related aims and control-related aims. Security-related aims are those national strategies designed to promote Internet freedom, cooperation, and international security norms for cyberspace. Control-related aims are those national strategies designed to restrict Internet freedom, prevent cooperation, and promote or sponsor criminal activities in cyberspace. While the promotion of security-related and control-related aims are not mutually exclusive of each other – states will often support aims of both types – there are some generalities that can be inferred as to the types of aims a state will support. Democratic states that are leaders in the international community, possess flourishing economies, and have established rule of law tend to promote security-related aims. The following are some examples of strategic security-related aims:
–The promotion of Internet freedom.
–The promotion of cooperative Internet governance with a focus on an international multi-stakeholder model.
–Ensuring nations conduct cybersecurity due diligence.
–Promoting the Internet as an engine of economic growth.
–Combating cybercriminals.
–Combating industrial espionage.
–Combating the disruption of services.[15]

Conversely, autocratic states that diverge from the consensus of the international community, have economies that fall behind their primary competitors, and are noticeably lacking in terms of law enforcement capacities tend to promote control-related aims. The following are some examples of strategic control-related aims:
–The prevention of Internet freedom in order to combat popular unrest and political activism.
–The prevention of the multi-stakeholder model in order to deter a disadvantageous consensus.
–Dissuading nations from conducting cybersecurity due diligence to allow freedom of maneuver.
–State-sponsored industrial espionage.
–State-sponsored intelligence espionage.
–State-motivated or state-driven denial of services.
–State-sponsored destruction or alteration of physical and/or intellectual property.[16]

Line of Effort 2: Secure, Exercise, and/or Dispute Control of Lines of Communication

The capacity to secure and control cyber lines of communication is a function of military training and tactics. Given the proper training curriculum and given a steadily available pool of cyber expertise and knowledge, a military force within the cyber domain should be able to develop the capability to functionally navigate within computer networks, execute command line script for both offensive and defensive purposes, and have a sufficient understanding necessary to secure and control cyber lines of communication given the constraints of available technology and the adversary’s own strategy. As previously stated, these lines of communication are both physical (fiber optic cable, SATCOM, ISPs, etc.) and logical (network domains, routers, server domains, etc.).

The key devices that comprise network domains are networked end-point devices, switches, routers, and firewalls. An end-point device is any networked device used by a person to interface with the Internet. Desktops, laptops, smart phones, and networked printers are examples of networked devices. A switch is a multiport connection device on the data-link layer that provides a common point of connection between networked devices, hubs, and other switches.[17] A router is a network layer device designed to connect local area networks to each other.[18] A firewall is a device that is used to restrict access or the passage of data between networks.[19]

The following model presents a simplified diagram of how networks communicate with each other via the Internet. End-point devices, through the use of switches and routers, are able to transmit information through the Internet to other end-point devices. Switches facilitate communication among end-point devices within a network while routers facilitate communication between networks. Firewalls serve to prevent unauthorized passage of information from the Internet to the internal portions of the network. In the following model, network A is prevented from accessing the internal portions of network B and network B, likewise, is prevented from accessing the internal portions of network A. An end-point device can send information to an endpoint device in another network, but only so long as that transaction is authorized by the other network’s firewall. In order to secure, exercise, or dispute control of lines of communication, a network owner must maintain the integrity of their network domain — the defensive, negative aim — and the capacity to exert control over information within a foreign, non-owned network domain — the offensive, positive aim.

Art 7 - Fig 1

The process by which adversarial networks compete for leverage and control of both their own as well as foreign networks is known as Computer Network Exploitation (CNE).[20] In general, the CNE process should be understood to be the functional navigation and control of lines of communication. CNE is best understood as an eight-step process that includes: reconnaissance (exploring and conducting initial enumeration of a network), initial intrusion into a network (levying an exploit designed to gain user access), establishing a backdoor into a network (the means by which an intruder can ensure the ability to come back into the network at a later point without having to re-apply ‘loud’ exploits), obtaining user credentials, installing various utilities (levying software/malware exploits designed to achieve the intruder’s intended purpose), privilege escalation/lateral movement, data exfiltration/alteration, and maintaining persistence (ensuring the clandestine nature of the intruder’s presence, maintaining a low profile, and maintaining the ability to enter the network and exfiltrate/alter information at will).[21]

Once a cyber force achieves persistent presence and access within a network, that force possesses the capacity to either secure, exercise, or dispute command of that network. According to Sir Julian Corbett, the ability to secure command in naval warfare is the capacity to achieve local or temporary control of key maritime lines of communication.[22] In cyberspace, this concept is analogous to the defensive acts of tightly locking down a network via the use of firewalls, intrusion detection/protection systems, and antivirus programs or the offensive act of CNE. In the cases of both naval and cyber warfare, the ability to secure key lines of communication and prevent the adversary from doing the same are key to maintaining battlespace superiority. The ability to exercise control can be understood as the process by which a force uses lines of communication in order to conduct trade, movement operations, production, and otherwise all other functions that pertain to the receipt of economic/strategic benefits.[23] Within the cyber domain, this should be understood as a function of authorized and unauthorized usage of networks for the purposes of controlling the movement of information. A friendly force exercises control by conducting authorized use of networks via the facilitation of legitimate communications and information exchange; an adversarial force exercises control by conducting unauthorized use of foreign, non-owned networks via the facilitation of unauthorized data exfiltration and espionage operations.

Disputing command occurs when opposing forces maintain presence and conduct operations designed to weaken the adversary’s capacity to exercise control of the lines of communication.[24] In defensive network operations, disputing control would take the form of active defense measures designed to actively eject an adversary from the network, close off vulnerable vectors of infiltration, and drop Internet traffic from identified malicious IP ranges. In offensive network operations, disputing control should be understood as those efforts designed to reestablish presence within a foreign network after being detected — such as placing backdoors or finding alternative gateways for infiltration — or those efforts designed to deny the foreign network’s authorized users to access their network resources, such as denial of service attacks.

Line of Effort 3: Acquire and Engage the Target

Upon execution of CNE and decision-maker acceptance of CDE, a decision may then be made to conduct cyberattack or computer network defense response actions. A cyberattack can take many forms, to include denial of service, authentication spoofing, man-in-the-middle, ticket and hash falsification, remote unauthenticated exploits, end-user application exploits, command-line remote control tools, and port redirection attacks.[25] Computer network defense response actions (CND RA) are deliberate measures and activities designed to protect and defend computer systems and networks already under attack.[26] Unlike passive defense, CND RA can be thought of as counter-offensive measures designed to stop an attack in motion.

While the development of political objectives and CNE to control cyber lines of communication are documented, categorized, and understood, one of the paramount challenges in the conduct of cyberwarfare is target acquisition and engagement. Russia’s failure to exert influence over Estonia, for example, was partially due to a failure in planning but also due to a failure to acquire specific and well-planned targets.

In cyberspace operations, the object of offense or defense will almost always be some form of information. Even cyberattacks that yield physical effects are informational in nature. For example, Stuxnet affected Iran’s Natanz fuel enrichment plant by causing the rotor within the centrifuges to fly apart, but this physical effect was generated by a covert malware operation that affected information systems that controlled centrifuge function.[27] Information is the functional aspect of cyberspace and is the core purpose of its existence. In general, information can be created, stored, transferred, modified, deleted, secured, and processed.[28] Humanity derives usefulness from information via the means by which it is processed; therefore, a national targeting strategy should specifically target information processes that are most critical to a nation’s adversaries. Information, in general, is processed in one of two ways:

  • Information processed by humans exists in the form of ideas; the most valuable ideas within an organization comprise that organization’s intellectual property. Intellectual property is comprised of plans, schematics, formulas, strategic communications, etc.
  • Information processed by machines exists in the form of protocol; the most critical protocol within an organization comprises that organization’s critical control systems. Control systems include those protocols that operate network-centric weapons, life support systems, sensors, communications systems, transportation systems, etc.

Given the above, target acquisition and engagement strategies should focus on information — human ideas and machine protocol — that are the most critical to the achievement of political and military objectives. This proposition implies a need to categorize information in terms of offensive aims, defensive aims, and functional areas of technological expertise. This requires functional categories to best organize cyberspace fighting forces. The 16 areas of critical infrastructure provided in PPD-21 provide a useful baseline for cyber planners and strategists, laying down the general framework upon which society both leverages and relies upon computer systems and networks. The following are some examples of information targets that could be acquired and engaged in cyberspace operations:

Information processed by humans: ideas and intellectual property
— Military (Defense Industrial Base) Sector
o Weapons and systems development schematics
o Contingency plans, communications, and tactics, techniques, & procedures
— Financial Services Sector
o Illicit actor or rogue government finances
o Financial strategies
–Information Technology Sector
o Websites, web forums, and social media
o Plans and procedures for software/hardware development
–Government Sector
o Intelligence and economic communications data
o Political leadership and diplomatic communications data

Information processed by machines: protocol and control systems
–Military (Defense Industrial Base) Sector
o Air defense, radar acquisition, and sensory technologies
o Airborne, seaborne, or ground vehicle manufacturing components
–Communications Sector
o Mobile, SMS, and bluetooth technologies
o Satellite communications and publicly switched telephone networks
o Rail systems, aviation systems, and highway systems
o Pipelines, traffic lights / traffic management systems, and GPS navigation
–Information Technology Sector
o Wi-Fi, firewall systems, and databases
o Routers, switches, and fiber optic cables

Once a target is acquired and the decision is made to engage the target, there are four general categories of offensive capabilities that can be delivered through cyberspace. The first of these capabilities is the most passive: cyber espionage. Cyber espionage is the process of engaging a networked target for the purposes of conducting state-sponsored intelligence operations. The second offensive capability is the execution of network-enabled psychological operations. Psychological operations include the alteration of information processed humans (ideas and intellectual property) in order to sow confusion, distrust, rebellion, or other such emotional uncertainties amongst the adversary’s combatant or non-combatant population. The third offensive capability in cyberspace is the denial of service. This category includes those actions taken through cyberspace to either deny Internet service entirely or deny access to authorized users. The last and potentially most dangerous offensive capability in cyberspace is cyber sabotage. Cyber sabotage includes those actions conducted through the use of cyberspace designed to sabotage computers, computer networks, or networked machines in such a manner as to cause mechanical failure, procedural error, or physical destruction.

Art 7 - Fig 2

Cyberwarfare involves three distinct and methodical lines of effort (LOEs) — from the political objective and the control of lines of communication to the ultimate execution of a cyberattack or CND RA. The above model demonstrates these LOEs in a linear manner and serves to depict the processes necessary to conduct cyberwarfare operations. The linear nature of this model is critical as the various LOEs of cyber operations are predicated upon the successful execution of the previous LOE. For example, it would be difficult, and perhaps impossible, to rationally and successfully secure control of the correct lines of communication if the proper planning had not been conducted prior to the execution of reconnaissance and infiltration operations. In the same way, the process of acquiring and engaging the target would not be possible without the securing of the appropriate lines of communication necessary to deliver a cyber effect against the target. It is, therefore, critical that cyberwarfare operations be conducted using this linear model in order to ensure synchronization of endstate cyber effects with the original intent of the political/military objectives.

Case Studies

Understanding the principles outlined above benefits from an exploration of successful case studies, demonstrating how the three LOEs of cyberwarfare are executed in order to achieve political and military objectives.

Operation Orchard

In September 2007, international media sources reported that Israeli fighter jets had destroyed Syria’s al-Kibar Nuclear Reactor building complex in the middle of the Syrian desert.[29] It is widely believed that the Israelis were able to successfully infiltrate Syrian airspace by triggering a kill-switch installed in Syria’s air defense radar systems at Tall al-Abuad.[30] The event was followed by a series of accusations by the Syrian government, very little commentary from the Israeli government, and ultimately did not result in a protracted international conflict. The below table analyzes Operation Orchard using the theoretical model of cyberwarfare proposed above in order to better understand the conduct of this operation and its ultimate success.

LOEs of Cyberwarfare Description of Events
1 Develop Political & Military Objectives According to Israel’s own security doctrine, the Israeli State must maintain technological, efficacy-focused, and qualitative advantages over its adversaries. This implies that Israel must possess weapons and defensive systems that counter its adversaries in all aspects. i.e., Israel must possess a nuclear advantage over a regime such as Syria. Given this doctrine, it behooved Israel’s national security objectives to preemptively strike Syria’s al-Kibar nuclear reactor building complex.
2 Control Lines of Communication Israel has invested substantially in cyber warfare capabilities by improving their ability to conduct offensive and defensive computer network operations and leveraging its high-tech software cluster local to Tel Aviv and the IDF’s elite cyber element, Unit 8200. Some sources suggest that the coding for the Operation Orchard cyberattack was conducted by Unit 8200 and was designed to allow aircraft to leverage a kill-switch embedded within the microchips of Syria’s air defense systems. One possible CNE vector for conducting this cyberattack could have originated from a U.S. developed technology known as Suter – an airborne electronic warfare suite thought to transmit data streams consisting of sophisticated algorithms into enemy integrated air defense systems.
3 Acquire & Engage the Target The cyber target acquired within Operation Orchard was specifically integrated as part of a larger military operation. The target was precisely directed towards Syria’s air defense systems and was controlled in such a manner as to not bleed over to other sectors of Syria’s critical infrastructure. The algorithms and means used within this cyberattack could have easily bled over to the realms of electric power, however, the Israelis managed to cater their deployed cyberweapon without having any detrimental effect on the Syria’s electrical grid. This is an important aspect of the targeting process as bleed over could have had a negative impact on Israel’s strategic objectives by causing excess collateral damage and, thereby, turning international opinion against the Israeli cause.

The Russo-Georgian War of 2008

The conflict between Russia and Georgia originated from a territorial dispute over the independent regions of Abkhasia and South Ossetia in Georgia, where Russia had provided ‘peacekeepers’ and extended economic benefits to the people of Abkhasia and South Ossetia in order to possibly undermine Georgia’s political influence in the area.[31] In 2008, Georgia attempted to reassert its control over South Ossetia in which Russia reacted by responding with military force supported by a significant cyber offensive.[32] By the war’s end, Russia had effectively achieved the majority of its goals by demonstrating military superiority, successfully employing cyberpower in consort with physical power, and advancing the posture of its long-term political objectives. Unlike the 2007 Estonia incident, Russia was able to adequately mesh its cyberspace operations with its political objectives. The below table is an analysis of the LOEs of cyberwarfare and how these LOEs advanced Russia’s political and military objectives.

LOEs of Cyberwarfare Description of Events
1 Develop Political & Military Objectives The Vladimir Putin and Dmitry Medvedev administrations had carefully formulated their political and military objectives up to 2.5 years prior to the combined operations invasion of Georgia. These goals included the effective termination of Georgian sovereignty in South Ossetia and Abhkazia by empowering pro-Moscow separatists, expelling Georgian troops from secessionist enclaves, sending a strong signal to other former Soviet states (primarily Ukraine), and the provision of strong disincentives for pursuing NATO membership.
2 Control Lines of Communication Russia’s cyber warfare strategy was premised upon the objective of controlling military and government lines of communication within the Georgian state. Evidence suggests that reconnaissance efforts against Georgian government sites had taken place as early as 19 July 2008 – weeks prior to the outbreak of physical conflict. Russia was able to leverage the fact that that Georgia does not have its own Internet exchange point and was thereby reliant upon neighboring countries such as Armenia, Turkey, and Russia for almost 70% of its Internet exchange capacity. This allowed Russia to essentially canalize Georgian web activity via a few centralized points which in turn allowed Russian cyber forces to mass their efforts in order to target Georgian government web activity.
3 Acquire & Engage the Target The Russian cyber campaign disrupted and/or degraded a total of 38 Georgian and Western websites upon the initiation of the war, to include those of the Georgian President, the National Bank, the Ministry of Foreign Affairs, the Supreme Court, the Parliament, and U.S. and United Kingdom embassies in Georgia. Russian cyberforces primarily employed sophisticated Distributed Denial of Service (DDoS) methods against targets, incorporating SQL injections and cross-site scripting (XSS). Additionally, Russia managed to distribute its efforts to control LOCs by posting potential targets on a website known as “StopGeorgia.ru”, which provided a venue for Russia’s patriotic hacker population to engage lower-tier, easy to hit targets within Georgian web space. Unlike the Estonia incident in 2007, Russia’s 2008 cyber targeting efforts greatly enhanced their political objectives. The Georgian population has a relatively low number of Internet users and is not heavily reliant on IT-based infrastructure, which implies that the cyberattacks did not harm the population so much as they did the Georgian government. This allowed the Russians to effectively isolated the Georgian government away from its people and ensure that (unlike the Estonia incident) cyber targeting efforts did not have unnecessary collateral damage effects against the populous.


This paper proposes three lines of effort for cyberspace: 1) the formation of the political and/or military objective and prudent planning in order to ensure the appropriate usage of CNE capabilities; 2) achieving physical and logical control of lines of communication via the eight-step CNE process; and 3) the acquisition and tactical/operational engagement of key offensive or defensive targets in support of strategic political and/or military objectives. These LOEs represent the critical aspects of warfare within the cyber domain and must be carefully planned in parallel with political, diplomatic, and the other domains of military operations in order to achieve the desired strategic political end-state.

The examples and case studies demonstrate the need for governments and militaries to ensure appropriate alignment between political objectives and cyber targeting operations. Lack of unity of effort and alignment of purpose (such as in the case of Russia and Estonia) can result in the conduct of cyber warfare operations that achieve political end-states that are not only less than desirable, but entirely contrary to the original purpose of the cyber operation itself. The presence of unity of effort along with appropriate planning (such as in the case of Operation Orchard or the 2008 Russo-Georgian War) can result in the delivery of cyberattacks that serve as significant combat multipliers to strategic military operations. In some rare cases, cyber effects can be so carefully constructed and so well-aligned with political objectives that the cyberattack in of itself can serve as the primary line of effort and deliver a devastating blow to a force’s adversaries.

While much of cyberwarfare’s recorded history has been classified, one thing has become remarkably clear: the more strategically important cyberspace operations are to a nation’s political and military objectives, the more it appears to resemble wartime operations on the land, in the air, and in the sea.[33] That is, core military principles such as unity of effort, centers of gravity, concentration of force, and strategic surprise remain fundamental to the planning and execution of military operations within both the physical and cyber domains. Technologically proficient nation-states that consider these core military principles while wielding cyber capabilities will undoubtedly be globally influential forces in the 21st century. More dangerous, however, are those technologically capable actors that wield cyber capabilities, but do not consider core military principles. It is these states that will recklessly and dangerously act in the cyber domain and possibly bring their respective regions, if not the world, into chaos.

Jason Rivera is an MA candidate in Georgetown’s Security Studies Program and an active duty U.S. Army Officer. All views and information expressed originated solely with the author and do not represent the official positions or opinions of U.S. Cyber Command or the U.S. Department of Defense.


[1] Peter Paret, Makers of Modern Strategy: from Machiavelli to the Nuclear Age (Princeton, NJ: Princeton University Press, 1986),630–635.

[2] DoD Comptroller, “United States Department of Defense Fiscal Year 2014 Budget Request,” The Department of Defense, (Washington, DC: GPO, 2013), 2-2 & 3-5.

[3] Maren Leed, “Offensive Cyber Capabilities at the Operational Level: The Way Ahead,” Center for Strategic International Studies, (2013): v.

[4] Joint Chiefs of Staff, “Joint Publication 3-13: Information Operations,” (Washington, DC: GPO, 2006), GL-6.

[5] Julian S. Corbett, Some principles of maritime strategy, (Sussex, UK: Naval & Military Press, 2009), 30.

[6] Ibid., 315.

[7] Ibid., 309.

[8] Ibid.

[9] Lieutenant Commander Michael Berry, “The Russo-Japanese War: How Russia Created the Instrument of their Defeat,” US Marine Corps Command and Staff College, (2008): 26.

[10] Edward F. Dolan, The Spanish-American War, (Brookfield, CT: The Millbrook Press, 2001), 80.

[11] The United States Army Training and Doctrine Command divides cyberspace primarily into three realms: physical, logical, and social – Training and Doctrine Command, “TRADOC Pamphlet 525-7-8: Cyberspace Operations Concept Capability Plan 2016-2028,” Department of the Army, (Fort Eusis, VA: GPO, 2011), 8.

[12] Office of the Press Secretary, “Presidential Policy Directive – Critical Infrastructure Security and Resilience,” The White House, accessed January 26, 2014, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

[13] The Economist, “A cyber-riot: Estonia has faced down Russian rioters. But its websites are still under attack,” The Economist, accessed February 22, 2014, http://www.economist.com/node/9163598.

[14] Jason Healey, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, (Vienna, VA: Cyber Conflict Studies Association, 2013), 190-193.

[15] Christopher Painter, Coordinator for Cyber Issues, United States Department of State, Conference: Georgetown International Engagement on Cyber III, March 4, 2014

[16] Melissa Hathaway, former acting senior director for cyberspace at the National Security Council and president of Hathaway Global Strategies, Conference: Georgetown International Engagement on Cyber III, March 4, 2014.

[17] Shon Harris, CISSP All-in-One Exam Guide, Sixth Edition, (New York: McGraw Hill, 2013),617.

[18] Ibid., 615.

[19] Ibid., 628.

[20] Ibid., 4.

[21] Mandiant, “M Trends: the advanced persistent threat,” Mandiant, (2010): 3.

[22] Ibid., 5 and 321.

[23] Ibid., 233.

[24] Ibid., 320.

[25] Stuart McClure, et al., Hacking Exposed 7: Network Security Secrets & Solutions, (New York: McGraw Hill, 2012),162-204.

[26] Chairman of the Joint Chiefs of Staff, “Information Assurance (IA) and Support to Computer Network Defense (CND),” Joint Chiefs of Staff, (Washington, DC: GPO, 2013), GL-8.

[27] David Albright, et al., “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?” Institute for Science and International Security, (2010): 4.

[28] David Fahrenkrug, Colonel, United States Air Force, Class Seminar, February 6, 2014.

[29] Erich Follath & Holger Stark, (2009) “The Story of ‘Operation Orchard’: How Israel Destroyed Syria’s Al Kibar Nuclear Reactor,” Spiegel Online International, accessed February 22, 2014, http://www.spiegel.de/international/world/the-story-of-operation-orchard-how-israel-destroyed-syria-s-al-kibar-nuclear-reactor-a-658663.html.

[30] Real Clear Politics, (2013) “Significant Cyberattack Incidents: Operation Orchard, 2007,” Real Clear Politics, accessed February 22, 2014, http://www.realclearpolitics.com/lists/cyber_attacks/op_orchard.html.

[31] Jim Nichol, “Russia-Georgia Conflict in August 2008: Context and Implications for U.S. Interests,” Congressional Research Service, (Washington, DC: GPO, 2009), Summary Page.

[32] Ibid. 14 and 194.

[33] Ibid., 21.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.