Published by The Lawfare Institute
in Cooperation With
Information technology has revolutionized modern life, driving vast increases in economic productivity and enabling entirely new social interactions. Naturally, this technology was expected to transform international conflict as well. As the World Wide Web made its debut in the 1990s, warnings of a future of cyberwar where information trumps mass emerged. Subsequently, an alternative view predicted cyber capabilities to enable revolutionary increases in the effectiveness of conventional force by acting as force multipliers. The most recent wave of revolutionary theorizing argues that cyber operations enable a novel form of strategic competition and conflict short of war marked by unprecedented strategic value independent of the use of force. These revolutionary schools have two things in common. First, they focus on select properties of information technologies to draw inferences about the impact of their use. Second, evidence of the predicted revolution and its impact remains scarce—cyber operations continue to fall short of expectations.
To understand how cyber operations matter in conflict, examining how they function and what effects they can produce in practice—rather than speculating about what they could do in theory—is essential. My research, published recently in International Security, shows that cyber operations are not entirely novel tools, nor is their impact revolutionary. Rather, they are instruments of subversion that promise great gains in theory but are constrained in practice by a crippling operational trilemma that limits strategic value. Evidence from Ukraine—in many aspects the defining battleground of cyber conflict—underlines these limitations. Understanding this trilemma is important because prevailing in cyber conflict requires alleviating its constraints in offense while leveraging them against adversaries in defense.
Cyber Conflict and the Strategic Promise of Subversion
Cyber operations exploit information technologies to produce unintended and detrimental outcomes—from the victim’s perspective. Hacking, the key mechanism in cyber operations, means just that: exploiting flaws in the design of software and hardware to make machines do things they are not supposed to do. The reliance on exploitation rather than force reflects the subversive nature of cyber operations. Consequently, exploring the (understudied) role of subversion in international conflict helps explain the strategic role of cyber operations. Subversion has long offered states a way to interfere in adversary affairs without crossing the threshold of war. Ideally, it allows state actors to manipulate adversary policy, sway its public, erode foundations of strength through sabotage, and, in doing so, shift the balance of power in the subverter’s favor. In theory, subversion is capable of providing strategic value similar to warfare, yet at lower costs and risks.
Subversion holds this promise because subversive operations indirectly and secretly exploit an adversary’s own systems to manipulate these systems into producing outcomes detrimental to the adversary. The same applies to cyber operations. Traditional subversive operations used spies to target social systems: public and private organizations of all kinds, and entire political systems. Cyber operations target computer systems but use the same functional mechanisms of exploitation to manipulate the former toward producing unexpected and detrimental outcomes for victims.
Technological change promises even greater gains. Information technology continues to reach deeper and wider into modern societies. Hence, by exploiting that technology, cyber operations in theory enable ever greater scope and scale of effects. Claims in current academic scholarship that cyber operations have expanded both the scope and scale of traditional covert operations rest on this assumption. However, in practice, manipulating adversary systems to produce strategically relevant and useful effects is far from easy.
The Subversive Trilemma: Operational Constraints Limit Strategic Value
Accordingly, traditional subversion has regularly fallen short of its promise. Manipulating unfamiliar systems in another country to produce effects that are simultaneously unexpected for the victim and yet fully in line with one’s expectations poses steep operational challenges. Moreover, success requires keeping the exploitation secret long enough to prevent the victim from inducing countermeasures, posing a further nontrivial challenge. Secrecy in intelligence operations falls on a spectrum, from highly stealthy operations that take intensive efforts to obscure both the activity itself (known as a clandestine operation) and the identity of the sponsor (covert) to less stealthy operations as well as those that maintain only a pretense of plausible deniability. However, in cyber conflict there is a caveat: Because subversive operations, and thus cyber operations, depend on adversary systems to produce effects, access to and manipulation of these systems must remain hidden from the victim at least until the effect is produced. Doing so is important because upon discovery of a hostile subversive operation, the victim can take relatively straightforward steps to neutralize it: arrest or kill the spies involved in a traditional operation, or revoke access credentials, patch vulnerabilities, and remove malware used in a cyber operation.
My research shows that these challenges pose a set of countervailing trade-offs that pose a trilemma for subversive actors—and despite their use of novel technology, cyber operations face the same trilemma. These trade-offs concern operational speed, intensity of effects, and the degree of control. Speed is an issue because to exploit and manipulate adversary systems, actors must learn how they work and find vulnerabilities. This takes time. Traditional subversion targets social vulnerabilities, such as flaws in human psychology or security rules and practices. “Social engineering” techniques in cyber operations target the same. However, cyber operations can also target technical vulnerabilities by exploiting flaws in the logic of programming code that determines what information technologies “do.” Exploiting these flaws tends to be even more demanding than targeting social vulnerabilities, further slowing speed. Conversely, the faster one operates, the greater the chance of missing something, leading to failure.
Meanwhile, the more intense the effects one pursues, the more demanding that exploitation and manipulation tend to become. For starters, the more a target system is capable of producing strategically significant effects, the likelier the system is to be well protected—raising the requirements to evade detection. The greater the scope and scale of effects pursued, the greater the manipulation’s scope and scale need to be and, therefore, the greater the subverting actors’ reach into the target system. Expanding this reach in turn requires learning and adaptation, which takes (further) time.
The last point above leads to the third constraint, the ephemerality and precarity of control over adversary systems. Subversion produces effects through adversary systems. Consequently, subversion depends on systems designed and/or operated by the adversary. These systems are never fully familiar, nor is one’s reach absolute. Rather, subversive actors typically control only those parts of a system relevant to their objective. As a result, manipulating systems can produce outcomes that are unexpected not only for the victim but also for the subverter. Exploitation and manipulation are more art than science. In fact, the original meaning of the term “hacker” referred to “a person who enjoys exploring the details of programmable systems and how to stretch their capabilities” and “enjoys the intellectual challenge of creatively overcoming or circumventing limitations.” Because manipulation involves creative experimentation, it may either fail to produce intended outcomes or produce unintended outcomes—both reducing strategic value. Reducing the risk of such detrimental consequences requires either more time for reconnaissance and development, or limiting the scope and scale of effects pursued.
Because of these trade-offs, subversive actors face a trilemma among speed, intensity, and control where an improvement in any of these variable(s) tends to produce a corresponding loss in the remaining one(s). As illustrated in Figure 1, holding all else equal, the faster one operates, the lower intensity and control tend to be. Increasing control in turn tends to lower speed and intensity. The same applies to intensity increases, and vice versa.
Figure 1. Depiction of the “Subversive Trilemma” from International Security.
Finally, increasing two of these variables at once tends to doubly decrease the remaining one. High speed and high intensity make control loss highly likely, for example. Conversely, pursuing highly intense effects while striving to minimize the chance of premature discovery, failure to produce effects, or unintended consequences will require extensive preparation. This can take years, as in the infamous Stuxnet operation, which took two to five years of development and still spread out of control beyond the intended target. Because of this trilemma, subversive operations tend to be either too slow, too weak, or too volatile to provide strategic value.
Evidence From Ukraine: 2014-2022
Evidence from the Russia-Ukraine conflict since 2014 supports these predictions. For several reasons, this conflict is where one would most expect to see the effectiveness and strategic value of cyber operations that prevailing theories predict. First, the aggressor is widely seen as one of the world’s foremost cyber powers with a reputation for recklessness. Second, Russia’s semicovert aggression against Ukraine from 2014 to 2018 led observers to coin the term “hybrid war,” a supposed revolutionary development in conflict short of war enabled by, among other things, the use of cyber operations. Third, Russia has experimented with the use of offensive cyber operations against Ukraine over several years, leading some observers to call it Russia’s “test lab for cyberwar.” Hence, if there was a way out of the trilemma through the evolution of capabilities, this conflict is where one would most expect to see it. Finally, the recent escalation to large-scale conventional warfare removed most barriers of restraint that could conceivably have led Russia to hold back more powerful capabilities.
Yet, the track record of Russia’s cyber operations against Ukraine underlines the limitations imposed by the trilemma. Between 2014 and 2018, Russia carried out five major disruptive cyber operations against Ukraine. They were part of a larger subversive campaign using both traditional and cyber means. I focus on the cyber dimension, and the operations pursued election interference, critical infrastructure sabotage, and economic warfare.
By and large, these operations failed to provide strategic value for Russia. Strategic value of operations and campaigns can be measured based on two outcomes: shifts in the balance of power and contributions toward achievements of the aggressor’s strategic goals. Russia has pursued two key goals in its aggression against Ukraine since 2014. The first goal is to prevent Ukraine from joining the Western alliance. The second goal, a corollary of the first, is to undermine public support for a pro-Western policy, and for politicians and government institutions aligned with it.
My analysis and field work in Ukraine showed that four out of the five cyber operations produced no measurable strategic value. Moreover, despite experimentation, Russian operators failed to escape the constraints of the trilemma. The 2017 NotPetya virus caused widespread economic disruption that did affect the balance of power by erasing half a percentage point from Ukraine’s gross domestic product. Yet its broad spread was the result of a control loss, and its successor, BadRabbit, shows clear efforts to improve control—yet at the cost of strategic impact. Considering their lack of individual impact, there is also little reason to assume these operations achieved a cumulative impact of the kind current theories predict. On the contrary, Russia’s escalation to conventional warfare indicates the opposite: Its subversive campaign, of which the cyber operations were a part, failed. In other words, as the alternative to force fell short, Russia reverted to war.
As Russia started massing its troops, many analysts predicted escalation in the cyber domain as well. Some even went as far as speculating that Russia could use cyber operations to substitute force. As with previous cyberwar warnings, these predictions mostly speculated on what is possible over examining what is feasible. Moreover, even if Russia had for some reason held back its cyber capabilities, the strategic context just laid out provided little reason to expect an escalation in cyberwar. After all, Russia had already tried to achieve its goals through subversion, and failed. Why go through the enormous costs and risks of mounting a conventional invasion before using supposedly less costly and as-effective cyber options? Based on this assessment, I argued earlier this year with Nadiya Kostyuk that cyber activity accompanying the invasion was likely, but that significant targeted damage was unlikely—rather, we predicted that collateral damage as a result of control loss was the main risk.
Russian cyber activity has largely been in line with these predictions. There has been a lot of low-intensity disruptive activity with mechanisms that require relatively little preparation, such as deploying disk wipers that delete data and disable systems, defacing websites, and mounting distributed denial of service attacks that temporarily disable systems and services. An attempt at causing more significant damage by disrupting the power grid failed entirely. The reason, it became clear, was insufficient preparation. “Sandworm,” the hacking group behind the attempt, repurposed existing code it had used in 2016 for the same objective rather than developing new malware. Consequently, the victims discovered the intrusion before it could produce an effect.
Breathless media reporting and marketing reports by private firms continue to play up the danger of cyber conflict. A Microsoft report from June even goes as far as attempting to establish equivalency between disabled computers and the assassination of Archduke Ferdinand that contributed to the outbreak of World War I. Yet there is no evidence any of these operations had a measurable impact on the course of conflict or Ukraine’s capacity to resist—much less any measurable contributions toward Russia’s apparent war goals. Tellingly, a Microsoft report from April promising analysis of Russia’s destructive hybrid war against Ukraine concedes it is “not able to evaluate their broader strategic impact.”
There is one exception from this pattern of low-cost, low-impact activity: the disruption of Viasat satellite communications services that hit precisely at the time Russia’s invasion started. This operation caused lasting damage to affected devices, permanently disrupting communications for users until they could source a replacement. Significantly, the Ukrainian military uses the system, and the deputy head of Ukraine’s special communications service, Victor Zhora, suggested this outage caused a “huge loss of communications.” It is possible this operation afforded a tactical advantage to Russian forces. Yet it is worth keeping in mind that despite their overwhelming material advantage, and this possible tactical advantage, Russian forces still fell far short of expectations during the initial phase of the invasion. Moreover, a reliable source from within Ukraine told me there was no evidence of an impact on military operations themselves. Instead, the main impact was on other customers of the satellite service, foremost operators of wind turbines across Europe whose access to their turbines’ monitoring software was suddenly cut off. Available evidence thus suggests the operation failed to produce a measurable impact on the target, while the uncontrolled spread of the malware involved produced significant collateral damage—raising international attention to this operation and, thus, incentivizing cybersecurity firms to analyze the tools used, thereby “burning” them for future use.
Conclusion and Policy Implications
This state of evidence suggests that rather than a revolutionary new instrument of power, cyber operations constitute an evolution in instruments of subversion that share both its promise and pitfalls. Under favorable conditions, especially enough time, cyber operations can conceivably impact the balance of power and weaken adversaries by eroding their pillars of strength. Under most circumstances, however, and particularly in urgent crises, due to the trilemma they will remain too slow, too weak, and too volatile to make a difference.
Three major implications for strategy and national security follow from this situation. First, policymakers and defense planners should focus on feasible effects under these constraints in prioritizing resource allocation and building counterstrategies. Otherwise, they risk not only wasting resources but also fumbling responses. In particular, a prevailing focus both in policy and in education on hypothetical “Cyber Pearl Harbor” scenarios risks wasting valuable time and money on countering highly unlikely threats that could be better spent on the relatively basic measures that can help foil most cyberattacks. Second, incorporating the trilemma into strategies of cyber conflict would improve both the offense’s efficiency and its effectiveness. Rather than fantasizing about cyber missiles knocking railway cars off the tracks in Russia, effective and efficient use of cyber operations would maximize their potential for slow-burning erosion and disruption over the long term—considering particularly the role of speed as a limiting factor. Third, defenders can leverage the trilemma against adversaries. Resilience and persistence, the two key pillars of current defensive strategies, are certainly important. But counterintelligence says that so is deception, misdirection, and monitoring of adversary activity to slow down adversaries, make them waste resources, and lose control. In short, the goal is to maximize efficiency under the trilemma for oneself, while minimizing it for the adversary. Creativity and cunning, not just persistence, is key.