Military Review English Edition May-June 2014 | Page 7

OFFENSIVE CYBERSPACE OPERATIONS However, two main problems hinder effective inclusion of OCO in deliberate operational planning. The first problem is that planning staffs have misconceptions about OCO capabilities and limitations within an operational environment. Moreover, staffs are uncomfortable with the highly classified and technically complex aspects of the cyberspace domain because they do not understand them. The second problem is that OCO do not fit neatly into the joint targeting cycle and require much extra work and time to incorporate into deliberate planning. Misconceptions About and Challenges to the Operational Employment of OCO Among the many common misconceptions about OCO, two are particularly significant. The first misconception is that OCO are nonlethal enablers that play a marginal role in operations. The second is that since details of OCO are either inscrutable due to their technical complexity or inaccessible due to their classification, they are not worth the trouble of trying to employ at an operational level. The “it’s just computers” misconception. A common perception among planners is that OCO are nonlethal means of attacking an opponent’s networks, with little physical effect. However, over the last decade OCO have become more than just a nonlethal enabler like electronic warfare. The nature and potential of OCO have not changed significantly, but our understanding of them has. A revolutionary weapon system typically starts out as an asymmetric weapon that can, under favorable conditions, be used to counter traditional forms of military power. A historical example is the use of gunpowder weapons in the hands of the Hussites, a band of 15th-century religious dissenters who used primitive firearms to defeat armored knights.1 In the 21st century, offensive cyberspace capabilities can give state and nonstate actors a new asymmetric weapon to use against traditional seats of power. An event in Estonia in 2007 is considered by some to represent the first offensive cyberspace attack against a nation. It began after the Estonian government removed a World War II Soviet war memorial commemorating a Russian victory over the Nazis.2 The Estonian government suspected MILITARY REVIEW May-June 2014 Russia of coordinating subsequent retaliatory cyber strikes at Estonia’s digital infrastructure, government command and control (C2), financial institutions, and media networks.3 The massive attacks shut down government agencies’ emails, published false documents, and severely limited Internet access. The digital bombardment lasted two weeks and forced a major bank, Hansabank, to shut down online services for more than an hour; its losses eventually were estimated around $1 million.4 The denial and disruption of government, media, and financial networks caused confusion and chaos without physical damage or destruction. The attack did great economic damage to Estonia. Coordinating a defensive response was very difficult because the attack was so widely dispersed—no single Estonian authority was responsible for defense of so many different cyberspace assets.5 How new asymmetric weapons become integrated into a standard military arsenal. After military forces have used a new asymmetric weapon successfully, they sometimes adopt it as a complement to the traditional military arsenal. For HussiteWagon, Alois Niederstätter, 15th century (Archive of the Austrian National Library) 5