Cyber ​​attacks are acts of war

Military cyber operationsState hacking does not decide a war

Dr. Matthias Schulze is deputy head of the security policy research group at the Science and Politics Foundation. He conducts research on cyber conflicts and cyber security. He runs the podcast on these topics. This article is part of his study "Military Cyber ​​Operations: Benefits, Limitations and Lessons for Germany", which will be published on Monday.

For political scientist Joshua Rovner, the term cyber war is misleading. Cyber ​​attacks follow less the logic of war and violence than the game of intrigue, deception and subversion of secret services. Using cyber attacks for military purposes makes about as much sense as stealing secret documents with a tank: theoretically feasible, but certainly not the best method of choice.

If this thesis is correct, two questions arise that nobody in Germany really wants to answer. What are military cyber attacks for? And more specifically, what does the Bundeswehr's Cyber ​​and Information Room Command actually want to use cyber attacks militarily for?

Cyber ​​Defense: Theory and Practice

The Federal Government's strategic documents, such as the White Paper or the Defense Policy Guidelines, only give very vague answers to these questions.

In the event of a defense, the Bundeswehr should take care of "defense aspects of national cybersecurity". This means that if an armed attack triggers a state of tension or a state of defense, the Bundeswehr may launch cyber attacks to defend itself. That’s the theory.

In practice, cyber attacks tend to lack the characteristics of armed attacks such as widespread violence and destruction. It is therefore unclear exactly when the Bundeswehr may become active. Because civil authorities such as the Federal Office for Information Security and the police are usually responsible for cyber defense. In most cases, the Bundeswehr is therefore not allowed to do more than defend its own networks.

In order to resolve the ambiguity and allow the Bundeswehr to take action earlier, the inspector of the cyber and information space suggested the creation of an upstream “digital defense case”. But the initiative failed because of fundamental rights problems.

Cyber ​​attack: silence and secrecy

What about foreign assignments? In the strategic guidelines of the Bundeswehr, cyber capabilities are referred to as "supporting, complementary and substituting means" to support conventional armed forces in combat missions. How exactly this should look is not stated.

In the conception of the Bundeswehr, the terms “coordinated influencing of opposing systems and critical infrastructures”, “information warfare” and effects in the “electromagnetic spectrum” are used. So does Germany want to hack critical foreign infrastructures and switch off the electricity somewhere? It doesn't get any more specific here either.

In some press statements, General Leinhos thinks about "triggering remote controlled booby traps". And then there is the hack of an Afghan cell phone provider in 2016 to find out geoposition data from hostage-takers. Apart from that, surprisingly little is learned about the purpose of Bundeswehr cyber attacks.

Military cyber attacks seem to follow the logic of secret services here too: They are good for monitoring target persons and are wrapped in a cloak of silence and secrecy.

Cyber ​​and war: poorly suited

In order to answer what cyber attacks are good for from a military point of view, it must first be clarified which tasks armed forces have. Historically, armed forces were created to conquer or defend physical territory and armed defeat against adversaries. Ultimately, this is supposed to enforce peace.

Cyber ​​attacks are extremely unsuitable for these goals. Much like an air force alone cannot conquer territory, cyber commands alone cannot win a war. As a rule, physical troops cannot be digitally disarmed or beaten down permanently.

The problem is the potential resilience of the opponent, i.e. the ability to restart after a cyber attack and to be ready for action. The US cybercommand experienced this in the Syria conflict in 2016. The US wanted to hack and thereby paralyze the digital propaganda activity of the Islamic State. This initially succeeded, but as soon as social media accounts went offline, the IS created new ones. So the opponent was extremely resilient.

The digital activity of the IS only declined significantly with the physical push back by Allied troops. US Secretary of Defense Carter was disappointed in the aftermath of military cyber attacks: "The cybercommand has never really produced effective cyber weapons or techniques against IS."

Cyber ​​skills are also of little use in asymmetrical conflicts, the dominant type of conflict nowadays. Modern computerized weapon systems from high-tech states can be hacked. AK-47 assault rifles and improvised pick-up trucks have not yet been used, but it is precisely these that are used by numerous guerrilla and rebel groups around the world.

In vast desert areas such as Afghanistan or in jungle contexts such as in the Congo, it is difficult to even find sufficiently digitized targets that could be hacked. Cyber ​​attacks have so far hardly been suitable for conflict scenarios in less digitized regions with weak statehood, especially those areas in which the Bundeswehr is most active.

The real opponent is called complexity

What about digitized opponents such as states? In the past, cyber attacks were used in interstate conflicts, such as by Russia in Ukraine.

A simple rule of thumb applies here that determines the usefulness of military cyber attacks: Cyber ​​attacks with the military intention of physically destroying targets are often more complex and more error-prone than cyber attacks for the purpose of espionage, for example.

The US learned this lesson in 2016. At that time, the US cybercommand was secretly preparing a strategic cyber attack against Iran - air defense, military communications, power supply. It was an emergency plan in case the diplomatic negotiations on the nuclear program failed.

Although the US cybercommand has several thousand of the best hackers, it called off the attack: it was too complex and too risky. Since IT systems are interdependently networked, it is difficult to estimate in advance what collateral effects a failure of the whole of Iran would have had, for example on financial and trade flows in the region or global stock exchange prices.

Great effort and limited effect

Anyone who wants to switch off a country electronically over a longer period of time also needs dozens of unknown IT weaknesses in critical infrastructures such as energy providers. From this, malware is tailored for individual target configurations, which takes a lot of time.

This specialized malware has a limited use-by date. It can become worthless with every update of the target system. It is therefore extremely complex to keep an eye on the interactions between dozens of interlinked zero-day cyber attacks.

Cyber ​​espionage is also often the logical precondition for military cyber attacks with a destructive effect. With this, important information about the interaction of opposing infrastructures and defense systems can be obtained. This espionage access is often more valuable than electronically switching off a target and thus losing access.

In the absence of this intelligence, military cyber attacks run an enormous risk of failure and unexpected collateral damage. Complex attacks such as Stuxnet are therefore extensively simulated and tested, which in turn means a longer preparation time.

Cyber ​​in crisis

The long preparation time makes cyber capabilities extremely unusable in unexpected crisis situations. The US cybercommand also had this experience when it wanted to use cyber capabilities against the Libyan air defense in 2011 in order to enforce a no-fly zone.

Since there was no secret service information about the nature of the enemy systems, cruise missiles were used instead of cyber attacks to permanently destroy the Libyan air defense.

Instead of hoping for error-prone and time-consuming cyber attacks, military decision-makers tend to rely on familiar, conventional means when in doubt.

Little noise and little smoke

Even if cyber attacks are carried out successfully in armed conflicts, their military effect has so far been rather limited. Russia, for example, uses cyber attacks to support armed forces in Ukraine, for example to spy on artillery positions and thus to facilitate conventional attacks. In 2007, Israel also used malware against a Syrian radar system so that the Israeli air force could switch off a test reactor unnoticed.

However, this complementary interaction between cyber and conventional attacks often does not work properly in practice. The slow development cycles of malware often do not match the military operations planning of conventional armed forces, where quick action is often required before a window of opportunity closes.

Military cyber attacks are therefore more relevant to the secret service, even in conflict situations, and so far have at least not been decisive for the war.

Cyber ​​espionage: Aggressive and dangerous

Now what about the national defense scenario? Since most military equipment today is powered by software that is full of security gaps, a conventional attack on Germany, for example with tanks, could at least in theory be severely disrupted and slowed down by means of cyber attacks.

But there is a catch in practice. In order for a digitized tank to be paralyzed by a cyber attack in a national defense situation, malware must first be developed for the control systems of that tank. Ideally, a copy of the source code must be stolen by cyber espionage, even in peacetime.

The Bundeswehr's Cyber ​​and Information Room Command wants to incorporate information about zero-day vulnerabilities in opposing systems into its own cyber situation report. Where this information comes from remains unanswered.

In order to obtain such information, states hack arms manufacturers, defense ministries, operational commandos or even defense systems, for example those used to control nuclear weapons. Cyber ​​espionage is used to “prepare the battlefield”, as it is called in US jargon. This can shorten the long development times of malware.

However, this intelligence pre-emption logic is extremely dangerous. For cyber attacks to be effective in the case of national defense, offensive cyber espionage attacks must be carried out in peacetime in order to obtain the information that is needed for the defensive.

This fact distinguishes cyber "reconnaissance" from traditional military reconnaissance. Traditional education is more passive and often harmless. Reconnaissance using radar or spy satellites generally does not violate the territorial integrity of opponents.

Cyber ​​intelligence or espionage is more aggressive, as systems in foreign countries have to be actively broken into. This means that aggressive acts that are unfriendly under international law will be carried out. States react to this for their part with armament and the legalization of "hack-backs".

War and Peace: The borderline softened

It seems to be true: Cyber ​​attacks follow less a military, but more a secret service logic. The result is secrecy and the softening of the line between war and peace. This makes the actions of the armed forces less transparent.

Since the Bundeswehr is a parliamentary army, parliamentary control should be strengthened in order to compensate for the secrecy of the military.

Would you like more critical reporting?

Our work at is financed almost exclusively by voluntary donations from our readers. With an editorial staff of currently 15 people, this enables us to journalistically work on many important topics and debates in a digital society. With your support, we can clarify even more, conduct investigative research much more often, provide more background information - and defend even more fundamental digital rights!

You too can support our work now with yours Donation.

About the author

Guest Post

Guest contributions are contributions from people who do not belong to the editorial team. Sometimes we approach authors and publishers to ask them about guest contributions, sometimes the authors approach us. Guest contributions do not necessarily reflect the opinion of the editors.
Published 08/09/2020 at 09:00