Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition

Offensive cyber operations in the test of time

A year since Daniel Moore published his book on offensive cyber operations, he revisits his main tenets
Main Top Image
This image was created by with the assistance of Midjourney

In 2022, I published ‘Offensive Cyber Operations: Understanding Intangible Warfare’. The book attempted to capture the breadth, depth, and nuances of offensive cyber operations. I analysed campaign complexities through four major claims and by focusing on four case studies: the United States, Russia, China, and Iran.

A year has now passed since publication. Did I get it mostly right?

The answer, on the whole, is yes.

Joint offensive operations

Claim 1: Conducting joint offensive cyber operations – in harmony with an overarching military strategy – is difficult to do consistently well

Unique to military operations, offensive cyber does not work at a battlefield tempo – at least not easily. Preparing a single strategic capability may require days to years of careful work: target development, network intrusion, intelligence collection, pre-positioning, and bespoke research and development. This process is resource-expensive and high-risk, and the resulting capability may only be used in a handful of instances. Despite the perception, a cyber operation done well is anything but cheap. It requires both investment and patience.

I predicted that only top-tier threat actors would launch strategic offensive cyber operations and would do so infrequently. Military planners know that capabilities are not useful when used in isolation: they must be used jointly. Offensive cyber operations have proven difficult to integrate effectively with other military activities, and therefore are often shunned by impatient forces in favour of more predictable, well-understood means.

We continue to see precious few instances of offensive operations. Even a war at the scale of the Russian invasion of Ukraine has not publicly yielded many examples. The most notable incident thus far was the 2022 attack against the Viasat satellite network, which purportedly impacted the Ukrainian military at the early stages of the invasion. The Viasat attack demonstrated a rare alignment of objectives, targets, forces, and effects. But it was a one-off, and all attacks that followed have been opportunistic wipers employed against wartime objectives with little regard for harmonising effects or truly supporting manoeuvring forces.

Cyber operations & electronic warfare

Claim 2: Cyberwarfare and electronic warfare are wartime siblings and share both history and use

Researchers underplay the crucial relationship between offensive cyber operations and electronic warfare. They are operational siblings. This relationship is more than a curiosity: offensive cyber operations can and should be used as an extension of electronic warfare in tactical scenarios. As battlefields become increasingly packed with transmitting equipment and data streams, combining electronic warfare and cyber capabilities offers significant military potential.

Electronic warfare has evolved well beyond simply transmitting disruptive patterns on the electromagnetic spectrum. Such capabilities can now produce meaningful data, resulting in feeding junk readings to undiscerning sensor software, overriding command and control telemetry, or exploiting protocol vulnerabilities. Considering electronic warfare may now impact the target’s software or even its underlying network, these tactics should be viewed at least partly through the lens of offensive cyber operations. More and more scholars and practitioners agree.

Civilian technology, including radios, phones, laptops, and drones, is commonplace on the battlefield. While practitioners often (rightly) mock the label “military-grade” as insubstantial, military hardware has often undergone useful “hardening” — investment to ensure survivability under harsh, adversarial circumstances. Civilian equivalents rarely have the same qualities, for good reason – a hobbyist using a commercial drone does not require the same anti-jamming defences that a fielded unit requires when directing deep artillery strikes. Yet nowadays, both may end up using the same equipment.

The explosive use of commercial off-the-shelf hardware and software in wartime sharpens my year-old argument. Tactical targeting of both civilian and military equipment by cyber-enabled electronic warfare will only become more frequent. These activities should be considered part of cyberwarfare, alongside the classic network intrusion approach.

An eager Russia

Claim 3: Russia is a prolific, technically capable cyber offensive actor, but consistently disappoints

Russia is often considered a top-tier user of offensive cyber capabilities. Perhaps controversially, I argued instead that they are severely hamstrung by their own operational culture. Russian cyber forces are operationally impatient and lack discipline. As a result, they often create massive collateral harm or radically undershoot their objectives.

In the past year, this claim has become even more evident. Nearly every major Russian cyber operation was riddled with issues. Even the Viasat attack was a sledgehammer where a scalpel may have fared better. Cascading impacts against a range of critical non-combatant targets demonstrated poor tradecraft and further codified Russia as an irresponsible belligerent. Russia has had limited success in fielding effective coordinated strategic operations following Viasat, a further indication that its forces are not up to the task. Opportunistic wipers that roughly correspond to targets of kinetic operations are of limited use to the Russian military campaign.

Moscow is still unable to overcome the limitations of its own operational culture. Strokes of technical brilliance are shrouded by internal competition, poor leadership demanding instant results, a disregard for consequences, and limited effective coordination of cyber and kinetic operations.

Comparably, Russian security services remain dangerous adversaries. Their eagerness to target civilian critical infrastructure and wanton disregard for collateral damage means that they pose a grave threat to both their intended targets and those who happen to share infrastructure, software, or equipment with their targets. However, their limited ability to consistently execute against military objectives means that they remain unproven in wartime.

An adaptive China

Claim 4: China is an adaptive, ascendant threat, one largely yet untested in conflict but attentive to lessons painfully learned by others

I previously claimed that China shows promise in its cohesion and adaptability. Chinese officials have marshalled their national resources to build up a potent cyber force. They have established software vulnerability pipelines, developed a quasi-private sector, and unified their military structure to conduct cyber operations effectively. Similarly, they have a proven track record of implementing lessons learned by others, including in the field of cyber operations.

However, we have yet to see what they can achieve. Although we have observed reasonably high-quality Chinese network operations for several years, we have little public evidence of bleeding-edge offensive operations indicative of an ability to degrade bespoke Western military hardware or networks.

Nonetheless, they appear to be getting better. Reporting from private-sector threat intelligence companies and the government suggest that Chinese tradecraft is improving. Some security companies note that Chinese intrusions are becoming harder to observe. Even when detected, Chinese threat actors demonstrate more mature efforts at evasion, persistence, and pursuit of objectives. This trajectory suggests that China’s longer-term military goals, such as its targeting of Taiwan, may have also matured. When paired with a robust Chinese doctrine and structure encouraging integrated use of offensive cyber within military operations, they are set up to do well.

Conclusion

Even short-term predictions in cyberspace are volatile. Public visibility is limited, and our experience short-lived. My assessments have held so far because each of my claims holistically examined each country — through doctrine, leaks, technical documents, geopolitical context, and visible operational activity. The most effective way to produce sustainable analysis in cybersecurity is by relying on the full range of sources our field has to offer.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.