Enable breadcrumbs token at /includes/pageheader.html.twig

Disruptive by Design: Cyber Operations and Total War

The history of air power theory and practice offers considerations for those preparing to defend against cyber warfare.

By Maj. Brian Kerg, USMC

The history of air power theory and practice offers considerations for those preparing to defend against cyber warfare. Most early air power advocates emphasized strategic bombing and its potential to quickly compel an enemy to sue for peace.

Gen. Curtis LeMay, U.S. Army Air Corps, who oversaw the shift to strategic bombing, said following World War II, “I suppose if I had lost the war, I would have been tried as a war criminal.”

While the United States began the war by prioritizing precision bombing, it proved ineffective. Gen. LeMay oversaw the shift to strategic bombing with a goal of maximum destruction. Gen. LeMay further summarized the heart of the strategy this way: “I’ll tell you what war is about. You’ve got to kill people, and when you’ve killed enough, they stop fighting.”

While this is not how World War II played out, campaign planning often focused on the seizure of airfields to further extend the range of heavy bombers and maximize opportunities to destroy industrial centers. Arguably, the dropping of the atomic bombs saw the full manifestation of air power theory in action.    

Cyber warfare theory stands in sharp contrast to air power theory. There is no meaningful strategic advocacy for cyber as a means to break an enemy’s will to fight. Indeed, strategists and military planners would be hard-pressed to make the case that the ultimate destructive power of a nonkinetic domain could ever rival that of strategic bombing. Congruent with the nature of cyberspace, offensive cyber operations focus largely on intelligence and espionage activities rather than on inflicting the type of destruction traditionally associated with conventional warfare. When cyber attacks are conducted, they are usually precise and piecemeal. The release of the Stuxnet worm, which destroyed nearly one-fifth of Iran’s nuclear centrifuges, remains the highwater mark for such operations.

Still, cyber attacks are increasingly common, and they have strategic impacts on daily life. The Colonial Pipeline hack effectively crippled the eastern seaboard of the United States for a week, the SolarWinds hack handicapped nearly 250 businesses and government agencies as they scrambled to secure this breach, and the cyber attack against meat processing company JBS disrupted a pillar of the nation’s food supply. While no massively lethal attack has yet occurred, a cyber attack against the water plant in Oldsmar, Florida, was a hair’s breadth away from poisoning thousands of people.

Cyber planners and operators necessarily consider the cost of deploying any given exploit. Many are ‘use it and lose it’ in nature, in that deploying an exploit reveals the weakness upon which the exploit depends, allowing it to be patched. But in a conventional conflict, an ambitious enemy might seek to maximize the destructive potential of cyber warfare by deploying and sustaining as many cyber attacks as possible, with the goal of wreaking societal chaos and national paralysis within the targeted country. This could result in mass casualties among the civilian population through scenarios like the Oldsmar water-plant attack. Indeed, systems destruction warfare is a theory of victory espoused by the People’s Republic of China, and a massive cyber attack against the operational systems upon which the United States depends would meet this theory’s criteria.

While the most likely cyber attacks will continue to be launched against precisely selected targets, public and private entities must consider the ramifications of a massive, sustained cyber attack aimed at maximizing systematic destruction and human suffering on a national scale. In a conventional war, no target will be off-limits. Whole-of-society efforts for defense, resilience and recovery of the networks on which the nation depends, coordinated by the Cybersecurity and Infrastructure Security Agency, should be planned today to prepare for such a conflict.

Brian Kerg is a Marine Corps officer and writer. He is a nonresident fellow at Marine Corps University’s Brute Krulak Center for Innovation and Creativity and currently serves as a student at the School of Advanced Warfighting. Follow or contact him on Twitter @BrianKerg.