In his book Offensive Cyber Operations, Moore is disappointed in the warfare revolution promised by the introduction of computers. He presents the US Secretary of Defense as being disappointed in the effectiveness of US Cyber Command in the battle against ISIS in 2016. At the same time, he presents the UK's GCHQ tooting its cyberhorn in the campaign against Daesh in 2020.
Camo or jeans
Moore uses this contrast to introduce two different categories of offensive cyber operations:
- short event-based operations by camouflage units
- extended presence-based operations by intelligence units in jeans
At this point, we discover Moore's aversion to cyberwar terminology, which implies war based on 100% cyber. However, the destruction of enemy targets still works better using rockets than keyboards. Instead of the mythical cyberwar, Moore prefers to use a spectrum of violence that starts with cyber operations and ends with cyber warfare. To determine where operations fall within this range, he introduces five criteria:
- target
- physical impact
- adversary
- goal
- relation between adversary and goal
Moore dedicates an entire chapter to illustrating these criteria and covers SolarWinds (few points, only some data loss), the US Democratic National Convention (more points but a non-military strategic target), Stuxnet (full points), and many more examples. Your offensive cyber operations need to be extravagant before reaching the warfare threshold!
Old wine
According to Moore, cyber warfare isn't entirely new; it is an evolution of previous forms of intangible warfare: electronic warfare and command & control warfare. To illustrate, he covers the disruption of German night radar in the Second World War, the jamming of rocket guidance in the Yom Kippur War of 1973, and Desert Storm. Cyber warfare is nothing more than operationalizing the fact that the entire world is networked together within only a few milliseconds.
Surprise, deception, and destruction
Cyber scores very low on the destruction aspect of warfare, which has strategic and operational consequences in deploying cyber. Moore spends 33% of his book illustrating vividly how various states employ cyber to achieve their political and military goals:
- The US (high quality but bureaucratic)
- RU (aggressive but poorly done)
- CN (masters in presence-based operations)
- IRN (aggressive but sloppy)
Special operation
Moore had already finished his book when Russia started its special operation in Ukraine. Still, fortunately, he spends almost forty pages on that other potential special operation by the People's Republic of China (PRC) against the Republic of China (ROC), also known as Taiwan. This analysis is the showpiece of his book, where various threads come together: China is proficient in presence-based operations but untested in the event-based operations required for a successful invasion of Taiwan. Moore already concluded we could not expect much destruction from cyber, but China will need all the deception and surprise, not only to land in Taiwan but also to deceive or surprise the US 7th Fleet. To top it off, Moore applies threat modeling to various military systems and data protocols to identify risks for Taiwan and opportunities for China.
Cyberwar may be bullshit, but Moore vividly illustrates the vulnerabilities and opportunities of cyber in today's warfare.