Aviation electronics technician 3rd class conducts maintenance on aircraft targeting systems in aircraft intermediate maintenance department maintenance shop on USS Ronald Reagan, Philippine Sea, July 25, 2020 (U.S. Navy/Jason Tarleton)
principles for shows of force, deter- Differentiating rence, proportionality, and rules for warfare that rely on predictable and repeatable characteristics of the physical weapons employed. The advent of cyber Kinetic and Cyber warfare in the modern era, however, has illustrated that the assumptions used for the employment of kinetic weapons Weapons to Improve do not necessarily apply to the employ- ment of cyber capabilities. For example, unlike a physical missile or bomb, it is Integrated Combat difficult to predict the precise effects, measure the resulting proportionality, or estimate the collateral effects atten- By Josiah Dykstra, Chris Inglis, and Thomas S. Walcott dant to the use of a computer virus. As we discuss, the differences between kinetic weapons and cyber weapons arfare, with a history as old are discernible, manageable, and have as humanity itself, has been far-reaching implications for strate- Dr. Josiah Dykstra is a Technical Fellow in the predominantly conducted gic military doctrine, planning, and Cybersecurity Collaboration Center at the National W Security Agency. Chris Inglis is the Robert and through the application of physical operational employment in both power Mary M. Looker Professor in Cyber Security Studies force to disrupt, degrade, or destroy projection and defense. at the U.S. Naval Academy. Thomas S. Walcott is the Technical Director in the Cyber National physical assets. That long history has In order to wage and win modern Mission Force at U.S. Cyber Command. led to well-developed doctrine and conflict, the attributes of kinetic and
116 Features / Differentiating Kinetic and Cyber Weapons JFQ 99, 4th Quarter 2020 cyber weapons must be fully understood • Is it possible to limit the weapon’s that are grouped as differences in weap- singly and in combination. To date, dis- effects to those desired with accept- ons characteristics, targeting, and policy cussion and debate about the attributes able impact to innocent parties and and practice between cyber weapons and of cyber weapons have focused on a few assets? their kinetic counterparts. The table sum- basic characteristics, such as perishabil- • Will the use of the weapon contrib- marizes these differences. ity—that is, making it difficult to achieve ute to, or risk undermining, stability, the same precision, let alone confidence, the ability of the employing organi- Differences in Weapons that typically results from the use of ki- zation to manage escalation, and/ Characteristics netic weapons. For military leaders, and or other desired characteristics of Many discussions about cyber weapons the policymakers who determine the pur- adversary engagement? have focused on the basic attributes of poses and applications of military power, the cyber domain, such as the global The answers to these questions depend, the differences between kinetic and cyber interconnected network; the highly fluid in part, not only on situational factors weapons prompt a reevaluation of how interplay of its constituent components but also on a firm understanding of these individuals employ weapons and of hardware, software, and configura- weapon nuances. We draw out those measure their effectiveness, which foun- tion; and the resulting fragility of access details in the following sections. dationally relies on a clear articulation of paths needed by cyber operators to To frame the discussion, we must differences and similarities between the reach their intended targets. Contem- consider the weapons’ definitions. kinetic and cyber environments. We pro- porary discussions of cyber weapons Unfortunately, the Department of pose and describe a strategic framework, have also explored their high degree of Defense (DOD) does not explicitly define though not exhaustive, that could be perishability and rapid obsolescence.5 weapon in doctrine, though DOD does applied to any instrument of power em- These traits are becoming commonly use the word within other definitions. We ployed by a nation-state; we then describe understood today but are alone insuffi- start, therefore, with a dictionary defini- distinctions between kinetic and cyber cient to allow for a comparison of cyber tion for weapon as “an instrument of any weapons to draw out both differences and kinetic weapons. The additional kind used in warfare or in combat to at- and strategic implications. differences below can aid tactical and tack and overcome an enemy.”2 Notably, This article compares instruments of strategic thinking. weapons are traditionally employed to offensive kinetic and cyber power across Kinetic weapons typically gener- create both lethal and nonlethal effects. three key areas: weapons characteristics, ate access and effect (by force) nearly Joint Publication (JP) 3-12, Cyberspace targeting, and policy/practice.1 These instantaneously, while cyber weapons Operations, defines cyberspace capability as thematic categories emerged as we identi- necessarily separate access and effect into “a device or computer program, including fied 18 individual differences between two distinct actions, often divided by any combination of software, firmware, or kinetic and cyber weapons. The weapons a significant expanse of time (in some hardware, designed to create an effect in characteristics category includes differ- cases, cyber access is developed weeks or through cyberspace.”3 For the purposes ences in the inherent properties of the or months in advance of the intended of this discussion, we consider a cyberspace weapons as well as in the effects they can effect). In the Joint Operational Access capability distinct from (yet predicated deliver. The targeting category highlights Concept, the phrase operational access is on) some mechanism that enables access divergences in how the weapon influences defined as “the ability to project military to the system within which the intended target selection and pursuit. The policy force into an operational area with suf- effect will be achieved. JP 3-0, Joint and practice category covers differences ficient freedom of action to accomplish Operations, acknowledges that cyberspace in the current environment and maturity the mission.”6 Kinetic weapons can pro- attack is one capability that could create of the weapons. duce such access for force projection and nonlethal effects; other examples include As we unpack these areas, military provide antiaccess and area denial against electronic attack, military information sup- leaders should keep in mind three fram- opposing forces. Cyber weapons typically port operations, and nonlethal weapons. ing questions that can help guide the separate access from effect, and they often The military action known as fires, states selection and application of any weapon require a significant effort to construct JP 3-0, is to “use available weapons and and that apply equally well to kinetic and access tailored to the given target and other systems to create a specific effect on cyber: its environment. For example, denial- a target.”4 Cyberspace attack actions are a of-service attacks leverage the access Is the weapon able to achieve the form of fires and “create noticeable denial • provided by a path from the aggressor desired effect within the constraints effects (that is, degradation, disruption, or to functioning networks. Data destruc- of time available for planning and destruction) in cyberspace or manipulation tion attacks control access provided by execution, the professional skills of that leads to denial effects in the physical another means, such as remote exploita- the human operators, and materiel domains.” tion or social engineering, but the key to resources? In the following sections we intro- their success remains an access path from duce and differentiate 18 characteristics the attacker to the intended target. The
JFQ 99, 4th Quarter 2020 Dykstra, Inglis, and Walcott 117 Gunner and cannon crewmember, assigned to Chaos Battery, 4th Battalion, 319th Airborne Field Artillery Regiment, 173rd Airborne Brigade, dials in target of M777 Howitzer during live-fire exercise as part of Saber Junction 19, at 7th Army Training Command’s Grafenwoehr Training Area, Germany, September 11, 2019 (U.S. Army/Thomas Mort) implication is that cyber weapons require correct decryption key. Indeed, ransom- be observed and copied using playback significant tailoring, prepositioning, and/ ware relies on reversibility in order to be capabilities of digital systems designed or bundling with a target-specific, access- effective; demonstration of the capability to monitor the flow and storage of data creating capability. to deny access and the subject’s belief and software, even if it requires the cyber Kinetic weapons almost always pro- that it can be undone are the predicate attack to highlight the significance of duce irreversible physical effects, whereas to the victim’s willingness to pay ransom. a recorded session. The result is a high cyber weapons can produce completely Importantly, reversibility can be an asset likelihood that the cyber weapon will be reversible effects. Although a small frac- or limitation of cyber weapons, depend- copied intact and studied by an adversary, tion of weapons (for example, rubber ing on the objective of their use.7 even if the capture itself is after the attack. bullets) can deliver a quickly recoverable It is difficult to reverse-engineer Some experts have compared this situ- outcome, most are intended to produce and reuse kinetic weapons, since they ation to living in a glass house, arguing permanent or slow-recovery effects. are typically damaged beyond reuse as a that the use of cyber for offense neces- While cyber weapons can produce perma- condition of their employment. Because sitates the preparation and deployment of nent damage to the physical world—such cyber weapons are often comprised of defenses from the adversary repurposing as in the case of Stuxnet, which caused easily replicable software, they offer more the weapon against the attacker.8 In the physical destruction of centrifuges—other ability for others to observe, analyze, physical world, weapons platforms can cyber effects can be completely reversed and reuse the weapon by simply copying be kept at a distance from their target by either the attacker or the victim. the software and replaying the context and thereby protected from harm. For example, when a denial-of-service of its employment. Given the previously Ammunition from kinetic weapons is attack stops, the target systems return described time delay in constructing expendable and, once expended, is gener- to normal. Encryption, such as used in access and effecting employment of the ally difficult, impossible, or pointless to ransomware, is also reversible given the cyber weapon, many cyber attacks can reconstruct and replay.9
118 Features / Differentiating Kinetic and Cyber Weapons JFQ 99, 4th Quarter 2020 Although in the physical world some Table. Differences Between Kinetic and Cyber Weapons weapons—including nuclear, biological, Kinetic Weapons Cyber Weapons and chemical—challenge weaponeers’ Generate access Leverage access abilities to precisely constrain the physical Difficult to reverse-engineer and impacts when employed, kinetic weapons Use may result in others adopting it too repurpose typically have a quantifiable local effect Permanent effect Potentially reversible effects governed by attributes of the physical world. And while a nuclear device cannot Weapon Local effect Possible global effect be configured to destroy only the brick Consistent effect Variable effect buildings in a particular area, it could be Scale with volume Scale with use configured and employed to constrain Fixed effect Tailorable effect its effects to a physical region. Cyber ef- Predictable effect and effectiveness Sensitive to environmental changes fects, however, may deliver both local and High barriers for entry Low barriers for entry cascading effects, determined through configuration of the weapon, the target, One weapon, one target One weapon, many targets Can be significant prepositioning and the domain of cyberspace. Across Minimal geographic prepositioning the relatively brief span of the history of Targeting (system-specific) cyber weapons’ employment, seemingly Positive control Opportunistic localized domain and network hijacking Coarse targeting Surgical targeting attacks have often affected the global Significant experience Little experience Internet. The Petya attack attributed to Unambiguous intent Potentially ambiguous intent Russia in summer 2017 is an excellent Policy and Limited value below level of armed conflict Useful in all levels case in point. Though generally assessed Practice to be an attack by Russia on govern- Overtly attributable Tailorable attribution ment systems operated by Ukraine,10 Confident Mixed confidence the strike quickly spread to nongovern- mental systems across Europe—in one number, or volume of the payload, of imagine that a weapon capable of delet- case knocking out most of the global weapons deployed. Because ammunition ing a specific file could be rapidly and information technology system and as- is expendable, one kinetic weapon at the easily tailored to delete any or many other sociated global command and control of point of delivery impacts one target. And files. A consequence is that more prepara- the Maersk shipping line, among many while the number of kinetic payloads tion may be necessary to offer equivalent other widespread effects felt well outside delivered in an area can be increased, preparedness and confidence in defend- Ukraine.11 there is generally a correlation between ing against the cyber weapon. Kinetic weapons deliver consistent, payload mass, velocity, and kinetic effect. Kinetic weapons can yield predictable fixed effects that correspond with the at- A single cyber weapon could be used outcomes because the relevant variables tributes of the weapon in a world where against one or many targets simply by influencing the outcomes are well under- the physical properties of the target and coding the weapons effects, thus enabling stood. The laws of physics and their effect its environs, such as gravity and air den- inherent and impressively responsive scal- on kinetic weapons have been studied sity, are relatively stable. The same cyber ability. Ransomware is one example of the and documented, and environmental weapon could potentially be used for same cyber weapon reused against many changes have highly predictable and variable effect, depending on the nuances targets. A defensive corollary is that de- quantifiable impacts on the effective- of coding from subtle (so-called spyware) fending against kinetic weapons requires ness of a kinetic weapon. Cyber effects to dramatic (ransomware). Similarly, a a per-instance cost. Scaling defense for are extremely sensitive to changes in the fixed kinetic effect means that outcomes many targets against a cyber weapon, environment, from subtle changes in the cannot be tailored to a target. Cyber such as with antivirus software, is com- target’s software, hardware, or user set- weapons are malleable and can be easily paratively more cost effective.12 tings, to dynamic global networking that changed or tailored with high granular- Military planners likewise benefit serves as the connection between attacker ity to produce a custom effect on only a when given choices across a spectrum of and target. Small, potentially unobserved specific device or chip. effects. Kinetic weapons offer fixed ef- changes to software or networking could Modern military operations require fects; that is, the effect is predetermined significantly impact the effectiveness of a agility and adaptability in plans and crisis at the time a given weapon is created. cyber weapon that relies on very specific response, including the flexibility to Cyber weapons could also be created software settings. scale operations up and down. Scaling with a prescribed action or outcome but Finally, we note the difference in the the effects from kinetic attacks gener- are likely to offer a tailorable effect at accessibility of kinetic and cyber weapons. ally comes from increasing the literal the time of employment. One can easily Today, entry-level cyber weapons are
JFQ 99, 4th Quarter 2020 Dykstra, Inglis, and Walcott 119 Marines with Marine Corps Forces Cyberspace Command in operations center at Lasswell Hall aboard Fort Meade, Maryland, February 5, 2020 (U.S. Marine Corps/Jacob Osborne) increasingly common as a commodity conversely, continue to remain out of Another important distinction is the widely shared by aggressors of vary- reach in cost, expertise, or availability to standoff range from the target. Kinetic ing technical capability. The pervasive many adversaries. weapons can be effective with minimal availability, low cost, and low expertise prepositioning relative to the target—this necessary to operate them mean that Differences in Targeting is particularly true for kinetic weapons of cyber weapons could be employed by The first difference in the targeting long geographic range. Physical geog- many state and nonstate actors. Tools category is in the weapon-to-target raphy matters much less in cyberspace, that are freely available (for example, the ratio. At the point of impact, a kinetic but the complex digital environment widely available Metasploit) or on the weapon is intended for a single target. often demands significant prepositioning open market (Core Impact) are easily Although the scope and scale of the and initial preparation of the battlespace weaponized for cyber attack. For the target may vary, even kinetic weapons of before the cyber weapon can reach the United States, this situation is both a mass destruction are limited in time and target. liability, in effectively arming more ad- space. Conversely, cyber weapons offer Targeting is affected by the degree versaries through the increased exposure an ability to affect many targets across of control over the target (the find and of U.S. cyber weapons, and a potential time and space, in some cases leverag- fix problem) and the weapon (the finish opportunity, by raising the cost to ad- ing each target as the launch platform problem). Precise targeting and posi- versaries of conducting cyber attacks by for the next. Cyber weapons are not tive control over the selection of targets forcing them to counter the greater num- expended on use unless someone devel- for delivery of effects are important to ber of platforms that economies of scale ops an inoculation, such as a patch— achieving military objectives and avoid- allow the United States to bring to bear. and even in that case, the inoculation ing collateral damage. Cyber weapons In general, large-scale kinetic weapons, may not be global. may require a mix of opportunistic and
120 Features / Differentiating Kinetic and Cyber Weapons JFQ 99, 4th Quarter 2020 discriminating targeting. Stuxnet is a case modern nations. Cyber weapons, how- the experience necessary to grow confi- study where the weapon was designed ever, can convey ambiguous messaging, dence in their effectiveness. to roam across many systems, infecting either in their intended effect or in their those that met the target criteria while linkage to a particular actor (the attacker) Evolution of Cyber Weapons bypassing those that did not.13 This is an or a discernible campaign. This situation as a Strategic Capability example of opportunistic access as op- might be preferred if the cyber weapon Comprehensive national security posed to positive control over the systems was an enabler for an integrated kinetic requires the consideration and coordi- infected. It further illustrates the differ- attack; it could be most undesirable if nated use of all instruments of power ence between access and effect. the cyber attack was the main effort in a across every phase of conflict. It is Drawing distinctions in the granular- campaign designed to impose costs and important to highlight that cyber has ity and precision allowed by kinetic or message the adversary. only recently emerged as a full instru- cyber weapons makes it easy to highlight Cyber weapons offer unique value in ment of power and strategic capability the difference between the coarse target- all stages of conflict and confrontation, for the United States. This development ing and surgical effect of cyber weapons. and they can be particularly effective was possible given a confluence of delib- Stuxnet had a surgical effect against spe- when employed below the level of armed erate thought and exploration, as well cific targets, coupled with (comparatively) conflict. Continuous global gray zone as significant milestones in law, policy, coarse targeting for access. Precise target- conflict in cyber exchanges is likely to and strategy, but much work remains to ing requires good technical design and occur for the foreseeable future.15 Kinetic elevate cyber’s maturity to the level long good intelligence.14 There are few, if any, weapons, conversely, are by definition not enjoyed by the kinetic realm of warfare. kinetic weapons that can operate with employed outside of armed conflict—this The growing maturity, especially in the coarse access and surgical effect. may be the most distinguishing and area of policy and practice, will con- important difference between kinetic and tinue to shape the future of integrated Differences in Policy cyber weapons. In June 2019, the press warfare. and Practice reported that U.S. Cyber Command In 2018, the Defense Science Board Today, the accumulated experience with (USCYBERCOM) carried out cyber at- (DSB) Task Force on Cyber as a Strategic cyber weapons has not yet achieved tacks against Iran in response to Iranian Capability determined that DOD “must the same maturity as that with kinetic aggression.16 Although the attack was co- move beyond tactical applications for weapons. There is a robust wealth of ordinated with plans for kinetic weapons, cyber and realize cyber as a strategic ca- experience in the development, analy- the cyber option was executed because pability.”18 The task force was also asked sis, and use of kinetic weapons; most the United States apparently elected not to compare cyber with kinetic capabilities, have evolved slowly over decades or to exercise kinetic options. This scenario including unintended consequences and centuries of refinement and applica- may demonstrate that cyber was a less collateral damage. Key conclusions of the tion. The Joint Technical Coordinating escalatory, nonkinetic option that still DSB’s final report were that, regardless of Group for Munitions Effectiveness, for provided a response and message to Iran. the means employed to generate a given example, was established in 1964 to For nation-states, kinetic weapons effect, a strategic capability had the fol- provide weapons effectiveness data in carry an overt attribution of the instiga- lowing generic attributes: joint munitions effectiveness manuals. tor. Attribution in cyberspace remains The capability can create a discern- No such structure exists for cyber a difficult problem, as tools and in- • ible, and preferably enduring, effect weapons. Furthermore, militaries have frastructure are easily obfuscated and on a target’s materiel, efficiency, extensive experience, including train- manipulated.17 Cyber weapons, therefore, and/or will (that is, the adversary ing, in employing kinetic weapons. The offer customized attribution. Revealing respects and is influenced by the relatively recent emergence of cyber attribution at a time of the attacker’s capability). weapons has not yet had sufficient choosing is a powerful capability. The capability is sufficiently well time to produce the same amount of Humans, including leaders and • developed and mature that it can experience. As a result, hesitance and decisionmakers, weigh their choices, in generate the desired effect within uncertainty about integrating cyber as a part, according to their confidence in the a reasonable time of a stated need strategic weapon remain. options available. Modern military leaders (that is, it is responsive to policy and When weapons are deployed, their have high confidence in kinetic weapons, combatant commander needs). use conveys a message to the adversary. owing to experience and training. Today, The capability can be regenerated The intent behind the use of kinetic cyber weapons bring mixed confidence in • within a reasonable time (that is, it weapons is nearly always unambiguous. the effects and effectiveness of the weap- can support campaigns in addition to The escalation of conflict means that both ons. Persistent operational engagement, one-time [tactical] strikes). sides understand, on some level, what the combined with science and technology in other seeks to achieve through the con- modeling and simulation, will help build Four milestones over the past 2 years flict. The use of force is the last resort for were instrumental in transforming this
JFQ 99, 4th Quarter 2020 Dykstra, Inglis, and Walcott 121 Air Force special tactics operators cross field to approach second target building during operability training at Eglin Range, Florida, April 22, 2020 (U.S. Air Force/Rose Gudex) aspiration to reality. National Security of integrated kinetic and cyber warfare. generally most effective when integrated Presidential Memorandum 13, U.S. Cyber attacks, independent from kinetic with other fires.”23 At present, there is in- Cyber Operations Policy, provided the action, are increasingly common, sup- sufficient experience to validate that claim necessary policy,19 the National Defense ported by nation-states, and undertaken other than intuition. Cyber and kinetic Authorization Act for fiscal year 2019 by independent actors. Yet even conven- weapons can be incredibly powerful on provided the statutory basis,20 and the tional warfare is beginning to integrate their own and can achieve a desired mili- DOD Cyber Strategy provided the doc- cyber capability—for example, Russia’s tary outcome independently. If the ideal trine.21 Furthermore, USCYBERCOM invasion of Ukraine was preceded by of military dominance is to avoid armed was elevated to a combatant command, cyber attacks against critical infrastruc- conflict altogether, cyber capabilities pres- and its present commander, General Paul ture. The United States must quickly ent unique opportunities to produce a Nakasone, USA, has begun to employ learn to integrate cyber capabilities to wide range of effects. these newly assigned authorities under the greatest possible effect. Nuanced insight about the differences the doctrine of persistent engagement.22 The differences between kinetic and between weapons allows military leaders These milestones demonstrate that cyber weapons explored in this article to more fully integrate kinetic and cyber. the United States is willing and able to demonstrate that the capabilities are dis- Apart, the kinetic and cyber domains may employ cyber capabilities, albeit in combi- tinct but complementary and potentially not deter or stop a modern adversary. nation with other capabilities, to protect multiplicative in impact when applied in New options must be made with respect itself in and through cyberspace. combination. Some researchers have hy- to the differences between the domains. pothesized that integrating the weapons The military is beginning to learn how, The Future of Integrated will even present new and expanded op- where, and when to use cyber weapons. Kinetic and Cyber Combat tions for military power. JP 3-12 appears That knowledge will then allow leaders The ability to win and prevent modern to support this assertion, stating that “cy- to determine if these domains could be wars brings an urgent need to under- berspace attack capabilities, although they leveraged in a complementary fashion. stand the unique risks and opportunities can be used in a stand-alone context, are
122 Features / Differentiating Kinetic and Cyber Weapons JFQ 99, 4th Quarter 2020 Many open questions remain about focus of significant academic and governmental understood and defenses are known). Second, research, making it an area where both practice cyber weapons represent the code that produces the integration of kinetic and cyber and theory are rapidly evolving. See, for ex- the effect and are distinct from the access vector combat. By presenting an even broader ample, Michael P. Fischerkeller and Richard J. that enables the effect; defenses against the full scope of possible effects, hybrid kinetic- Harknett, “Deterrence Is Not a Credible Strat- spectrum of possible access vectors can be quite cyber weapons systems and operations egy for Cyberspace,” Orbis 61, no. 3 (2017), costly and might not scale well. raise new questions about the practice of 381–393, available at
JFQ 99, 4th Quarter 2020 Dykstra, Inglis, and Walcott 123