Angwin: Let’s start with the basics: What is cyberwarfare?
Maschmeyer: In the mid-’90s, when the World Wide Web was developed, this idea of cyberwar first emerged. It was the idea that if you exploit information technology, it will give you new opportunities in warfare. Exactly to what degree it impacts war is up for debate, but many assumed cybertactics would revolutionize warfare. This belief was based on the assumption that operations that exploited information technology would be extremely fast, effective, hard to detect, and would, in some way, approximate what you would otherwise only achieve with weapons. This view became quite influential and started impacting policy.
Angwin: Do you believe that cyberwarfare has the potential to revolutionize war?
Maschmeyer: The problem with this belief is that it remains a hypothetical idea that hasn’t happened in practice. It’s based on what is theoretically possible with this technology, but it neglects all the practical challenges that are involved with achieving a massive surprise attack. There has been more research in recent years showing that it is actually very hard to cause physical effects through cyberoperations. It takes a long time, it’s really complex, and a lot of things can go wrong with these operations.
I have been looking at cyberwarfare systematically and empirically in order to understand how these operations work and what can actually be achieved. What I realize more and more is that cyberoperations aren’t that new; they have much more in common with old-style intelligence and covert operations, like traditional espionage with spies. Specifically, I argue they are a new form of subversion, which works through infiltrating, exploiting, and manipulating systems. Yes, there are new targets and technology, but the mechanism of exploiting and infiltrating systems is very much the same.
Angwin: In light of your work, how do you understand the threat of Russian cyberwarfare in the war in Ukraine?
Maschmeyer: There has been a lot of sensationalist reporting, especially on the 2015 and 2016 power grid attacks in Ukraine. You had all these stories saying, “Hey, they showed they can do it, so next they’re going to hit the U.S.” If you look at these Russian operations in more detail, you see that they actually didn’t have too much of any economic or psychological effect. The first outage only lasted for around six hours, and the second only lasted 75 minutes.
It is plausible that there could be damaging cyberattacks, but you wonder why we haven’t seen them yet, especially since “cyberwarfare” is supposedly less risky, cheaper, and just as effective as warfare. But if that was true, wouldn’t Russia have done this before they invaded Ukraine? I think this tells us something about the limitations of cyberoperations. If you take a step back, it’s very clear that Russia’s “cyberwarfare” has failed. Otherwise there would be no need for Russia to move in its troops. So, yes, more Russian cyberwarfare is plausible, but it neglects all the constraints of these operations.
Angwin: Can you explain some of the constraints of cyberwarfare?
Maschmeyer: Sure. First, you have to find a system that actually is capable of producing the effect you want. For example, if you want to attack a power grid, you first need to find a power plant that is computerized, so it can be shut down. Then, in that computer system, you have to find vulnerabilities or flaws in the system to exploit. That takes a lot of time—for more complex systems, it usually takes months or years.
If you’ve passed this hurdle, next comes the stage of reconnaissance, figuring out how the system works and how you can get control of the relevant parts of the system. With the power grid example, you would need to get to the industrial control systems, which usually takes months from what we’ve seen in practice. Next, you need to find a vulnerability in those specific control systems that you can manipulate. Finally, you have to pass all of these steps without being detected.
By examining real-world cyberoperations, I distilled three factors that create a trilemma for the feasibility of successful and effective cyberwarfare. The three factors are: the speed of an operation, the intensity of the effects that you want to produce, and the level of control you have over the system you’re targeting and the desired effects. The trilemma is that you cannot increase all of these variables at once, but instead the more you increase one, the more you tend to lose out on the remaining ones. For example, if you go faster, you have less time for reconnaissance and developing the virus that will exploit the system you’re targeting, which means the intensity of the effects and the control that you have will be relatively lower—and vice versa. This trilemma is why, in practice, most cyberoperations tend to be either too slow or too weak or too volatile to produce strategic value.
Angwin: Can you give an example of a cyberoperation that illustrates these interrelated challenges?
Maschmeyer: While Russian cyberoperations have, by and large, fallen short of achieving the goal of weakening Ukraine’s society and ability to resist, there was one exception: the NotPetya virus in 2017. This virus traveled around the world and affected 65 countries and encrypted data on the computers it affected. This attack caused significant economic damage, and worldwide it cost around $10 billion of damage.
However, it also affected Russia, which is a sign that something probably didn’t go as planned. For example, the state-owned oil giant in Russia was affected by this operation. If you look at the code, or the sequence of how the virus spreads, and how it was designed, it’s very clear that the hackers had no way to control where it would spread once they released it. ESET, a cybersecurity firm from the Czech Republic, concluded that Russia lost control over this risk, and this means there was a lot of collateral damage.
Even though it was a significant event, it still confirms these constraints that exist with cyberoperations. In this case it illustrates the challenge of volatility—where you lose control over the effects. If you can’t control the effects, these operations aren’t very valuable because you could just as easily harm yourself.
Angwin: Even though NotPetya caused a lot of damage, you still think we shouldn’t be overly concerned about cyberwarfare?
Maschmeyer: We should not dismiss the threat but be realistic about its extent—especially compared to actual warfare but also to traditional sabotage. Let me give an example to illustrate my point. In 2017, this ammunition depot blew up in Ukraine, producing a vast shockwave that caused a lot of damage to the surrounding area and destroyed a huge amount of ammunition. One estimate was that it cost $800 million (U.S.) of damage and also weakened Ukraine’s military capabilities. Later, there was an investigation by Ukraine’s law enforcement agency that found that a few individuals in civilian clothes had bribed a security guard, walked into the facility with a lighter, cigarettes, and a canister of a flammable substance, and set it on fire. [Press reports at the time said Ukraine attributed the sabotage to a possible drone strike.]
No cybersabotage has come close to causing this degree of damage. Not just the damage but the simplicity of this attack compared to working for 19 or 31 months to get into the power grid to cause a temporary outage. This is why for states that have to deal with actual warfare, as Ukraine is experiencing now, cyberattacks are at worst a secondary threat.