
Cyber-Warfare – Command-and-Control Analogue

Introduction

Many news agencies have debated whether the breach of the SolarWinds platform was a new way for state actors to attack systems. Yet it was instead the exploitation of existing vulnerabilities. Indeed, Coalition forces in Operation Desert Storm achieved the same effect of disrupting Saddam’s command-and-control structure through a vulnerability in the way the Iraqis directed their war-fighting effort in Kuwait. In the aftermath of the 2007 Estonian Distributed Denial of Service (DDoS) attacks, NATO analysts concluded “it was highly likely that a key objective of the attack was to test and demonstrate cyber capabilities, with the outcome of sowing confusion and uncertainty.” This conclusion, and many other examples like it, led policy makers to focus on the question of whether cyber-warfare (or digital warfare) is a new warfighting domain; with that question, however, came the challenge of defining what that meant. NATO’s framing was:

Cyberspace is contested at all times as malign actors increasingly seek to destabilise the Alliance by employing malicious cyber activities and campaigns. Potential adversaries seek to degrade our critical infrastructure, interfere with our government services, extract intelligence, steal intellectual property and impede our military activities. Russia’s war of aggression against Ukraine has highlighted the extent to which cyber activities are a feature of modern conflict.

Because NATO’s framing draws no consistent connection to existing methods of warfare, such as command-and-control warfare (C2W), it is harder for policy makers to determine whether an incident is a criminal act or an act of war.

By NATO’s own admission, cyber-attacks are going to be “a major component of conventional warfare”:

In the summer of 2008, the conflict between Russia and Georgia demonstrated that cyber-attacks have the potential to become a major component of conventional warfare.

Indeed, during the COVID-19 pandemic, under the threat of increased cyber-attacks, Australia’s 2020 Cyber Security Strategy adopted similar language, which begins to describe the effect an adversary seeks to benefit from:

Nation states and state-sponsored actors seek to compromise networks to obtain economic, policy, legal, defence and security information for their advantage. Nation states and state-sponsored actors may also seek to achieve disruptive or destructive effects against their targets during peacetime or in a conflict setting.

The subsequent Cyber Security Strategy 2023-2030 continues the theme, describing benefiting effects as “malign cyber operations” and describing state actors as using “cyber-operations” to steal information and challenge [Australian] sovereignty. This matches how the U.S. Army defines warfare in Field Manual 3-0, Operations:

The object of war is to impose a nation(s) or group(s) will on its enemy in pursuit of policy objectives.

As the language of both the Australian strategy and FM 3-0 aligns with the conceptual understanding of what warfare is, the conclusion is inescapable: digital warfare is conventional warfare, the benefiting effect being the achievement of an adversary’s political objective.

Australian Policy Responses

In response, and in line with these strategies, Australian legislators passed the Security of Critical Infrastructure Act in 2018 (with subsequent amendments to include cyber-security) to manage the national security risks of espionage, sabotage, and coercion. Over time, this piece of legislation became the capstone under which risks to Australian critical infrastructure are managed through a “Critical Infrastructure Risk Management Plan” (CIRMP), viewed through the lens of an “all-hazards” approach.

“All-hazards” means identifying the risks associated with organizational assets across the governance, information, cyber, personnel and physical domains; for example: would a trusted individual have an opportunity to undertake malicious activities without being identified?

In practice, the act recognizes organizations across 11 sectors: communications, financial services, data storage or processing, defense industry, higher education, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewage. All are thus required to identify hazards that may affect the confidentiality and availability of their critical infrastructure assets.

It appears that a key intention of Australian policymakers was to support organizations in identifying and managing both natural hazards and adversarial impacts. However, the inability to clearly distinguish between the effects of natural hazards, criminal acts, and warfare inhibits policymakers from developing guidance that is practical and actionable for business leaders.

While the SOCI Act framework manages risk, expanding it to recognize that “digital warfare” is essentially C2W (both seek to “disrupt and dominate” the flow of information) provides policymakers with operationally grounded methods to distinguish between a criminal act and an act of war.

However, the fact remains that we do not have a consistent way to connect “digital warfare” with C2W in doctrinal terms. To do so, we need to understand what warfare comprises, and who the threat is, through the frame of existing doctrine. This gap can only be closed if we accept that “digital warfare” is C2W in disguise, given that the mutually beneficial effects of both are inseparable.

Warfighting Conceptually

Given that they are inseparable, a clear understanding of what “mutually beneficial effects” are is required. That, in turn, requires a conceptual understanding of warfare, to establish how different forms of warfare appear along with the threats they pose.

FM 3-0, Operations, establishes that the object of war is to impose a competing nation’s will on another through either conventional or irregular warfare:

  • Conventional warfare is a violent struggle for domination between nation-states or coalitions of nation-states (ADP 3-0). Conventional warfare is generally carried out by two or more military forces through armed conflict.
  • Irregular warfare is the overt, clandestine, and covert employment of military and non-military capabilities by state and non-state actors to achieve policy objectives other than military domination of an enemy, either as the primary approach or in concert with conventional warfare.
  • In practice, a threat in conventional and irregular warfare may involve nation-state adversaries and/or non-state actors using a mixture of regular, irregular, terrorist, or criminal elements, all unified to achieve a mutually beneficial effect.

“Mutually beneficial effects” can be described as the destruction, domination, or disruption of an enemy’s ability to communicate with their forces, thereby achieving the political objective.

Operation Desert Storm

Operation Desert Storm (hereafter, ODS) is a prime example of achieving a mutually beneficial effect, given that it was supported by clear and actionable political and military objectives, which led to the disruption of Iraqi command-and-control infrastructure.

The political objectives were:

  • Immediate, complete, and unconditional withdrawal of all Iraqi forces from Kuwait;
  • Restoration of Kuwait’s legitimate government;
  • Security and stability of Saudi Arabia; and
  • Safety and protection of American citizens abroad.

These political objectives were directly linked to key military objectives:

  • Neutralization of the Iraqi national command authority’s ability to direct military operations;
  • Ejection of Iraqi forces from Kuwait and the destruction of Iraq’s offensive threat to the region, including the Republican Guard in the Kuwait Theater of Operations;

None of these political or military objectives could have been achieved without the existence of a vulnerability in Saddam’s top-down command style. The then Secretary of Defense, Dick Cheney, described Saddam’s Centers of Gravity (COGs) as “the heart of what allowed Iraq to maintain its occupation of Kuwait.” This referred to Iraqi leadership command facilities, the electrical production infrastructure powering military and industrial systems, and core command, control, and communication systems.

It was the vulnerability in Saddam’s chain of command that enabled the success of the military objectives and, by extension, the political objectives. This is the lens policymakers can adopt to determine whether a cyber-attack is a criminal act or an act of war.

SolarWinds Platform

Revisiting the SolarWinds platform through the lens of C2W, it becomes clear that the adversarial intent was to achieve the benefiting effect of gaining access to other environments in pursuit of a political goal. This assessment is supported by the findings of the UK’s National Cyber Security Centre, in partnership with U.S. agencies (the NSA, CISA, and the FBI), which concluded it was very likely that the threat actor was state-sponsored.

During proceedings, the SEC contended that SolarWinds deliberately misled investors by concealing the company’s poor cybersecurity practices, risks, and vulnerabilities, which only came to light after the SUNBURST attack. One of those vulnerabilities was a flaw in the way SolarWinds restricted access to its Virtual Private Network (VPN), which the state actor exploited.

Conceptually, this is the same as the vulnerability in Saddam’s command-and-control style. Put simply, if the vulnerability had not existed, the opportunity for exploitation would not have been possible.

However, it was not just the one vulnerability that led to the attack. It was the combination of the flaw in VPN access control and the lack of rigorous testing and verification of code that led to the deployment of malicious code to other environments.

Without a clear conceptual understanding of the actor’s motivations, the political test of C2W is impossible. However, given the way in which the SolarWinds platform was leveraged to distribute malicious code, it is possible to infer that the intent was to achieve a “mutually beneficial effect.”

2007 Estonian Hacks

On the other hand, the 2007 Estonian DDoS campaign had all the hallmarks of a political campaign designed to achieve the strategic humiliation of Estonian national pride. NATO analysts believed the attack was motivated by an ideological divide over the relocation of a Soviet-era statue in Tallinn. For the Estonians, it represented the memory of having been part of the Soviet Union; for the Russians, its removal represented the desecration of a hero.

The NATO Cooperative Cyber Defence Centre of Excellence analyzed the technical elements of the DDoS campaign and identified that the traffic contained overtly political and derogatory phrases referring to then Estonian Prime Minister Andrus Ansip as a fascist, because his government had approved the relocation of the statue.

While the traffic was not directly attributable to a state actor, it originated from a group of individuals whose help message was displayed in Russian, consistent with the intent of the actor(s) to pursue a political objective.

NATO analysts concluded that in addition to the physical effects of the disruption, there was a component of testing cyber capabilities and the psychological element of sowing confusion.

Conclusion

After a major cybersecurity incident, our reflex has been to label it “new.” This has led to fragmented language across policy settings.

This is exemplified by the malicious SUNBURST code in the SolarWinds platform breach being described as a novel hacking technique, while news agencies called the tradecraft phenomenal. In reality, it was simply the exploitation of existing vulnerabilities (whether zero-day or not).

Dick Cheney made the same point when discussing the victory in Operation Desert Storm: it was the successful exploitation of flaws within Saddam’s command-and-control structure.

While the 2007 Estonian DDoS attack did not exploit the same kind of weakness, its purpose was to test cyber capabilities and, as a by-product, to sow confusion and discord in pursuit of a political objective, even though the actor was never directly attributed.

By treating these incidents as disconnected from established war-fighting concepts, we risk producing strategies that cannot reliably distinguish between criminal acts and acts of war.

Viewing digital incidents through the lens of C2W, as the exploitation of a vulnerability to achieve a benefiting effect in pursuit of political advantage, gives policymakers a tested framework for detection, deterrence, and response.

We do not need to invent new terminology to describe what is, fundamentally, an established form of warfare.

Disclaimer

  • Any direct attribution of a state actor has been drawn from existing official or academic publications; any discussion of such is purely interpretive, using existing doctrine, and does not equate to an official stance.
  • The opinions expressed do not reflect those of any institution I have been employed by or will work for in the future. Nor do they represent the views of any other official institution.
  • The use of the Interim Congressional Report “Conduct of the Persian Gulf Conflict” does not equate to the author agreeing to the politics of Dick Cheney’s later actions as Vice President of the United States.
  • The use of the SEC filings for the SolarWinds attack is to ensure any discussion regarding the events is drawn from an official source and does not equate to a stance on the case.
  • As of 2025 SEC reached a preliminary settlement with SolarWinds.
  • The author is not knowingly or willingly endorsing any derogatory remarks which were made about the then Estonian Prime Minister.

The post Cyber-Warfare – Command-and-Control Analogue appeared first on Small Wars Journal by Arizona State University.
