A realistic evaluation of cyber weapon concepts

Bottom Line Up Front
Cyber attacks against the power grid have little strategic value
- Cyber against the adversary’s power grid is worse than useless
- It actually increases adversary’s cohesion and strengthens their resolve
- Has little to no impact on the capability of the adversary to make war
- Bolsters policy-maker’s reason to engage in war
This is going to hurt me more than you
I’m going to talk about the Manhattan blackout and cyber. But I gotta make some things clear. I’m discussing the theory of conflict in the cyber domain, where the cyber attack “take out the power grid” is frequently used as an example of … worst case scenario, or terrible major attack, or whatever. Taking out the power grid is a big deal in cyber war discourse. I say, it’s about as brilliant as punching yourself in the face before a fight. I’ll use the event of the Manhattan blackout as an example of the impotency of a power grid attack.
The July 13th 2019 blackout in Manhattan is a perfect example of why the power grid is a piss poor target in a cyber conflict. Again, this is not about the actual Manhattan blackout.m; it’s not about the root cause; the impact, or the effects on people. This is a piece on about cyber warfare strategy and why the power grid is terrible choice of target. The blackout in Manhattan is simply a relevant event to illustrate my point.
Cyberwar experts have a strong tendency to worry about critical national infrastructure’s vulnerability to cyber attack. In principle I completely agree, critical infrastructure should be secured against attack. I don’t think that attacking the power grid is the pinnacle of cyber warfare. In fact, I think taking down an adversary’s power grid is possibly one of the least effective cyber attacks a state could deploy.
Cyber is the continuation of politics by other memes
The Manhattan blackout, I believe, proves my point that critical national infrastructure (such as the power grid) is not anywhere near as important a target as people claim. The impact is short term and localised.
Not only is the effect of a blackout limited, but using the Clausewitz paradoxical trinity reveals that it fails as a mechanism of state coercion.
- Enmity: people’s passion for war
- Chance: military’s ability to effect events in war
- Reason: policy makers reason for war
A cyber weapon that disables the adversary’s power grid may have tactical or operational utility, or under the right circumstances, strategic value. But in the general case, at a strategic level, cyber attacks against the power grid are negligible at best and counter productive at worst.
What is a cyber weapon?
the effect is localised, and therefore not good as a tool of imposing your will on another state. because it has such a low utility as a technique for coercion, it is not strategically useful.
it is tactically useful, operationally useful, and maybe in certain cases strategically useful, but fundamentally the “cyber the power grid” attack is just not a great capability. Not as a strategic tool for a state to impose its will, or effect its policy on other states.
An attack against the powergrid causes the people targeted to become more cohesive as a whole, it unites them against an external enemy. Generally speaking, a weapon that makes the other side more determined to fight you is not a good weapon.
a strategically useful cyber weapon would have some capabiltity to: “deny, destroy, degrade, deceive, disrupt” — the target at a strategic level, at a level that impacts the state: either the people, the economy, or the military.
the power grid as a target does not provide that capability. Against the economy, the ability of the target to continue to wage war, it has no impact. Against the people, it makes them more cohesive and hardens their resolve. No electricy can cause tragedy at a small scale, but fundamentally it is just a nuisance, not a huge deal.
Clausewitz, Conflict, Cyber
Clausewitz created an analytic framework for appraising states at war. The paradoxical trinity is covered very well elsewhere, but I’ll provide a brief sketch of the concepts. If you don’t want to see spoilers for On War, feel free to skip this section.
SPOILERS: now entering spoilers for “On War”
ENMITY
does a cyber attack blackout reduce people’s passion for war?
No, definitely not. If anything it improves cohesion and strengthens resolve. People can unite against a common enemy who caused them tangible harm (“I didn’t have internet for hours!”). An attack so blatant that there is no doubt it was a hostile act by a foreign state will strengthen ingroup bonds.
CHANCE
does a cyber attack blackout reduce the capacity and/or capability of the military to wage war?
not at all. The military have a lot of slack, redundancy and buffer in their supply chains. The short duration of power outages would be easily absorbed.
REASON
does a blackout change the reason policy makers chose war?
I don’t see how. The people will be more passionate about supporting the war, demand retaliation. The short duration of the blackout and the limited scope of its negative effects mean there’s no real long lasting harm inflicted.
Cyber von Clausewitz
- war is the continuation of politics by other means
- All politics is local
- In cyber, everything is local
There is another factor, which I will not address here, about norms. Attacking civilian critical national infrastructure signals that attacks again civilians are ok. This is generally frowned upon.
Why this matters
The effect of an attack against the power grid is localised and ephemeral, therefore it is not useful as a tool for imposing your will on another state. Because it has such low utility for coercion it is not strategically useful. In certain circumstances it could be tactically or operationally useful, but it is very unlikely it will ever be strategically useful.
The reason that cyber attacks against the power grid are not useful attacks is that they unite people, they create cohesion against an external threat, and they have no long term lasting impact on the target. Attacking the power grid encourages the adversary to fight with more resolve and determination than before.
Essentially, using cyber to cause blackouts not only has no impact on the adversary’s capability or decision to wage war, it actually makes them more cohesive and resolved to fight. As a strategic weapon, it literally makes the adversary more determined and willing to engage in conflict.
Making the enemy more aggressive and resolved to fight, without weakening their capability to do so, is not a good capability for a cyber weapon.
The power grid is an interesting example and this post assumes that recovery time is a few hours and week within a bounceback capability.
However, what if it lasts 12 hours in the dead of the winter, what if 24,48,72, 1 week?
To be clear I’m not going for Hollywood fearmongrting here, I’m just pointing out that a grid taken out for longer is far more interesting. You’d have to shut down generation capability as that excess energy has nowhere to go. If you affect each subsystem independently and disable centralised control, recovery becomes longer.
Finally, to break the resolve to fight, the population has to believe it can happen again. That requires some propaganda.