Cyberwarfare is an overnight success, a new theater of operations in the history of warfare. Like many overnight successes, it has been decades in the making. Our world has become increasingly reliant on computers, and on networking them together, and this has given us many great advances in our lives, but it has also created a new battleground, one which the United States is not prepared for.

The key differentiator, the “disruptive force” in startup terms, between cyber and other theaters is the relative cheapness of force projection. In military terms [1] a “battlespace” represents the strategy that unites the armed forces across multiple theaters of operation, including land, air, sea, outer space, and cyber [2]. Within most of those theaters the cost to conduct operations is high. Troops must be trained, equipped, physically deployed, and often put themselves in danger to carry out their missions. Cyber, in contrast, removes several of those variables. Troops must still be trained and equipped, but the equipment is far cheaper. There is no need for physical deployment, and there is little risk of danger when carrying out operations. This leads to the disruptive advantage: cyberwarfare is a cheap, fast, and safe way to project force compared to conventional warfare.

Cyber Vs Meatspace

Cyber operations are very different from conventional ones, in ways that may not be completely obvious. For simplicity, conventional operations in the real world (“IRL” as my generation calls it…) will be called “meatspace” [3] to contrast them with cyberspace.

Figure: Relative speed comparisons. Logarithmic bar chart comparing the speed of various physical objects with a humble “ping”. The Globemaster, at 567 mph, doesn’t even rate a line on the chart.

Operations conducted in meatspace require the transport of physical matter from one location to another. This can be fast: Trident 2 missiles can reach Mach 24, about 18.4k miles per hour. Moving people is much slower; a C-17 Globemaster III moves at about Mach 0.74, around 567 miles per hour. These are one-way transits, however, and not a fair comparison, since cyberspace typically requires a round trip for communication. The B-52 is a long range bomber with a maximum speed of around 600 miles per hour. It is about 6078 miles from Los Angeles to Moscow, which makes a round trip around 20 hours. I live in Los Angeles and I pinged https://kp.ru, a Russian news site. It takes 211 milliseconds for a round-trip message to come back. This means the delivery of a packet of data in cyberspace is over three hundred thousand times faster! It is reasonable to note that a cyberattack is not normally launched by sending a single packet, and some attacks may take months of planning, but the speed of delivery is the key item I want to focus on here.

Physical danger is largely negated for cyberwarfare operations as well. Cyberpunk media of the 80’s, William Gibson’s Neuromancer, or Masamune Shirow’s Ghost in the Shell, brought tales of computer networks as dangerous as a real world fortification. Black ICE programs would be able to kill attackers over an internet connection. Cybernetic attachments to a brain would allow people’s bodies to be directly controlled, and fuses physically integrated into bodies[^gists-fuses] would offer protection against attempted electrical overloads of those brains. No such hazards exist in the real world today. Cyber operations can be carried out without any risk of physical danger to the attacker. Even the attackers’ computers cannot be attacked back through any sort of conventional means.

Figure: Physical vs virtual topologies, showing how physical topology and domination of a particular space does not affect virtual connectivity around that space.

The only saving grace of cyberwarfare is the difficulty of acquiring targets, especially those of a military nature. The topologies of digital communication and meatspace are very different. To be exposed to remote attack, most devices, excluding supply chain attacks, have to be connected to the internet. Failing that, they would need to be accessible via some other means, such as a wifi, radio, or bluetooth signal, to be attacked [4]. This is actually a boon for many military systems, since they are not normally connected to the external world. Conversely, many civilian devices are. This leads to an unfortunate setup where it is easier, and often more desirable, to launch cyberattacks against civilian infrastructure than military.

Impacts of Cyberwarfare

When attacking infrastructure via cyberwarfare there are a few common techniques that have been observed to date: informational, loss of availability, and economic. These can be commingled or treated as separate tactics by an attacker.

Figure: Venn diagram showing the attack types and how they can each overlap.

Informational attacks are a tactic to gather information: espionage, in other words. This is one of the oldest types of cyber attack, dating back to the 80’s when Markus Hess [5] broke into various networks, including LBL, to steal national secrets. More recently, the 2015 hack of the OPM resulted in the loss of millions of records, including those of numerous people with security clearances.

Sabotage, characterized by a loss of availability of a resource, is the cyber attack most likely to cause immediate, visible damage. Critical infrastructure such as power plants, water treatment facilities, and hospitals all rely on computers functioning correctly in order to carry out their operations. The fact that safety critical mechanisms should not be connected to the network has not stopped this from occurring. Kyiv, the capital of Ukraine, suffered a cyberattack against its power supply in 2016. A San Francisco Bay Area water treatment plant had an attacker break in and delete programs used to run the plant in 2021. Hospitals are attacked so frequently that examples of a hospital needing to shut down due to a cyberattack are easy to find. The 2021 Colonial Pipeline attack was intended as an extortion attempt but effectively resulted in sabotaging the delivery of oil within the US.

Economic attacks extort money from organizations in order to funnel money back to the attackers. The 2024 Change Healthcare attack was a prominent example where a criminal group removed access to healthcare records and demanded a ransom to restore access. Attackers are not just limited to organized crime. North Korea has carried out attacks against ATMs, stolen cryptocurrency, and held healthcare systems hostage, all to send money back to their government.

Something that has been consistent in all of this is that the victims have been civilians and non-military infrastructure. It is tragic that these are the targets, but important to note that they are targets of opportunity. In recent years military assets have begun to be targeted as well. Russian spyware known as “X-Agent” was believed to have been installed on the phones of Ukrainian soldiers to broadcast the location of artillery units in 2016. In 2018, Russia successfully jammed GPS signals during a NATO exercise, showing that it could remove the ability of units to finely map their position. Russia has also displayed the ability to infiltrate encrypted chat groups via malicious QR codes and previously sent SMS text messages urging troops to surrender. With the rise of AI and ever more sophisticated simulations of voices, it is only a matter of time until someone attempts to send fake orders.

Force Projection in Cyberwarfare

The primary disruptive elements of cyberwarfare are: speed, safety, and cost. Speed and safety have already been covered in “Cyber Vs Meatspace”.

Figure: R&D vs manufacturing costs of different weapons. Drone R&D is left blank as it is unknown. Drone manufacturing is so cheap (at least for Ukrainian conflict drones) that it does not show up on the chart. Cyberweapons have zero cost to manufacture, since they are replicated data.

Cost is the final disruptive factor in cyberwarfare. A cyberweapon, a weaponized CVE such as a computer virus or a new hacking technique, has zero marginal cost to replicate once created. To create a cyberweapon, researchers must work on discovering them, at whatever salaries they are paid. For this discussion we can assume $500k / person for top quality researchers in a place like the United States [6]. Tooling, such as replicating the target network or acquiring copies of the software being run, is of fairly marginal cost. Compare this to conventional weapons. A single BGM-109 Tomahawk missile costs around $2M to purchase [7]. The cost to develop the “Block V” (most modern version) of the missiles appears to be around $100M [8]. Drones, a new disruptor in physical warfare, are fairly cheap. A drone costs somewhere between $300 and $25,000 to buy in the ongoing Russian invasion of Ukraine [9], with development costs being fairly unknown. Drones, it is also useful to point out, may be used multiple times if they are not “kamikaze” drones strapped with explosives.

An alternative to in-house creation is to buy an existing CVE. The cost to purchase existing, but not widely known, CVEs, often known as “zero days”, is increasing, but still relatively cheap. Zero days in 2014 would max out around $300k for high quality ones. At least one company in 2024 was offering to purchase vulnerabilities for up to $9M on mobile devices, $2M on desktops, and decreasing amounts for various other tools one would expect to find in personal and enterprise networks^[zero-day-cost]. Purchasing an already researched exploit does have a higher up-front cost than an R&D team, but due to the zero marginal cost of replication they are still lower cost than other weapons.

Making it easier to project force without fear of reprisal is the issue of attribution for attacks. Many of the attacks described above cannot be traced back to known assailants [10]. This is due, in part, to the ease of making a connection appear to come from another source. A connection that originates in, say, Russia may be the result of a Russian attacker, or it may be the result of the connection being routed through Russia to hide the attacker’s identity. In many cases attempts to attribute attacks to nation sponsored attackers, such as Russia or China, are based on best guesses from reviewing code, prior attack patterns, etc. It would not be hard for a determined attacker to create a false flag event or otherwise attempt to imitate someone else. The difficulties around attribution in turn lead to further difficulty in determining who and where to retaliate against in the event of an attack.

Figure: The topology picture from before, but now with many of the paths severed. There is still a remaining path for the majority of the nodes, so they can still be used to send traffic or be reached by an attacker.

The differences in topologies are a further mixed blessing for force projection. In conventional warfare, control of one space, such as air or land, allows for control of another space. Bombers can attack ground units; ground units with AA batteries can shoot down planes. Cyberwarfare operates on an entirely different topology where the front line of the battlespace no longer has meaning. Every reachable computer is a front line in the cyber battlespace. Control of the physical world only allows for coarse grained control over cyber connectivity. A connection can be severed by destroying physical infrastructure, but new paths will be discovered if they exist. Large scale solutions like country wide firewalls are known not to work: one of the things the Great Firewall of China is famous for is its porous nature [11]. Tying back to dangers being focused primarily on civilian infrastructure, most military units should not be connected to the wider internet, but on isolated networks if they are connected at all. This reduces the ability of an attacker to gain access to deployed military units and attempt to sabotage them.

Supply chain attacks pose a further risk. Sabotage of factories is not a new concept. Oskar Schindler in World War 2 ensured that his munitions factory produced dud shells. Numerous other acts of sabotage can be found elsewhere. Cyber supply chain attacks are different, though, in that they allow for covert operations. SolarWinds is the modern day poster child for backdoors that allow attackers access. Prior to that, Juniper Networks had a 2015 attack where their VPN software, used to secure communications across the internet, had a backdoor that would let attackers decrypt the traffic. Attacks like this are subtle, and may linger for years before being discovered.

Perhaps the only saving grace of all of this is the ease of patching vulnerabilities and reducing the attack surface. Missiles and guns tend to inflict approximately the same amount of damage, barring improvements in armor, on their targets over time. Vulnerabilities, once known, can be patched and are no longer effective. Going back to espionage analogies, using a zero-day is equivalent to potentially burning a source. If the attack is noted in detail it can be fixed, and the patches rolled out at the same zero marginal cost it took to replicate the attack. This gives defenders a powerful countermeasure: just keep your systems up to date.

In conclusion, force projection in cyberwarfare is much cheaper, much faster, and much easier to deploy (especially against civilian targets) than traditional military assets. This is what makes cyberwarfare disruptively cheap.

Where Do We Go From Here?

Every tactic has a counter. Cyberwarfare is no exception, and the final topic is: what are the counters to cyberwarfare? To properly counter cyber attacks one must prepare for every component to be a front line. Resiliency must be built into every possible item. Finally, this section closes with some thoughts about the current state of US Federal certifications for cybersecurity and how to improve them.

Figure: A target under attack from the internet, with different parts exploded into more detail. An electrical generation system is expanded into a computer, and from there expanded into subcomponents and a Software Bill of Materials (SBOM).

In the cyber domain, every computing device becomes a front line that can be attacked by an enemy. Internet connected devices are the most obvious, but anything that communicates remotely, over wifi, over bluetooth, over radio, over ethernet, is a potential target for attack. The first step to overcome this is to embrace a zero trust architecture.

Zero Trust is a concept that has evolved over the years. It has a debatable history, but these days it means that one should assume the network they are on, and anyone being interacted with, may be compromised [12]. To handle this, zero trust starts by assuming that attackers may be listening in on, or actively manipulating, communications. This is countered by encrypting all traffic sent across the network. Next, anyone talking to a device is suspect. By requiring authentication whenever another device talks to you, identities can be established and interlopers will be unable to impersonate devices [13]. Next, one can assume the communicating device may be compromised and may make dangerous requests. By limiting authorizations, the ability to carry out actions, to the minimum required, the risks there are mitigated. This can go much further: resiliency against deliberately malformed inputs can be tested for, properties of how a device booted up can be queried via TPM PCRs, and so forth. Every action taken here increases the difficulty of carrying out an attack, since even a compromised device will have limited ability to affect other devices on the network.

To prevent the code the devices themselves run from being a target of attack, the supply chains for the code must themselves be hardened. Weaknesses here are what led to the successful attacks at SolarWinds and Juniper. Hardened supply chains have to cover every aspect of the software creation process. Inputs must come from trusted sources. Every bit of work done on code must be traceable to the developer that created it, and it must not be possible for them to impersonate others. The build environment must be completely isolated from possible tampering. The outputs of a build must themselves be cryptographically signed to ensure they are not changed. It’s worth noting that there is no Federal certification for secure supply chains, though there is an industry equivalent known as Supply-chain Levels for Software Artifacts (SLSA) that is being actively improved over time.

Once the image for a device has been delivered, the work is not yet done. Every component is a source of possible compromise and must be inventoried and cross referenced with known CVEs (security vulnerabilities) in order to find issues. SBOMs [14], or Software Bills of Materials, provide details on every component in a given piece of software. By cross referencing components with known CVEs, every organization is able to monitor the potential risk of the assets they control. SBOMs are still not widely adopted, but are an important part of understanding when there are issues and when one needs to update.
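The SBOM-to-CVE cross reference described above, as an added example that is not code from the original post. It parses a constructed CycloneDX-style SBOM fragment and a constructed vulnerability feed (the component names and CVE ids are placeholders, not real advisories), flags every component whose version falls inside an affected range, and separates the findings an update would fix from those that have no fixed version yet.

```python
"""Cross-reference a CycloneDX-style SBOM against a known-vulnerability feed.

Added example, not code from the original post. The SBOM fragment and the
feed are constructed inputs with placeholder names and CVE ids. Real SBOM
consumers pull the feed from a source such as NVD or OSV, but the matching
logic (same component, version inside the affected range) is the same.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed SBOM fragment in the CycloneDX JSON layout. Values are illustrative.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.7",
     "purl": "pkg:generic/libexample-tls@1.2.7"},
    {"type": "library", "name": "json-parse", "version": "3.0.1",
     "purl": "pkg:generic/json-parse@3.0.1"},
    {"type": "library", "name": "logfmt", "version": "0.9.0",
     "purl": "pkg:generic/logfmt@0.9.0"}
  ]
}
"""

# Constructed feed. Each entry names the affected component and the affected
# version range [introduced, fixed); fixed=None means no patch exists yet.
# The CVE ids (CVE-0000-...) are placeholders, not real assignments.
VULN_FEED = [
    {"id": "CVE-0000-0001", "name": "libexample-tls",
     "introduced": "1.2.0", "fixed": "1.2.9", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "name": "json-parse",
     "introduced": "2.0.0", "fixed": "3.0.0", "severity": "CRITICAL"},
    {"id": "CVE-0000-0003", "name": "logfmt",
     "introduced": "0.9.0", "fixed": None, "severity": "MEDIUM"},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass
class Finding:
    component: str
    version: str
    cve: str
    severity: str
    fixed_in: Optional[str]  # None when no fixed version exists yet


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.2.7' -> (1, 2, 7), so versions compare numerically: plain string
    comparison would wrongly rank '1.10.0' below '1.9.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def load_components(sbom_json: str) -> List[dict]:
    """Parse the SBOM and return its component list, rejecting unknown formats."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM, got %r" % bom.get("bomFormat"))
    return bom.get("components", [])


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or when no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def cross_reference(sbom_json: str, feed: List[dict]) -> List[Finding]:
    """Match every SBOM component against every feed entry; most severe first."""
    findings = []
    for comp in load_components(sbom_json):
        for vuln in feed:
            if vuln["name"] != comp["name"]:
                continue
            if is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append(Finding(comp["name"], comp["version"], vuln["id"],
                                        vuln["severity"], vuln["fixed"]))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    return findings


def update_plan(findings: List[Finding]) -> dict:
    """Split findings into upgrades that fix them and CVEs with no fix yet,
    which need a mitigation (isolation, disabling the component) instead."""
    plan = {"upgrade": {}, "no_fix": []}
    for f in findings:
        if f.fixed_in is None:
            plan["no_fix"].append(f.cve)
        else:  # keep the highest fixed version required per component
            current = plan["upgrade"].get(f.component)
            if current is None or parse_version(f.fixed_in) > parse_version(current):
                plan["upgrade"][f.component] = f.fixed_in
    return plan


if __name__ == "__main__":
    hits = cross_reference(SBOM_JSON, VULN_FEED)
    for f in hits:
        print(f"{f.severity:8} {f.cve} {f.component}@{f.version} fixed in {f.fixed_in}")
    print(update_plan(hits))
```

On the constructed inputs the run flags libexample-tls (upgrade to 1.2.9) and logfmt (no fix yet), and leaves json-parse alone because 3.0.1 is at or past the fixed version.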

Updates must themselves become more frequent. Out of date software is very common, owing to issues with quality regressions, interoperability, outages caused by upgrades, and numerous other issues. These cannot be excuses though. Updates must become an ordinary part of device maintenance and issues around disruption and other excuses must be taken seriously and minimized as much as possible.

Hand in hand with updates are backups and rapid restoration from backups. Data, and the transformations of data, are a key part of many cyber systems. Loss of access to data is how attacks such as ransomware and other forms of sabotage are able to get a foothold. By ensuring that backups are frequent, kept safe from danger, and possible to quickly restore onto a clean system, the dangers of ransomware and other attacks are minimized.

The final tactic to close with is to prepare for a disconnected future. The world of today is very online, and there is a heavy reliance on internet communications via satellite, via wifi, via radio. Many US homes these days have several devices that will not function without an active internet connection, even if that connection adds little to no value. This reliance on connectivity is susceptible to sabotage. A 2022 attack by Ukraine against Russia failed because satellite internet was not provided[^ukraine-done]. Signals also leak locations, allowing attackers to discover, and target, the sources of transmissions. Finally, signals are possible to jam. Both Russia and Ukraine have jammed each other’s signals throughout the war, preventing the use of drones. Russia has, in 2025, come up with an innovative solution: rather than rely on remote signals to control their drones, they use a fiber optic cable to control them [15]. Cables do not leak signals, and cannot be jammed. There is still, however, a reliance on connectivity. Autonomous weapons, powered by AI[^slaugherbots], may represent a new means of carrying out attacks without reliance on connectivity.

Certifications

Certifications are the means for the government to decide if a product meets their requirements. While there are individual testing programs, certifications by and large drive all of this. The current certification process is slow, expensive, and prevents the government from being able to use the latest, and best, products in a timely manner. This process is in dire need of reform in favor of standards that are free to access, and fast to certify. For this last part I will focus on the FIPS 140 and NDcPP certifications, since those are the two I am most familiar with.

Reform is the important part here. I am in no way advocating for an end to certifications. Bad actors [16] have made it clear that they will sell faulty equipment if they see a chance. I once saw, but can no longer find, an apocryphal story concerning why the nuts in cookies sold to the military must be within a minimum and maximum size. Since I cannot find it I will make up a new apocryphal story: The government says “We need masks, to fight the spread of COVID. Sell us masks.” All that was specified was that a mask is a face covering. Sellers can now come and sell masks, but they can also cut corners. Because there is no minimum hole size, a piece of plastic wrap you put across your face can count. So now the government adds a minimum hole size to the requirements. Now because there is no maximum hole size, fish netting you wrap across your face counts as a mask. So now the government adds a maximum hole size to the requirements. Various other issues arise, and subject matter experts think about what they want. For COVID face masks this is ASTM F3502-21 and costs $76 to view.

The FIPS 140-3 standard, similarly, costs money to view. The relevant documents are ISO/IEC 19790 and ISO/IEC 24759; combined they cost a few hundred dollars to buy and are licensed to the person purchasing them, and licensing the viewing of them for an entire company costs more money. On top of that, a Security Level 1 (the lowest) certification may cost around $100k to have an independent third party verify it. These two costs combine to limit the set of possible vendors to those that have already achieved a good enough product market fit to spend this amount of money on the certifications. Drone builders in their garages, and startups without a lot of venture capital funding, need not apply. The barrier to even viewing the standard creates additional hurdles around accessibility and meeting the requirements. The amount of money is small for an established company or a small team, but it is prohibitive for collaborations done in the open, such as open source. Free cryptographic software, such as OpenSSL, the Go crypto libraries, etc., allows products which are secure for use to be created at marginal cost. Yet, in order to meet government requirements, changes need to be made that only the small group that purchased the docs can understand, and having secure certified libraries often involves an upcharge that reduces the number of vendors in the market. A market with a reduced number of vendors is not a competitive market, which in turn reduces the quality of goods the government receives.

Time is another factor. Reportedly, FIPS 140-3 certifications currently have a waitlist of about 2 years [17] from government submission to government review. This does not include development time, nor time for a lab to review the work. This is just sitting in a queue, waiting for someone from the government to review it. Two years is an enormous amount of time for a tech product to have to wait, and in the event that an issue is found in the FIPS 140-3 certified product, fixing it invalidates the certification and requires a new one. This further drives down the value of the program, to the point where other certification programs [18] are suggesting that modules with bug fixes and no longer valid FIPS 140-3 certifications be used.

NDcPP, the collaborative Protection Profile for Network Devices [19], and part of the Common Criteria family of certifications, is better in some aspects here, but still has its own issues. Certifications are based on freely available documents, and are prescriptive in terms of both the requirements and what is tested. This greatly eases the process of meeting the requirements, since anyone is able to view, comment on, and suggest solutions to meet the requirements. The process is somewhat faster as well, on the order of months to achieve a certification once paperwork is submitted. The downside is that NDcPP is very specific in what it certifies. An entire image, tied to a specific item, is what is certified. Take the same image and put it in a slightly different product, and the certification no longer applies. Take the image and fix a bug, even one completely unrelated to security, and the certification no longer applies. This is similar to the FIPS 140-3 re-certification issue, and results in the same set of compliance problems for anyone trying to follow the rules on only using certified products.

It is my belief that reform around these certifications would result in less work needed from the government, a faster process for certification, and still be approximately as safe. Reform for FIPS 140-3 would take the form of offering a “fast track” option. Have NSA (which had a large hand in the requirements) or NIST build their own Security Level 1 crypto module, call it the “in-house” module. Offer this module in open source form, along with all of the ACVP test harness code needed to test it on processors. If someone wants to use the module as is for an SL1 product, and provides working ACVP tests for it, fast track a vendor affirmation [20] for that product onto the “in-house” module. If this was offered as a dynamically linked library, I’d expect massive demand. The majority of certifications for FIPS 140-3 Security Level 1 are software, and many of the firmware ones are likely software based as well. Reform for NDcPP would be making the process of certifying additional platforms easier and making it possible to fix bugs outside of a “feature boundary” more easily. Much of NDcPP, and other Common Criteria protection profiles, is just going over a set of test cases and checking the results. There is little reason that this cannot be made more programmatic and sped up, especially for re-certifications of a prior passing image.

The final item to close out on is to note there is no government standard today for a security hardened software supply chain. SLSA comes close, but is primarily self attested (which isn’t a bad thing!), and is still undergoing a significant amount of revision. This is particularly notable, because supply chain compromise is a real attack vector which will only become more valuable to attackers over time.

Reforming certification will save the government time, which saves money, which gets products meeting the requirements to market quicker.

Conclusion

Cyberwarfare is an underexplored part of the battlespace. It is far cheaper, faster, and safer for operators than conventional warfare. It has tremendous potential for use in sabotage, and gathering information, and has a high risk of being used against civilian infrastructure. The US is not well equipped to defend against it, especially in the civilian space. To mitigate these risks, the US must prioritize rapid certification reforms, supply-chain hardening, and widespread adoption of zero-trust architectures.


  1. I have never served and did research across various public resources. Wikipedia was very valuable for much of this research.

  2. I have decided not to list information warfare here because, after reading up about it, information warfare feels like a meta-category to catch how gathering intelligence and updates don’t cleanly fit into other theaters. Info warfare also heavily skews towards cyber anyway.

  3. We ain’t nothin’ but mammals, but IRL some of us get cut open like cantaloupes.

  4. Most cyberattacks are launched using the internet to attack other internet connected systems; this is easy and safe to do. If a bridge from a closed off network to the internet can be created, for example by establishing a connection to the internet, attackers can continue to connect remotely as long as the connection remains active. Unless the network is completely sealed off from the internet this doesn’t require anything as fancy as connecting a satellite terminal into a network; conventional programs like ssh can be used to establish a remotely controllable connection from the internet to the inner network via a technique called a “reverse tunnel”.

  5. As chronicled in Clifford Stoll’s very delightful book, The Cuckoo’s Egg.

  6. Job postings for a Principal Product Security Researcher at PANW look like a top comp of $255k. Sr. Principal Software Engineer Vulnerability Research Reverse Engineering at Northrop Grumman is offering a top comp of around $200k. Doubling to estimate the all-in cost for the employer for things like health insurance, taxes, HR stuff, etc. This is also for US jobs, which do have a higher cost of living than other countries.

  7. Taken from https://en.wikipedia.org/wiki/Tomahawk_(missile_family)#cite_note-4 which cites https://news.usni.org/2021/06/02/anti-ship-missiles-top-marines-2-95b-fiscal-year-2022-wishlist which cites a Marine Corps doc of desired priorities to fund at https://s3.documentcloud.org/documents/20796573/marine22upl_.pdf. 48 Tomahawk missiles are listed with a cost of $96 million; $96 million / 48 = $2M each.

  8. Taken from https://www.dacis.com/budget/budget_pdf/FY20/RDTE/N/0204229N_214.pdf where I looked at Page 1, 0545 Tomahawk and am basing this on the FY 2018 values. I am not including prior years since I suspect that may be for prior generations and that doesn’t feel as useful for the point being made.

  9. Ukraine costs seem to range from the low $300 to $20k USD based on https://ukrainedefensesupport.org/wp-content/uploads/2023/12/How-to-buy-drones-for-Ukraine.pdf which is primarily attempting to source drones from DJI. Using a commercial / hobbyist supplier lets Ukraine take advantage of economies of scale. Russia appears to be using domestic defense companies (https://www.csis.org/analysis/calculating-cost-effectiveness-russias-drone-strikes) and their drones seem to be quoted anywhere from $35k to $80k USD.

  10. Kaspersky in 2012 described cyberattacks as “terrorism” not “warfare” due to the issues with attribution. I don’t fully agree with that since terrorism is typically associated with the terrorists taking credit in an effort to force a population to submit to their demands. This feels more like covert operations, where the attacker’s identity and motivations are not always clear.

  11. I’m not going to footnote this one too closely, but it is very easy to figure out how to bypass the Great Firewall of China.

  12. NIST SP 800-207 covers Zero Trust as a formalized general concept.

  13. Consistently requiring authentication can also prevent attacks where an AI will imitate a superior giving an order.

  14. https://www.cisa.gov/sbom

  15. https://www.forbes.com/sites/davidaxe/2025/03/10/a-russian-fiber-optic-drone-slipped-into-a-camouflaged-dugout-and-discovered-a-valuable-ukrainian-howitzer/

  16. See https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/press-releases/california-company-charged-conspiring-sell-misbranded-n95-masks-hospital-early-months-covid-19 and https://www.justice.gov/usao-nj/pr/chinese-manufacturer-charged-exporting-defective-and-misbranded-masks-falsely-purporting for examples.

  17. I do not believe it to be caused by laziness. CMVP, the division of NIST that reviews this, is reportedly both understaffed for this work and in a hiring freeze as of 2025-03.

  18. See the FedRAMP guidance on this. Quoting: “Sometimes it is not possible to meet requirements for both using FIPS-validated modules and using software without known vulnerabilities at the same time. In such situations, FedRAMP generally prefers the elimination of known vulnerabilities through patches or updates (update stream usage) over continuing to use known-vulnerable software that is FIPS-validated (validated module stream usage).”

  19. I would love to understand why the acronym does not match the name. I was, jokingly, told once that it uses a ring buffer.

  20. Vendor affirmation is where a new platform (essentially a combination of OS + CPU) is added to a list within the FIPS 140-3 Security Policy, where that addition means “This seems to work fine; the vendor said it is very similar to the ones we formally tested.”