Academics are among those who have oversimplified that “brandishing a cyber capability for signaling purposes is counterproductive when, by the very act of revealing it, the capability can be rendered inert.” This makes sense at the broadest technical and theoretical levels: yes, once revealed, a vulnerability can be patched. But this exaggeration misses the overall dynamics of cybersecurity: vulnerabilities are actively exploited for years. After being brandished, cyber capabilities would not instantly become inert. Rather, they have a long shelf life, making them more useful tools for coercion and deterrence.
During the Cold War, the Soviet and American militaries routinely brandished their weapons. These intentional displays of military capabilities were meant to cow the other side: “Look at how terrible your forces are under our command; no one better mess with us.” Focused on such aspects of deterrence, it was only natural for academics, policymakers, and practitioners to examine how states might brandish offensive cyber capabilities to deter or coerce a rival.
Cyber brandishing could be exceptionally specific, such as penetrating into a sensitive system—say in the Pentagon or the White House—to leave a calling card or hacking an electrical grid to flicker the lights at a specific time.
But brandishing can also be more general, such as what I call Cartwright Conjecture, named after the former Vice Chairman of America’s Joint Chiefs of Staff, General James Cartwright, who warned in 2011 that “we’ve got to talk about our offensive capabilities … to make them credible so that people know there’s a penalty” for attacking the United States.
Likewise, President Biden warned Russian President Vladimir Putin: “[W]e have significant cyber capability. And he knows it. He does not know exactly what it is, but it is significant.” Biden was publicly warning Putin about using cyber capabilities against American infrastructure, brandishing with a general threat of America’s cyber puissance.
Despite this enthusiasm from such senior figures, academics have been widely skeptical about brandishing. Martin Libicki was one of the first of such academics, as he often is in deep thinking about cyber conflict. “Brandishing a cyberwar capability, particularly if specific,” he wrote in 2013, “makes it harder to use such a capability because brandishing is likely to persuade the target to redouble its efforts to find or route around the exploited flaw.” There are, he wrote, no May Day parades or mushroom clouds over Bikini atoll to flaunt capability and get an adversary to back down.
After all, cyber capabilities and campaigns (and sometimes even their effects) are invisible. As Erik Gartzke and Jon Lindsay note, most cyber operations require deception to succeed, so that “attackers who fail to be deceptive will find that the vulnerabilities on which they depend will readily be patched and access vectors will be closed.” Accordingly, militaries highly classify nearly every aspect of their cyber operations.
Erica Borghard and Jacqueline Schneider raised other reasons for doubt: that cyber operations can lack an observable effect; any signals may get lost in the general geopolitical noise; and the timing is hard to get right, as the operation might be discovered at an inopportune time. Still the use-it-and-lose-it dynamic is mentioned most often.
That consensus among academics is unfortunately out of line with the technical realities of cybersecurity.
The historical record is clear: brandishing power drops off gradually, not suddenly. The slope of that degradation depends on at least two related factors: (1) how early the vulnerability is discovered and patched and (2) how specific a target set is that an attacker wants to brandish against.
Discovery and Patching
Let’s look at an example: an adversary just brandished a dangerous new exploit. Now what? That brandishing threat will likely remain potent since the whole process of discovery, developing patches, and applying them still takes weeks, not hours, which may be more than enough time for brandishing impact during a high-stakes, militarized crisis.
For example, Log4Shell, a major vulnerability in Log4j logging software, is perhaps the “most serious” vulnerability ever, yet developers still require two weeks to develop fixes. Nearly a year after affecting over 15 billion devices worldwide, “roughly a quarter or more of the Log4j downloads … are still full of vulnerable versions.” The U.S. Cyber Safety Review Board called it “an endemic vulnerability,” as it will “remain in systems for many years to come, perhaps a decade or longer.”
One federal agency reported spending over 33,000 hours to develop fixes, in an effort to highlight just how difficult patching—which is considered “basic cyber hygiene”—can actually be in exceptionally complex modern information technology environments.
And the Log4Shell vulnerability is not some bizarre, extreme exception. Two years after it caused the stunning global meltdowns of NotPetya and WannaCry, the Eternal Blue vulnerability was still powering the most detected ransomware of 2019 with more than 1 million machines still exploitable.
This is an unfortunate, general trend. A forthcoming paper by Sasha Romanosky and his colleagues at RAND covers their shocking analysis of 5.2 million exploit attempts using 9,000 unique vulnerabilities; Some of their findings include: 66 percent of exploits used vulnerabilities which were at least five years old and 37 percent used those which were at least 10 years old.
Excellent research by Kenna Security shows how these dynamics play out over time:
Before the patch is available, attackers have the momentum. Defenders are clearly handicapped until that patch is available. And the longer they wait for a patch, the more momentum attackers will gain.
One to two weeks after the patch becomes available, defenders gain the momentum. That momentum lasts roughly six to seven months, meaning that for that time, defenders are actually remediating systems at a faster rate than attackers are attempting to exploit them.
After six to seven months, the attackers once again overtake the defenders and gain back the momentum. The “plateau of remediation” seen in different survival curves—depicting how some organizations still haven’t addressed this vuln—is what gives control back to the attackers.
During the times of attacker momentum, brandishing should remain especially effective.
Specificity of Target Set
The use-it-and-lose-it dynamic is most correct if the brandishing attack is against an especially narrow target, such as a single government department or company.
The most well-resourced and well-organized defenders should be able to patch or eject adversaries quickly. But “quickly” is quite relative. Defenders likely would need to engage in “hand-to-hand combat” over days or weeks to expel electronic intruders, as the State Department found out in 2014 against Russian intelligence teams.
Such elite organizations are so rare that longtime security professional Richard Bejtlich has dubbed them the security one percent. The vast majority of defenders are not nearly capable enough to deal with these elite organizations, as they need an average of 75 days to contain a breach after detecting it.
So, narrowly targeted brandishing threats may be viable for more than long enough in a high-stakes crisis, even against well-defended organizations.
Worse still, the most successful brandishing may not be such one-to-one attacks against a lone target. Rather, the most spectacularly impactful cyber incidents have generally been “one-on-multitude.” In these types of attacks, adversaries use the scale afforded by the internet to affect hundreds, thousands, or millions of targets with the same campaign. The vast scale of such attacks will tempt states to use one-on-multitude attacks for brandishing purposes.
The most relevant recent case study here is the Russian Sunburst campaign against SolarWinds and other organizations. Discovered in late 2020, it remains one of the most significant national security cyber operations ever. Yet three months later, the U.S. government could still only assert that it had “largely,” but not wholly, eradicated the Russian presence (that is, ejected them from federal systems, which is the third factor of brandishing power) which could enable Russian brandishing threats.
As I wrote in early 2022, before Russia’s invasion into Ukraine last February, imagine for a moment that Sunburst had not yet been discovered. If so, the Biden administration would have been facing:
a shocking misapprehension of the actual correlation of forces, completely underestimating the strength of Putin’s hand. The United States would be held at substantial risk, and no one would know. At least, no one outside of Russia …
Even with existing malware functionality, the Russian espionage team could have rebooted all infected systems at a specific time, say just after a major Putin speech warning the United States to back down.
Such a cyber brandishing move might have been counterproductive given what is now known about the strength of U.S. and European support for Ukraine. That, however, is perhaps more about geopolitics than because cyber is an inherently weak weapon to brandish.
Lessons about cyber conflict must be based not just on abstract assessments of their characteristics but on the technical and historical realities. Revealing a specific capability does start the clock on its obsolescence, but that clock does wind down slowly. Cyber capabilities, moreover, have and will continue to be useful for brandishing.
In the long peace after the end of the Cold War, there were few reasons to brandish any kind of weapons, as states simply did not invade one another. States will be willing to take more risks in the coming crises of great power competitions, with Russia already making nuclear threats. Brandishing of all types will become more common.
Some of that brandishing will be of cyber capabilities and, surely, much of that will be bluster and hype. But cyber capabilities can be dangerous and can be brandished. Policymakers must continue to respect that danger.