The damage that most military weapons do is irreversible. When a gun fires and a bullet strikes a target, it’s impossible to bring a life back from the dead.
But experts say that cyber weapons, which are reversible, can be even more effective precisely because their consequences can be mitigated. Navy and Air Force researchers predict that the use of reversible cyber weapons might become so standard that anything short might be considered a war crime.
“Coercion is about sticks and carrots,” said Max Smeets, a cybersecurity postdoctoral fellow at Stanford University. Although cyber operations are usually thought of to punish or raise costs on an adversary, it is possible that some enemies can react as a reward if they are reversible, Smeets said.
The concept of reversible cyberattacks is similar to ransomware, when a criminal can hold data hostage for money. An example of a reversible offensive cyberattack would be encrypting an enemy’s data to force a change in behavior and then decrypting that information once there has been an agreement.
“State actors might ironically be able to learn some lessons from criminal ransomware attacks — in this case there is a clear reward when complying” because you get your data back, Smeets said. “State actors, such as the U.S. Cyber Command, may be interested in reversibility not just because of its coercive value, but also its legal dimension. In simple terms, cyberattacks might cause collateral damage, but if you can actually reverse it, there are more options for usage.”
There are many tactics to make cyberattacks reversible. Smeets said another example is copying data, and then deleting it from an owner’s system to hold the information ransom.
Military researchers at the Naval Postgraduate school and the Air Force Research Institute have also looked into the concept. They found reversible cyberattacks could focus on "obfuscation of a victim’s system by the attacker by data manipulations … (and) deception by the attacker of the victim to make them think their systems are not operational when they actually are. ” The research was conducted by Neil Rowe, Simson Garfinkel, Robert Beverly, and Panayotis Yannakogeorgos.
The military researchers went so far as to argue that in the future, non-reversible cyberattacks may be “interpreted as violating the laws of warfare in regard to unjustified force when reversible methods are easily available.”
Smeets’ argument for reversible cyberattacks was presented as part of a recently released paper by Strategic Studies Quarterly. He argued that reversible cyberattacks are similar to economic sanctions, but more potent.
“Sanctions are inherently public, which leads to additional reputational costs for the aggressor if it backs down post-action. The value of (cyber operations) is that these activities could potentially take place in a covert manner, making it easier for a leader to save face,” Smeets wrote.
He also acknowledged there could be drawbacks. Victims may lose confidence in their systems during a reversible cyberattack and consider them a sunk-cost, meaning an operation might have the same properties as a physical weapon.