3OS Paper #5
Abstract: American rivals already fight a total war in cyberspace—pre-positioning in critical infrastructure, stealing intellectual property (IP) at scale, funding regimes via ransomware, and “hacking the voter” through platform algorithms. We still treat cyber like exquisite, slow, intelligence-gated magic reserved for strategic set-pieces. This paper argues for treating cyber as a maneuver domain: normalize cyber fires in targeting, collapse approval timelines to hours and minutes, and mobilize the U.S. private-sector arsenal as today’s industrial base. Stuxnet proved strategic effect; Russia demonstrates tactical fusion; China shows patient pre-conflict shaping. Either integrate civilian cyber power and contest persistently—or watch our own market strength weaponized against us.
Introduction: From Enabler to Domain — Because We Are Already at War
- Cyber is not merely support for the “real” fight; it is a battlespace on par with land, sea, air, and space.
- Adversaries wage continuous, state-directed campaigns: espionage, pre-positioning in critical infrastructure, ransomware funding regimes, and “hacking the voter.”
- The U.S. still acts like these are “incidents,” not battles—an error our rivals exploit.
We’ve spent decades treating cyber like an optional enabler—useful for exquisitely timed strikes, a boutique tool kept behind glass for the “big day.” That view is obsolete. Cyber is a maneuver domain, and our rivals have been operating as if it were for years. The People’s Republic of China (PRC) places state-sponsored operators inside U.S. critical infrastructure to pre-position effects for crisis or conflict, using “living off the land” techniques to evade detection.[1] Russia’s doctrine stretches seamlessly from the tactical battlefield to the American newsfeed: DDoS against ministries and media when tanks roll, and “hack the voter” through platform algorithms when the tanks are parked.[2],[3],[4] North Korea runs ransomware and crypto theft at scale to fund the regime.[5],[6],[7] Iran probes and compromises U.S. critical infrastructure—up to and including municipal control systems—while conducting broad campaigns against federal and critical-infra networks.[8],[9]
Call it what it is: from a nation-state perspective, we are already in total war in the cyber domain. Total war here is descriptive, not legalistic: persistent, state-directed campaigns across the national attack surface. The only question is whether we will keep pretending it’s peacetime. Our addiction to exquisite, slow, intelligence community (IC)-gated cyber has become a strategic illusion—one that trades real tactical wins for the appearance of control.
1) Cyber as a Domain, Not an Enabler
- Cyber is a full-fledged domain of warfare, not a support function.
- From a nation-state perspective, the fight is persistent and already total.
- Adversaries exploit our refusal to call it war; they count victories in IP, pre-positioned access, and political effects.
Cyber is not a helpdesk, a router farm, or a pipeline for other forces. It is a battlespace. Our adversaries prize persistence over pyrotechnics: stealthy access, long dwell, and timing leverage. The PRC has operationalized this with campaign-level patience—“living off the land” (abusing legitimate admin tools and native services) to persist across IT environments in U.S. critical infrastructure.[1],[10] U.S. doctrine formally recognizes cyberspace as a domain, but operational practice still too often treats it like a boutique capability for “exquisite” targets rather than the daily fight.[11],[12]
Meanwhile, Russia reframed the battlefield itself: hack voters, not voting machines. The Senate Intelligence Committee and multiple investigations documented Kremlin-directed social media operations that reached at least 126 million Facebook users—algorithmic exploitation as an instrument of state power.[2],[3],[4],[13],[14] Our rivals know they’re at war. They write campaign plans. We file incident tickets, and until we change authorities, targeting, and timelines, we’ll keep doing exactly that. That delta—not technology—is the center of gravity.
2) Stuxnet: Strategic Success (and a Missed Doctrinal Opportunity)
- Proof of concept: cyber can achieve strategic effect against hardened, segmented targets.
- Three reasons it mattered: covert insertion, long-term persistence, and physical destruction.
- But it was bespoke and slow—our failure was treating it as an exception, not a model for doctrine and force design.
If cyber needed a proof of concept, Stuxnet supplied it. The malware infiltrated air-gapped Iranian nuclear facilities, maintained persistence, manipulated programmable logic controllers (PLCs), and destroyed centrifuges—delaying a nuclear program without a single kinetic strike.[15],[16],[17] That’s strategic-level effect—covert action that created real-world damage and strategic delay.
Yet Stuxnet’s very sophistication allowed a dangerous misreading: because it was bespoke, we treated it as a one-off museum piece rather than a design pattern. The lesson wasn’t “build one Stuxnet per target.” The lesson was “normalize cyber fires and effects alongside other fires”—and then resource the institutions, targeting processes, and training pipelines to do it on demand. We largely didn’t. Instead, we treated Stuxnet like a nuclear weapon, hidden behind a wall of bureaucracy where every "zero day" is protected like Oppenheimer's secrets. Much of this is due to the organization of Cyber Command itself as part of the IC, dangerously removed from operations. The National Security Agency (NSA) operates a finely tuned electronic intelligence gathering organization and strategic cyber espionage outfit, but the organizational design and approvals inherited from the IC often impose days-long delays on cyber effects at all levels, which has essentially hamstrung the use of the entire domain for tactical effects. The inability to deliver cyber effects in a timely manner, hidden as they are behind multiple days of coordination and approval processes, has made the integration of cyber effects beyond day two of a conflict exceedingly rare, and difficult for the typical commander to build into a scheme of maneuver.
3) Russia Leading at the Tactical Level (and in the Feed)
- Georgia (2008): crude but effective cyber-kinetic integration.
- Crimea & Eastern Ukraine: faster, localized effects (EW, GPS spoofing, misinformation) embedded with maneuver units.
- Strategic layer: “hack the voter” by exploiting social media algorithms—mass-reach influence as a state capability.
In Georgia in 2008, Russian operations combined DDoS, defacements, and information ops to degrade C2 and situational awareness while maneuver forces seized initiative.[18],[19] In Ukraine, Russia refined its approach: power grid intrusions and destructive malware (e.g., 2015 grid attack; later Industroyer/NotPetya) demonstrated a willingness to impose real-world costs, while tactical EW and spoofing complicated Ukrainian operations.[20],[21],[22] What Russia did in 2008 resembles the partial, uneven cyber/kinetic coordination the U.S. often attempts today: a combined, pre-planned first-day operation, followed by disjointed use of cyber that ran relatively independently of maneuver operations that were themselves much better coordinated across disparate domains. By Ukraine, Russia's operational integration of cyber had vaulted far beyond the myopic, IC-focused use of tactical cyber. We would be wise to learn from such changes.
Beyond the battlefield, Russia operationalized algorithmic manipulation. The Senate’s multi-volume investigation, Justice Department filings, and independent analyses document how the Internet Research Agency (IRA) leveraged U.S. platforms to amplify polarizing content and shape perception—“hacking the voter,” not the tally.[2],[3],[4],[13],[14] U.S. Cyber Command’s 2018 disruption of the IRA during the midterms showed we can contest this space—but it also underscored that the fight is continuous and cross-domain.[23] The lesson is not that we can’t contest—only that we rarely contest fast enough or low enough.
4) The Contractor Paradox
- At the tactical/operational level, contractors cannot deliver combat power: they don’t hold ground, absorb risk, or survive long dwell cycles.
- On paper, they “save money”; in a real fight, those savings collapse.
- In cyber, the logic flips: the civilian market is the decisive arsenal.
Contractors are invaluable in garrison and logistics, but they are not a substitute for soldiers at the tactical point of friction. Congress, GAO, RAND, and service studies have spent years documenting oversight gaps, mission risk, and the structural limits of contractors in contingency operations.[24],[25],[26],[27]
Contractors were all the rage for a while: paid exorbitant amounts of money in all-cash deals, mercenaries from companies like Blackwater or Triple Canopy could fill roles that the government couldn't at the scale needed, or so it was assumed. Policymakers often compared a single contractor’s cash compensation, which reached stratospheric amounts, to one deployed soldier’s base pay—ignoring the other hidden costs borne by the force. Comparing the $300k annual income of a mercenary to the pittance that an enlisted infantryman (11B) in the U.S. Army made over the same period discounted the following: the government was training the infantry and rotating them in and out; for every one with boots on the ground, there were at least two more in rotation somewhere, at least one in training for the next cycle and at least one rebounding from a previous cycle; and they all get full benefits, with the potential for lifetime benefits for injury or death. The contracted mercenary receives none of that and is a party of one, with no one to "back them up" on the back side. On paper, the mercenary seems cheaper. Except they have no tail. They aren't sustainable. And those savings collapse in a protracted fight. It's why the operational arms of the IC love contractors, but even the blackest of ops by Joint Special Operations Command (JSOC) use active duty personnel.
But in cyber, the center of gravity sits outside the Pentagon. The U.S. private sector leads the world in cloud, security services, AI tooling, and software supply chains. That civilian ecosystem is not an optional “supplier”; it is the arsenal. Treating it as peripheral is a recipe for defeat in a domain where innovation cycles are measured in weeks.
The paradox is simple: contractors ultimately weaken you at the firebase in the traditional combat domains; they are indispensable in the cyber fight because the free market is the battlefield.
5) Tapping Civilian Market Power—or Losing It
- Make the U.S. tech/cyber ecosystem a deliberate national asset (today’s equivalent of the WWII arsenal).
- Protect and accelerate: outpace adversary exploitation of venture pipelines and supply chains.
- If we don’t mobilize it, they will weaponize it—against us.
In WWII, our advantage wasn’t a single weapons system—it was industrial mobilization. Today, our economic arsenal is software, cloud, and security services. By 2025, global security spending is projected around $210B+, while U.S. business R&D alone reached roughly $892B in 2022—capital, talent, and tooling that dwarf government cyber budgets.[28],[29] At the same time, PRC intelligence services have run long-horizon campaigns (APT10 et al.) to steal IP and exploit managed service providers, while state-linked entities probe and pre-position inside U.S. infrastructure.[1],[10],[30],[31] Analyses of Chinese capital flows into sensitive technology sectors and congressional testimony reinforce the risks in venture pipelines and dual-use R&D leakage.[32],[33]
If we do not deliberately integrate, protect, and accelerate the civilian cyber ecosystem, adversaries will continue to co-opt it—from code repos and cloud tenants to VC term sheets. Our choice is to mobilize the arsenal—or watch it mobilized against us.
6) Strategy for Victory
- Normalize cyber as a domain across doctrine, training, targeting, and acquisitions (hours and minutes, not weeks and months).
- Build cyber fires into joint targeting cycles; train maneuver leaders to request and integrate effects.
- Operationalize public-private teaming; protect IP and infrastructure; establish credible cyber deterrence.
Start with doctrine and process. Integrate cyber effects into standard fires processes and Joint Targeting Coordination Board (JTCB) rhythms. Collapse authorization timelines so tactical formations can request and receive effects at the speed of contact. Train leaders—platoon to corps—to understand cyber as maneuver, not middleware. Use software acquisition pathways and continuous ATOs aligned to DevSecOps to deliver capability on operational timelines.
Then mobilize the arsenal. Treat the U.S. cyber/tech ecosystem as a national asset to be protected and integrated. Implement the DoD Cyber Strategy’s “defend forward” and persistent engagement postures in concert with the White House’s National Cybersecurity Strategy Implementation Plan—linking federal demand signals, rapid authorities, and protective measures for critical infrastructure and the defense industrial base.[12],[34] Build channels for surge teaming with cloud providers, MSSPs, and critical vendors that are pre-negotiated, pre-cleared, and exercised quarterly—not invented during crisis. Finally, make deterrence credible: state clearly that destructive attacks on civilian infrastructure will incur costs across domains. Anything less invites the next escalation.
Conclusion: Cyber or Defeat
Pearl Harbor punished those who misread carriers. The early GWOT era punished those who misread networks. Stuxnet proved cyber’s capacity for strategic effect. Russia’s hybrid model shows how tactical effects and algorithmic influence fuse into one campaign. The PRC's campaigns in our infrastructure show what pre-conflict shaping looks like at nation-state scale. We can keep treating this as IT—tickets, ATOs, and quarterly metrics—or we can fight a war that’s already here. The Third Offset Strategy is theater without cyber at the core. The arsenal exists. Mobilize it.
References
2 U.S. Senate Select Committee on Intelligence. 2020. Russian Active Measures Campaigns and Interference in the 2016 U.S. Election. Multi-volume report; and United States District Court. 2018. "United States of America vs. IRA." Criminal Complaint. February 16.
4 U.S. Department of Justice. 2019. Report on the Investigation into Russian Interference in the 2016 Presidential Election (Mueller Report), Vol. I. March 7; and Office of the Director of National Intelligence. 2017. "Background to ‘Assessing Russian Activities and Intentions in Recent US Elections’: The Analytic Process and Cyber Incident Attribution." January 6.
5 U.S. Department of Justice. 2021. Three North Korean Military Hackers Indicted… February 17.
6 UK Foreign & Commonwealth Office. 2017. Attribution of WannaCry to North Korean actors. December 19; NSA, CISA, HHS, et al. 2023. #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities. February; and United States District Court. 2018. "United States of America vs. Park Jin Hyok." Criminal Complaint. June 8.
7 FBI, CISA, DoD, NIS, KISA, NPA. 2024. North Korea Cyber Group Conducts Global Espionage… July 25.
9 CISA & FBI. 2022. Iranian Government-Sponsored APT Actors Compromise Federal Network. November 25.
10 NSA, CISA, et al. 2023. PRC State-Sponsored Actor Living off the Land to Evade Detection. May 24.
11 Joint Chiefs of Staff. 2018. Joint Publication 3-12: Cyberspace Operations. June 8.
12 U.S. Department of Defense. 2023. DoD Cyber Strategy — Unclassified Summary. September 12.
15 Symantec. 2011. W32.Stuxnet Dossier. February.
17 Zetter, Kim. 2014. Countdown to Zero Day (excerpt & coverage). November 11.
18 NATO CCDCOE. 2008. Cyber Attacks Against Georgia: Legal Lessons.
19 Hollis, David. 2011. Cyberwar Case Study: Georgia 2008. Small Wars Journal.
20 E-ISAC & SANS ICS. 2016. Analysis of the Cyber Attack on the Ukrainian Power Grid. March 18.
22 Cranny-Evans, Sam & Withington, Thomas. 2022. Preliminary Lessons from Russia’s EW in Ukraine. RUSI; McCrory, Duncan. 2023. Electronic Warfare in Ukraine: Preliminary Lessons for NATO Air Power Capability Development. October; and C4ADS. 2025. Above Us Only Stars. March 19.
26 Ellen, Barbara, et al. 2005. How Should the Army Use Contractors on the Battlefield? RAND.
27 Luckey, John. 2009. Inherently Governmental Functions and DoD. CRS.
28 Express Computer (citing Gartner). 2025. Worldwide security spending to reach ~$213B in 2025. July 29; and Eberly, David. 2025. "Gartner Forecasts $213 billion in 2025 Security Spending." The National CIO Review. July 31.
29 National Science Foundation (NCSES). 2025. U.S. R&D Totaled $892 Billion in 2022. February 27.
30 CISA. 2018. Chinese Cyber Activity Targeting Managed Service Providers (APT10).
32 CSET. 2020. Chinese Investment in U.S. Artificial Intelligence Companies. September.
34 The White House. 2023. National Cybersecurity Strategy — Implementation Plan. July.