Book Review

No Shortcuts: Why States Struggle to Develop a Military Cyber-Force By Max Smeets Reviewed By Mark Grzegorzewski

Oxford University Press, 2022, ISBN 978-0197661628, 213 pp.

Reviewed by Mark Grzegorzewski, PhD, Department of Security Studies and International Affairs, Embry-Riddle Aeronautical University

How many countries have military cyber forces today? The focus is often on the same major cyber powers, e.g., China, Russia, and the United States. As Max Smeets explains in the introduction to No Shortcuts: Why States Struggle to Develop a Military Cyber-Force, at least 40 countries have established a cyber military command or similar structure. However, quantity is not quality, and many of these programs are extremely underdeveloped and underprepared to compete with major cyber powers. So why do these states struggle?

Smeets, a senior researcher at the Center for Security Studies at ETH Zurich and director of the European Cyber Conflict Research Initiative, breaks the book into 3 parts. The first part, Chapters 1 and 2, discusses main concepts and provides an empirical overview of cyber-force development. The second part, Chapters 3 through 6, focuses on the internal state dynamics of cyber capability development. The final part, Chapters 7 through 9 (plus the conclusion), explores how external actors can influence a state’s cyber capability development.

Smeets introduces key terminology in Chapter 1 for discussing cyber operations, emphasizing the importance of defining what a “cyber weapon” is and examining the intended effects such weapons seek. By understanding these effects—disrupt, deny, degrade, destroy (D4), or espionage—readers can better grasp the purpose behind cyber operations. Smeets smartly integrates the Lockheed Martin Cyber Kill Chain methodology to show that while the effects of operations may differ, the steps involved remain consistent. The distinction lies in intent rather than process.


In Chapter 2, Smeets evaluates global cyber capabilities, noting that capturing cyber capabilities depends on how one defines “cyber-attack.” He traces the evolution of cyber policies from the early 2000s, which began modestly and expanded comprehensively around 2010. However, Smeets notes that having a cyber strategy signifies intent, not capability. Countries differ significantly in the authorities and responsibilities within their cyber operations. While some countries have launched military cyber programs, few have been directly observed conducting operations to achieve cyber effects.


Chapter 3 explores the development of cyber programs, which are shaped by a state’s assumptions about its threat landscape. For instance, a country focused on generating spam may create a decentralized and low-maintenance program, whereas one prioritizing access to critical information may invest in a sophisticated and tightly controlled system. Smeets argues that cyber operations serve as flexible tools rather than strategic weapons due to challenges in both attribution and coercion. Timing is crucial for the success of cyber operations, especially when they act as supporting forces, and where missteps can have severe consequences.


Smeets in Chapter 4 provides a typology to classify cyberspace actors by comparing their operational constraints with available resources. Operational constraints include factors like the interplay between intelligence collection and military cyber operations, while resources refer to financial and organizational capacity. The most dangerous actors are those with minimal constraints and ample resources, such as Russia. Smeets also presents a detailed case study of the Netherlands’ cyber program, which exemplifies typical cyber programs that are highly constrained organizationally and underfunded.


Chapter 5 introduces Smeets’s PETIO framework—people, exploits, toolsets, infrastructure, and organizational structure—as a method to evaluate a state’s ability to develop offensive cyber capabilities. Among these, people are highlighted as the most critical component of cyber operations. While other elements of the framework are necessary, operations cannot succeed without the right individuals in “thought jobs” that require human understanding and execution. Technology cannot replace this role, as cyber effects inherently target people. The second element, exploits, refers to the payloads delivering effects. While zero-day exploits are desirable due to their unpatched nature, they are not a universal solution. Organizations may have already patched against specific vulnerabilities, making persistence and focus key to long-term exploitation rather than zero-days alone. Tools, the third element, enable attackers to execute malware within target systems. Here, a tradeoff exists: sophisticated toolsets make operations quieter but are costly and time-consuming to replace if detected. To mitigate this, attackers often “live off the land” by using tools already present within the target network. Infrastructure is the fourth element. It includes both access to the target’s infrastructure for exploitation and a sandbox infrastructure for testing capabilities. Secondary infrastructure is often reused post-operation to reduce costs, rather than being “burned.” Lastly, organizational structure ties these elements together. Acronyms like CRAMP (capabilities, requirements, authorities, mission, permissions) are used to assess cyber organizational capabilities, but PETIO provides a broader framework. CRAMP may be seen as a subset within the organizational structure element, emphasizing that successful cyber operations depend on the right people understanding and sequencing all elements effectively.

Chapter 7 explores the impact of experience on cyber organizations. Smeets introduces the concept of an experience curve, borrowed from business literature, to argue that more seasoned organizations possess greater resources and capabilities. The chapter underscores the intuitive idea that consistent practice enhances skills, making organizations more effective through shared experiences. This leads to the development of organizational tactics, techniques, and procedures (TTPs), enabling more efficient deployment of offensive capabilities. Additionally, Smeets emphasizes the importance of exploitation frameworks, which streamline the pairing of exploits with payloads, allowing more time for creating specialized, high-quality payloads.

Chapter 8 investigates unintentional cyber capability transfers, categorizing four different types. First, when a state deploys a cyber capability, other states can learn from the operation. Second, states might gain deep access to adversary networks, allowing them to witness and learn from operations in real time. Third, tools can be exposed publicly, as seen in the Shadow Brokers incident, and repurposed by other states. Fourth, government employees may leave state service and bring their expertise to contracting roles for other nations, such as former NSA employees running cyber operations for the UAE.

The role of non-state actors is the focus of Chapter 9. Smeets examines how individual hackers and contracting firms find and weaponize vulnerabilities for sale to governments, driving up exploit prices and reducing overall security. He notes the zero-day market is plagued by extreme information asymmetry and is flooded with low-quality exploits. As a result, governments prefer to work with select, trusted sellers, as tracking down ineffective exploits is impractical.

Smeets concludes the book by asserting that most states have not crossed the barrier to entry in cyber operations due to significant internal and operational constraints. Financial and organizational limitations further restrict states’ ability to conduct cyber effect operations. For these states, the quickest way to establish a military cyber force is through non-state actors (“cyber proxies”). While this strategy has advantages, it also poses risks, particularly the danger of intermediaries retaining informational advantages over the state.

A gentle critique of the book is its structure. Smeets acknowledges in the preface that some material was tested in his cyber lectures and two chapters were recent journal submissions. While each chapter stands alone effectively, a more integrated approach and different sequencing could have enhanced the logical flow. Nevertheless, the book is highly recommended for those in cyber policy or strategy. It is accessible, logical, and original. It is essential reading for the field.
