While many questions exist about the nature of cyber operations and their impact, few have questioned if states are capable of undertaking offensive action in the first place. Max Smeets concludes that many do not. In his new book, No Shortcuts: Why States Struggle to Develop a Military Cyber-Force, Smeets describes the practical constraints that have limited the use of cyber effect operations. Interviews with officials suggest something counterintuitive and important. While cyberspace operations are perceived as a way for weaker countries to close gaps in military strength, they require organizational resources and coordination that has only made the gap wider.

Many countries have built cyberspace agencies, but not many have conducted cyberspace operations. In his careful historical review, Smeets describes three distinct periods of “organizational diffusion” in which cyber military organizations gained prominence: the early 2000s-2010, 2011-2014, and 2014-2018. Yet only seven countries have undertaken cyber effect operations – the United States, China, Russia, the United Kingdom, North Korea, Iran, and Israel (32). Not all states have the wherewithal to operate effectively. Successful actions depend on money, talent, personnel, training, coordination, and so on. It is one thing to stand up a new organization, and quite another to make it work.

In addition to organizational challenges, states face a variety of other barriers to action.  Strategic considerations include skepticism about the expected returns from cyberspace operations. Legal or normative constraints are the patchwork of national and international laws and norms surrounding cyber effect operations that states may or may not be willing to violate. Chapter 4 expands on this by dividing based on two variables: constraints and capabilities. Not surprisingly, states with high capabilities and low constraints are most likely to act.

The mix of capabilities and constraints also helps explain different approaches to cyberspace operations. States with relative low capabilities but few constraints may opt for “tools-based” targeting, which assumes the willingness to strike at any target with available tools as soon as a vulnerability is discovered. Leaders who are insensitive to norms and insulated from laws are more likely to choose this approach. States with higher constraints, on the other hand, are more likely to opt for “target-based” operations. These require significant knowledge of the target system, bespoke tools for achieving certain effects, and careful efforts to reduce the danger of collateral damage. States with high capabilities may be able to cause more trouble, but they will focus on less destructive operations out of concern for internal opposition and international denouncement.

In chapter 5, Smeets returns to the theme that animates the book: the organizational demands of cyberspace operations. He develops a framework for assessing organizational capability based around a snappy acronym: PETIO (people, exploits, toolsets, infrastructure, and organizational structure). Smeets claims that people are the most important aspect of this framework because talented individuals underly the ability for operations to occur. Exploits and tools are necessary for people to do their jobs. Infrastructure is the backbone of the operation that has individuals ready and able to use their tools to succeed in the operation. Finally, organizational structure can aid or impede individuals in their operations by integrating resources and knowledge or by blurring the lines between the military and espionage, which increases risks of exposure and potentially brings the security dilemma into the cyber realm. This is an undesirable option because of the risk that, as Robert Jervis said, “the means by which a state tries to increase its security decrease the security of others” which can cause a cycle of each state trying to maintain security superiority while decreasing the security of others.

Chapter 6 discusses ways that states can improve their organizations through the “experience curve.” The first way is through learning, where individuals become more competent as they practice their tasks. The second is scale, where organizations become more effective as they grow. Finally, technological improvements allow organizations to make progress that would not have previously been possible. Smeets concludes this chapter by discussing the potential upsides and threats that may emerge because of AI. His analysis provides a balanced analysis of potential benefits and harms that AI can provide for cyber operations. I agree with his argument for the slow rollout of new techniques. Many algorithms already work within a black box and states must be careful about the potential damage that can come from AI.

Near the end of the book, Smeets moves from domestic to international questions. In chapter 7, Smeets reviews the intentional sharing of cyber assets, and in chapter 8 he discusses unintentional transfers. He begins by claiming that transfers only make sense if states agree on how to use an asset, and if an asset cannot be turned against the provider In most cases, it makes more sense to help the partner develop its own underlying capabilities. Smeets posits that cyber asset transfers are different, both because they are rivalrous goods and because of the difficulties of attribution. I generally agree that cyber assets are more difficult to transfer, but believe that Smeets has underplayed the significance of his caveat. While many states, especially allied states, may use the same vendors for technology, there are still many applications that are used by adversaries that would not come back to harm the assert provider. If these states coordinated on sharing exploits for these technologies, they would be able to target specific countries, such as the NotPetya operation which targeted an accounting software called M.E. Doc that was widely used in Ukraine.

No Shortcuts is based on compelling interviews and thorough case studies. Smeets does an excellent job of establishing key terms, and he avoids making claims which are outside of the scope of his topic. It succeeds as an academic review and will surely be useful for cybersecurity researchers. That said, it may be difficult for non-specialist readers. It helps to have a preexisting knowledge of cyberspace technologies to grasp the organizational demands of cyberspace operations.

Some of Smeets’ conclusions are debatable. One is his argument that claims organizations integration may lead to escalation of cyber operations. Smeets posits that the as states increase integration, others will feel threatened and intrude into their networks to gain early warning about threats. This may lead to a series of escalatory operations caused by mutual fear of each state’s capabilities. While the concept of the security dilemma has significant evidence in the physical world, the concept of a cyber security dilemma has several problems. The first problem is related to Smeets concept of target-based targeting. States may feel threatened, but it is not guaranteed that they will be able to develop tools to act against said state. This differs from the kinetic security dilemma that is used as a point of reference. In the traditional dilemma, states can more easily build up weapons because bombs and guns can be used versus any enemy, not need to be specifically targeted like cyber operations. Additionally, Smeets does not differentiate between the organizational integration of small and medium sized states versus large states. If states other than the seven that have undertaken cyber effect operations increase integration, larger states should not be worried about these changes.

Despite these issues, this book provides an excellent contribution to the literature on offensive cyber operations and organizational structure. It challenges traditional conceptions of cyber effect operations to propose a new and different way of thinking. This book will be useful for academics who aim to further expand research into the real choices behind the use of cyber operations. This book provides a unique insight into why more states do not use cyber effect operations in a way that can be of use to policymakers and academics alike.