The discussion of the concept of cyber warfare weapons jumps between a few threads that make them harder to understand than really is needed. One of the conceptual problems is that there are types or generations of cyber weapons and they work upon different aspects of cyberspace. This is a minimally difficult concept to master but it illuminates the vapid interest without depth that pundits and policy makers take towards cyber. Much as the land domain has seen different generations of weapons, from bludgeons, to muskets that then became machine guns and artillery we see the same in cyber. This is an expected occurrence and only of note because we attempt to discuss the topic as if we’re agreed all weapons are muskets.
There are three definitive layers to cyberspace that define it. Various authors have discussed them using different terms but for the sake of brevity we’ll call the three layers the cognitive, logical and physical layers of cyberspace. Some would immediately jump to the pseudo technical terms of logical and physical as being the Internet but that is a false assumption. The internet specifically refers to the internet protocol and addressing schema. There are many different protocols (logical) layers that also do long haul that are not part of the wiring (physical) elements of the Internet. Everything from various radio communications to special protocols that are used for telemetry on the telephone system would apply. By far the Internet is a big dog in this domain, but it is but one of the dogs in the hunt.
The cognitive layer is a required layer and is acted upon and through the various aspects of cyberspace. Social engineering attacks would not be possible if this layer did not exist. Dan Kuhel at the National Defense University refers to connectivity, content, and context among many other elements of this cognitive layer. Without the cognitive layer cyber is a mere technical problem. With cognition the cyber problem is much more difficult to define and further to understand.
The three generations of cyber weapons are as follows:
Generation 1: (Anti) radiation electronic warfare weapons that can blind, cripple, degrade or incapacitate through traditional electronic warfare means. These are effectively command and control weapons. Lineman pliers and a JDAM are equally 1st generation cyber weapons. The cutting of the telegraph lines by Native Americans to disrupt soldier’s movements in the Indian Wars, and the blowing up of the Baghdad telephone company in the Persian Gulf War are the same effective generational weaponized effects. The only barriers to entry are based on level of effect desired. Traditional effects are degradation, disruption of communication with very closely controlled deployment and targeting.
Generation 2: Software and hardware derived technical implementations that allow for vulnerabilities to be exploited in the systems of systems or specific targets. These are characterized by their requirement that somebody has an exploitable feature in systems design, configuration, or software implementations. This is further characterized by heavy reliance on network infrastructures though they may not be the primary mechanism of exploitation. There is varying levels of barrier to entry. Traditional characteristics are of espionage and sabotage with varying level of sophistication and control of deployment.
Generation 3: Fusions of generation 1 & 2 weapons then become point and shoot weapons that can destroy, degrade or disrupt the adversaries systems without requiring the vulnerabilities to be exploited. The adversary is no longer required to make a mistake. These kinds of weapons simply destroy the command and control, (communication and coordination) behaviors of cyber infrastructures. Emerging characteristics are of selective targeting and speed of deployment.
As a slight diversion from the main topic, I often get the query, how do you exploit somebody in cyberspace without a network? That is a great question. The first part of this question is assumption that the network is required, and a bias toward network centric operation. The second part of this question is the concept that only exploits against vulnerabilities count as cyber conflict. All of which is due to a current bias in the conflict realm towards effects that are kinetic and ignore the idea of the Boyd OODA loop. Where observe, orient, decide and act are element of decision-making that allow a commander to evolve an engagement toward a particular conclusion.
To answer the diversion we will consider the concept of big data. Big data is a buzzword that applies to large data sets and the mechanisms of analysis of those large data sets. If you have a significantly large data set, an avatar of an individual can be created, and inputs evaluated of behaviors of that person based on particular stimuli. This is done in advertising extensively to increase sales. It can be done to identify trends that the individual may not be even aware they are exhibiting. As such without ever reaching across the network to exploit a vulnerability the information assets can be utilized to create a strategic consequence.
Why this is important is that generation one weapons primarily work against the availability of systems and the inherent infrastructures that they operate upon. While generation two weapons tend to operate at the logical layers against the protocols and applications that run on top of the network. Finally generation three weapons appear to be destined to work against the entirety of the systems of systems infrastructures inclusive of the human being.
In the rice-bowl politics of Washington DC there is an effusive desire to bend cyber towards exclusive electromagnetic spectrum weapons. Within this construct we can see that those weapons would be generation one weapons and included within the taxonomy. The querulous point made my these proponents is that there is nothing in cyber that doesn’t use the electromagnetic spectrum so therefore that is the defining characteristic. Unfortunately things like quantum computing, TCP/IP avian delivery mechanisms, and other esoterica break their model. In the world of science I only need one example to refute the principle espoused, and that is not merely academic. It is the founding principle of logic we use for creating the rules.
The discussion of what else besides electromagnetic spectrum might be involved is heavily biased by the network centric nature of the principles and their inherent biases. Technologists have a tendency to ignore the human entity in the network and in information technology professionals often refer to their users as (L)users. This creates a seam upon which an adversary can apply force.
The focus on the generations of weapons isn’t about merely separating or binning them into artificial constructs. It is an attempt to create an awareness that there is a larger depth and breadth to the conflict spectrum across the cyber domain. The focus on things like the power grid inherently create angst against a cyber attack but would the weapons of that attack look like? If the weapon is a generation one weapon it likely will be a form of disruption and have an effect against availability. That though is only one form the attack could take.
Focusing on one aspect of the weapons used in the cyber domain or one set of targets has a tendency to create a false sense of fear ignoring the resiliency of the various networks, but it also ignores the inter-connected nature of the various networks which is inherently fragile. Further that same bias of ignoring the human component in both variations (resiliency and fragility) to the network gives a poor metric for risk assessment.
In the 2004 Report of the commission to assess the threat to the United States from Electromagnetic Pulse (EMP) Attack Volume 1 on page 9 a very interesting graphic depicts in the interconnected nature of the maxi-infrastructure of networks.
This ties the critical infrastructures and the various networks together in a tidy picture. What is missing is the other networks. There are the familial networks of the humans involved, the cash and tender networks outside of the financial trading networks, the actual highway and shipping networks of traffic lanes (never mind traffic controls), and so many other networks. The human networks were part of what Enron exploited to create rolling brown outs in the California region. The mechanisms of legislation and deregulation allowed for a sideways attack that disrupted, degraded, and ultimately created political chaos.
That fusion of the various disruption techniques is part of what makes generation three cyber weapons more powerful than generation one or two. Though a focus on the “point and shoot” aspect will create imagery of some kind of “cyber rifle” instead think of a mechanism to instantly digest the components of a system and know the critical fault lines. Perhaps we’ll simply start with generation 1 and 2 fusions to create generation 3 weapons. Simply put I don’t know. It does appear that a disconnect exists in the discussion of cyber weaponry and how it might be employed against an adversary.
When thinking about the various networks it is possible to lose focus that any attack against a nation will have a purpose and rarely will that purpose be to attack a network. There will be some strategic consequence that inherently and adversary will be trying to accomplish. Even if that consequential effect may be only to slow down a nation-state actors response. Currently we talk extensively about attacks to confidentiality and integrity of information systems. Rarely are we talking about the inherent consequence of those attacks. The metrics of discussion are the number of passwords lost, the number of accounts disrupted, and the discussion does not focus on what that means. In summary we focus on the mechanism of the attack rather than the effect of the attack. That then is conflated with the attack tool type rather than the consequence.
Given a good taxonomy of the types of cyber weapons an effects based discussion could be possible. If you use high energy radio frequency to disrupt or degrade the communications of an adversary you have an understanding of the utility of the weapon. If a zero day exploit and an access to particular adversary systems is used to create the same disruptions a cost for effect analysis is possible. This kind of operational risk assessment relies on understanding the weapons types and their effects.