How to wage cyber warfare: Puzzle pieces, Part 3

Cyber warfare, claimed by many, is done by none. Most of the stuff identified as cyber warfare and security we see is actually defensive in nature. If we actually secured our computing systems, a lot of the risks of damage would disappear. The level of effort for cyber adversaries would increase and the noise level of current attacks would decrease, allowing for better detection. Yet we as a populace are rarely willing to put the time, effort, and resources into actually fixing security problems. The risk-reward equation infects decision cycles like the flu. A big part of that is because we the users are a big part of the problem: taking shortcuts, breaking the rules, thinking “how could this hurt this one time?” The other problem is that the security architectures and system architectures of information technology are horribly flawed. Much of what we actually do is passive, chaotic, rarely planned, and almost always responding rather than protecting. In other words, many claim to be involved, but most are simply charlatans mouthing the words and never singing.

Clausewitz was a Prussian military theorist who discussed military doctrine and the capacity to make war from a practitioner’s perspective. Much of what he wrote was open enough to be considered a theory of national security with war being the central theme. His famous quote of war as a continuation of politics should have us looking at cyber warfare and identifying that thread there. Since we are discussing war in the cyber realm, a theoretical construct from the Europe of yesterday should do handily. What we need to do is build a doctrine of cyber warfare. We need a set of principles that can be used to explain patterns of cyber warfare. Clausewitz discussed in “On War” how an army could back up against a swamp and use the morass of the swamp to protect itself from an advancing enemy. In many ways this is actually what we do with our zones of defense and defense in depth theories. Clausewitz, though, was willing to say that spies and interlopers (saboteurs) could come through the swamp singly and create havoc, so keep guards posted anyway. A good idea for our cyber defenses too.

Whatever military philosophy we choose to use, there are patterns of human-based conflict that we can identify. Those patterns are found all over the literature and can be expanded to fill in the gaps of understanding for cyber warfare (any government agency willing to fund this effort should contact me; a few $100K should do the trick). Patterns of conflict in cyber space are highly asymmetrical, are cheap to accomplish, can have huge dividends, and are remarkably risk-free. It is my primary assertion that cyber warfare, due to the previous attributes, is guerrilla warfare and as such will only be fed and strengthened by the application of large-scale force.

Putting the pieces together on the way to a doctrine allows us to determine a few things. One of the first things is the continuing misapplication of cognitive power on the definitions of terms and techniques.  The second problem is the time compression of the decision cycle. The cyber adversary is less interested in the definition, taxonomical derivative, or ontological merits of an argument than they are interested in the application of cyber power. Debate over the defensive and rudimentary responses to cyber adversaries is part of the organizational drag that a cyber adversary can exploit. While committees of the nation state meet and determine the return on investment of an action the cyber adversary takes action at the speed of the network. Decision cycle parasitic loss is the amount of money lost while waiting for bureaucracies to take action. This is a large loss in strategic position as the overhead of top-down organizational hierarchies fails to meet the assault. Leadership in this space and doctrine should be by intention. This is a valid area of research to meet the doctrinal objectives in decision science when the time cycle is measured in milliseconds.

Cyber warfare is conflict on the terrain of cyber space, not on the Internet. As discussed in other sections, the Internet is not the “all”. The global information grid, inclusive of people through kinetic responses and winding through the different communications technologies and mediums, makes up this inclusive cyber space. It is big. No. I mean it is REALLY big. I shiver every time I read that cyber warfare is people posting on a blog, generating a denial of service attack, or changing a web page. My scope is slightly larger. I see Bhopal in my nightmares. Where human error exists, where danger occurs, technology seeps in to solve the perceived risk. Cyber warfare is the shim on the door of security, opening what was protected against to the horrors society fears most. It isn’t script kiddies and hackers with the latest version of Metasploit that we should be scared of. The terrain of cyber warfare is not the Internet. The terrain of cyber warfare is cyber space and the nuclear weapons are SCADA. The bombers of cyber space are Profibus, MODBUS, MODBUS+, and DeviceNet along with others.

Beyond information operations and into the realm of indirect fire is where cyber warfare is taking us. Cyber warfare is a complex kinetic form of war. The tools and ideas are well worn. The unmanned aerial vehicle is a complex unified control system of a really massive SCADA system. The UAV has sensors, turns network command and control into actions, and delivers a heck of a kinetic response. We talk about SCADA a lot, and it should be noted that there is more to cyber warfare than SCADA. Simple exploitation of networks violates confidentiality and allows for spying remotely. The use of closed-circuit television (CCTV) systems for targeting already occurs by the police in London to catch criminals. We know that open CCTV networks are used by criminals too. Why could an insurgent not use a CCTV system as a form of reconnaissance? Many CCTV systems are actually wireless and have little in the way of security protecting them from exploitation.

Information operations doctrine (JP-3-13) does not claim unmanned aerial vehicles as part of the computer network operations space. The nature of technology, and specifically information enhancing/adapting technology, is that a certain level of ubiquity or pervasiveness is reached and the technology disappears and becomes part of the background. This is why people don’t notice CCTV systems in stores and can accept them. They are part of the background noise of technological society. Similarly, other technologies are adapted and become part of the background in the military, like iPods and laptops. Yet the various issues with those technologies follow them into ubiquity along with the exploitable vulnerabilities. When discussing doctrine there is almost a need to discuss a doctrine of technology.

At this point we are bumping up against actual operational characteristics of cyber warfare. One functional component of cyber warfare is computer network exploitation (CNE). This primary function is the infantry of cyber warfare. In the Marine Corps every Marine is a rifleman, and CNE is the most basic skill. The principles of CNE are being covered in a class I am teaching as part of “red teaming” or “network audit”, but the basics are reconnaissance of the target network, figuring out the possible attack vectors, determining a strategy of attack, implementation of the attack, achieving the mission objective, obstruction and obfuscation of attribution (sometimes done along the whole trail), and recovery and/or retreat. This will be a large part of discussion in the June time frame.

Finally, when considering the doctrine of cyber warfare, we’ve only opened the can of worms; we’re still not fishing. The doctrine needs objectives, structure, a community of practitioners, and a detailed capabilities statement. The elements restricting a vigorous debate are the silos of parochialism as the different government agencies swagger into each debate. As they do so, the flexible, capable, resilient players have been pushed aside. Exactly opposite of what is needed to wage offensive cyber warfare. The doctrine of cyber warfare is being written by the typewriter generation to be implemented by the Game Boy generation.
