With this ten part series I wanted to get some ideas down and hopefully start some discussion. Over the last few weeks each segment has looked at cyber warfare from a different viewpoint. I’ve been told that my blog posts are way to long and that nobody reads my stuff, but I’d rather provide detailed content over other options. Right or wrong each segment tried to look from a high level at what cyber warfare means. I have succeeded at creating some stir with several other blogs picking up on themes and posts. Here at the end of the series I thought I’d try and clarify a few things and tell you where the future is going to take me. Expect a few minor rants too.
First we should look at the idea of spectrum. Cyber warfare like any form of conflict covers a spectrum from the mundane to the civilization ending form of conflict. Imagination can fill in the details. Simple information operations dealing with communication and trying to sway opinion through cyber space is a use of cyber tools. Is it war? Propaganda alone is rarely war. There must be other elements to rise to that level even if the transition from “not war” to “yes war” is muddy. I think culturally that line will always be muddy.
I firmly believe that much of cyber warfare is in the form of low intensity conflict. A greater volume of the current conflict space in cyber takes on aspects of that form of conflict. That does not mean that all cyber warfare is low intensity conflict, but that there is a form that follows that analogy. That United States has only had limited engagement in high intensity land based warfare since World War 2, but extensive involvement in low intensity conflict characterized as small wars. I think cyber space and cyber warfare will follow a similar model, as political purpose is the driving enabler rather than capability.
I tried to not be too technical in the blog posts. If I were to flesh these posts out I would add the technical support of the ideas. One thing that is missing is a discussion of a cyber warfare infrastructure. At some point in the future I’ll post about the centurion and sentry infrastructure for cyber warfare I have developed. Currently my grad students are fleshing out and testing an attack and reconnaissance taxonomy I developed several years ago. The taxonomy merged with the weaponized infrastructure takes on attributes of bot-nets, intrusion detection systems, and intrusion protection systems while allowing for systematic destruction of cyber infrastructure. If you take the taxonomy and use game engine type AIs to run the tools it becomes nearly trivial to rip a nation-states cyber heart out. This kind of infrastructure is not cheap to build. However, the entire infrastructure can be hidden using other people’s machines (OPM).
Estonia, South Ossetia, Iran, and so many other cyber conflicts show a relative low effect over a long time engagement. A key point being that war of attrition is flipped in the cyber model. Attrition is greater against the attacker than the defender changing a principle of western and eastern warfare. The attacker can flourish and test for a long time having no success at little cost while the defender must succeed every time. Though this principle is well understood, what is not understood is that the attacker once successful must dominate for a millennia of computer time the defender or be rendered toothless. The issue is that time compression in cyber space is especially effective at numbing or absorbing shocks in the real world from having large scale impacts. Unless the first onslaught of a cyber attack is spectacular and involving highly effective results it will not be able to maintain. Time and time again we see administrators simply unplugging systems rather than withstand the attack. As long as that is a possibility cyber will still be held from being a high intensity conflict tool. Where it is not a possibility is when cyber reaches out through kinetic means. That is different.
Leadership is a huge issue with cyber warfare. Looking at the current information assurance and security professionals who have been taught primarily defensive techniques in school or through certification systems is like looking at unarmed guards to become instantly Marines. The educational system and government organizations still have not adapted to the idea of cyber conflict other than as a defensive engagement. Few if any schools are even teaching hostile cyber conflict that is realistic of the actual environment. Many educational institutions are actively hostile to any kind of “training hackers” curriculum that would fix the problem. Like wise “hacker” classes don’t really teach cyber conflict. There is a big difference between civilians with hunting rifles and soldiers with tanks. Education will become pivotal and it is more than just a black art. It is a living art.
Leadership will mean closing the education gap. The problem will be finding leadership that understands defensive and offensive cyber warfare. This is truly a miniscule pool of people. This lack of leadership has manifested itself in many strange and peculiar policy decisions.
I am particularly concerned with nation states hiring hackers for cyber warfare instead of professionals. Whereas, the university education system has faltered and created stovepipes of education that are deep and ill suited to the multi-disciplinary nature of cyber conflict. Whereas, the government struggles to understand the myriad disciplines it takes to be a truly elite symbiotic cybernetic individual. There is a lie in the facts. If you look at most journeyman hackers they are experts at one facet or element of hacking that they are preeminent at. They build the best dang hammers for a particular task and everything becomes a nail.
Whether the task is hacking OS, kernel, writing web exploits, shredding SCADA, there are very talented individuals nobody has noticed. Every now and then one comes through my classes who can do it all. Then my job becomes teaching them how to think because their self obsessed study has left them with blind spots. One key point though. The ones who are superb, who are truly extraordinary; by default have one specific characteristic. Nobody knows who they are and they are on nobody’s radar because they are truly gifted. Rule one of the hacker elite is to not get caught. If you do get caught then it pretty much assured you aren’t elite considering the woeful government efforts currently.
Which journal or academic publication would accept finely crafted research detailing an exploit of current technology? Well in my estimation the answer is none. Western society is all about glamorizing and sensationalizing the counter-technology culture. Society though is not willing to allow that cybernetic sub-group to flourish other than in small-constrained bounds. Academia is a steadfast barrier followed closely by manifestations of control culture. Control culture being the fear, uncertainty, and doubt that exists and feeds repressive copyright and use restrictions through legislation. This control culture is what chaffs at the cyber space denizens. A shift in thinking at the highest levels will be required. Whether that has truly happened with current US leadership is doubtful. Even a Lessig moment of sanity would likely not erase 30+ years of cyber repression of expression.
In the patchwork of policy, law, organizational culture and structure, there exists the most basic of issues. Why this problem is all broken up and looks like Humpty Dumpty had a super glue accident is that nobody gets it. Nobody has had a clear moment to understand that cyber defense is built on an understanding of cyber offense. What are you going to defend against? There is a structure to conflict identified by many military theorists that the adversary who strikes first dictates the order of battle. Cyber defense has been woeful and poor the last 40+ years barely moving forward and solving no basic information security problems because a political correct narrative superseded logic and common sense defining information security as a defensive only task. What are you going to defend against? What are rules the defender dictates to the attacker? You can choose the terrain as defender but rarely can you define the scope or depth of the conflict. Cyber warfare exists as a child with half a brain and missing fundamental characteristics of being a whole person. It is a requirement that cyber warfare leadership weld these aspects back together and fixes the more onerous issues of research, policy, and culture. In history the general who only fought defensive warfare had one title above all others. Vanquished.