9 July 2017

STRUGGLING WITH CYBER: A CRITICAL LOOK AT WAGING WAR ONLINE

DANIEL MOORE

If media coverage is to be believed, we are in the midst of a cyberwar with daily attacks occurring across several theaters. Between dropping “cyber-bombs” on the Islamic State, Chinese intruders pilfering precious technology, and Russian information operations shaping the U.S. political process, it seems that the continuous power struggle between nations is now most commonly waged on the internet. While there might be some truth to that narrative, the reality is — of course — more nuanced. It’s difficult to define and explain attacks that are entirely virtual. To understand this, one must understand a few points about offensive network operations. First, cyber operations are not as novel as they appear. Rather, they draw heavily from the integration of electronic warfare into joint operations. Second, different nations have largely different perspectives on how to employ network capabilities to achieve political objectives. Third, most incidents we label as “cyberattacks” or “cyber warfare” do not in fact merit being called such.

Cyber Evolution

The United States and NATO have declared networks to be a fifth domain of warfare, cementing the perception that it is novel and distinct. We have also seen massive investments and doctrinal updates towards cyber-related activities. But network operations are neither entirely novel nor do they necessarily constitute warfare. Perhaps then we should stop automatically defining them as such. Labelling an incident an “attack” can have tremendous consequences, especially when carried out by one nation against another. Indeed, NATO’s secretary general just revealed that the alliance’s leaders “decided that a cyberattack can trigger Article 5.” It is therefore crucial that everyone from the world leader to the average citizen have an informed understanding of what exactly constitutes an “attack.”

Offensive network operations — essentially military cyber-attacks — are a combination of information operations, intelligence collection, and electronic warfare. As such, they draw familiar characteristics from each of these, creating a unique but not altogether new activity. Much like their electronic predecessors, offensive network operations target the trust between operators and equipment. They do this by influencing the flow and presentation of data. If operators can’t rely on their sensors, communication links, or autonomous platforms, they are not left with much else. Rather than physically targeting human beings or equipment, network operations can qualify as attacks when they seek to degrade, disrupt, or destroy software and networks.

Let’s turn to a classic example of electronic warfare: targeting radars to cripple anti-air defenses. This is traditionally done either by flooding the radar image with false matches, by interfering with the transmission itself, or by influencing the radar waves returned by a hostile aircraft so that it appears as something else. These are all external means of making the radar less functional.

A modern network attack on the same air defense network may instead use internal means. By penetrating the air defense network, an adversary may alter the inner workings of the network’s radars or targeting systems. Friendly aircraft could be recoded as hostile aircraft and vice versa, or altogether wiped off the radar image. Targeting coordinates might be altered so that any missiles launched would hit empty space. Those are only a few of the possibilities for a nuanced but significant operation against an air defense system.

The high-impact, readily available cyberattack is a pervasive myth; such capabilities are difficult to build and sustain at scale. As with their predecessors in electronic warfare, network operations are voracious consumers of accurate intelligence. It is impossible to conduct high-quality, impactful offensive network operations without first gaining in-depth familiarity with the specific target. In most cases, in order to shut down military equipment by way of a cyberattack, an attacker would need to (a) obtain access to the platform or network, (b) analyze the system for specific vulnerabilities, (c) weaponize an exploit capable of achieving the operational goal, (d) maintain a covert foothold in the network until the attack is needed, and, finally, (e) successfully execute the attack and perform a bomb damage assessment — the digital equivalent of observing the impact of an armed attack on a target. This process will vary not only per type of military hardware but potentially even per deployment of the same hardware: the same equipment in a different scenario or configuration might call for an entirely new operation.

Cyber capabilities that work “out of the box” often provide little more than good tactical value. In a recent publication, the U.S. Army detailed how its fire teams utilize cyber capabilities against communication networks used by the Islamic State in the field. Unlike classic jamming, which targets the electromagnetic transmissions, Army operators attack the communication network itself. Network operations are therefore often viewed as a component of joint operations, contributing to warfighting efforts by supporting other domains and reducing the adversary’s capability to do the same. They do not include all adversarial interactions in cyberspace.

Differing Perspectives

The West does not hold a monopoly over all matters cyber, but it does seem to have a monopoly on obsessing over the terminology. While Western audiences obsess about “cyberattacks” and “cyberwar,” other nations have been busily integrating network operations into their doctrine in unique ways. Different approaches to targeting networks represent varying requirements and doctrine. Where China might use network operations to offset the conventional superiority of a highly connected force such as the U.S. military, Israel might view network operations as a set of tools that enable stealthier, less violent strikes.

Russia has an elaborate history of maneuvering to influence the flow and shape of information. However, it has no independent concept of “cyber warfare.” The Russian transliteration of the term (kibervoyna) is primarily used when discussing Western approaches to network operations. Instead, Russian military doctrine and official literature, as analyzed by experts, portray network attacks holistically, as another toolset used in both peace and wartime to help facilitate political success. In this sense, cyberattacks are a specific set of capabilities on an expansive information operations spectrum. Ample examples encapsulate different facets of this approach. An early case is the 2007 Estonia incident, when the removal of a Soviet-era war memorial from a Tallinn square triggered a barrage of denial of service attacks against Estonian websites, ostensibly facilitated by Russia to signal its political displeasure. While the attack had minimal lasting effect or political value, it was heard loudly and clearly in Estonia and the rest of NATO, which quickly proceeded to establish NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn.

The breach of the U.S. Democratic National Committee in 2016 and the clumsy but effective disinformation campaign that followed were an unprecedented breach of sovereignty perpetrated through a network intrusion. They embodied the Russian approach to information operations, which views them in part as a means of beneficially shaping the political landscape in peacetime, thereby creating more favorable outcomes befitting Russian grand strategy. In this sense, while the operation was not an attack or cyberwar by any meaningful metric, it indicated the type of operation for which network intrusions are often more suitable when used strategically to pursue political objectives.

There are other operational Russian examples that show the usefulness of cyberattacks in political signaling. In December 2015, a portion of the Ukrainian power grid suffered several hours of outage. Ukrainian authorities quickly identified it as a Russian-perpetrated network attack. It caused minimal lasting damage and had dubious impact in the ongoing war in the country’s east, but it at the very least sent an unmistakable message: If conflict escalates, attacks against critical infrastructure are both on the table and within Moscow’s technical and operational reach. While we have no visibility into political messaging that may have accompanied the operation, it perhaps was an attempt at political coercion or deterrence by way of cyberattack.

A controversial report by the U.S. information security company CrowdStrike suggests that Russia also relies on cyber operations for direct battlefield assistance. A network operation tied to Russian intelligence by technical indicators successfully targeted a mobile phone application supposedly used by Ukrainian military forces to calculate and direct fire for a specific type of artillery. If the details are even partially true, it suggests that a network operation directly contributed to physically targeting military hardware. However, as the operation was only used to collect intelligence on artillery locations rather than to tamper with guidance calculation, it would again fall more within the bounds of an intelligence maneuver than an actual attack. Had the operation also covertly altered the targeting information so as to impact the accuracy of Ukrainian artillery fire, that could have constituted a cyber-attack.

Chinese doctrine, by contrast, has gradually cemented the role of network operations as a key component in shattering conventional asymmetries. This approach permeates beyond the battlefield to economic and political agendas. Operations to illicitly acquire intellectual property provide access to cutting-edge technologies instead of expensively developing or purchasing them, thereby subverting the need for long and costly research processes. At the same time, vast outfits of online users with indeterminate affiliation identify potential political hotspots and troll via commentary to skew public opinion. Other units attempt to infiltrate adversary military networks to preposition for possible wartime efforts.

After the first Gulf War, the People’s Liberation Army identified the unmistakable reality of the modern U.S. doctrine. It was made glaringly obvious that integrating joint warfare based on an unprecedented flow of networked sensory data allowed effective direction of resources and combat operations. Simultaneously, networked joint warfare created new so-called centers of gravity. The dependence of American forces on continuous data means if one can reduce the availability of that data or corrupt it, one can severely impact U.S. military operations. Those writing Chinese military doctrine gradually responded, with increasing references to network attacks designed to hinder forward-deployed U.S. regional forces. If the Chinese military sought to move against Taiwan or targets in the South China Sea, targeting U.S. forces through cyberspace could presumably slow their ability to muster an effective response to defend an ally. China could do this by tampering with logistical data, undermining sensors, or disrupting communication.

Excluding for Clarity

An intelligence operation — no matter how successful — is not intrinsically an armed attack. When intruders breached the U.S. Office of Personnel Management in 2015 and made off with an exorbitant amount of sensitive information, some in the government elected to label the intrusion an attack on U.S. infrastructure. By contrast, the Chinese government — which was, according to Washington, responsible for the operation — quickly labelled the theft as a criminal incident and even claimed to arrest the perpetrators. Aside from sharp rhetoric, the United States had precious little recourse available that would not be disproportionately escalatory. The reason for this was simple: While undoubtedly an embarrassing loss of important information, the OPM breach was by no means an attack. Valuable intelligence was stolen, but no system or network was impacted in any way.

Influence campaigns also do not automatically merit being called attacks. At times, nations seeking to change the political climate of other countries try to do so by covertly shaping public discourse and the sharing of information. This particular brand of information operations is practiced by many nations and is often referred to as “active measures” when wielded by Russia. Perhaps the most notable such case was the alleged intervention of Russian intelligence agencies in the contentious 2016 U.S. election process. The hack into the Democratic National Committee turned into an awkwardly spun web of disinformation seemingly intent on discrediting the Clinton-led Democratic campaign. Even a brazen operation that constituted a meaningful breach of national sovereignty did not ultimately qualify as an actual attack by Russia on the United States. Could it have triggered hostilities between Russia and the United States under different circumstances? Perhaps. It was, after all, a blatant political intervention. Ironically, even official Russian doctrine specifically lists significant breaches of political sovereignty as one of its top military threats:

Use of information and communication technologies for the military-political purposes to take actions which run counter to international law, being aimed against sovereignty, political independence, territorial integrity of states and posing threat to the international peace, security, global and regional stability.

But despite its significance, the operation against the Democratic National Committee did not truly qualify as network-enabled violence on its own. While documents were perhaps tampered with for political effect, no system, network, or platform was directly degraded or manipulated in the operation. As then-Director of National Intelligence Clapper confirmed, it was an aggressive influence operation and a successful espionage campaign, but it wasn’t a cyberattack.

Lastly, intrusions and theft perpetrated for a financial motive — especially but not exclusively when carried out by criminal groups — are neither attacks nor do they constitute cyberwar. Even if a skilled malware group with possible links to the Russian government exclusively targets customers of Western banks, that does not indicate political will or a military circumstance. Similarly, a national effort by North Korea to target the SWIFT financial network in an elaborate network operation to steal vast amounts of money does not inherently make it an attack. Were the intruders to cripple SWIFT networks, as North Korean intruders previously did to Sony, rather than merely steal money, that could arguably be framed as an attack on the global financial order. Instead, it was an elaborate and illegal operation, certainly in breach of international norms but otherwise non-violent in nature. The operation was just a modern, networked version of the criminal activities North Korea routinely undertakes to subvert crippling sanctions — a cyber-enabled bank robbery.

Focusing on Reality

It’s crucial to pinpoint what cyber warfare actually means. Definitions inform perception and discussion, which in turn affect the shaping of public policy. If all manner of network intrusions continue to be labelled as cyberattacks — or, worse, as warfare — the discussion around actual offensive network operations suffers immeasurably. Intelligence operations are not comfortably on the spectrum of war. Nor is crime. Nor are peacetime influence operations, as wildly successful and sovereignty-breaching as they may be. Accepting the notion that intelligence operations constitute attacks risks further increasing already rising global tension levels. If an operation is perceived as an attack, the victim is then expected to respond with the toolset reserved for confronting attacks. Instead, intelligence campaigns are accepted as commonplace between rivals and allies alike. Victims may attempt to mitigate, pursue counter-measures, or even deter, but the playing field is decidedly calmer than that of the battlefield.

There are still plenty of visible instances in which network operations are integrated into actual military doctrine across all levels of warfare. From assisting combatants in degrading enemy communication infrastructure to disabling air defense networks, the potential for meaningful integration of network operations into joint doctrine is immense. For tactical value, these operations require extensive research and development to identify vulnerabilities in targeted adversary military hardware. For strategic operations, attacks must be preceded by elaborate peacetime intelligence operations designed to acquire access to the sensitive systems later targeted in conflict. This means that the more comprehensive and impactful the network attack seeks to be, the more prepositioning and accurate, consistent intelligence is required to enable success.

It is more constructive to view “cyber warfare” as offensive network operations aimed at attaining military objectives. This is a thoroughly restrictive definition excluding the overwhelming majority of intrusions reported on daily, but it is meant to be so. It still leaves a wide range of possibilities, from the most tactical attacks against a local communication grid to operational attacks against defensive hardware, costly strategic operations meant to cripple joint warfare throughout a theatre, and even attacks against critical infrastructure to weaken the populace’s resolve. Different capabilities and resources characterize each tier of operations, but they all reliably fall within the military gamut.

When next confronted with a network intrusion characterized as an attack, it is important to ask who was targeted and how they were impacted. If it is written up or described as cyber warfare, it is even more important to ask: who was involved on both sides? Was there a discernible military-political objective? Were victim assets degraded, disrupted, or destroyed in any meaningful way? Applying these simple questions to most of what is commonly labelled cyber warfare will immediately exclude almost all such cases. That is for the better.
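The closing questions above can be applied as an ordered decision procedure. The following is an added example and not part of the original article: it encodes the article's tests (was any system impaired; was the actor state-aligned; was there a military objective; was the motive money; was stolen data weaponised) and runs them over constructed one-line summaries of the incidents the article itself discusses. The field names, category labels and the per-incident flags are the example's own assumptions, set from how the article characterises each case rather than from any incident report.

```python
"""Added example, not part of the original article: the closing triage
questions (who was targeted, who acted, was there a military-political
objective, was anything degraded, disrupted or destroyed) expressed as an
ordered decision procedure and run over constructed one-line summaries of the
incidents the article discusses. The field names, category labels and the
per-incident flags are this example's own assumptions, set from how the
article characterises each case rather than from any incident report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    state_aligned: bool       # who acted: a state or its proxies?
    target: str               # who was targeted (descriptive only)
    data_taken: bool          # was information copied out of the victim?
    data_weaponised: bool     # was taken data leaked or used to shape discourse?
    financial_motive: bool    # was the aim money (profit, sanctions relief)?
    system_impaired: bool     # was any system, network or platform degraded,
                              # disrupted, destroyed or covertly manipulated?
    military_objective: bool  # was there a discernible military objective?


ATTACK_MILITARY = "attack: offensive network operation (military objective)"
ATTACK_SIGNAL = "attack: political signalling"
ESPIONAGE = "not an attack: intelligence collection"
INFLUENCE = "not an attack: influence operation"
CRIME = "not an attack: financially motivated crime"


def classify(inc: Incident) -> str:
    """Apply the article's tests, heaviest first.

    Whether a victim system was impaired decides attack vs. not-attack on its
    own: an operation that leaves every system intact is not an attack no
    matter how much was stolen or how badly sovereignty was breached. Only
    among attacks does the presence of a military objective separate warfare
    from signalling.
    """
    if not inc.system_impaired:
        if inc.financial_motive:
            return CRIME
        if inc.data_taken and inc.data_weaponised:
            return INFLUENCE
        return ESPIONAGE
    if not inc.state_aligned:
        # Assumption extending the article's rule: disruption by a purely
        # criminal actor (extortion, for instance) stays in the crime bucket.
        return CRIME
    if inc.military_objective:
        return ATTACK_MILITARY
    return ATTACK_SIGNAL


# Constructed summaries; flag order follows the dataclass fields:
# state_aligned, target, data_taken, data_weaponised, financial_motive,
# system_impaired, military_objective.
CASES = [
    Incident("OPM breach, 2015", True, "U.S. government personnel records",
             True, False, False, False, False),
    Incident("DNC intrusion and leaks, 2016", True, "U.S. political party",
             True, True, False, False, False),
    Incident("SWIFT-linked theft attributed to North Korea", True,
             "bank payment messaging", True, False, True, False, False),
    Incident("Estonia DDoS, 2007", True, "Estonian websites",
             False, False, False, True, False),
    Incident("Ukrainian grid outage, Dec 2015", True,
             "regional electricity distribution", False, False, False, True, False),
    Incident("artillery app collection (CrowdStrike report)", True,
             "Ukrainian artillery units' phones", True, False, False, False, True),
    Incident("hypothetical air-defence IFF tampering", True,
             "air defence network", False, False, False, True, True),
]


def triage(cases=CASES):
    """Return {incident name: verdict} for a list of incidents."""
    return {c.name: classify(c) for c in cases}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:48s} -> {verdict}")
```

Run as a script it prints one verdict per case. The design point is that `system_impaired` is tested before anything else: that single check is what moves the OPM theft, the DNC leaks and the SWIFT robbery out of the attack bucket regardless of their scale, and the artillery-app case stays espionage even though a military objective is present, because collection alone impairs nothing.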

Daniel Moore is a PhD candidate focusing on cyber-warfare at the Department of War Studies at King’s College London, and also works as a lead threat intelligence engineer.
