By Dr. Bjoern Dennis Prange, edited by Andy Norton
NOTE: This is part 3 of a 4-part series on Asynchronous Warfare.
In part 1 of this blog series, we described the roots of the cyberwar we are already fighting, which lie in proven, historic conventional warfare tactics that give the advantage to what appears to be an underpowered enemy. In part 2, we described the strategy behind asynchronous warfare and the three phases of protracted conflict that lead to ultimate victory.
In today’s post, we shift gears and discuss how the asynchronous warfare strategies and tactics developed in conventional warfare apply to the cyber realm. We discuss the overall objective of the actors waging this cyberwar, and revisit the three phases of asynchronous warfare as they apply to cyberwarfare: 1) preparing the online battlefield, 2) conflict in the cyber “gray zone,” and 3) the coup de grace.
Asynchronous Warfare 2.0
The cyber realm has attracted a variety of revisionist actors who do not have the means to win in a conventional conflict against the West, but who do have a good understanding of the possibilities afforded by the Internet.
Instead of measuring threats in terms of potential deaths, as is done in conventional warfare, the more reasonable yardstick is the degree to which systemic function is impeded: whether an attacked system is still able to do its job. Given that the orderly function of our societal systems and subsystems is the core requirement for the stability of complex societies, the collapse of these systems can lead to chaotic circumstances (and then, potentially, to the death of many). Therein lies the objective of the attackers in today’s asynchronous war.
The cyber realm as a battle space is attractive for several reasons:
Cyber operations offer compelling cost-benefit ratios for attackers who lack the conventional means to win an all-out (conventional) war, but who do have many bright young IT minds.1
Human assets do not have to be physically infiltrated into another country to build a covert infrastructure or to occupy sensitive positions in the attacked society.
Attackers can operate in ambiguity, which often makes attribution difficult, if not impossible.2
Finally, given that advanced systems, military and civilian alike, are increasingly operated by software with little or no human intervention, an enemy’s control over IT operations will become even more decisive than it already is today.
The Target is the Economy, Which Depends on Technology
In military parlance, the source of strength whose loss or disruption decides a conflict is called a Center of Gravity. As every military unit, from a tank battalion to a carrier strike group and upwards, becomes ever more tightly interconnected, IT-based command and control systems are perhaps the closest incarnation of a perfect Center of Gravity that has ever existed. Given the world’s (and especially the West’s) rapidly increasing dependence on IT for its organizations to function, cyber operations move from the fringes to the very center of future warfare.
This development is obviously not limited to the military but takes place in all other sectors of society as well, especially the economy. From critical infrastructure, which supports our fragile urban existence with water and electricity, to the captains of industry who produce the wealth necessary to keep things running, all elements of an economy depend on the uninterrupted operation of IT systems. This would be problematic enough if we still lived in an age in which hacking was “only” a matter of criminal intent. When it comes to organized cybercrime, however, there is no longer a strict separation between organs of the state and criminal civilian elements, and a core element of the Western liberal order must be considered weakened today by the efforts of a wide variety of combatants, civilian and military, in these undeclared wars.
The appeal and resulting impact of cyberconflict are not hard to see:
Successful attacks against companies damage the reputation of the government as a capable defender of society.
Attacks weaken the attacked state by stealing innovative knowledge.
Attacks carry a low risk of (potentially military) escalation if uncovered.
Since the development of technology in the West is the job of civilian companies, critical knowledge in the defense, software, finance, pharmaceutical, or biotech industries, to name but a few, could be stolen or, even worse, corrupted by foreign actors.3 In addition, the economic damage caused by cyberattacks pushes countries towards recession and depression. Economic downturns in individual nations encourage an inward political focus, an isolationist agenda, and the abandonment of foreign policy commitments. Every cyberattack that causes economic damage is potentially another nail in the coffin of existing international treaties and relations, and yet another victory for a divide-and-conquer strategy.
Three Phases – Redux
Earlier we described the three phases of an asynchronous warfare strategy as applied to conventional warfare. We now explore how these same three phases apply to cyber warfare.
Phase I: Social Media Subversion and Digital Insurgent Infrastructure
(Dis-)Information Operations: A country engaging in an asynchronous war against a much stronger adversary today would begin with Information Warfare4 operations in the cyber realm.5 This allows the attacker to prepare the battlefield long in advance. By meddling with the 2016 U.S. presidential election, for instance, the Russian troll armies tried to “undermine public faith in the US democratic process“6 and, on a more general level, “to undermine the US-led liberal democratic order.”7
The idea behind these measures, which in quite similar form also took place on numerous occasions throughout Europe, is to create a double effect: not only could a certain limited effect on election results be achieved, but the interference also signaled clearly to the respective populations that someone was “inside” the election process. For liberal societies that draw their legitimacy to a large extent from the trust citizens have in due process, this poses a great danger. “Russian disinformation does not aim to provide answers, but to provoke doubt, disagreement and, ultimately, paralysis.”8 With attackers using new technological capabilities such as artificial intelligence and machine learning, the fight to discern the truth from a fake is becoming increasingly difficult.9
Napoleon was not short – Social Disinformation: It is not surprising that the battlefields for information warfare today are social media networks. Because social media ends journalism’s monopoly on information dissemination, direct access to millions of citizens gives attackers unparalleled opportunities for undermining order and creating social discord.10 Today, any type of news, real or fake, reaches social media users more or less unfiltered. Since humans are strongly influenced by their primordial instincts, the often flavorful pieces of uncontextualized raw information tilt the balance between rational thought and emotion markedly toward the latter. Social media is the perfect arena for the great simplifiers and for those intent on undermining truth and trust.
“Better” yet, public opinion can be influenced with relatively modest means. A person working as a disinformation mercenary in a “troll farm,” or directly for a government agency, is often supported by a considerable number of automated social media accounts (“bots”), which gives a single person tremendous reach. The bots’ job is to trick the ranking algorithms of social networks into treating the troll’s post as one that receives a lot of support from other users, creating a weight of opinion that looks like broad support for an argument when in fact it is manufactured.11 With a handful of trolls proficient in the target language and a supporting army of social media bots, much damage can be done with little.
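The amplification mechanism just described leaves traces that a platform or a defender can look for: the bot accounts repost within seconds of each other, they tend to have been registered in one batch, and they have no original content of their own. The following Go program is an added example written for this post, not code from the original article or from any social network; the record format, the three signals, the thresholds and the two sample engagement sets (one troll post pushed by bots, one organically shared post) are all constructed here as assumptions for illustration.

```go
package main

import "fmt"

// Repost is one amplification event: the reposting account, the delay in
// seconds between the original post and the repost, the day the account was
// created, and how many original (non-repost) items the account has ever
// produced. Constructed record format for this example, not a platform API.
type Repost struct {
	Account     string
	DelaySec    int
	CreatedDay  string
	OwnOriginal int
}

// Signals summarises how artificial the amplification of a post looks.
type Signals struct {
	Amplifiers    int
	BurstFraction float64 // share of reposts landing within BurstWindow seconds
	SameDayFrac   float64 // share of amplifiers created on the most common day
	NoContentFrac float64 // share of amplifiers with no original content at all
	Coordinated   bool
}

const (
	BurstWindow   = 60  // seconds; humans rarely react this fast in numbers
	MinAmplifiers = 10  // below this there is no verdict: small samples are noise
	Threshold     = 0.7 // a signal fires when its fraction reaches this value
)

// Analyse computes the three signals and flags the post as coordinated when
// at least two of them fire. All thresholds are illustrative assumptions.
func Analyse(reposts []Repost) Signals {
	n := len(reposts)
	if n == 0 {
		return Signals{}
	}
	burst, noContent := 0, 0
	byDay := map[string]int{}
	for _, r := range reposts {
		if r.DelaySec <= BurstWindow {
			burst++
		}
		if r.OwnOriginal == 0 {
			noContent++
		}
		byDay[r.CreatedDay]++
	}
	maxDay := 0
	for _, c := range byDay {
		if c > maxDay {
			maxDay = c
		}
	}
	s := Signals{
		Amplifiers:    n,
		BurstFraction: float64(burst) / float64(n),
		SameDayFrac:   float64(maxDay) / float64(n),
		NoContentFrac: float64(noContent) / float64(n),
	}
	fired := 0
	for _, f := range []float64{s.BurstFraction, s.SameDayFrac, s.NoContentFrac} {
		if f >= Threshold {
			fired++
		}
	}
	s.Coordinated = n >= MinAmplifiers && fired >= 2
	return s
}

// TrollPost is constructed data: one troll's post pushed by 20 bot accounts
// registered on the same day, reposting within seconds, with no own content.
func TrollPost() []Repost {
	var rs []Repost
	for i := 0; i < 20; i++ {
		rs = append(rs, Repost{Account: fmt.Sprintf("user%05d", 48210+i),
			DelaySec: 5 + i, CreatedDay: "2019-03-01"})
	}
	return rs
}

// OrganicPost is constructed data: a post shared over hours by accounts of
// varying age that each have a posting history of their own.
func OrganicPost() []Repost {
	days := []string{"2011-06-02", "2013-09-14", "2015-01-30", "2016-11-08",
		"2017-04-21", "2018-07-07", "2012-12-12", "2014-03-03", "2019-02-28",
		"2010-10-10", "2016-05-05", "2018-01-19"}
	var rs []Repost
	for i, d := range days {
		rs = append(rs, Repost{Account: fmt.Sprintf("person%02d", i),
			DelaySec: 30 + i*900, CreatedDay: d, OwnOriginal: 40 + 7*i})
	}
	return rs
}

func main() {
	fmt.Printf("troll post:   %+v\n", Analyse(TrollPost()))
	fmt.Printf("organic post: %+v\n", Analyse(OrganicPost()))
}
```

Requiring two of three signals rather than one keeps a genuinely viral post (fast reposts from real, diverse accounts) from being flagged, while a troll farm that fixes one tell, say by ageing its accounts, still trips the other two.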
Infiltration: While these are the more or less overt operations of phase one, another operation, at least as important, takes place in much greater secrecy. Whereas insurgent infrastructures were formerly built through the dangerous business of approaching people and convincing them to join a cell, today it is the infiltration of cyber assets into Western IT systems in all spheres of society that creates the basis for the second phase of attack.12
According to experts, countries such as Russia, China, North Korea, and Iran have been mapping the IT systems of U.S. industry for years.13 Then-Director of National Intelligence James Clapper reported in 2015:
“… Russian cyber actors are developing means to access industrial control systems (ICS) remotely. These systems manage critical infrastructures such as electric power grids, urban mass-transit systems, air traffic control, and oil and gas distribution networks. These unspecified Russian actors have successfully compromised the product supply chains of three ICS vendors so that customers download exploitative malware directly from the vendors’ websites along with routine software updates, according to private sector cybersecurity experts.”14
In July 2018, Department of Homeland Security officials reported that Russian military hackers had been targeting the American electric utility grid and had attempted to plant malware there.15
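The supply-chain vector in the Clapper statement above, a vendor’s own download site serving malware alongside routine updates, is exactly what update-signature verification with a key pinned in the product is meant to defeat: the client refuses anything that the vendor’s signing key did not sign, no matter which server delivered it. The following Go program is an added example written for this post, not code from the original article or from any ICS vendor. The update artifact, the domain-separation string and the key pairs are constructed here, and the example assumes the vendor’s private signing key was not itself among the things compromised; if it was, signatures cannot help, and only build-pipeline and key-custody controls remain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// domain separates update signatures from anything else the vendor key might
// ever sign, so a signature over some other document cannot be replayed here.
// Constructed string for this example.
const domain = "vendor-update-v1\x00"

var ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")

// digest is the domain-separated SHA-256 that the vendor signs and the client
// checks; signing the digest rather than the raw artifact keeps large
// firmware images out of the signature path.
func digest(artifact []byte) []byte {
	h := sha256.New()
	h.Write([]byte(domain))
	h.Write(artifact)
	return h.Sum(nil)
}

// SignUpdate runs inside the vendor's release pipeline.
func SignUpdate(vendorPriv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(vendorPriv, digest(artifact))
}

// VerifyUpdate is what the client runs before installing anything it
// downloaded. The pinned key ships with the product; it is never fetched
// from the same site as the update.
func VerifyUpdate(pinned ed25519.PublicKey, artifact, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, digest(artifact), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed placeholder for a firmware or software update.
	update := []byte("PLC firmware 4.2.1 (constructed placeholder artifact)")
	sig := SignUpdate(vendorPriv, update)
	fmt.Println("genuine update:      ", VerifyUpdate(vendorPub, update, sig))

	// Supply-chain compromise: the vendor's download server now serves a
	// modified artifact with the original signature still attached.
	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:   ", VerifyUpdate(vendorPub, tampered, sig))

	// Or the attacker re-signs the modified artifact with a key of their own;
	// the client only trusts the pinned vendor key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker re-signed:  ", VerifyUpdate(vendorPub, tampered, SignUpdate(attackerPriv, tampered)))
}
```

Transport security alone (the vendor’s HTTPS site) does not give this guarantee: it proves the client talked to the vendor’s server, which is precisely the thing that was compromised. The check only has value if the verifying code and the pinned key are part of the installed product and the installer refuses to proceed on any error.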
The covert mapping of IT systems provides attackers an excellent understanding of their strengths and weaknesses. This allows them to launch effective attacks and/or take them over and use them for their own purposes in the future. Speaking metaphorically, through mapping, attackers learn on what pillars the entire system rests and how it functions – in order to plant explosives in the right places.
In fact, the truth is very close to this metaphor. Intelligence agencies in Western countries are increasingly vocal about the danger of foreign cyber operators capable of bringing down entire IT systems. In April 2018, U.S. and British authorities published a joint alert warning of a global campaign against routers, switches, and other network infrastructure devices, the machines that direct data traffic on the Internet. The targets were again of both functional and symbolic importance, including critical infrastructure16 and communications providers, government departments, and large corporations.17 Director of National Intelligence Dan Coats stated in July 2018 that “the digital infrastructure that serves this country is literally under attack.”18
Phase II: Conflict in the Cyber “Gray Zone”
In the logic of asynchronous warfare, the second phase begins when sufficient doubt about the cyber defensive capabilities of the government and security apparatus has been planted in the minds of a segment of the targeted population, and when the “insurgent” infrastructure is sufficiently established. These conflicts take place in what has recently been described as a “gray zone.”19 One characteristic of a gray zone is that actions can be linked to certain actors by intent and motivation, while their perpetration cannot be proven with a degree of certainty that would convince a court, or even public opinion, of the perpetrator’s guilt.
Strategically, this creates an atmosphere of diffuse uncertainty, in which it becomes difficult for the attacked to reassure their citizens and allies that they are actually in charge of what happens.20 Notably, in Phase II the attackers use chaos and disorder as a weapon to undermine governments. That said, they are not interested in creating a situation that is completely uncontrollable for all times. Although adept at navigating markedly more disorderly waters than the West generally is, the aspired end-goal is a situation that can be controlled, either through proxies from a distance or directly through conventional structures of authoritarian rule.
In terms of asynchronous warfare theory, the attackers are in the phase of violent subversion, in which they attack highly symbolic assets of the defender and extend their covert infrastructure. Through highly symbolic actions they signal to the attacked population that they could wreak havoc if they chose to, and that their defenders, in contrast, are helpless guardians. But what are highly symbolic targets? A matrix of symbolic value can be constructed along the two factors of quality and quantity.
From a qualitative point of view, the greater the aura of power surrounding an organization, the greater the symbolic success if it can be hacked. From the standpoint of symbolic communication, embarrassing the CIA, FBI, or Special Operations Command, for example, is worth much more than hacking the Department of Veterans Affairs or Agriculture. Given the highly symbolic position the economy holds, especially in liberal societies, corporations are prime targets as well. Although few citizens are usually interested in how their security is organized, most would recognize it as a symbolic defeat if a corporation such as Apple, Microsoft, or IBM were operationally disabled by a hacking attack.
The quantitative dimension refers to the number of people affected. A classical example is public transportation infrastructure. Although not really severe in terms of ultimate consequences, a breakdown of the New York City Subway for even a short time affects a great many people.
The cyber age adds a new dimension to this matrix, however. Through scalability, a successful attack on one product can have cross-sectional effects: some software is so basic and so widely deployed that a single exploitable flaw in it reaches every installation at once. Examples include the firmware of pacemakers21, insulin pumps, and similar devices that keep millions of people in the Western world alive and well. Another is Microsoft Windows, on whose functioning the vast majority of computer operations depend. Never before has it been possible, even theoretically, to affect so many individuals and entities with so little means.
A very basic threat matrix of symbolic impact can easily be made for a great variety of topics, in this case for the health care sector.
The operational aim of the attacks is to encourage the defender to concentrate his scarce IT-security resources around his most important assets. The attacker’s hope is that the defender thereby exposes or neglects his IT-periphery, which makes it possible to incrementally increase control over ever-larger segments of an IT-system. This principle, notably, is equally applicable for a single corporation network or an entire country.
In order to encourage this retrenchment, spectacular attacks on high-value targets will occur from time to time, but mostly for symbolic reasons. One especially thorny problem created by different levels of security at the center and the periphery is supply chain security.22 National or international subcontractors who are not properly secured are easy prey, and compromising them often provides an easy path into the client company.23
Pushing for cyber due diligence to make sure that subcontractors (and their subcontractors and so forth) are compliant with cybersecurity regulations is, therefore, a tremendously important aspect of defense. Given the expenses this implies, large corporations are well advised to price in the costs for cybersecurity throughout their entire supply chain.
On a tactical level, Phase II operations in the cyber realm share some basic characteristics with their analogue siblings, especially with regard to time and place. Time is on the attacker’s side in two senses: not only can an attacker decide to start an attack at any moment, but, more importantly, he can position his software in the IT system long in advance and decide later when to activate it. Choosing the place, in the cyber context, means choosing the attack vector: not only can an attacker decide what part of the IT system to attack, but he can choose parts that are not immediately critical yet are useful in a bigger context. He could, for example, count on cascading effects that indirectly bring down much bigger targets than the one he actually compromised.
There is one marked difference to earlier times, however: Today’s cyber attackers have an important advantage over their earlier precursors insofar as their “gray zone” fighting can be conducted mostly in the dark, whereas fighting for local control was inevitably a public affair.
There are also similarities. In both cases, the attacker strives to eventually reach a position of control over a country – either physical control or economic gain by weakening the economy of the attacked – compelling the defender to do what he, the attacker, wishes. Only that today this includes the ability to control or harm the defender’s IT systems.
As soon as a sufficient degree of control over IT systems is established, the (often quite extended) process of tilting the balance of forces is the next main priority. This includes control of an increasing number of IT systems, the sophistication of attack and defense methods, and financial and intellectual property assets. This is the state of conflict the West is probably currently in with regard to Russia and China.
While cyberattacks are simply a given in this day and age, spectacular offensives aimed at destroying or permanently disabling a system are, at least for the time being, not common in the West. That said, there are international cases that demonstrate fairly well the approach and the intentions to be expected in Phase II operations. An especially instructive example is the operation Russia conducted against Ukraine’s power grid in December 2015, which cut electricity to several hundred thousand customers for hours. Two Saudi cases point in the same direction: the Shamoon wiper, attributed to Iran, destroyed data on tens of thousands of Saudi Aramco workstations in 2012, and the Triton malware discovered in 2017 targeted the safety instrumented system (SIS) controllers of a petrochemical plant in Saudi Arabia, with a potential Russian-Iranian cooperation suspected behind it.24 An SIS exists to bring a process to a safe stop when pressure or temperature leaves its limits; compromising its controllers, which had been thought to be isolated, would have removed the last automated barrier against an explosion, and that is what the attackers are suspected to have been attempting.25
Phase III: Overt Fighting – Really?
In asynchronous warfare 1.0, the third strategic phase is devoted to conventional battles to eradicate the defender’s last organized resistance. For the time being, this will also be valid for the end of an asynchronous warfare 2.0.
That said, there is at least the theoretical possibility that the struggle ends differently in the 2.0 variant. Spinning the idea of the IT systems as Centers of Gravity further, the question is whether it would not be enough to control the systems that control the weapons. Corrupting, for example, command and control systems of the U.S. military to a degree where no commander could be sure that the information he receives is genuine would create a situation in which fighting becomes pointless. Although this is a dystopian view of the future, it is not entirely unrealistic either.
Let’s look at another scenario: if an attacker were indeed able to control computers running Microsoft Windows, and could switch his control off and on as the Russians did with the breakers of the Ukrainian distribution utilities they had compromised, how long would it take for the West to consider a truce with the attackers? You will now probably be tempted to say that this is impossible, or at least highly unlikely. And you would perhaps be right. But since we have such a hard time detecting ongoing long-term intrusions, can we be sure?
NEXT: Part 4 – OODA Loop 2.0 and the four Golden Rules for captains of industry.