18 July 2022

WHEN IRREGULAR BECOMES EVERYWHERE: THE CYBERED FIGHT IN UNWANTED PLACES

Chris Demchak

In early 2021, major democracies around the world woke up to find that a Chinese government–associated cyberattack group, Hafnium, had left open a backdoor access point in Microsoft Exchange servers’ software across their countries with no regard to who else might also take advantage of the widely distributed technology. What followed was a massive escalation of widespread cyberattacks by state-sponsored and criminal groups globally. With “attack attempts doubling every few hours,” cybersecurity analysts across the United States and its allies rang alarm bells. “Tens of thousands of servers have been hacked around the world. They’re being hacked faster than we can count.” In the United States, the FBI took the unprecedented step of obtaining a warrant to electronically enter hundreds of infected American computers to delete the malicious software left by the Chinese. The nation-state adversary had not only used cyber to achieve its own aims, but also handed its cyber weapons over to the global criminal community as part of its campaign.

Since its inception, the internet has presented security challenges but, for far too long, advanced democracies have clung to a utopian vision of a globally munificent cyberspace, ignoring what has emerged in the form of a globally integrated and cybered conflict. The United States and its allies have also critically misunderstood the networked information fragilities of their democratic societies and institutions.

Because cyberspace underlies and enables the information environment, information operations and cyber operations are blended and often indistinguishable—psychological operations and propaganda today rely on cyberspace to deliver their intended message. Our adversaries have expanded the cybered fight beyond our connected networks into the content absorbed by our democratic publics, thus influencing the collective cognition of the population enough to endanger democracy itself. Cybered conflict is now simultaneously more irregular and more integral to the spectrum of human and state interactions along the conflict continuum. It has moved us beyond the reemergent great power competition to a ubiquitous great systems conflict.

For three reasons, public and private senior leaders have been generally slow to recognize, let alone to act against the emerging foreign malign influencers. The first is a lingering and deeply felt utopian perception of the internet itself. The second is a widespread lack of understanding of the systemic nature of cybered conflict and its challenges to the transparency, tolerance, trust, and prosperity of open societies. The third is a continuing underassessment of the threat’s competence in executing successful disruptive and false cybered disinformation campaigns, and forcing democratic nations to defend where they have never wanted to intervene.

Cyberspace as a False Utopia

Leaders in the United States and allied democracies did not collectively recognize how cyberspace, and the information and data it carries, could be weaponized in a system-versus-system struggle for global position in large part because of how it was first developed and promoted in the mid-1990s, and then commercially expanded. Marked by Western euphoria over the fall of the Soviet Union, the American and allied zeitgeist of the 1990s celebrated the westernized world’s rule of law, its international liberal economic system, and its democratizing innovation—the internet. Among advanced democracies, cyberspace was idealized to be the harbinger of peace, democracy, and prosperity, with an enduring corollary that any government regulation would kill innovation. As a result, the United States and its allies in particular took a hands-off approach to the industries building and expanding the societal substrate irrespective of how insecurely it was built.

As a result, malicious cyber actors have had free rein to exploit the shoddily created underlying cyber infrastructure. The American aversion to regulating cyberspace in particular defined any nonmilitary cyberattack as a one-off, personal or corporate, due diligence problem, even though such attacks were costing the United States and other democracies dearly. Only by the late 2000s did major westernized powers begin publicly admitting that cyberattacks by hostile states were a top national security risk, threatening future prosperity and strategic options. Even so, most states created defensive cyber strategies with limited regulatory or institutional mandates.

Comprehensive Struggle of Cybered Conflict

A general lack of understanding of cybered conflict continues to delay effective whole-of-society systemic responses to cyber insecurity, leaving the factors underpinning cybered conflict unmitigated. Analytically, cyberspace is a substrate linking and underpinning all the critical functions of the modern society. This substrate is conceptually best viewed as three layers with network and software connectivity as the foundation, content or data as the next layer, and cognition or how recipients interpret the world given the cybered lenses as the top layer. The substrate connects all the social, economic, and technical subsystems of a state into a huge, complex socio-technical-economic system (STES) that then becomes linked to and interdependent with other nations’ STESs. In principle, anything connected to the internet can be reached electronically by anything else connected to it. To be online is to be targetable by malicious cyber actors, increasingly so as more of a nation’s STES is digitized and globally connected.

To understand how cyberspace everywhere can be weaponized, envision cybered conflict as a vicious cycle in which the basic insecurities of the underlying cyber substrate work through society to make the nation weak to robust cyber power. The cycle exists because the largely American IT industries rushed to capitalize on the new information world, pushing software out the door with little to no thought to how others might abuse shortcomings in their programming. In so doing, they embedded—and continue to embed—throughout the substrate five offense advantages. Now any malign actor anywhere with little to no money can (1) create a large scale of organization to attack others, (2) easily reach out to collect formerly high-quality information from targets at any proximity to themselves, (3) choose multiple tools of attack using any level of precision in operations or effects, (4) ensure deception in the choice of tools to buy time and make advances before discovery, and (5) keep themselves and their origins opaque to defenders to avoid identification and punishment.

These five offense advantages then double, from two to four, the major sources of complex systemic surprises that nations normally have to address. The first two are the normal nationally relevant complex system surprises emanating (1) from large-scale enterprises individually and (2) from consortiums of interdependent groups of enterprises. Cyberspace today, however, now imposes on the nation a tsunami of potentially disruptive and certainly costly surprises (3) from a global community of malign actors and (4) from a smaller but even more dangerous group of state-sponsored wicked actors or advanced persistent threats. Both use the five advantages to successfully attack masses of systems through the cyberspace substrate. With these actors’ successes, defending nations manifest a low level of systemic resilience against the first three layers of complex system surprise and limited, if any, effective responses to state-sponsored actors. In short, a state unable to defend against or disrupt these attacks is a weak cyber power.

As a national government realizes the damage—which may take years—its leaders have options to mitigate, if not disrupt, the cycle. They could alter cyberspace’s connectivity, content, or cognition layers in their nations. They can orchestrate the reduction of the five offense advantages embedded in cyber products made by the IT capital goods industries. They can enhance resilience and forward disruption competencies affecting societal surprises. But, in democracies, none of this is possible unless they have the domestic mandate to do so. If they do not, especially if they do not understand the need for such mandates, then this negative cycle repeats and the systemic consequences mount, ensuring the continued weak cyber power of democratic states in particular.

Without the understanding of, or the mandate to intervene in, this vicious cycle, a nation can be losing a cybered conflict and not realize it until the losses are massive and recovery potentially out of reach. Currently, for advanced democratic countries, the losses are an estimated 1-2 percent of GDP per annum. The compounding loss of economic resilience through cyber means can hollow the future means of defense in even large economies. The founding commander of US Cyber Command noted in 2012 that the two-decade accumulation of losses to the US economy from cyberspace insecurity constituted the “greatest transfer of wealth in history.” In the same year, the Bockel Report by the French Senate declared such losses to be “the systematic pillaging of its diplomatic, cultural, scientific, and economic inheritance.”

A major and enduring difficulty is that not only did the early utopian zeitgeist blind democracies to the need to mitigate the five offense advantages and the rise of the bad actors, but the top two layers of the cyberspace substrate—content and cognition—are also not arenas in which democracies want, or are prepared, to fight. In principle, democracies endorsing the free speech (content) and free thinking (cognition) of their citizenry have difficulty even proactively strategizing about measures that are perceived as violating their own values. Despite public recognition of the Russian interference in the US 2016 presidential election, in the Brexit decision in the UK, and in financially supporting far-right groups in Europe, democratic societies have proven slow to develop effective strategic responses to the expansion of the cybered battlespace through content and cognition. With this defense disarray, irregular information conflict furthers the wider cybered conflict between great systems such as the US and China.

Adversaries Learn Fast

Authoritarian adversaries practice cyber-enabled information influence on their own populations, transferring the tools, tactics, and operations abroad to vulnerable democracies. Just as successful major criminal networks spend time and effort in mapping targeted networks, major adversaries map the undefended areas of democratic STES. They experiment across all three layers of cyberspace at home and abroad. No aspect of the cybered conflict cycle is immune. Just as adversaries succeeded in exploiting the five offense advantages and employed members of the globe’s malign and wicked actor community, they also migrated to other undefended layers of democratic cyberspace including content and cognition.

For the full range of governmental manipulation of the cyberspace substrate, the best example of the authoritarian cyber anchor state is China because of its increasingly central role in the technological life of the world and of the comprehensive nature of its internal control of its own cyberspace, sharply contrasting with the westernized model of the open national cyberspace. Furthermore, China promotes itself as such, with policy statements consistently highlighting its exceptional size, stability, and growth in wealth as evidence that the “China Dream” model of governance is better than democracy. China is globally known for its regulation of the content that its citizens are allowed to see. Its internetted cognitive manipulation techniques are widely recognized for their success in manipulating societal pressure in order to install and reinforce spontaneous social censorship as well. Early on in cyberspace’s history, China moved overseas virtually through its “patriotic hacking” to extract billions in technological intellectual property, cash, economic control, and massive amounts of data usable for a wide variety of other campaigns. Chinese leader Xi Jinping himself has acknowledged the power possible in being the nation with more data than any other single state, much of it stolen, coerced, or copied.

Over the past decade, however, Chinese state cyber-attack campaigns have moved beyond economic or espionage objectives to more dedicated Chinese information campaigns targeting democratic populations, using increasingly sophisticated and effective tools and techniques. The objectives include furthering positive views of China but now also enhancing negative images of democratic leaders seen as obstacles to China’s strategic dominance. More recently China’s information campaigns have adopted methods of infiltration and coercion closely associated with Russian population influence manipulations, especially in Asian nations, but also in European and North American states.

As the authoritarian cyber bad actor state, Russia weaponizes information to an extent, and with a ubiquitous global reach, that the old Soviet leaders could only have dreamt of. Putin’s kleptocracy has transferred information tools from its Soviet history and more recent criminal past consistently to its phishing and other deceptive campaigns inducing westernized populations to allow malicious software to be installed on their machines. Russia’s pathologically aggrieved revisionist history narrative is used to deepen cybered societal control at home. Even before the invasion of Ukraine in February 2022, Russian operatives had already laid the groundwork of misleading reports and falsifications around the world in order to build a global acceptance of, or at least confusion about, the conflict. In Putin’s resurgent Soviet-style Russia, cyberspace has become a major vector of government intervention in a weak emulation of China. Moreover, cyber-skilled criminals face jail or becoming state-directed proxies while social media troll farms implement information campaigns locally and globally through open cyber connections, inserting disruptive, false narratives into democratic political systems across the globe.

New Narrative Required Across Collective Cyber Defense

Democracies are on the back foot in the pervasive great systems conflict already underway in this century. Yet two items—one a traumatic event and the other a self-evident but not yet obvious or implemented solution—offer some optimism. The first is the Russo-Ukrainian War, which has unified democratic societies in ways only a common, clear-cut, and imminent enemy with destructive strategies can. While it is not clear how long this relative unity will last, that it emerged despite the very clear Russian energy leverage over Europe is encouraging indeed.

The second is the rising tide of calls for collective cyber defense to compensate for the overwhelming scale of the authoritarian assaults on consolidated democracies. One idea—a cyber operational resilience alliance—offers a vision of a future where the governments of the consolidated democracies and their telecommunications and IT capital goods actors coalesce to defend democratic information technologies. The objectives are to unite in order to scale up to meet the demographic scale and strategic coherence of China, to buy time to build out current defenses in a federated, multinational, private-public defense system, and then to transform the underlying substrate in ways that preclude this level of system threat from emerging again while reintroducing the safe, democratic, resilient internet envisioned from the outset.

Consolidated democracies constitute less than ten percent of the globe’s population, and democracy itself is a much more fragile minority regime than is understood. A new collective narrative and action—even in unwanted places—is essential to ensure democracy’s survival and prosperity in a future, deeply cybered, hostile, and increasingly authoritarian world.
