Today's Cyber Operations

On May 5th this year the Israel Defense Force (IDF) tweeted an announcement on the use of kinetic force to destroy a building as a follow-up to their cyber defensive tactics pinpointing where active enemy cyber attackers were operating. This is interesting because it’s been noted as the first example of cyberattacks and cyberdefense activities directly resulting in an airstrike against a specifically identified cyberthreat in an ongoing battle. In other words, it wasn’t the employment of cyber operations in retaliation for a previous event, but rather analogous to calling in an airstrike to take out a tank raining munitions on your position. The intent here was to destroy an enemy’s active cyber operations attacking Israel during a battle.

Let that sink in... It’s one thing to disrupt an enemy in cyberspace and launch cyberweapons to influence the physical world – which was commonly considered impossible before Stuxnet - but this is a case where traditional weapons were targeted at virtual weapons, and more importantly, the people using them during an ongoing war as a real-time response.

One can’t deny that the perceived separation between cyber and physical is most definitely a thing of the past and the role of cyberspace is now fully interlocked as the fifth dimension of warfare.

Flashback

In mid-2001, I talked about the potential for a “digital Pearl Harbor”. In fact, based on an article I wrote on this very topic, a difference of opinion surfaced with Marcus Ranum, resulting in some discussion about publishing a face-off, like what he and Bruce Schneier had done for years in Information Security Magazine. Alas, I chickened out, but started writing more about cyberwar and cyberweapons, and especially about cyber operations teams in China, North Korea, Israel, Iran, Russia, India, and here in the US, to name a few.

I’ve always been fascinated with the role of cybersecurity in military activities. There’s a long history of electronic warfare, of course, but many may be surprised to learn that technology we generally associate with the internet and traditional computing has been used in operations for nearly three decades. There are examples of the successful employment of modern cyberweapons and cyber operations tactics occurring in the 1990s. In many ways, while Stuxnet has become the iconic cyberweapon since its publicized discovery in 2010, there are others that existed well before that event. In fact, it’s widely accepted that Stuxnet’s development started back in 2004, and it was presumably a derivative of other cyberweapons developed even before then.

Real-time Operations

Fast forward to today: cyber operations are commonplace and a fixture in many governments around the world. They’ve moved rapidly from being loosely defined and having mixed capabilities to advanced tactics, techniques, and procedures empowered by sophisticated tools and very, very smart people.

Moreover, the evolution and escalation of the employment of cyber operations has been astonishing. A month after IDF’s airstrike, as the US called off airstrikes against Iranian targets in retaliation for the downing of an American drone and the attacks on oil tankers in the region, the US unabashedly launched cyberattacks against intelligence groups and military communication systems and networks in Iran that were responsible for enabling the attacks on oil tankers. They’re still trying to get back online at the time of this writing, which is no doubt due to the US Cyber Command (USCYBERCOM).

USCYBERCOM is represented by roughly 133 different teams comprised of about 6,187 military and civilian resources in the Cyber Mission Force (CMF), operating with a budget of $610 million and led by United States Army Gen. Paul M. Nakasone. The DoD Cyber strategy is to “defend forward, shape the day-to-day competition, and prepare for war,” enabling the Department “to compete, deter, and win in the cyberspace domain.” Importantly, the operating construct that enables the strategy is founded on the approach of persistent engagement. This encompasses “building resilience into US networks and systems, defending attacks as far forward as possible and contesting adversary attempts to disrupt our nation’s key government and military functions.”

Defending attacks ‘as forward as possible’ is pretty telling. Just like cyber commands in other countries, USCYBERCOM supports kinetic and information attacks and as such is interlocked with organizations like USCENTCOM, USAFRICOM, and USSOCOM (to name a few) to ensure synchronization between cyber operations and actions in the field, ensuring the greatest effect on the target in real time. The sophistication of coordination combined with the rapid application of a unified attack is the differentiating factor of today’s cyber commands.

Consider Israel’s Unit 8200, which pound for pound “punches well above its weight on cyber-related issues,” says Prime Minister Benjamin Netanyahu. They work seamlessly within the IDF and with other organizations, such as the Mossad, to perform highly coordinated and fully joined operations, and reportedly include Unit 81, which provides front-line high-tech solutions. Unit 81 soldiers go downrange with special forces teams in an effort to see how advanced tech is and can be used in the field. It’s essentially targeted at arming the soldier with cyberweapons and cyber-related capabilities to improve effectiveness and expand capabilities. This is an example of attacking as forward as possible.

Using Cyberweapons

As with any new weapon system, its use exposes its existence. In fact, this applies to all forms of maintaining an advantage in warfare, whether with weapon systems, intelligence assets, or technology. Typically, the greater the advantage the greater the expense; so, employing that capability is usually reserved for when the bang is worth the buck. This is the basis of arguments that the employment of cyber operations, such as those against Iran in June, came at far too great a price. As a result, Iran now has more insights into the US’s capabilities and it’s only a matter of time before that intelligence makes it to other countries. This is a real concern because Iran’s cyber army has been growing exponentially in capability and can extract meaningful intelligence and insights from the attack.

The counterargument is that each domain of warfare has its own unique characteristics that influence strategy. The concept of exposure of a weapon system is a very real concern in the physical space. Developing, building, testing, training on, and fielding a weapon is an expensive and laborious venture. And once it’s used in anger, everyone knows about it and can start employing compensating measures, which diminishes the weapon’s effectiveness. This is far less devastating in cyberwar simply because there are fewer (if any) physical elements, making retooling more rapid; the environment is less static than the other domains, providing new vectors of assault; and the target environment is constantly evolving and introducing new opportunities for compromise.

Also, cyberweapons have a shelf life. If you’re using a zero-day and have built your entire attack strategy based on that capability, there’s the risk that a researcher discovers and publishes it, encouraging the vendor to push out a patch closing the hole you were banking on. So, while you don’t necessarily want to reveal your new secret weapon to the enemy, you still need to be prepared to use it when the time comes, or it may not work as intended.

The net result is that cyber operations are continuously building, deploying, and leveraging cyber capabilities in the field and will continue to do so for a very simple reason - it’s incredibly effective. And because it’s so effective, each country must keep up with the others, creating a build-defend-build-better cycle. Of course, this back and forth between countries is ancient, but now it can occur in days and not years, resulting in hyper-fast development and innovation.

Perspective

Cyber operations is a well-established and extraordinarily effective military apparatus that operates in a synchronized manner with other departments and across all domains. What was once theory limited to operating in cyberspace, and perceived as being relegated to launching weaponized worms and viruses, is now a deployable capability that is fully integrated into the entire mission lifecycle. More important is the real-time applicability of cyber operations that are infused with traditional elements operating in contact with the enemy.

Admittedly, from this point forward it’s going to get very complicated. More and more countries are rapidly coming online with cyber operation forces as others dramatically expand and improve existing capabilities. This understandably creates a new global dynamic when one takes into consideration the war on terror, geopolitical volatility, and economic instability.

Add to all this that the rules of engagement (ROE) are still, shall we say, emerging. There’s no standard or, more importantly, no meaningful history to draw from in order to frame cyberwar. For example, is using social media data of private citizens to identify, target, and destroy an active enemy acceptable? What about the employment of citizens to take up cyberarms against an invading force? Are they protected under the Geneva Convention or do we need a new article to address cyberwar?

Some feel we need a Cyber Geneva Convention. In February 2017, Microsoft President and Chief Legal Officer Brad Smith gave a speech at RSA calling for a Cyber Geneva Convention, and in the following year formed the Cyber Security Tech Accord. In late 2017 the World Economic Forum (WEF) called for a Digital Geneva Convention. And the International Committee of the Red Cross (ICRC) had an event in early 2018 in Dubai called the Cyber Dimension of Humanitarian Action in Cities, expressing that in 2030 two-thirds of the world’s population will live in cities and those cities will be highly connected, which dramatically increases the risk of “collateral damage” from cyberattacks.

Cyberspace is becoming crowded, and as more and more features of our physical world become connected, cyberwar has the potential to have greater and greater impacts. There’s a lot to consider and a lot of moving parts. And this is just getting started.

Howard Garfield

Sales Leader, Trusted Advisor

5 years

Well written Jim, I enjoyed reading this. You should check out the book, Ghost Fleet by PW Singer and August Cole

Travis Dodd, BSBA,PMP,CSM

Program Manager at Southern Glazers Wine & Spirits

5 years

Great article
