by Matthew Miller, Jon Brickey and Gregory Conti
Since the dawn of time, when one caveman first struck another, humans have relied on a natural understanding of their physical environment to conduct warfare. We have an inborn ability to understand the laws of the physical world. To shoot an artillery round farther, add more powder; to take cover from bullets, hide behind a rock. A private might accidentally shoot the wrong target, but the potential damage is limited by the maximum range of his or her rifle. In cyberspace, however, our understanding of the “laws of physics” is turned on its head. Weapons can be reproduced instantly, “bullets” travel at near the speed of light, destroyed targets can be brought back from the dead, and a seventeen-year-old can command an army. As human beings we are at a distinct disadvantage when thinking intuitively about cyber warfare. In this article we examine where our intuition fails us in cyber warfare and suggest alternate ways to think about the conduct of cyber war that account for the vast differences between the kinetic and the non-kinetic fight. A correct understanding of these differences, and of the common misconceptions, is necessary both to conduct cyber warfare and to integrate cyber effects into the kinetic battlefield. To ground this work we need to define the term “cyber.” There is significant and evolving debate regarding its precise definition. For purposes of this article we define cyber as the spectrum of cyberspace operations comprising Computer Network Attack (CNA), Computer Network Exploitation (CNE), and Computer Network Defense (CND).
The Attacker has the Advantage over the Defender
In classic military doctrine, the defender has a distinct advantage over the attacker. In today’s model of cyber security, defenders build layers of defenses to protect the confidentiality, integrity, and availability of critical assets. Security professionals pour millions of dollars into such defenses, but with only limited success. A Maginot Line strategy rarely works in cyberspace because attackers need only find a single flaw to launch a successful attack. Perfect defense is impossible; the astronomic complexity of the software and hardware woven into our information systems and networks is beyond human comprehension. As an example, the Windows XP operating system alone has more than 45 million lines of code, creating an immense attack surface. Many aspects of computer security cannot be solved by computers, such as determining exactly what a piece of untrusted software will do. Attackers, however, can probe these complex systems to find a flaw, and they are frequently successful. Hardware and software monocultures, such as widespread use of a single operating system or web browser, amplify the impact of each discovery: one flaw becomes a path to widespread compromise. Many security experts believe that against a determined adversary we cannot keep our computers secure; compromise is simply a function of time and dedicated resources. Common defenses such as antivirus systems are reaching the end of their usefulness and cannot be relied upon on their own. Even air-gapped networks, not directly connected to the Internet, have proven vulnerable to mobile malicious code carried in on removable media. Recent research indicates that defenders must field 1,000 times the resources (money, people, time, compute power, etc.) to reach parity with attackers in cyberspace; this is not a winning proposition for the defender.
Figure 1: In cyber warfare, adversary tactics evolve on a daily basis, unlike the notional Krasnovian Army formerly used in training exercises. (Image Source: Krasnovia.com)
We aren’t Fighting the Krasnovian Army
During the Cold War, military planners could rely upon relatively fixed threat doctrine (see Figure 1). We knew the capabilities of threat units and could plan accordingly. In the cyber domain, threat Tactics, Techniques and Procedures (TTPs) are constantly changing. One day we may face a distributed denial of service attack, the next day a phishing attempt. We could also face a drive-by download, a USB stick dropped in a parking lot, or something else entirely new. The list goes on and on because new capabilities and TTPs are developed on a daily basis. Adversaries include well-resourced nation states and large online criminal organizations; however, even small groups and individuals can join the fray and have a tremendous impact. In some ways we are already at war. We have much to learn by studying insurgency and applying those lessons in cyberspace.
Reserve Forces may be more Capable than Active Duty Troops
In kinetic operations, reserve forces have always been at a distinct disadvantage, often equipped with older equipment and given less frequent training opportunities. Reserve personnel are at their best, however, when their civilian careers match their military roles; truck drivers are a textbook example. The military has a great opportunity to recruit Reserve and National Guard personnel who are experts in cyber security, and it needs to. The high churn of active duty personnel between assignments inside and outside cyber continually degrades their skills. Embracing the value of reserve cyber experts, and civilian cyber experts, holds great promise for the future cyber workforce.
A Computer Can Be Turned into a Brick
Cyber attacks can have devastating real-world effects. We tend to think in terms of lost or corrupted data as the result of an attack; however, computer hardware can also be destroyed, or “bricked,” by corrupting its internal firmware and by other means. This happens fairly rarely today because many malicious applications are tied to online crime and avoid harming their host. We should assume, however, that our adversaries in a time of war will not be reluctant to destroy our information systems, weapon systems, and our Nation’s critical infrastructure, including financial systems. Beyond disabling or destroying computer hardware, software, and data, malicious software can also cause significant physical damage. Experts have warned of vulnerabilities in the SCADA systems that control water, power, communication, transport, and manufacturing systems. Stuxnet provided a very clear example of such capabilities by reportedly destroying centrifuges used to enrich uranium. We shouldn’t forget that our weapon systems are heavily reliant on computer technology and may be vulnerable. The recent virus found in a military drone command center may be a warning of things to come. Our military depends on its technical advantage. If we lose our communication and information processing systems we will be severely degraded as a military and possibly rendered combat ineffective.
Cyber Terrain is more like a Parallel Dimension than Physical Space
We have been navigating physical terrain since birth, but networks aren’t physical space. Cyberspace crosscuts the physical domains of air, land, sea, and space, and touches them at myriad points. Networks aren’t physical battlefields. Attacks can transit the globe at near the speed of light. Battles can be won or lost in milliseconds. In this virtual world, distance approaches zero. Enemies can teleport, appearing from numerous locations around the globe in the blink of an eye. Cyberspace is a man-made domain; it constantly shifts as new nodes are added and others disappear. Grid squares can move (by changing a network address) or lie (by spoofing a network address). Laws and military doctrine were written with physical boundaries in mind, but national borders in cyberspace are intertwined in complex ways unanticipated by the law. Unit boundaries, measured in kilometers of dirt, are frequently meaningless. A cyberspace attacker may instantly appear in a brigade operations center in Afghanistan or a game console in New Jersey.
Adversaries Can Easily Camouflage, Deceive or Disappear
Deception is easy on the Internet. Identities can be spoofed or stolen. Age, date of birth, gender, appearance, and marital status are all malleable. Adversaries can operate invisibly, or leave little trace behind by cleaning logs. Attackers may disappear and reappear instantly on the other side of the world simply by changing network connections or paths. History itself may be rewritten by altering system log files or other data. The nature of the Internet allows many people to share a single identity (by sharing the same authentication credentials) and one person to appear as many (by creating numerous user accounts). Trust is often misplaced. The end result is that things aren’t necessarily what they appear to be in cyberspace.
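The point above about rewriting history by altering log files is one place where a defender can push back. The following Python is an added example, not code from the original article: it keeps a hash-chained log in which each record's tag is an HMAC over the record and the previous tag, so editing, deleting or reordering any earlier entry invalidates every tag after it. The key, the sample SSH log events and the helper names are constructed for this example.

```python
"""Tamper-evident logging with a hash chain (added example, not from the article)."""
import copy
import hashlib
import hmac
import json

# Assumption for the example: the key lives on a remote collector, not on the
# host being audited. An attacker with root on the host and this key could
# simply re-sign a rewritten chain.
KEY = b"example-key-held-by-remote-collector"
GENESIS = "0" * 64   # tag "before" the first record


def _tag(prev_tag: str, record: dict) -> str:
    # Canonical JSON so whitespace or key order cannot be used to dodge the check.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append(chain: list, record: dict) -> list:
    """Append a record whose tag binds it to everything written before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"rec": record, "tag": _tag(prev, record)})
    return chain


def verify(chain: list):
    """Return (ok, first_bad_index); first_bad_index is None when the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(prev, entry["rec"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def build_sample_chain() -> list:
    # Constructed sample events; the second login is the one an intruder would want gone.
    events = [
        {"ts": "2012-03-01T10:00:01Z", "event": "sshd login", "user": "alice", "src": "10.1.1.5"},
        {"ts": "2012-03-01T10:02:47Z", "event": "sshd login", "user": "root", "src": "198.51.100.7"},
        {"ts": "2012-03-01T10:03:10Z", "event": "sudo", "user": "root", "cmd": "rm /var/log/auth.log"},
    ]
    chain = []
    for e in events:
        append(chain, e)
    return chain


def tamper_edit(chain: list) -> list:
    """Intruder rewrites the suspicious login's source address in place."""
    c = copy.deepcopy(chain)
    c[1]["rec"]["src"] = "10.1.1.5"
    return c


def tamper_delete(chain: list) -> list:
    """Intruder deletes the incriminating line entirely."""
    c = copy.deepcopy(chain)
    del c[1]
    return c


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact: ", verify(chain))                  # (True, None)
    print("edited: ", verify(tamper_edit(chain)))     # (False, 1)
    print("deleted:", verify(tamper_delete(chain)))   # (False, 1)
```

The chain proves integrity only relative to its latest tag: anyone can silently truncate the tail, and anyone holding the key can re-sign a rewritten history. In practice the key and a copy of the most recent tag belong on a separate collector that the audited host can append to but not rewrite.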
The Law of War and Cyber Policy Cannot Keep up with Technology
The law of war is well understood around the world and briefed to every service member. The law of cyber war is unsettled. Most legal professionals and judges have limited understanding of technology. One leading cyber warfare legal expert describes the situation in stark terms: explain technology to lawyers at the third grade level and to judges and juries at a first grade level (Clark’s Law). Of course, technically savvy legal experts and policy makers exist, but the rapid advance of technology guarantees that law and policy will lag years, if not decades, behind what is technically feasible today. For the foreseeable future, military leaders will be constantly challenged to navigate this legal and policy morass and to petition policy makers for updated laws.
Your Weapon Systems May Work Once, Twice, or Not at All
If you’ve seen Star Trek, you are probably familiar with the Borg. In numerous episodes the Enterprise crew attempts to defeat Borg drones by recalibrating their phasers. However, the Borg quickly adapt and the phasers are no longer effective. The same holds true for cyber weaponry.
We see this cycle repeated on a daily basis. New vulnerabilities and exploits are discovered and weaponized, but once they are used or disclosed, vendors patch systems, antivirus companies issue new signatures, and security professionals develop countermeasures. Unlike our M16s, we cannot be assured that a cyber capability will work after its first use, if at all. The result is an ongoing cyber arms race and a burgeoning malware economy for acquiring newer and better techniques.
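As an added example (not the authors' code), the following Python makes the “works once” point concrete from the defender's side. After a tool is captured on first use, the defender can block its exact hash, which a single changed byte defeats, or write a pattern over the part of the tool the attacker cannot easily change, which survives a re-encoded payload. The decoder stub and payload here are constructed byte strings, not real malware, and the XOR encoding stands in for whatever repacking an attacker would actually do.

```python
"""Hash signature versus structural signature (added example, not from the article)."""
import hashlib

# Constructed stand-in for a tool: a fixed "decoder stub" followed by a one-byte
# key and an XOR-encoded payload. The stub bytes are invented for the example.
STUB = b"\xeb\x0e\x5e\x31\xc9\xb1\x10\x80\x36"
PAYLOAD = b"cmd: exfil /etc/shadow to 203.0.113.5"


def build_tool(xor_key: int) -> bytes:
    """Same capability, re-encoded with a different key on each use."""
    body = bytes(b ^ xor_key for b in PAYLOAD)
    return STUB + bytes([xor_key]) + body


def decode_payload(tool: bytes) -> bytes:
    """What the stub would do at run time: recover the payload."""
    key = tool[len(STUB)]
    return bytes(b ^ key for b in tool[len(STUB) + 1:])


def hash_signature(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def matches_hash(sample: bytes, known_hashes: set) -> bool:
    """Exact-match signature: trivially brittle."""
    return hash_signature(sample) in known_hashes


def matches_pattern(sample: bytes, pattern: bytes) -> bool:
    """YARA-style byte-sequence match on the stable part of the tool."""
    return pattern in sample


def run_scenario() -> dict:
    first_use = build_tool(0x41)
    # Defender captures the first sample and blocks its hash ...
    known_hashes = {hash_signature(first_use)}
    # ... and, separately, writes a pattern over the decoder stub.
    stub_pattern = STUB
    # Attacker re-encodes the same payload with a new key for the second use.
    second_use = build_tool(0x7A)
    return {
        "same_payload": decode_payload(first_use) == decode_payload(second_use),
        "hash_blocks_first": matches_hash(first_use, known_hashes),
        "hash_blocks_second": matches_hash(second_use, known_hashes),
        "pattern_blocks_first": matches_pattern(first_use, stub_pattern),
        "pattern_blocks_second": matches_pattern(second_use, stub_pattern),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:22s} {v}")
```

The lesson cuts both ways: a defender who signs on the volatile part of a tool buys nothing, and an attacker who reuses a stub across operations is handing the defender a durable signature.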
Without an understanding of technology and networks, computers are just magic black boxes that sit on our desks. In the kinetic realm, warfighting leaders are developed over decades of developmental assignments, operational experiences, and training programs that are among the best in the world. While work is ongoing to develop cyber career paths, we are in the early stages. At the same time, there is a common misconception that “leaders are leaders” and that anyone can effectively lead cyber warfare units. Cyberspace is a new operational domain, and as we have tried to illustrate in this article, many of our instincts are wrong. The generalist leader model, where everyone is replaceable, may work within an operational domain (Air, Land, Sea, Space, Cyberspace), but leaders forced into other domains are at a distinct disadvantage, at best. There is a reason why we don’t place Army officers in charge of aircraft carriers. That being said, you go to war with the Army you have, not the Army you wish you had. We need to fight to understand the domain of cyberspace and learn to lead cyber warriors effectively.
A Seventeen Year Old can Command an Army
Adversary leaders in cyberspace need not be seasoned fifty-year-old general officers, and unless they are part of a traditional nation-state military organization, they almost certainly will not be. Adversary leaders will likely emerge based on merit and possess significant experience online. Some will possess traditional schooling, but others will be self-taught and may have tapped the exceptional free resources available online from organizations including Wikipedia and Khan Academy, even MIT or Stanford. Some will have experience leading distributed teams, possibly clan armies in online games and virtual worlds. Their weapon systems can be controlled actively or passively, via pre-programmed logic. Lawyers won’t be involved (a major agility advantage), and organizational structures will be more like a fluid New Model Army than a rigid hierarchy. As a result, adversaries will be very agile. The command post, where a commander monitors maps and receives briefings from the staff in order to make decisions, often has little utility when fighting in the cyber domain. The speed of decision making required is beyond human capacity. In an era where a network packet carrying an attack payload can travel around the globe in milliseconds, algorithms will by necessity increasingly do much of the fighting. Future cyber warfare will be far more like high-speed trading on Wall Street than briefing the commander on potential courses of action.
The infrastructure of the Internet is remarkably resilient. The ability to route around physical destruction is built into the Internet’s design. There is no Internet kill switch, but there are certainly weaknesses that a determined adversary could exploit to disrupt its proper function. When we move above the physical and logical infrastructure planes that comprise the Internet, we should think in terms of specific end users and computing systems. Spear phishing via email has long proven a precise means of targeting end users. Drive-by downloads of malicious software hosted on compromised websites are another well-known way to target users. Social networking sites are yet another means of spreading malicious software and targeting users. Attackers can destroy companies overnight by humiliating leaders or stealing intellectual property. However, as we’ve discussed elsewhere in this article, false identities can be easily created, complicating targeting. Attacks also bring the real possibility of collateral damage and of limited effectiveness. For example, data can be replicated on multiple servers in various locations around the world, so even a successful attack may be quickly negated as a mirror image of the server is brought online.
Figure 2: Any networked device, including consumer electronics such as the digital picture frame, is a potential enemy combatant. (photo source: Wikimedia Commons)
An Enemy Combatant can be the Digital Picture Frame at Grandma’s House
In cyberspace virtually any computing device is a potential threat or ally. The rise of the Internet of Things, where many physical items will include computer processors and network connectivity, means we will face many potential combatants in cyberspace (see Figure 2). These devices may be compromised during design, during manufacture, or at any time thereafter. Imagine if attackers discovered a flaw that allowed successful compromise of a common gaming console. We could be fighting an army of tens of millions of PlayStations. This scenario isn’t out of the realm of possibility; botnets of more than one million hosts exist today. Research indicates that bot armies can be rented for as little as nine dollars an hour. Your next combat kill may be a robot or a refrigerator.
You Probably Won’t Know Who is Shooting at You
In Internet combat you likely won’t know who is shooting at you. The Internet’s design does nothing to authenticate a sender. Network traffic consists of packets that need carry only a source address and a destination address. In theory the source address is that of the attacker and the destination address is that of the target. In reality, the source address is just a field the sender fills in; nothing in the packet verifies it, so it can be set to any network device anywhere in the world. If you blindly return fire, you could, and most likely will, hit an innocent party. Even if the source address is accurate, the attacker could have routed the attack through numerous intermediary nodes, some of which may be in the United States, in allied countries, or in countries with no desire to help the US military. In most cases, attribution requires tedious step-by-step analysis, walking back node by node toward the attacker, and the patience to cope with legal and bureaucratic barriers at every turn. There are even anonymity networks designed to defeat exactly this kind of tracing, and they are remarkably resistant to analysis. Note that these anonymity networks, and the larger Internet, were designed to allow open sharing of information, not to facilitate cyber warfare attribution. As a result, accurately identifying aggressors may take weeks, months, or even prove impossible.
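To show what “the source address is just a field” means in practice, the following Python is an added example, not part of the original article. It builds an IPv4 header in memory with a source address of the sender's choosing, shows that the header checksum still verifies (the checksum guards against corruption, not forgery), and then applies the one edge defence that does bite on spoofing: an ingress filter in the spirit of BCP 38 that drops packets whose claimed source does not belong to the prefix expected on that interface. The filter goes slightly beyond the text. Nothing is transmitted, and all addresses are documentation ranges chosen for the example.

```python
"""IPv4 source address is unauthenticated (added example, not from the article)."""
import ipaddress
import struct

# version/IHL, TOS, total length, ID, flags+fragment, TTL, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17, ttl: int = 64) -> bytes:
    """Return a 20-byte IPv4 header; src is whatever the sender decides to write."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    hdr = struct.pack(IPV4_HDR, ver_ihl, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Parse the fixed header and report whether its checksum verifies."""
    f = struct.unpack(IPV4_HDR, hdr[:20])
    return {
        "src": str(ipaddress.IPv4Address(f[8])),
        "dst": str(ipaddress.IPv4Address(f[9])),
        "ttl": f[5],
        "proto": f[6],
        # A header whose checksum field is correct sums to zero under the same function.
        "checksum_ok": checksum(hdr[:20]) == 0,
    }


def ingress_filter(hdr: bytes, allowed_prefix: str) -> bool:
    """BCP 38 style check at the customer edge: forward only if the claimed
    source lies within the prefix this interface is expected to carry."""
    src = ipaddress.IPv4Address(parse_ipv4_header(hdr)["src"])
    return src in ipaddress.ip_network(allowed_prefix)


if __name__ == "__main__":
    # Constructed scenario: a host on 198.51.100.0/24 forges a source that belongs
    # to a third party (203.0.113.9) and aims at the target 192.0.2.1.
    forged = build_ipv4_header("203.0.113.9", "192.0.2.1", payload_len=8)
    print(parse_ipv4_header(forged))                    # checksum_ok is True despite the forged source
    print(ingress_filter(forged, "198.51.100.0/24"))    # False: dropped at the edge
    honest = build_ipv4_header("198.51.100.40", "192.0.2.1", payload_len=8)
    print(ingress_filter(honest, "198.51.100.0/24"))    # True
```

The filter only works where it is deployed, at the network the forged packet leaves from, which is exactly why the target of a spoofed attack cannot apply it and why returning fire at the claimed source is unsafe.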
Figure 3: WWII-era censorship poster from the U.S. Library of Congress. Censorship in the digital age is far less simple.
Digital information is slippery. Even the most aggressive attempts at limiting disclosure are not foolproof. Previous attempts at censoring communications (see Figure 3) look quaint in an era where an easily concealed 20 dollar thumb drive can hold 21 million pages of text. Encryption provides an all but impenetrable layer to mask malicious activity. Military censorship is an uphill battle that will catch only a few honest or inept people; true threats will likely take much longer to detect or may never be detected. Censorship attempts also have a counterintuitive secondary effect: they often make the information more available. Known as the Streisand effect, attempts to remove information from the Internet tend to increase its proliferation. For example, attempts to prevent dissemination of the Wikileaks data (which was widely available online) only drew additional attention to the disclosure and prevented law-abiding Department of Defense personnel from studying the documents. To compound the problem of information disclosure, social networking sites entice government employees and service members to disclose sensitive personal information, opening the door to misuse.
Calling for “Cyber Support” is not the same as “Calling for Fire”
There is a trend now to consider cyber operations as analogous to artillery fire missions. Fire missions are straightforward: get on the radio, pass along target grid coordinates, and moments later artillery rounds come raining in. The same isn’t true for cyber operations. As we’ve discussed earlier, cyber weapons aren’t guaranteed to work, and even if they do, their controllers may be reluctant to expend them against many objectives. Targeting is difficult and may span multiple countries, far beyond the sector of a tactical unit. Even a single bit in error could result in collateral damage. While details of government cyber operations are not publicly available, civilian red team and penetration testing operations require extensive, time-consuming planning. The murky law of cyber warfare compounds the problem, whereas the law of kinetic warfare is largely settled. Lawyers will be involved in cyber warfare, and you can be certain the timelines of many cyber operations will rarely approach the responsiveness of simple artillery fire for the foreseeable future.
Like it or not, Geeks are Warfighters
Cyberspace is the domain of technical experts, in some ways a hybrid of the traditional Signals Intelligence and Communications domains, but in other ways altogether different. This cultural shift is uncomfortable for many. Technologists have historically not fared well in the military. Those with technical expertise may be reluctant to lead, lest their skills atrophy, and those without technical skills may not like the shift in power and status to the technologists. Human resources processes are a significant part of the problem. Military human resource systems were designed for interchangeable personnel in well-defined specialties. Current guidelines in the Army require frequent moves and check-the-block career progression. Manning documents are based on outdated and slow-to-evolve specialty codes. Given the critical shortage of cyber security professionals, restrictive manning documents artificially constrain the available positions to only a small, and often ill-prepared, percentage of the force. One potential solution is the creation of a Special Forces-like model in which candidates are rigorously assessed and the best are selected from across the force.
Cyber operations, alone or in concert with traditional kinetic operations, are an intrinsic part of all future warfare. This article was designed to highlight how our physical-world instincts often fail us when thinking about cyberspace. Cyberspace operations present both a critical national threat and a significant advantage to the defense of our country. By better understanding cyberspace and its laws of physics we will be better prepared for both.
The views expressed in this article are those of the authors and do not reflect the official policy or position of West Point, the Department of the Army, Army Cyber Command, US Cyber Command, or the United States Government.