CEPA Article: Russia Won’t Play the Cyber Card, Yet

My article from CEPA (Center for European Policy Analysis). Read the full text following this link. 

In reality, the absence of cyber-attacks beyond Ukraine indicates a very rational Russian fear of disclosing and compromising capabilities beyond its own. That is the good news. The bad news is that the absence of a cyber-offensive does not mean these advanced capabilities do not exist.

From the text.

“The recent cyberattacks in Ukraine have been unsophisticated and have had close to no strategic impact. The distributed denial-of-service (DDoS) cyber-attacks are low-end efforts, a nuisance that most corporations already have systems to mitigate. Such DDoS attacks will not bring down a country or force it to submit to foreign will. These are very significantly different from advanced offensive cyber weapons. Top-of-the-range cyber weapons are designed to destroy, degrade, and disrupt systems, eradicate trust and pollute data integrity. DDoS and website defacements do not even come close in their effects.

A Russian cyber-offensive would showcase its full range of advanced offensive cyber capabilities against Ukraine, along with its tactics, techniques, and procedures (TTP), which would then be compromised. NATO and other neighboring nations, including China and Iran, would know the extent of Russian capabilities and have effective insights into Russia’s modus operandi.

From a Russian point of view, if a potential adversary understood its TTP, strategic surprise would evaporate, and the Russian cyber force would lose the initiative in a more strategically significant future conflict.

Understanding the Russian point of view is essential because it is the Russians who conduct their offensive actions. This might sound like stating the obvious, but currently, the prevailing conventional wisdom is a Western think-tank-driven context, which in my opinion, is inaccurate. There is nothing for the Russians to strategically gain by unleashing their full, advanced cyber arsenal against Ukraine or NATO at this juncture. In an open conflict between Russia and NATO, the Kremlin’s calculation would be different and might well justify the use of advanced cyber capabilities.

In reality, the absence of cyber-attacks beyond Ukraine indicates a very rational Russian fear of disclosing and compromising capabilities beyond its own. That is the good news. The bad news is that the absence of a cyber-offensive does not mean these advanced capabilities do not exist.”

Jan Kallberg

Demilitarize civilian cyber defense

A cyber crimes specialist with the U.S. Department of Homeland Security looks at the arms of a confiscated hard drive that he took apart. Once the hard drive is fixed, he will put it back together to extract evidence from it. (Josh Denmark/U.S. Defense Department)
U.S. Defense Department cyber units are incrementally becoming a part of the response to ransomware and system intrusions orchestrated from foreign soil. But diverting the military capabilities to augment national civilian cyber defense gaps is an unsustainable and strategically counterproductive policy.

The U.S. concept of cyber deterrence has failed repeatedly, which is especially visible in the blatant and aggressive SolarWinds hack, where the Russian intelligence services, as commonly attributed in public discourse, established a presence in our digital bloodstream. According to the Cyberspace Solarium Commission, cyber deterrence is established by imposing high costs on those who exploit our systems. As seen from the Kremlin, the cost must be nothing, because blatantly there is no deterrence; otherwise, the Russian intelligence services would have refrained from hacking into the Department of Homeland Security.

After the robust mitigation effort in response to the SolarWinds hack, waves of ransomware attacks have continued. In recent years, especially after the Colonial Pipeline and JBS ransomware attacks, there has been an increasing political and public demand for a federal response. The demand is rational; the public and businesses pay taxes and expect protection against foreign attacks, but using military assets is not optimal.

Presidential Policy Directive 41, titled “United States Cyber Incident Coordination,” from 2016 establishes the DHS-led federal response to a significant cyber incident. There are three thrusts: asset response, threat response and intelligence support. Asset response is operative cyber units assisting impacted entities to recover; threat response seeks to hold the perpetrators accountable; and intelligence support provides cyberthreat awareness.

The operative response — the assets — is dependent on defense resources. The majority of the operative cyber units reside within the Department of Defense, including the National Security Agency, as the cyber units of the FBI and the Secret Service are limited.

In reality, our national civilian cyber defense relies heavily on defense assets. So what started with someone in an office deciding to click on an email with ransomware, locking up the computer assets of the individual’s employer, has suddenly escalated to a national defense mission.

The core of cyber operations is a set of tactics, techniques and procedures, which creates capabilities to achieve objectives in or through cyberspace. Successful offensive cyberspace operations are dependent on surprise — the exploitation of a vulnerability that was unknown or unanticipated — leading to the desired objective.

The political scientist Kenneth N. Waltz stated that nuclear arms’ geopolitical power resides not in what you do but instead in what you can do with these arms. Few nuclear deterrence analogies work in cyber, but Waltz’s does: As long as a potential adversary cannot assess what the cyber forces can achieve in offensive cyber, uncertainties will restrain the potential adversary. Over time, the adversary’s restrained posture consolidates to an equilibrium: cyber deterrence contingent on secrecy. Cyber deterrence evaporates when a potential adversary understands, through reverse engineering or observation, our tactics, techniques and procedures.

By constantly flexing the military’s cyber muscles to defend the homeland from inbound criminal cyber activity, the public demand for a broad federal response to illegal cyber activity is satisfied. Still, over time, bit by bit, the potential adversary will understand our military’s offensive cyber operations’ tactics, techniques and procedures. Even worse, the adversary will understand what we cannot do and then seek to operate in the cyber vacuum where we have no reach. Our blind spots become apparent.

Offensive cyber capabilities are supported by the operators’ ability to retain and acquire ever-evolving skills. The more time the military cyber force spends tracing criminal gangs and bitcoins or defending targeted civilian entities, the less time the cyber operators have to train for and support military operations and, hopefully, be able to deliver a strategic surprise to an adversary. Defending point-of-sale terminals from ransomware does not maintain the competence to protect weapon systems from hostile cyberattacks.

Even if the Department of Defense diverts thousands of cyber personnel, it cannot uphold a national cyber defense. U.S. gross domestic product is reaching $25 trillion; it is a target surface that requires more comprehensive solutions.

First and foremost, the shared burden to uphold the national cyber defense falls primarily on private businesses, states and local government, federal law enforcement, and DHS.

Second, even if DHS has many roles as a cyberthreat information clearinghouse and the lead agency at incidents, the department lacks a sizable operative component.

Third, establishing a DHS operative cyber unit carries a limited net cost, because military assets cost more. When not engaged, the civilian unit can disseminate knowledge to and train businesses as well as state and local governments to be a part of the national cyber defense.

Establishing a civilian federal asset response is necessary. The civilian response will replace the military cyber asset response, which returns to the military’s primary mission: defense. The move will safeguard military cyber capabilities and increase uncertainty for the adversary. Uncertainty translates to deterrence, leading to fewer significant cyber incidents. We can no longer surrender the initiative and be constantly reactive; it is a failed national strategy.

Jan Kallberg

Our Critical Infrastructure – Their Cyber Range

There is a risk that we overanalyze attacks on critical infrastructure and try to find a strategic intent where there is none. Our potential adversaries, in my view, could attack critical American infrastructure for other reasons than executing a national strategy. In many cases, it can be as simple as hostile totalitarian nations that do not respect international humanitarian law using critical American infrastructure as a cyber range. Naturally, the focus of their top-tier operators is on conducting missions within the strategic direction, but the lower-echelon operators can use foreign critical infrastructure as a training ground. If the political elite sanctions these actions, nothing stops a rogue nation from attacking our power grid, waterworks, and public utilities to train their future, advanced cyber operators. The end game is not critical infrastructure, but critical infrastructure provides an educational opportunity.

Naturally, we have to defend critical infrastructure because by doing so, we protect the welfare of the American people and the functions of our society. That said, just because it is vital for us does not automatically mean that it is crucial for the adversary.

Cyberattacks on critical infrastructure can have different intents. There is a similarity between cyber and national intelligence; both try to make sense of limited information about a denied information environment. In reality, our knowledge of the strategic intent and goals of our potential adversaries is limited.

We can study the adversary’s doctrine, published statements, tactics, techniques, and events, but significant gaps remain in understanding the intent of the attacks. We are assessing the adversary’s strategic intent from the outside, which often amounts to qualified guesses, with all the uncertainty that comes with it. When assessing strategic intent, many times logic and past behavior are the only guidance. Nation-state actors tend to seek a geopolitical end goal: change policy, destabilize the target nation, or acquire information they can use for their benefit.

Attacks on critical infrastructure make the news headlines, and for a less able potential adversary, they can serve as a way to show their internal audience that they can threaten the United States. In 2013, Iranian hackers broke into the control system of a dam in Rye Brook, N.Y. The actual damage was limited due to circumstances the hackers did not know about: maintenance was under way at the facility, which limited the risk of broader damage.

The limited intrusion in the control system made national news and engaged the State of New York, elected officials, the Department of Justice, the Federal Bureau of Investigation, the Department of Homeland Security, and several more agencies. Time magazine’s headline read: ”Iranian Cyber Attack on New York Dam Shows Future of War.”

When attacks occur on critical domestic infrastructure, it is not a given that they have a strategic intent to damage the U.S.; the attacks can also be a message to the attacker’s population that their country can strike the Americans in their homeland. For a geopolitically weaker country that seeks to be a threat and a challenger to the U.S., such as Iran or North Korea, the massive American reaction to a limited attack on critical infrastructure serves its purpose. The attacker has shown its domestic audience that it could shake the Americans, especially when U.S. authorities attributed the attack to Iranian hackers, making it easier to present as news for the Iranian audience. Cyber-attacks become a risk-free way of picking a fight with the Americans without risking escalation.

Numerous cyber-attacks on critical American infrastructure could simply be a way to harass American society, with no other justification than hostile authoritarian leaders using them as an outlet for their frustration and anger against the U.S.

Attackers seeking to maximize civilian hardship as a tool to bring down a targeted society have historically faced the reverse reaction. The German bombings of civilian targets during the 1940 air campaign, “the Blitz,” only hardened the British resistance against the Nazis. An attacker needs to take into consideration the potential fallout of a significant attack on critical infrastructure. The reactions to Pearl Harbor and 9/11 show that there is a risk for any adversary that attacks the American homeland: such an attack might unify American society instead of injecting fear and forcing submission to foreign will.

Critical infrastructure is a significant attack vector to track and defend. Still, the massive and often predictable reactions that cyberattacks on U.S. critical infrastructure create are in themselves a vulnerability if orchestrated by an adversary following the Soviet/Russian concept of reflexive control.

The War Game Revival


The sudden fall of Kabul, when the Afghan government imploded in a few days, shows how hard it is to predict and assess future developments. War games have had a revival in recent years as a way to understand potential geopolitical risks better. War games are tools to support our thinking and force us to accept that developments we did not anticipate can happen, but games also have a flip side. War games can act as afterburners for our confirmation bias and inward, self-confirming thinking. Would an Afghanistan-focused wargame designed two years ago have had a governmental implosion in a few days as a potential outcome? Maybe not.

Awareness of how bias plays into the games is key to success. The wargame revival occurs for a good reason. Well-designed war games make us better thinkers; the games can be a cost-effective way to simulate various outcomes, and you can go back and repeat the game with lessons learned.

Wargames are rules-driven; the rules create the mechanical underpinnings that decide outcomes, either success or failure. Rules are condensed assumptions. Therein resides a significant vulnerability: are we designing games that operate within the realm of our own aggregated bias?

We operate in large organizations that have modeled how things should work. The timely execution of missions is predictable according to doctrine. In reality, things don’t play out the way we planned; we know it, but the question is, how do you quantify a variety of outcomes and codify them into rules?

Our war games and the lessons learned from them are never perfect. The games are intellectual exercises to think about how situations could unfold and to deal with the results. In the interwar years, the U.S. made a correct decision to focus on Japan as a potential adversary. Significant time and effort went into war planning based on studies and wargames that simulated the potential Pacific fight. The U.S. assumed one major decisive battle between the U.S. Navy and the Imperial Japanese Navy, where lines of battleships fought it out at a distance. In the plans, that was the crescendo of the Pacific war. The plans missed the technical advances and the importance of airpower, aircraft carriers, and submarines. Who was setting up the wargames? Who created the rules? A cadre of officers who had served in the surface fleet and knew how large ships fought. There is naturally more to the story of the interwar war planning, but as an example, this short comment serves its purpose.

How do we avoid creating war games that only confirm our predisposition and lure us into believing that we are prepared, instead of presenting the war we have to fight?

How do you incorporate all these uncertainties into a war game? Naturally, it is impossible, but keeping the biases at least to a degree mitigated ensures value.

Studying historical battles can also give insights. In the 1980s, sizeable commercial war games featured massive maps, numerous die-cut unit counters, and hours of playtime. One of these games was SPI’s “Wacht am Rhein,” which covered the Battle of the Bulge from start to end. The game visualizes one thing: it doesn’t matter how many units you can throw into battle if they are stuck in a traffic jam. Historical war games can teach us lessons that need to be kept in our memory to avoid repeating the mistakes of the past.

Bias in wargame design is hard to root out. The viable way forward is to challenge the assumptions and the rules. Outsiders do it better than insiders because they will see the “officially ignored” flaws. These outsiders must be cognizant enough to understand the game but have minimal ties to the outcome, so they are free to voice their opinion. There are experts out there. Commercial lawyers challenge assumptions and are experts in asking questions. It can be worth a few billable hours to ask them to find the flaws. Colleagues are not suited to challenge the “officially ignored” flaws because they are marinated in the ideas that established those flaws. Academics dependent on DOD funding could gravitate toward accepting the “officially ignored” flaws, which is simply fundamental human behavior; the fewer ties to the initiator of the game, the better.

Another way to address uncertainty and bias is repeated games. In the first game, cyber has the effects we anticipate. In the second game, cyber has limited effect and turns out to be an operational dud. In the third game, cyber effects proliferate and have a more significant impact than we anticipated. I use these quick examples to show that there is value in repeated games. The repeated games become a journey of realization and afterthoughts due to the variety of factors and outcomes. We can then afterward use our logic and understanding to arrange the outcomes to understand reality better. The repeated games limit the range and impact of specific biases due to the variety of conditions.

The revival of wargaming is needed because wargaming can be a low-cost, high-return, intellectual endeavor. Hopefully, we can navigate away from the risks of groupthink and confirmation bias embedded in poor design. The intellectual journey that the war games take us on will make our current and future decision-makers better equipped to understand an increasingly complex world.


Jan Kallberg, Ph.D.


How the Founding Fathers helped make the US cyber-resilient

The Founding Fathers have done more for U.S. strategic cyber resiliency than any modern initiative. Their contribution is a stable society that can absorb attacks without falling into chaos, mayhem, and entropy. Stable countries have a significant advantage in future nation-state cyber-information conflicts. If nation states seek to conduct decisive cyberwar, victory will not come from anecdotal exploits, but instead from launching systematic, destabilizing attacks on the targeted society that bring it down to the point where it is subject to foreign will. Societal stability is not created overnight; it is the product of decades and even centuries of good government, civil liberties, fairness, and trust building.

Why does it matter? Because the strategic tools to bring down and degrade a society will not provide the effects sought. That means that for an adversary seeking strategic advantages by attacking U.S. critical infrastructure, the risk of retribution can outweigh the benefit.

The blackout in the Northeast in 2003 is an example of how the American population would react if a significant share of critical infrastructure were degraded, as it could be by hostile cyberattacks. The reaction showed that instead of imploding into chaos and looting, the affected population acted orderly and helped strangers. They demonstrated a high degree of resiliency. The reason why Americans act orderly and have such resiliency is a product of how we have designed our society, which leads back to the Founding Fathers. Americans are invested in the success of their society. Therefore, they do not turn on each other in a crisis.

Historically, the tactic of attacking a stable society by generating hardship has failed more than it has succeeded. One example is the Blitz of 1940, the German bombings of metropolitan areas and infrastructure, which only hardened the British resistance against Nazi Germany. After Dunkirk, several British parliamentarians were in favor of a separate peace with Germany. After the Blitz, British politicians were united against Germany and fought Nazi Germany single-handedly until the USSR and the United States entered the war.

A strategic cyber campaign will fail to destabilize the targeted society if the institutions remain intact following the assault or successfully operate in a degraded environment. From an American perspective, it is crucial for a defender to ensure the cyberattacks never reach the magnitude that forces society over the threshold to entropy. In America’s favor, the threshold is far higher than our potential adversaries’. By guarding what we believe in – fairness, opportunity, liberty, equality, and open and free democracy – America can become more resilient.

We generally underestimate how stable America is, especially compared to potential foreign adversaries. There is a deterrent embedded in that fact: the risks for an adversary might outweigh the potential gains.

Jan Kallberg is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy or the Department of Defense.

The Zero Domain – Cyber Space Superiority through Acceleration beyond the Adversary’s Comprehension

THE ZERO DOMAIN

In the upcoming Fall 2018 issue of the Cyber Defense Review, I present a concept: the Zero Domain. The Zero Domain concept is battlespace singularity through acceleration. There is a point along the trajectory of accelerated warfare where only one warfighting nation comprehends what is unfolding and sees the cyber terrain; there is an upper barrier to comprehension beyond which the acceleration makes the cyber engagement unilateral.

I intentionally use the term accelerated warfare, because it implies a driver and a command of the events unfolding, even if only by one of two actors, whereas hyperwar suggests events unfolding without control or the ability to fully steer the engagement.

It is questionable and even unlikely that cyber supremacy can be reached by overwhelming capabilities manifested by stacking more technical capacity and adding attack vectors. The alternative is to use time as the vehicle to supremacy by accelerating the velocity of the engagements beyond the speed at which the enemy can target, precisely execute and comprehend the events unfolding. The space created beyond the adversary’s comprehension is titled the Zero Domain. The military traditionally sees the battle space as the land, sea, air, space and cyber domains. When fighting the battle beyond the adversary’s comprehension, no traditional warfighting domain serves as the battle space; it is neither a vacuum nor an unclaimed terra nullius, but instead the Zero Domain. In the Zero Domain, cyberspace superiority surfaces as the outcome of the accelerated time and a digital space-separated singularity that benefits the more rapid actor. The Zero Domain has a time space that is only accessible to the rapid actor and a digital landscape that is not accessible to the slower actor due to the execution velocity in the enhanced accelerated warfare. Velocity achieves cyber Anti-Access/Area Denial (A2/AD), which can be achieved without active initial interchanges by accelerating the execution and cyber ability in a solitaire state. During this process, any adversarial probing engagements only affect the actor on the approach to the Comprehension Barrier, and once the actor has arrived in the Zero Domain there is a complete state of Anti-Access/Area Denial (A2/AD). From that point forward, the actor that reached the Zero Domain has cyberspace singularity: the accelerated actor is the only actor that can understand the digital landscape, engage unilaterally without any adversarial ability to counterattack or interfere, and hold the ability to decide when, how, and where to attack.

In the Zero Domain, the accelerated singularity forges the battlefield gravity and thrust into a single power that denies adversarial cyber operations and acts as one force of destruction, extraction, corruption, and exploitation of targeted adversarial digital assets.

When breaking the Comprehension Barrier, the first of the adversary’s final points of comprehension to be passed is human deliberation, followed directly by pre-authorization and machine learning; once these final points of comprehension are passed, the rapid actor enters the Zero Domain.

Key to victory has been the concept of being inside the opponent’s OODA loop, and thereby distorting, degrading, and derailing any of the opponent’s OODA. In accelerated warfare beyond the Comprehension Barrier, there is no need to be inside the opponent’s OODA loop, because the accelerated warfare concept is to remove the OODA loop for the opponent and, by doing so, decapitate the opponent’s ability to coordinate, seek effect, and command. In the Zero Domain, the opposing force has no contact with their enemy, and their OODA loop has evaporated.

The Zero Domain is the warfighting domain where accelerated velocity in the warfighting operations removes the enemy’s presence. It is the domain with zero opponents. It is not area denial, because the enemy is unable to accelerate to the level at which they can enter the battle space, and it is not access denial, because the enemy has never been a part of the later fight since the Comprehension Barrier was broken through.

Even if adversarial nations invest heavily in quantum, machine learning, and artificial intelligence, I am not convinced that these adversarial authoritarian regimes can capitalize on their potential technological peer status with America. The Zero Domain concept has an American advantage because we are less afraid of allowing degrees of freedom in operations, whereas the totalitarian and authoritarian states are slowed down by their culture of fear and need for control. An actor that is slowed down will lower the threshold for the Comprehension Barrier and enable the American force to reach the Zero Domain earlier in the future fight and establish information superiority as a confluence of cyber and information operations.

Jan Kallberg, PhD

Jan Kallberg is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy or the Department of Defense.

Legalizing Private Hack Backs leads to Federal Risks

During the last year, several op-ed articles and commentaries have proposed that private companies should have the right to strike back when attacked in cyberspace and conduct their own offensive cyber operations.

The demarcation in cyber between the government sphere and the private sphere is important to uphold because it influences how we see the state and the framework in which states interact. One reason why we have a nation state is to deal with foreign hostility and malicious activity in a uniform and structured way, under the guidance of a representative democracy. The state is given its powers by the citizenry to protect the nation, utilizing a monopoly on violence. The state then acts under the existing laws on behalf of the citizens to carry out the intentions of the population it represents. These powers create an authority that the federal government utilizes to enforce compliance with the laws and handle our relations with foreign powers. If the federal government cannot uphold that authority, legitimacy and confidence in government will suffer. The national interest in protecting legitimacy and authority and maintaining confidence in the federal government is by far stronger than the benefits of a few private entities departing on their own cyber odysseys to retaliate against foreign cyber attacks.

I would like to visualize the importance of the demarcation between government and private entities with an example. A failed bank robbery leads to a standoff where the robbers are encircled by government law enforcement. The government upholds its monopoly on violence based on laws that permit the government, on behalf of the people, to engage the robbers in a potential shootout. All other citizens are instructed to leave the area. The law enforcement officers seek to resolve the situation without any violence. This is how we have designed the demarcation between the government and the private sphere in the analog world.

If the US decides to allow companies to strike back against foreign cyber attacks, then the US has abandoned this demarcation between the nation state and the private sphere. Going back to the bank robbers surrounded by law enforcement, using the logic of private cyber retaliation, any bank customer who had an account in the robbed bank could show up at the standoff, open fire at the robbers at their own discretion, and depart directly afterward, leaving the police to sort out the shootout and the aftermath with no responsibility for the triggering event.

Abandoning the clear demarcation between the government and the private sphere leads to entropy and loss of control, and is counterproductive for the national cyberdefense and the national interest.

The counterargument is that private companies are defenseless against cyber attacks and therefore should have the right to self-defense.

The Commission on the Theft of American Intellectual Property published a report that was a strong proponent of allowing private companies to strike back and even retaliate against cyber attackers. According to the commission, these counterstrikes should be conducted as follows: “Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.”

The proponents of private cyber retaliation base their view on several assumptions. First, that the private company can attribute the attack and determine who is attacking them. The second assumption is that the counterstriking companies have the cyber resources to engage, even if there is a state-sponsored organization on the other end, and that there will be no collateral damage. A third, hidden assumption is that the events do not lead to uncontrolled escalation and that the cyber interchanges only affect the engaged parties.

An attacker has other options and can seek to attack other entities and institutions as a reprisal for the counterattack. If the initial attacker is a state-sponsored organization in a foreign country, multinational companies can have significant business and interests at risk if the situation escalates. Private companies will not be responsible for the aftermath, and the entropy that can occur undermines the American stance; the nation loses its higher ground in challenging the state sponsors behind the cyber attacks within the framework of the international community.

The answer to who should hack back, if we decide to do so at all, is simple: it should be the federal government, for the same reason that you would not fly on a passport issued by your neighbor across the street. Only the federal government is suited to engage foreign nations and the private entities therein.

The unaddressed core problem is that we have not yet been able to create mechanisms to transfer cyber incidents from the private realm to the authorities. This limited ability, during the short timeframe in which an attack occurs, initially gives the cyber attacker an advantage, but this will be solved over time and does not outweigh the damage from a federal authority undermined by entropy in cyber.