
Strife

The Academic Blog of the Department of War Studies, King's College London


Cyber Operations

Offensive Cyber Series: Dr Daniel Moore on Cyber Operations, Part II

June 11, 2021 by Dr Daniel Moore and Ed Stacey

Photo Credit: Ecole polytechnique / Paris / France, licensed with CC BY-SA 2.0.

This is part II of Ed Stacey’s interview with Dr Daniel Moore on cyber operations for Strife’s Offensive Cyber Series. You can find Part I here.


ES: Thinking about alliances more broadly, what sort of opportunities and challenges do allies face when conducting joint operations in cyberspace?

DM: Allied operations on networks – I am not a fan of cyberspace – are contentious as well. They are a good measure more sensitive than any conventional equivalent that you can think of. It is not like having a joint military operation: it means putting your sensitive infrastructure and capabilities on the line alongside an ally. That is not to say it does not happen and there have been documented cases which were purportedly joint operations by multiple countries. So I think it will happen, but there are complexities involved. I know that NATO has already declared that they are together, as an alliance, bringing forward cyber capabilities that they will use jointly. I welcome that declaration, even if I am sceptical as to what it actually means.

I would tend to believe that, considering how porous NATO is as an entity and how there are varying levels of trust within NATO, truly sensitive capabilities will be kept off the table by individual member states in favour of their own arsenals and sets of strategic capabilities. This is not to say it is not possible, but it is unlikely that at a NATO level you will see joint operations that are truly strategic in nature. What you might see is allied members that are operating together. I do not think that, for example, a joint UK-US operation against a target is out of the question, especially if one brings a certain set of capabilities to the table and one brings others – somebody gives the tools, this unit has the relevant exploits, this intelligence organisation had already developed access to that adversary and so on. Melding that together has a lot of advantages, but it requires a level of operational intimacy that is higher than what you would be able to achieve at the NATO alliance level.

ES: Moving beyond the state, what role does the private sector play in the operational side of offensive cyber? Do we have the equivalent of private military contractors in cyberspace, for example?

DM: There is a massive role for the private sector across the entire operational chain within offensive cyber operations. I would say a few things on this. Yes, they cover the entire chain of operations and that includes vulnerability research, exploit development, malicious tool development and then even specific outfits that carry out the entire operational lifecycle, so actually conduct the intrusion itself for whatever purposes. In some cases, it is part of an industrial-defence complex like in the US, for example, where you have some of the giant players in defence developing offensive capabilities, both on the event- and presence-based side of things. And ostensibly you would have some of those folks contributing contractors and operators to actually facilitate operations.

But in other countries that have a more freeform or less mature public sector model for facilitating offensive cyber operations, the reliance on third party private organisations is immense. If you look, for example, at some of the US indictments against Iranian entities, you will see that they charged quite a few Iranian private companies for engaging in offensive cyber operations. The same happens in China as well, where you see private sector entities engaging in operations driven by public sector objectives. In some cases, they are entirely subsumed by a government entity, whereas in others they are just doing work on their behalf. In some cases, you actually see them use the same infrastructure in one beat for national security objectives, then the workday ends and they pivot and start doing ransomware to get some more cash in the evenings – using the same tools or infrastructure, or something slightly different. So, yes, the private sector plays an immense role throughout this entire ecosystem, mostly because the cost of entry is low and the opportunities are vast.

ES: Just to finish, you have a book coming out soon on offensive cyber. Can you tell us anything about what to expect and does it have a title or release date yet?

DM: The book is planned for release in October. It will be titled Offensive Cyber Operations: Understanding Intangible Warfare, and it is basically a heavily processed version of my PhD thesis that has been adapted, firstly, with some additional content to reflect more case studies, but also to appeal to anybody who is interested in the topic without necessarily having a background in cyber or military strategy and doctrine. So it is trying to bridge the gap and make the book accessible, exactly to dispel some of the ambiguities around the utility of cyber operations. Questions like: how are they currently being used? What can they be used for? What does the “cyber war” narrative mean? When does an offensive cyber operation actually qualify as an act of cyber warfare? And, most importantly, what are the key differences between how different countries approach offensive cyber operations? Things like organisational culture, different levels of maturity, strategic doctrine and even just circumstance really shape how countries approach the space.

So I tackle four case studies – Russia, the US, China and Iran – and each one of those countries has unique advantages and disadvantages; they bring something else to the table and have an entirely different set of circumstances for how they engage. For example, the Iranians are incredibly aggressive and loud in their offensive cyber operations. But the other side to this is that they lack discipline, their tools tend to be of a lower quality and while they are able to achieve tactical impact, it does not always translate to long-term success.

The US is very methodical in its approach – you can see, taste and smell the bureaucracy in every major operation that it does. But that bureaucratic entanglement and the constant tension between the National Security Agency, Cyber Command and other involved military entities results in a more ponderous approach to cyber operations, although those organisations obviously bring a tonne of access and capability.

With the Russians, you can clearly see how they do not address cyber operations as a distinct field. Instead, they look at the information spectrum more holistically, which is of pivotal importance to them – so shaping what is “the truth” and creating the narrative for longer-term strategic success is more important than the specifics. That being said, they are also one of the most prolific offensive actors that we have seen, including multiple attacks against global critical infrastructure and various aggressive worms that exacted a heavy toll from targets. So for Russia, if you start looking at their military doctrine, you can see just how much they borrow, not only from their past in electronic warfare but also their extensive past in information operations, and how those blend together to create a broader spectrum of information capabilities in which offensive cyber operations are just one component.

And finally, the Chinese are prolific actors in cyber espionage – provably so. They have significant technical capabilities, perhaps somewhat shy of their American counterparts but they are high up there. They took interesting steps to solidify their cyber capabilities under a military mandate when they established the Strategic Support Force, which again – like the NCF – tried to resolve organisational tensions by coalescing those capabilities. But they are largely unproven in the offensive space. They do have an interesting scenario on their plate to which cyber could and may play a role, which is any attempt at reclaiming Taiwan – something I look at extensively in the book and how that shapes their offensive posture.

So the book is a combination of a broader analysis of the significance of cyber operations and then how they are concretely applied by different nations for different purposes.


The next interview in Strife’s Offensive Cyber Series is with Amy Ertan on AI and military innovation. It will be released in two parts on Thursday 17th and Friday 18th June 2021.


Offensive Cyber Series: Dr Daniel Moore on Cyber Operations, Part I

June 10, 2021 by Dr Daniel Moore and Ed Stacey

Photo Credit: dustball, licensed with CC BY-NC 2.0

On Wednesday 10th March, Strife Interviewer Ed Stacey sat down with Dr Daniel Moore to discuss the operational side of offensive cyber. For part two of Strife’s Offensive Cyber Series, Dr Moore expands on his thinking about presence-based and event-based offensive cyber operations and discusses related topics such as the emergence of new organisational cyber structures, allied operations on networks and his upcoming book Offensive Cyber Operations: Understanding Intangible Warfare, slated for release in October 2021.

Ed Stacey: Danny, you have written in the past about distinguishing between presence-based and event-based offensive cyber operations. What are the key differences between the two?

Danny Moore: I came up with the distinction between presence-based and event-based operations as a commentary on the lack of distinction in most of the publicly accessible cyber doctrine documentation. Mostly what we see are offensive cyber operations treated as a uniform spectrum of possibilities that have the same considerations, the same set of staff associated with them and the same set of circumstances under which you would want to use them. But that is not the case.

A lot of the literature you see focusses on the technical deployment of offensive cyber operations – the malicious software involved in the process, the intended effect, what it means to pivot within a network – but that really only encompasses a fraction of the activity itself when we are talking about military-scale or even intelligence agency-scale of operations, at least where it counts. So I came up with this distinction to differentiate between what I think are two supercategories of operation that are so different in the circumstance, and so unique in how they would be utilised, that they are worth examining separately because they have distinct sets of advantages and disadvantages.

Presence-based operations are like the classic intelligence operation that has an offensive finisher. So you have everything that you normally would with an intelligence operation, including compromising the adversary’s network, establishing a foothold, pivoting within and gathering relevant information. But then there are additional offensive layers too, such as looking for the appropriate targets within the network that would yield the intended impact and weaponizing your access in a way that would facilitate achieving the objective. For example, would you need dedicated tooling in order to have an effect on the target? Or say you are looking to have a real-world, physical impact or even adversely degrade specific types of software and hardware, which would require significant capabilities. But crucially, the operation is managed over the period of at least many weeks, if not months and sometimes even years. And it can be a strategic set of capabilities that you would use possibly even just once, when needed, because once exposed it is likely to be counteracted, at least in the medium-term.

Event-based operations are completely different in that sense. They are the most robust equivalent that you could have to a proper weapon, in the military sense of the word. It is intended to be something that you can bundle, package up and deploy in multiple circumstances. Imagine – and I think this is the most helpful analogy – it is almost an evolution of electronic warfare, something that you can deploy on a ship or with a squad or even within an existing air defence grid. What it does is, instead of just communicating in electromagnetic signal, it also attempts to facilitate a software attack on the other side. And that sequence involves a completely different set of circumstances. You do not need to have an extended period of intelligence penetration of the network that you are targeting – that contact is likely to be minimal. Instead, what you have is an extensive research and development process where you collect the right technical intelligence in order to understand the target, craft the actual tool and then make it much more robust so that it can be used multiple times against the same or equivalent targets and not be as brittle to detection, so stealth is not really a component.

So that distinction is just a high-level way of saying that the circumstances are different, the types of manpower associated are different, but also that there are unique advantages and disadvantages when using each.

ES: What sort of benefits do states and their militaries and intelligence agencies gain by making this distinction?

DM: If you acknowledge these differences at a strategic and doctrinal level, it facilitates much better planning and integration of cyber capabilities into military operations. As you know, there is a constant tension between intelligence agencies and their equivalents in the conventional military around how offensive cyber capabilities are used. The question here is: how close is the relationship between the intelligence agency – which is the natural owner of offensive cyber capabilities, for historical reasons and usually a strong link to signals intelligence – and the military, which wants to incorporate these capabilities and to have a level of predictability, repeatability and dependability from these activities for planning purposes? That tension is always there and it is not going away entirely, but how this distinction helps is to group capabilities in a way that facilitates better planning.

If you have a supercategory of operation that relies heavily on intelligence-led penetration, pivoting and analysis, for example, that comfortably lives with the extreme assistance of an intelligence agency, if not actual ownership – and that will vary between countries. Whereas the more packageable type of capability is easier to hand-off to a military commander or even specific units operating in the field. It is something that you can sign off and say: this will not compromise my capabilities in a significant way if it is used in the field incorrectly, or even correctly, and gets exposed in some way, shape or form. So it is about different levels of sensitivities, it is about facilitating planning and I think it takes the conversation around what offensive cyber operations actually look like to a more realistic place that supports the conversation, rather than limits it.

ES: Focussing on the organisational tensions that you mentioned, new structures like the UK’s National Cyber Force (NCF) are emerging around the world. What are the operational implications of these efforts?

DM: The short answer is that the NCF is an acknowledgement of a process that has been happening for many years. That is, the acknowledgement that you need to build a bridge between the intelligence agency, which is the natural owner of these capabilities, and the military, that wants to use them in a predictable and effective way. So you are seeing outfits like this come up in multiple countries. It allows for more transparent planning and for better doctrinal literature around how cyber capabilities integrate into military planning. That is not to say it will fix everything, but it decouples the almost symbiotic relationship between intelligence agencies and offensive cyber operations.

Intelligence agencies will always play a significant part because, as I said and have written about as well, they have an important role to play in these types of operations. But we have matured enough in our understanding to be able to have a distinct, separate conversation about them that includes other elements in military planning that do not just draw from intelligence agencies. So the NCF and other equivalent entities are an acknowledgement of the distinctness of the field.

ES: This next question is from Dr Tim Stevens, who I spoke to last week for part one of this series. Will NATO allies follow the US’ lead and adopt a posture of persistent engagement in cyberspace? And just to add to that, if they did, what sort of operational challenges and opportunities would they face in doing so?

DM: The conversation around the US’ persistent engagement and defend forward mentality for cyber operations is one that is ambivalent and a little contentious, even within the US itself – whether or not it is working, whether or not it is the best approach and, even, what it is actually trying to achieve. If you read the literature on this, you will find many different interpretations for what it is actually meant to do. So will NATO or specific member states choose to adopt elements of this? Possibly. But it is unlikely to manifest in the same way.

The perception from the US that they are in constant competition with their adversaries in and against networks is accurate. We have increased friction as a result of how the internet is structured and how sensitive networks are structured. You consistently have to fend off adversaries and seek to engage them, ideally outside your own networks – a good concept to have and a good operational model to keep in mind. And I think it is a great way to educate military leaders and planners around the unique circumstances of operating against networks. That said, I do not know if NATO is going to adopt wholesale persistent engagement and defend forward or rather just incorporate elements of that constant friction into their own models, which I think is a necessary by-product of engaging networks.

Some of the countries within NATO are more prolific than others when it comes to such activities – the UK, for example, or even France. Obviously, countries run offensive cyber operations of their own: they consistently need to fend off adversaries from their critical infrastructure and they prefer not to do this by directly mitigating incidents within their own network. So the step of persistent engagement and defend forward does make sense, but I do not know if that is an adoption of the same doctrine or just some of the principles that it looks to embody.


Part II of this interview will be published tomorrow on Friday 11th June 2021.

