Understanding the 'physics' of cyber-operations - Pukhraj Singh

  1. UNDERSTANDING THE ‘PHYSICS’ OF CYBER-OPERATIONS From Doctrine to Operations From Operations to Doctrine Pukhraj Singh
  2. About me • 13 years of off-and-on experience in cyber threat intelligence • Made early attempts at fusing cyber with geopolitics – Novel in 2010 • 5.5 years in the government – “It was the best of times, it was the worst of times” – Charles Dickens • I stand on the shoulders of giants – Cyber is over-classified; completely lacks empirical data to see trends – Experience is the only marker for cyber – I rely on operators with much greater experience • Product of six months of research on a manuscript
  3. Three interspersed narratives in this talk • Understanding the ‘meta’ of cyber – Shifts once every 5 years, on average • The underlying physics of cyber-operations – All our assumptions are gravely wrong – Gets re-written every 5 years, too • The autonomous code will write the laws of war – From operations to policy, strategy & doctrine, not otherwise – Cyber: Counter-insurgency as a strategy & realpolitik as a policy
  4. “The other domains [of war] are natural, created by God & this one is the creation of man” -- Gen Michael Hayden, former director NSA & CIA Let that sink in for a moment…
  5. Four dimensions of power that absolutely don’t work in cyberspace: Territoriality, Causality, Proportionality & Legality
  6. What are cyberweapons? “Cyberweapons are power projection tools” -- Dave Aitel, former NSA cyber-operative
  7. But what REALLY are cyberweapons? “Anything which changes the terrain of cyberspace” -- Gen. Michael Hayden, ex-NSA & CIA It is not just about access
  8. Anything which changes the terrain of cyberspace • For example, availability is the most potent weapon • Julian Assange/Wikileaks – The strategic pivot of Russian Active Measures (INFOOPS) – “Ahead of its time by many years” – Dave Aitel, ex-NSA • Russian Active Measures in the 2016 US elections – Weaponized the mere availability of crappy information
  9. Three things where the generals may go wrong: - Cyber is NOT fully asymmetric - Cyber is NOT always non-kinetic - Cyber is NOT mostly non-attributable
  10. Stuxnet: costlier than an airstrike -- Rebecca Slayton, Cornell University
  11. “The vast majority of cyber power projection tools are built and maintained by non-state-actors… a vast majority of the top tier hackers in the world are not with nation-states or never were” -- Dave Aitel, former NSA cyber-operative
  12. “If we were to score cyber the way we score soccer, the tally would be 462-456, twenty minutes into the game” -- Chris Inglis, former Deputy Director of NSA Defense is an afterthought
  13. “…the dual-hatting of the Director of NSA & Commander of U.S. Cyber Command ought not be undermined by nascent efforts to divide the two out of a need for improved optics” -- Gen. Keith Alexander, former director of NSA Offense-Defense • Mathematically indistinguishable • Symbiotic
  14. Cyber is the true dual-use technology “I cannot change the reality that all security tools are dual-use” -- Mike Walker, DARPA • Offense-defense: symbiotic • Antivirus is the APT: the Kaspersky example • The Wassenaar debacle • “The cyber security products that promise total surveillance over the enterprise are, to my mind, an offensive strategy used for defensive purposes” – Dan Geer, In-Q-Tel • NSA’s DEFIANTWARRIOR, TURBULENCE & QUANTUMBOT
  15. Thresholds of cyberwar would remain nebulous “…fixation on defining the precise threshold for a digital act of war (beyond the de facto effects-based analysis to be applied in any actual scenario) distracts from the important question of how cyber operations are actually being used today” -- Sean Kanuck, former National Intelligence Officer for Cyber
  16. Why? Because the real intent & impact of a cyberattack are objectively incalculable Thresholds of cyberwar would remain nebulous
  17. Why? Because CNE, CNA & CND are indistinguishable until fully manifested Thresholds of cyberwar would remain nebulous
  18. CNO Matthew Monte, former cyber-operative with the CIA
  19. Why? “When evaluating potential cyber activities, US policymakers have tended to view cyber operations as strictly delineated: offense or defense; espionage or military operations. Reality defies such stark categorization; determining when one type of cyber operation ends & another begins is challenging. Rather than establishing strict categories into which cyber activities are sorted, it may be best to view cyber operations along a spectrum” -- Col. Gary D. Brown, former staff judge advocate for U.S. Cyber Command Thresholds of cyberwar would remain nebulous
  20. So, what is a reasonable marker? “Surviving on a diet of poisoned fruit” “The US cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security” -- Richard A. Danzig, former member of the Defense Policy & Intelligence Advisory Boards
  21. “Cyber & Crisis Escalation: Insights from Wargaming” “Data from a crisis wargame conducted at the U.S. Naval War College from 2011 to 2016” “Decision-makers view cyber operations as highly escalatory…cautious about using offensive cyber operations & cyber network exploitation, even after conventional conflict has begun” “Despite their concern about escalation— chose not to respond to cyber attacks by the adversary in any of the wargames” -- Jacquelyn Schneider, United States Naval War College
  22. “Cyber & Crisis Escalation: Insights from Wargaming” “Data from a crisis wargame conducted at the U.S. Naval War College from 2011 to 2016” “Significant strides toward our understanding of the impact of cyber on crisis stability by shifting from an analysis of capabilities to an exploration of states’ perceptions about the impact of cyber on escalation. By bypassing technical questions of capabilities, we can focus instead on how decision-makers process the uncertainties of cyber, with implications not only for potential behaviors during crisis situations but also for understanding the variables that shape foreign policy decision-makers’ understandings of the cyber domain” -- Jacquelyn Schneider, United States Naval War College
  23. Finally, is cyber-deterrence a chimera? “Deterrence is largely a function of perception” “For deterrence to be effective, the adversaries must believe that our ability to respond to an attack will result in unacceptable costs imposed on them. Costs may be imposed through a variety of mechanisms, including economic sanctions, diplomacy, law enforcement, & military action” -- Aaron G. Hughes, former U.S. deputy assistant secretary of defense for cyber policy
  24. Bureaucracy: the most persistent technical signature of a cyber attack
  25. “Your cyber adversary has a boss & a budget” -- The Grugq Bureaucracy: the most persistent technical signature of a cyber attack
  26. “Map the adversarial ecosystem of cyberspace in anthropological detail with the aim of increasing our understanding of our adversaries & our own incentives & methods of operation” -- Richard A. Danzig, Surviving On A Diet of Poisoned Fruit Bureaucracy: the most persistent technical signature of a cyber attack
  27. Prevalent operational structures -- Dave Aitel, former NSA cyber-operative
  28. Three real asymmetries of cyberwar -- Matthew Monte, former CIA cyber-operative Book: Network Attacks & Exploitation
  29. Overview: China • Two 3PLA cyber feeder programs – Apart from tech, HUGE focus on language – Jiao Tong, Shanghai International Studies University • Tiered competency • Loose C&C – OPSEC relies on plausible deniability • Fusion centers for economic espionage • Unified war component: Strategic Support Force
  30. Overview: China -- Dave Aitel, former NSA cyber-operative
  31. Overview: China • Efficient economic espionage – “The largest transfer of wealth in history” -- Gen. Keith Alexander – A major part of the 30% self-sustenance component of PLA • Declassifies stolen intelligence downstream – Via fusion centers: National Technology Transfer Centers or National Demonstration Organizations – “Convert advanced foreign technology into domestic innovation ability” – “Making technology transfer even more the core feature of our technology innovation” – Project 863, 973 & 211 – Under the 61 Research Institute of 3PLA – Corrupt generals
  32. Overview: US • Cyber competency: Medium-tiered • Medium C&C • Extremely high covertness • “Doesn't try to control the world but prevents surprise” – The Grugq • A million cleared people - 17 agencies competing for budget • Contractor rot; high attrition
  33. Overview: Russia • Good fusion of CYBEROPS with INFOOPS • Disinformation goes all the way back to Stalin • Remnant of the massive Soviet-era Active Measures machinery – $3-4 billion budget in 1982 ($9.5-12.6 billion in today’s terms) > budget of the NSA
  34. Overview: Russia • Non-linear war: Gerasimov Doctrine – Peak build-up during & after Crimea • Competing agencies -- GRU, FSB & SVR • Very low covertness • Extension of the state-criminal nexus – Multiple operational components – Strategic cyber reserve
  35. Overview: Israel • Purely an extension of skilling – unique • Completely disrupts conventional population-based competencies (lesson for India) • Feeders for 8200: starts from school – Magshimim, Talpiot • Vets bring almost $10 billion per year post-retirement – That’s roughly $700 per capita
  36. India?
  37. ??? ☹
  38. The worst kind of insurgency • Col. Gary D. Brown on why we won’t see international norms in cyber: – Laws came from customs & practices of nations – how do we account for the massive non-state component? – Functional entropy. Every cyberweapon can command its own law – Most conflict laws are written around kinetic impact – Whatever rules we may create around cyber would also affect other bodies like kinetic warfare – No letting go of offensive capabilities. “The strong do what they can, & the weak suffer what they must” – Internal (inter-agency) lack of cohesion is extreme
  39. Cyber from a subcontinental perspective • “States not defining their limits & capabilities is an impediment to cyber law” -- Col. Gary D. Brown – Maintains escalatory control • “Vast majority of our key networked infrastructure is owned & operated by the private sector… must learn to work together to defend our nation in cyberspace” -- Gen. Keith Alexander – Private sector would always be in the cross-hairs – Active Defence (Offensive Defence) – “Private companies… providing threat intelligence that is steadily approaching the all-source format” – Sean Kanuck
  40. Cyber from a subcontinental perspective • “We are fighting at the intersection of a Venn diagram where the finances of a non-state actor meet the capabilities of a state actor” – Le me • “Offense’s superiority means that it is a utopian fantasy to believe that information can be protected from leakage, & so the counter-offense of disinformation is what we must deploy in return” – Dan Geer
  41. Cyber from a subcontinental perspective • “Espionage & war are the same thing now” • “Information is capabilities” • “Lines of communications are lines of attack” • “Passive can turn into active at a heartbeat” • “Motivations dictate methodology” • “Capabilities can scale” • “Cyber attacks ideologies best” • “Banks evolved from a physical place to software services provider that conducts financial transactions… so too are countries becoming increasingly defined by code, rather than physical, tangible assets” – Dave Aitel
  42. Cyber from a subcontinental perspective • “Most common threat vector within the cyber environment displays characteristics of a classical insurgent force” -- Maj. GB Parisien, Canadian Forces College • Cyber feeder program – Cyber NDA – Skilling would be the most effective & cheapest force multiplier for the Indian Armed Forces • Focus on tooling & toolchains rather than hacks – Controls resource & manpower attrition
  43. Cyber from a subcontinental perspective • Cyber is the strategic pivot of symmetric war, not otherwise • A highly regulated non-state actor engagement model – Cyber-military industrial complex • For India, cyber-deterrence may mostly be realized through geopolitical alliances as the capability build-up is slow & weak
  44. Thanks