Understanding the 'physics' of cyber-operations - Pukhraj Singh
UNDERSTANDING THE ‘PHYSICS’ OF CYBER-OPERATIONS
From Doctrine to Operations
From Operations to Doctrine
Pukhraj Singh
About me
• 13 years of off-and-on experience in cyber threat intelligence
• Made early attempts at fusing cyber with geopolitics
– Novel in 2010
• 5.5 years in the government
– “It was the best of times, it was the worst of times” – Charles Dickens
• I stand on the shoulders of giants
– Cyber is over-classified; completely lacks empirical data to see trends
– Experience is the only marker for cyber – I rely on operators with
much greater experience
• Product of a six-month research on a manuscript
Three interspersed narratives in this talk
• Understanding the ‘meta’ of cyber
– Shifts roughly once every 5 years, on average
• The underlying physics of cyber-operations
– All our assumptions are gravely wrong
– Gets re-written in 5 years, too
• The autonomous code will write the laws of war
– From operations to policy, strategy & doctrine, not the other way around
– Cyber: Counter-insurgency as a strategy & realpolitik as a
policy
“The other domains [of war] are natural,
created by God & this one is the creation of
man”
-- Gen Michael Hayden, former director NSA & CIA
Let that sink in for a moment…
Four dimensions of power that absolutely
don’t work in cyberspace:
Territoriality, Causality, Proportionality & Legality
But what REALLY are cyberweapons?
“Anything which changes the terrain of
cyberspace”
-- Gen. Michael Hayden, ex-NSA & CIA
It is not just about access
Anything which changes the terrain of cyberspace
• For example, availability is the most potent weapon
• Julian Assange/Wikileaks
– The strategic pivot of Russian Active Measures (INFOOPS)
– “Ahead of its time by many years” – Dave Aitel, ex-NSA
• Russian Active Measures in the 2016 US elections
– Weaponized the mere availability of crappy information
Three things where the generals may go wrong:
- Cyber is NOT fully asymmetric
- Cyber is NOT always non-kinetic
- Cyber is NOT mostly non-attributable
“The vast majority of cyber power projection tools are
built and maintained by non-state-actors… a vast
majority of the top tier hackers in the world are not
with nation-states or never were”
-- Dave Aitel, former NSA cyber-operative
“If we were to score cyber the way we score
soccer, the tally would be 462-456, twenty
minutes into the game”
-- Chris Inglis, former Deputy Director of NSA
Defense is an afterthought
“…the dual-hatting of the Director of NSA &
Commander of U.S. Cyber Command ought not be
undermined by nascent efforts to divide the two out of
a need for improved optics”
-- Gen. Keith Alexander, former director of NSA
Offense-Defense
• Mathematically indistinguishable
• Symbiotic
Cyber is the true dual-use technology
“I cannot change the reality that all security tools are dual-use”
-- Mike Walker, DARPA
• Offense-defense: symbiotic
• Antivirus is the APT: the Kaspersky example
• The Wassenaar debacle
• “The cyber security products that promise total surveillance over
the enterprise are, to my mind, an offensive strategy used for
defensive purposes” – Dan Geer, In-Q-Tel
• NSA’s DEFIANTWARRIOR, TURBULENCE & QUANTUMBOT
Thresholds of cyberwar would remain nebulous
“…fixation on defining the precise threshold for a digital act of
war (beyond the de facto effects-based analysis to be applied in
any actual scenario) distracts from the important question of
how cyber operations are actually being used today”
-- Sean Kanuck, former National Intelligence Officer for Cyber
Why?
Because the real intent & impact of a
cyberattack are objectively incalculable
Thresholds of cyberwar would remain nebulous
Why?
Because CNE, CNA & CND are indistinguishable
until fully manifested
Thresholds of cyberwar would remain nebulous
Why?
“When evaluating potential cyber activities, US policymakers
have tended to view cyber operations as strictly delineated:
offense or defense; espionage or military operations. Reality
defies such stark categorization; determining when one type of
cyber operation ends & another begins is challenging. Rather
than establishing strict categories into which cyber activities are
sorted, it may be best to view cyber operations along a
spectrum”
-- Col. Gary D. Brown, former staff judge advocate for
U.S. Cyber Command
Thresholds of cyberwar would remain nebulous
So, what is a reasonable marker?
“Surviving on a diet of poisoned fruit”
“The US cannot allow the insecurity of our cyber
systems to reach a point where weaknesses in those
systems would likely render the United States unwilling
to make a decision or unable to act on a decision
fundamental to our national security”
-- Richard A. Danzig, former member of the Defense
Policy & Intelligence Advisory Boards
“Cyber & Crisis Escalation:
Insights from Wargaming”
“Data from a crisis wargame conducted at the U.S. Naval War
College from 2011 to 2016”
“Decision-makers view cyber operations as highly
escalatory…cautious about using offensive cyber operations & cyber
network exploitation, even after conventional conflict has begun”
“Despite their concern about escalation… chose not to respond to
cyber attacks by the adversary in any of the wargames”
-- Jacquelyn Schneider, United States Naval War College
“Cyber & Crisis Escalation:
Insights from Wargaming”
“Data from a crisis wargame conducted at the U.S. Naval War
College from 2011 to 2016”
“Significant strides toward our understanding of the impact of cyber
on crisis stability by shifting from an analysis of capabilities to an
exploration of states’ perceptions about the impact of cyber on
escalation. By bypassing technical questions of capabilities, we can
focus instead on how decision-makers process the uncertainties of
cyber, with implications not only for potential behaviors during crisis
situations but also for understanding the variables that shape foreign
policy decision-makers’ understandings of the cyber domain”
-- Jacquelyn Schneider, United States Naval War College
Finally, is cyber-deterrence a chimera?
“Deterrence is largely a function of perception”
“For deterrence to be effective, the adversaries must believe
that our ability to respond to an attack will result in
unacceptable costs imposed on them. Costs may be imposed
through a variety of mechanisms, including economic sanctions,
diplomacy, law enforcement, & military action”
-- Aaron G. Hughes, former U.S. deputy assistant secretary of
defense for cyber policy
“Your cyber adversary has a boss & a
budget”
-- The Grugq
Bureaucracy: the most persistent technical
signature of a cyber attack
“Map the adversarial ecosystem of cyberspace in
anthropological detail with the aim of increasing our
understanding of our adversaries & our own incentives
& methods of operation”
-- Richard A. Danzig, Surviving On A Diet of Poisoned
Fruit
Bureaucracy: the most persistent technical
signature of a cyber attack
Three real asymmetries of cyberwar
-- Matthew Monte, former CIA cyber-operative
Book: Network Attacks and Exploitation
Overview: China
• Two 3PLA cyber feeder programs
– Apart from tech, HUGE focus on language
– Jiao Tong, Shanghai International Studies University
• Tiered competency
• Loose C&C
– OPSEC relies on plausible deniability
• Fusion centers for economic espionage
• Unified war component: Strategic Support Force
Overview: China
• Efficient economic espionage
– “The largest transfer of wealth in history” -- Gen. Keith Alexander
– A major part of the 30% self-sustenance component of PLA
• Declassifies stolen intelligence downstream
– Via fusion centers: National Technology Transfer Centers or
National Demonstration Organizations
– “Convert advanced foreign technology into domestic innovation
ability”
– “Making technology transfer even more the core feature of our
technology innovation”
– Project 863, 973 & 211
– Under the 61 Research Institute of 3PLA
– Corrupt generals
Overview: US
• Cyber competency: Medium-tiered
• Medium C&C
• Extremely high covertness
• “Doesn't try to control the world but prevents surprise” – The Grugq
• A million cleared people - 17 agencies competing for budget
• Contractor rot; high attrition
Overview: Russia
• Good fusion of CYBEROPS with INFOOPS
• Disinformation goes all the way back to Stalin
• Remnant of the massive Soviet-era Active Measures
machinery
– $3-4 billion budget in 1982 ($9.5-12.6 billion in today’s
terms) > budget of the NSA
Overview: Russia
• Non-linear war: Gerasimov Doctrine
– Peak build-up during & after Crimea
• Competing agencies -- GRU, FSB & SVR
• Very low covertness
• Extension of the state-criminal nexus
– Multiple operational components
– Strategic cyber reserve
Overview: Israel
• Purely an extension of skilling – unique
• Completely disrupts conventional population-based competencies (lesson for India)
• Feeders for 8200: starts from school
– Magshimim, Talpiot
• Vets bring almost $10 billion per year post-retirement
– That’s roughly $700 per capita
The worst kind of insurgency
• Col. Gary D. Brown on why we won’t see international norms in
cyber:
– Laws came from customs & practices of nations – how do we
account for the massive non-state component?
– Functional entropy. Every cyberweapon can command its own law
– Most conflict laws written around kinetic impact
– Whatever rules we may create for cyber would also affect other
bodies of conflict law, such as those governing kinetic warfare
– No letting go of offensive capabilities. “The strong do what they
can, & the weak suffer what they must”
– Internal (inter-agency) lack of cohesion is extreme
Cyber from a subcontinental perspective
• “States not defining their limits & capabilities is an impediment
to cyber law” -- Col. Gary D. Brown
– Maintains escalatory control
• “Vast majority of our key networked infrastructure is owned &
operated by the private sector… must learn to work together to
defend our nation in cyberspace” -- Gen. Keith Alexander
– Private sector would always be in the cross-hairs
– Active Defence (Offensive Defence)
– “Private companies… providing threat intelligence that is
steadily approaching the all-source format” – Sean Kanuck
Cyber from a subcontinental perspective
• “We are fighting at the intersection of a Venn diagram
where the finances of a non-state actor meet the
capabilities of a state actor” – Le me
• “Offense’s superiority means that it is a utopian fantasy
to believe that information can be protected from
leakage, & so the counter-offense of disinformation is
what we must deploy in return” – Dan Geer
Cyber from a subcontinental perspective
• “Espionage & war are the same thing now”
• “Information is capabilities”
• “Lines of communications are lines of attack”
• “Passive can turn into active at a heartbeat”
• “Motivations dictate methodology”
• “Capabilities can scale”
• “Cyber attacks ideologies best”
• “Banks evolved from a physical place to software services
provider that conducts financial transactions… so too are
countries becoming increasingly defined by code, rather
than physical, tangible assets”
– Dave Aitel
Cyber from a subcontinental perspective
• “Most common threat vector within the cyber
environment displays characteristics of a classical
insurgent force” -- Maj. GB Parisien, Canadian Forces
College
• Cyber feeder program – Cyber NDA
– Skilling would be the most effective & cheapest force
multiplier for the Indian Armed Forces
• Focus on tooling & toolchains rather than hacks
– Controls resource & manpower attrition
Cyber from a subcontinental perspective
• Cyber is the strategic pivot of symmetric war, not the other way around
• A highly regulated non-state actor engagement model
– Cyber-military industrial complex
• For India, cyber-deterrence may mostly be realized
through geopolitical alliances as the capability build-up
is slow & weak