Start your day with intelligence. Get The OODA Daily Pulse.
The conduct of U.S. military cyber operations has significantly shifted—particularly in the last year. The Department of Defense’s newest cyber strategy, issued in September 2018, emphasizes a “persistent engagement” approach that moves the Department from a reactive state into a more proactive, assertive stance against national security threats in the cyber domain. This is also consistent with the Trump administration’s new classified directive for streamlining the review and approval process for cyber operations. NBC News reported back in January that “the military’s elite cyber force has conducted more operations in the first two years of the Trump administration than it did in eight years under Obama.”
Yet, as the details of these cyber operations are becoming publicly available, I believe there are a set of incorrect assumptions that may be impacting the U.S. government’s ability to produce optimal long-term strategic effects.
The Rumor of Offensive Advantage
There are plenty of national security strategists who favor an offense-dominant warfighting strategy. This is because in theory, the offensive approach is assumed to produce a short, decisive, and structured battle that is set on the attacker’s terms. Jack Snyder writes about this “cult of the offensive,” around the First World War in The Use of Force: Military Power and International Politics. Because of the perceived advantage, military institutions usually prefer to plan for a quick disarmament of the adversary even if a defensive strategy is easier.
However, in both the cyber and physical world, we have seen that advancements in technology favor the defender. In their book titled Cybersecurity and Cyberwar: What Everyone Needs to Know, P.W. Singer and Allan Friedman note “the most important lesson we have learned in traditional offense-defense balances, and now in cybersecurity, is that the best defense is actually a good defense.” It may seem as if it is operationally easier to wage a cyberattack, as defenders cannot be everywhere at once. Nonetheless, the most crippling attacks are much more difficult than what is often depicted. Former Director of the Defense Information Systems Agency, Charles Croom, explains, “The attacker has to take a number of steps: reconnaissance, build a weapon, deliver that weapon, pull information out of the network. Each step creates a vulnerability, and all have to be completed. But a defender can stop the attack at any step.”
Operation Glowing Symphony, seemingly the longest offensive cyber operation in U.S. military history, shows us just how difficult it is to orchestrate a successful attack. Initially devised in 2016, the goal of the operation was to deny, degrade, and disrupt ISIS media operations. While a majority of the details remain classified, the New York Times reported that United States Cyber Command and the National Security Agency (NSA) were able to obtain passwords from ISIS administrator accounts. With this access, the U.S. blocked out fighters and deleted terrorist propaganda from the web. Unfortunately, ISIS was able to quickly reconstitute because they backed up their data in servers across the globe, used encrypted communications, and leveraged common applications for their operations. Three years later, the U.S. military is still in ISIS networks attempting to disrupt terrorist activity.
I don’t want to paint Operation Glowing Symphony as an overwhelming failure, as ISIS’s ability to operate freely on the web has been severely diminished. This case simply highlights the high threshold to conduct an effective cyber operation over a number of years of persistent engagement.
Lack of Coercive Capability
We have seen state and non-state actors employ cyber operations in an attempt to influence adversary behavior. The objective is often to produce a coercive effect, primarily through compellence or deterrence. But as more studies are conducted on the dynamics of coercion in cyberspace, we see that the coercive effects are often limited.
Let us take the example of the U.S.’ retaliatory cyberattack following the Iranian takedown of an unmanned U.S. Navy drone. In June 2019, Iran’s paramilitary force, the Islamic Revolutionary Guard Corps (IRGC), shot down a U.S. drone after claiming it wrongfully entered the country’s territory. The U.S. contested this, citing the drone was actually in international airspace. In response, President Trump authorized a cyberattack that targeted a critical database used by the IRGC to track oil tankers and shipping traffic in the Persian Gulf. Vox also reported a second U.S. attack on Iranian military computer systems that control the nation’s rocket and missile launchers, although U.S. officials have denied this.
Officials claim the cyberstrike against IRGC was designed to be debilitating, but proportionate and not lead to further escalation. However, shortly after executing the U.S. cyber operation, the Department of Homeland Security announced a “recent rise in malicious cyberactivity directed at United States industries and government agencies by Iranian regime actors and proxies.”
In my judgement the cyberattack was a tactical success, but proved to be a strategic failure. Presumably, the goal of the operation was to impose consequences on Iran, signal that the U.S. is capable of immediately responding to acts of aggression, and deter future Iranian attacks. Yet, Iran continues to ignore U.S. pressure, as demonstrated by the subsequent cyberattacks against U.S. companies and government agencies. While I have oversimplified U.S.-Iranian hostilities for this example, if we examine the immediate tit for tat following the U.S. military drone take down, the resulting coercive effect of a U.S. cyberattack is very low.
Illusion of Precision
When reading about cyber operations, I have seen numerous descriptions calling out “highly targeted attacks” and “cyber surgical strikes.” They are portrayed as impeccably accurate, with more recent analogies comparing cyberattacks to precision-guided munitions. I believe this to be particularly misleading, as there are concrete examples of widespread collateral damage in cyberspace as a result of cyberattacks. (Spoiler alert: precision air strikes are also a myth.)
Although it is not a military campaign, I would be remiss if I did not mention the Stuxnet worm. Stuxnet is attributed as the world’s first successful cyber-kinetic weapon, and even though government officials have not confirmed it, the operation is assumed to be a collaboration between U.S. and Israeli intelligence services. It targeted Iranian centrifuges, altering the rotator speed and causing physical degradation so as to sabotage the country’s nuclear program.
The operation was described as “far too precisely targeted to damage anything other than equipment used only in Iranian uranium enrichment facilities.” Security researchers have claimed that the risk to third-party countries was low because Stuxnet was programmed to infect only a specific subset of Siemens hardware. Yet, a Symantec report on Stuxnet shows evidence of the worm spreading to Indonesia, India, and even the U.S. Fortunately, it did not cause widespread damage in these countries. But, we must remember the worm was never intended to travel outside the facility’s air-gapped networks in the first place. The malicious code is still available online which allows other malware developers to repurpose it for new attacks. Years later, one of the exploits that Stuxnet took advantage of was still widely used in 2016.
Decision-makers need to seriously consider the likelihood of propagation and weigh the associated operational risks. Another such example is the U.S.’s attempt in 2008 to dismantle a website suspected of facilitating suicide bombers in Iraq. This operation resulted in the disruption of more than 300 servers in Saudi Arabia, Germany, and Texas due to difficulties in mapping out target IT systems. The U.S. seems willing to accept a greater risk when conducting cyber operations, potentially due to the lack of physical effects. This is an unhelpful perspective as the 2019 World Economic Forum global risk report named data breaches and cyberattacks as the fourth and fifth most serious risks facing the world.
Threat of Vulnerability Stockpiling and Miscalculation
Cyberattacks cannot be fired at the drop of a hat. They necessitate extensive priming to gain entry into target systems. An attacker may send phishing emails, deploy malware, and/or exploit hardware or software vulnerabilities to obtain access. Though once inside, an attacker may wait weeks, months, or years before initiating a destructive attack, potentially holding out to escalate access, continue to collect intelligence, or trigger the attack during a subsequent conflict. This scenario presents two key issues: vulnerability stockpiling and miscalculation of the attacker’s intent.
The U.S. has been accused of stockpiling vulnerabilities before. The conversation was reinvigorated following the 2017 WannaCry ransomware attack when an alleged NSA hacking tool was used to exploit a critical vulnerability in Microsoft Windows. The attack spread to at least 150 countries, where global financial and economic losses range from hundreds of millions of dollars to upwards of $4 billion. Slate reported, “The NSA did, eventually, inform Microsoft of the vulnerability so the company could patch their software—but first the agency exploited the vulnerability for five years to collect intelligence, revealing it only after they learned that [it] had been stolen.” Microsoft called out the U.S. government for stockpiling vulnerabilities rather than alerting software manufacturers to the flaw sooner. Even though Microsoft released a patch more than 2 years ago, cyberattacks leveraging the exploit were still at an all-time high this year. The decision to withhold information on security vulnerabilities should not be taken lightly, as the impact to global infrastructure can be devastating.
The second issue is with regards to identifying an attacker’s intent. The Harvard Kennedy School writes that “an adversary can easily mistake defensive cyber exploitation for offensive operations because the distinction is a matter of intent, not technical operation.” Imagine the perceived intent when the U.S. military, the most powerful in the world, is discovered in an adversary’s high value system. The article goes on to say, “the difficulty of distinguishing between offensive and defensive tactics makes mistrustful adversaries more reactive, and repeatedly conducting offensive cyber operations only increases distrust.” Prioritizing offensive cyber operations can lead to instabilities in international relations and increase an adversaries’ likelihood to react.
Final Considerations
As U.S. military cyber operations ramp up, it becomes essential to address these misperceptions. Decision-makers need to have certainty in the weapons they are launching, as a cyberattack is not bound by the same laws of physics as a conventional missile. Due to the interconnected nature of cyberspace, the likelihood of a cyberattack spreading beyond an intended target is not a far-fetched outcome. Incorrect assumptions about cyber warfare are dangerous and will set the U.S. up for strategic losses in the future.
This is not to say I oppose offensive cyber operations, as the U.S. would be foolish to not use all available tools in our toolbox. We just need to better understand the risks from conducting a cyberattack and hold ourselves accountable if something goes wrong.
What Can Businesses Do To Mitigate Risk In This Environment?
Mitigating risk in this environment requires continued attention and action. Fortunately there are many lessons learned and best practices at your disposal to give you a leg up in mitigating these risks. To accelerate your risk mitigation activities see:
These and many contextualized reports are available at our OODA Member Network Resources Page.