Start your day with intelligence. Get The OODA Daily Pulse.
Informing your decisions with actionable intelligence
Start your day with intelligence. Get The OODA Daily Pulse.
Informing your decisions with actionable intelligence
To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.
To encourage openness of discussion, these sessions take place with Chatham House rules, where participants are free to use the information in the meeting but are asked not to directly quote or identify other participants (we also keep privacy in mind when preparing summaries of these sessions, like the one that follows).
The April call was held on Friday, April 15th. This month’s call was marked by more than the usual number of follow-up commitments on what were clearly promising ideas and projects with great potential for OODA Loop research and analysis (and are also a bit more time-sensitive than usual due to the crisis conditions in Ukraine).
In a break from the usual “summary” format of this read-out of the monthly OODA network meeting, this post will predominantly highlight the topics and projects with the potential for follow-up research. For all of these ideas and follow-up projects, we are looking to get from ideation to a draft OODA Loop research and analysis post (in the publication queue) as soon as we can.
If you are “attached” to any of the ideas (primary source material, initial ideation on the call, etc.) and have draft documents or action items you have taken since the meeting, please follow up with the OODA team.
Topics of discussion on the April monthly call were:
To start the meeting, OODA CTO Bob Gourley shared that some of the members of the OODA network have been providing pro bono consulting to senior members of the Government of Ukraine to help their war efforts: “The discussions with Ukraine are not for public release, but we were given permission to discuss some of the topics with the network.” Bob encouraged the broader OODA network membership to contribute to pro bono efforts to assist these Ukrainian technologists (tasked with providing innovative solutions to the Ukrainian war effort).
Bob then reviewed some issues OODA network members have been working on and solicited any ideas for additional topics to raise with these leaders in the Ukraine Ministry of Digital Transformation. Please reach out to Bob directly if you have any questions, comments, follow-up items, or specific resources you would like to discuss with him and the OODA team on these ongoing Ukrainian assistance efforts. And, of course, thank you to the network members who have contributed time and resources to the Ukrainian government – and shared the details of those efforts with the group on the monthly call.
The group picked up on some of the ideas expressed by Bob in his March 13th post We Are In The First Open Source Intelligence War. Specifically, social media is now an element of warfare. Items of interest for follow up research and analysis on this topic include:
OSINT Social Media Distribution: Both the Russians and the Ukrainians are using social media to share information and garner intelligence. Research questions include: This is a very new thing in terms of conflict. What are the issues of the scale, validity, speed, and volume of this social media-based information and intelligence distribution in a conflict environment?
On the Ground – Physical Layer Jamming: There is a constant radio frequency (RF) jamming by everybody. Russians are jamming, the Ukrainians are jamming. The whole RF band is burned. Almost nothing works on the ground in Ukraine (i.e.. smartphones or Wi-Fi) because someone is always jamming the frequency of their adversary. Research questions include: What are the tactical implications of this constant jamming? What is the best OSINT resource for determining the extent and impact of jamming activities? Are the NGOs working on the refugee crisis equipped to ‘stand up’ emergency cellular, radio, and WiFi signals to improve the cognitive infrastructure for refugees? What contributions can nation-states, NGOs, and global tech companies make to repairing, protecting, and improving the cognitive infrastructure on the ground in Ukraine?
Visual AI and Social Media: Homegrown AI capabilities, or AI techniques built on open AI libraries, allow the Ukrainians to take pictures of dead Russians and Russian prisoners of war, and then rapidly identify the individuals what their social media accounts are and who their relatives are. This activity is based on a strategy of getting this information to the fallen Russian soldier’s friends and family. This Ukrainian strategy is based on many mainstream media reports on the fact that protests from the mothers of missing and dead Russian soldiers have fueled Russian protests against Soviet/Russian in the past. The Ukrainians are trying to shape the Russian family’s perceptions of the war back home in Russia. Visual AI is a capability they are already using. Research areas include: Qualitative and quantitative use cases and anecdotal evidence on the success or failure of these efforts; Visual AI? What is it and how has it been used to challenge Russian mis- disinformation in Russia.
The (Loose) Parallels Between Ukraine and Taiwan: In contrast to the aerial bombardment of Ukraine, Taiwan would be an amphibious landing. But what is happening in Ukraine gives us some insight into what might happen in Taiwan with the reality of modern warfare, including social media impacts. Research questions include: What would the Chinese do preemptively to the social media platforms available in Taiwan based on their tactical and strategic learnings from Ukraine?
The benefit of reaching out to help the Ukrainians has been the learning opportunity. The biggest learning opportunity will be our ability (as a community) when the conflict is over to do a postmortem analysis of the ‘cyber failures.’ Case studies for research and analysis include the Russian attempt to attack the Ukrainian Energy Grid (what are the details and conclusions?) and the lack of an attack (to date) on the domestic U.S. using the same tools and technology (why has the other shoe not dropped yet re: a major domestic U.S. cyber attack? What are the current numbers of the ongoing onslaught on cyber incidents that have not risen to a major attack?).
In the sections below entitled Russian: Degradation of Information and Communication Technology (ICT) Resources, China and Recent CISA Joint CSAs and Targeting of Domestic U.S. Critical Industrial Infrastructure, there are also discussion points on ‘cyber success’ which are also ripe for follow up research and analysis.
The group had a discussion of the OODA Loop post of March 17th entitled Russia Faces IT Crisis With Only Two Months of Data Storage Capacity Available. Research Questions Include: How are the Ukrainians talking about the intel they’re getting about Russian ICT weaknesses and degradation of capabilities? Western companies pulled out and are causing this data storage shortage. Does that create a vacuum for China and North Korea to provide ICT material support to Russia? How much of this activity is clandestine and outside of the Geneva Convention’s definition of “the prohibition of unqualified acts of ‘material support,’” and/or other unofficial ‘norms’ during warfare?
This topic also comes up in a few different contexts in the sections below, entitled Russian: Degradation of Information and Communication Technology (ICT) Resources, China and Recent CISA Joint CSAs and Targeting of Domestic U.S. Critical Industrial Infrastructure.
The group on the monthly call agreed that seen through a traditional geopolitical prism, the Russian motives for the invasion of Ukraine ‘are simply unknown. Follow-up research questions include: Is it all about Russian oil and natural gas and maintaining access to natural resources and the EU marketplace by way of Ukraine? What are the frameworks that can help us understand Russian motives (i.e. the work of Peter Swack and studies of Russia and the Soviet Union, Russian culture and history in geopolitics- and things Putin has been saying himself since 2004)? In the run-up to this invasion, why did many expert opinions converge conclusively into a strong opinion that Russia was going to invade?
As Bob noted on the call: “44 major cities in China are under some degree of lockdown, with horrible pictures and video of what they’re doing to their own citizens – evicting them from their own housing to make room for others to quarantine for COVID. Protest in the street – unheard of since Tiananmen Square. We have been talking about the weakening economy in China and the impact that can have on supply chains. And for two years, we’ve been talking about COVID in China and its impact on the global economy. And now it all seems to be coming to a head and for anybody who has not informed their strategy with the reality of what’s going on – now is the time. Better late than never.”
“I wanted to ask the group: are there any other sources we need to be aware of? or any other questions about China that we can dive into in our future research and reporting? other comments at all on supply chain impacts?” Topics discussed on the call include:
Monitoring of Low and Slow Cyber Attacks: An OODA network member with access to an AI live monitoring service has “seen a lot of low and slow attacks. And from my discussions with someone significant in the military, it seems like China is really excelling at getting these IP blocks of addresses that look like they’re coming from within us. And I would like to dive deeper into that activity and present something to the group at some point – like a demo – cleanse and replay some stuff so the group can actually see some of this activity.”
Zero trust architectures (and software-defined perimeters and improved protocols to reduce risk in architectures and design) were discussed by an OODA Network member who is a subject matter expert on the call and has deep experience developing protocols. Issues for future OODA Loop research and analysis include:
The Declining Effectiveness of Cybersecurity Products: spending more of an IT budget without an increase in performance. How do improved architectures and designs address this problem?
The Emergence of Quantum Computing in China: How would Chinese innovation in Quantum impact our current cybersecurity model? Would it be lethal to our model because digital certificates are kind of foundational to how we think about security?
Everybody is Going After the Data: How does zero trust – and innovation at the architecture and design level – provide opportunities for better security around large-scale, mission-critical data sets? What happened is there is nothing to attack? What does zero trust in application infrastructure look like? If we do not want the application infrastructure to have any of our data, how would a completely decentralized compute architecture solve this design issue?
Research published by ARK Invest shows that3 AI Training Costs Are Improving at 50x the Speed of Moore’s Law – inclusive of a rapid decline in the cost of training. Participants on the call (affiliated with an innovative AI company) validated that the ARK Invest research is “very exciting research and certainly something that our scientists and engineers looking at very closely. It is going to help the end-user significantly – especially in some of the national security and defense sectors and some of the work they’re doing.” Follow-up OODA Loop research and analysis include the opportunity to integrate the ARK Invest findings into how we cover the disruption and exponential growth of machine learning from a business strategy perspective – balancing out some of our research and analysis on government-led AI and machine learning projects – and insights into AI governance and the moral and ethical implications of AI, including the AI Accidents framework.
Issues for further OODA Loop tracking, research, and analysis include:
The Libertarian Ethos of the Crypto Community vs. Future Government Involvement and Regulation: Will governments abdicate their role in this emerging ecosystem because they are slow movers/late adopters/fast followers (at best)?
The Balance between Security, Anonymity, and Accountability: We need an ability to track down criminals and child pornographers, and oligarchs if they are using cryptocurrency, but implicit in that tracking ability is that it can be directed at anyone with a coin, a node or blockchain – which is counterintuitive to the entire design and promise of the technology. Is the recently proposed federal regulation enough?
Overregulation? The ongoing question: will overregulation stifle innovation?
The Need for Speed: Cryptocurrencies include Bitcoin, Ethereum, and 14,000 other cryptocurrencies. The two platforms have always been plagued by the slowness of the network and how hard it is to get things done. Are we on the brink of a wave of major innovation (i.e. the lightning network capabilities) with payments networks for the first time in 50 years?
The Promise of Blockchain Technology Needs to be Decoupled from Cryptocurrency. As a network member notes on the call: “I think there is a big difference between what is happening with Ethereum 2 and zero-knowledge off-chain transactions, which are really focused on enterprise applications (whether it’s supply chain or decentralized finance, etc.) And I think the problem is people group everything together. Ethereum 2 and where it is going is very much enterprise-focused and looking at mainstream financial markets. And, I really think this is going to take off – just because it lowers the cost of financial transactions (like insurance) and creates more transparent markets. So, I am actually a believer in the promise of the business applications.”
OODA Loop Cryptocurrency Incident Database: We continue to track as many cryptocurrency incidents as we can and then report on the root cause. How best do we generate follow on research and analysis to generate lessons learned and recommendations for these kinds of risks?
A Core Issue – Know Your Customer (KYC) on recipient wallets: It is apparent there are a lot of governments – and the U.S. will follow lead – that will not allow the transfer of bitcoin or digital currencies unless the identity of the recipient wallet is known – which breaks the model for a lot of the ecosystem. What are the latest developments, innovations, and insights on this topic?
Since the monthly meeting call, OODA CTO Bob Gourley has organized some of the insights from the discussion in the following post:
https://oodaloop.com/archive/2022/04/25/time-for-every-company-and-every-government-organization-to-consider-running-a-bitcoin-node/
The Five Eyes Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and, specifically, the DOE, CISA, NSA, and the FBI Release Joint Cybersecurity Advisory about Industroyer2 and Pipedream ICS/SCADA Malware were discussed on the call. Tools and adversary targeting of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) device vulnerabilities are of grave concern to the group, pointing out that it seems strange that “we are talking about the tools and the infrastructure, but nothing has been attacked yet.”
Areas for future research and analysis are issues OODA network members have been debating for a long time: What are the implications of persistent engagement? What does it mean to defend forward? What does it mean to bring the power of the U.S. government to bear in support of allies and in defense of private sector entities? What does it mean to risk further escalation and conflict where the adversary has chosen to move very aggressively to posture against Western energy networks, the USG, U.S. oil and gas and energy sector targets, and nuclear targets?
A seasoned SME on the call provided the following insights based on direct experience with the authoring of the CSAs and tactical cyber maneuvers in the last 6 to 8 weeks:
Zero-Day Exploits and Vulnerabilities: This concept applies here. For the first time, publicly discussed at this level, this was seen before adversary use – which makes it a very hard thing to describe. It makes it a very aggressive forward-leaning use of intelligence and other resources to get an understanding of this out into the wild. I’m referring specifically to the Pipedream component, which was the most recent CSA announcement. The reporting stands out as it is. It is highly unusual that it has not been further characterized for attribution.
Industroyer2 has been very well attributed by industry: Indestroyer2 is the most recent evolution of a very specific multipurpose wiper capability that hit multiple substations in Ukraine. The original intent of the CrashOverride malware was not simply to break one or two substations. It was designed to cause cascading failure across the grid. With Indestroyer2, the ambition was much higher than they executed previously and the ambition was much higher than they were able to pull off – almost certainly due external intervention bluntly.”
“Cyber had no effect,” Cyber has negligible effect”: That is simply not true: There have been ongoing aggressive operations. This is part of military operations. There is no other definition but cyberwar that we could apply to this activity. The fact is this was deployed by the same development teams and structure as the Sandworm Team (aka BlackEnergy APT Group and Voodoo Bear). This is a GRU attributed activity. Cyclops Blink was also burned before it was known to industry.
Defend Forward Activities: There are some arguments to walk back the authorities under which Defend Forward activities are being conducted. But the fact remains: what you are seeing discussed publicly in these joint CSAs is the result of these defend forward tactics. It is no longer a theory. It works. It is in practice and it is dramatically degrading adversary capabilities across multiple lines of their intentions.
It is Not a Coincidence: The department of justice decided to disclose an incredible set of material in the recent indictments. If you have not read those indictments to understand the full scope of what that FSB team was doing, it is absolutely critical and important. Whenever we are sounding like alarmists about the adversaries’ strategic operations capabilities, we are usually talking about these FSB capabilities. The president of the United States does not casually make statements about specific intrusion groups. The Deputy National Security Advisor for Cyber does not come out and publicly make those statements without a very good reason. There is a recent Foreign Affairs article saying cyber was negligible in Ukraine. All of this is nonsense. That the NATO intelligence community felt the need to correct the record is rather unprecedented.
The TLP AMBER Leak: The damage done to bilateral relationships by the leaking of certain TLP AMBER materials is going to make this much harder going forward. The fact that it showed up in a press tweet was painful for everyone.
What’s Next? This is not the last set of these tools that we are going to see: If you are running an Indications and Warnings (I&W) matrix formally in your organization – which you should be – it is blinking red, if not black. We are losing visibility of observation on some of the key adversary aspects. We are using intelligence in some very aggressive ways. Industry is not seeing the things the U.S. government has to bring it to them – or other entities are bringing it to them (thus the joint international CSAs). Even understanding these defragmented pieces that are coming out becomes harder – and it becomes much more important to orient on them. Regarding the initial warning around scanning and addresses: POTUS does not get worked up over some IP addresses and we do not move the entire national security apparatus for that purpose.”
A Tremendous Amount of Free Fire Activity from a Variety of Uncontrolled, Unilateral, Private Actors: Whether it’s the Belarussian cyber partisans that were denying integrated rail movements with escalation physical sabotage in some of the networks. We are seeing a variety of other operations being conducted. At any moment, any one of these could pop and be the next headline crisis that you all may have to deal with – because if it’s adjacent to your sector and it hits something inside Russia, they may decide to conduct symmetric retaliation. There is also no guarantee that it will stay symmetric. There’s a very strong likelihood that they will be an interest-based targeting more than simple reciprocity – where the adversary has become attuned to what is driving Western policy concerns in a way that we have not seen before – and that includes the use of proxy actors within the ransomware continuum criminal enterprise.
Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop
The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence
We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech
Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency
The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community.
About the Author
Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.
Informing your decisions with actionable intelligence
Informing your decisions with actionable intelligence