Offensive cyber strategy… Putting together an offensive cyber strategy is difficult if one does not have a military background, know the latest buzzwords and/or have a doctorate in an aspect of offensive warfare in cyberspace (could range from National Security Strategy to Advanced Persistent Threats to Information Technology). The folks that work at the US Cyber Command are a unique breed in that they have to “moosh” all this together and hopefully some of it will stick. The formation of a J3 Targeting shop (I don’t even know if there is such an animal) at CyberCom probably bears the signature of someone with a background in (fill in the blank), meaning that (fill in the blank) may not be fully or adequately represented (and therefore we may or may not adequately exploit that weakness in others in the future). The problem here is that our adversaries and potential adversaries may have a gaping zero day exploit which we do not see and do not exploit for days, years, or even longer – the same goes for us.
Take Moonlight Maze, for instance. This intelligence investigation was published in the London Times in the summer of 2000, after US Senate testimony peeled back the top layer of that onion, so let me use that as an example. Supposedly US defense systems were being penetrated – badly. Supposedly it took months to prove someone was in the system, more time to discover and prove what was being taken and even more time to determine how. Bottom line, a new technique was discovered where we didn’t even know we were vulnerable and a potential adversary took advantage. Today, guarding against this technique is fairly routine but back then it didn’t even occur to us that we could do that… again, like 9/11, we hadn’t considered something and suffered because of it. A caution about the Wikipedia account: the timelines aren’t accurate, but it is a very nice synopsis.
Saying cyberwar does not an exploit make… in my worst Yoda imitation. One should (I don’t want to use the word must) consider making a very flexible approach. There are hundreds, perhaps thousands of possible ways of bringing down a system. Heck, we might invent some way of manipulating an electron to ‘fuzz up’ the input coming into a system in the near future (or better yet, inside a system), effectively blinding an adversary. I would say that’s a cross between Electronic Warfare and Warfare in Cyberspace but to my knowledge, it’s not being done. When I mention such stuff to ‘cyberwar’ experts I see the look on their face and I read that thought bubble above their head – “it’s not possible”. “Dude”, I say, “not only is it most likely possible, it’s probably already being investigated, we just haven’t conceived the idea, so it seems outlandish.”
So… in writing an ‘offensive strategy’ one should consider one’s words obsolete before they are printed and, therefore, one should give a strategy the flexibility to bend, morph and evolve into literally tomorrow’s technology, tactics, techniques and procedures. Resist the urge to publish according to today’s standards. We do not know what will be discovered tomorrow and we should embrace that change is coming and think and write for it now.
My thanks to Max for inspiring this little missive. After I wrote an email response to a paper he wrote, which has really good potential, I realized others might benefit from these words. I agonized about one paragraph of this blog, about what I could say and what I could not. Even though some events occurred some 15 years ago, I still cannot talk about them and, even if I could, I would probably only muck up the facts.
Update: ps. An offensive cyber strategy MUST be part of an overall military strategy, which in turn should be part of an overall national strategy. In my initial response to Max I had stated this emphatically and repeatedly in previous papers. I think it important enough to add here.