Forechecking the Cyber Puck
© 2017 FrontLine Security (Vol 12, No 2)

Three decades ago, the Cold War was still raging and conflict between states represented the principal threat to international security and nuclear deterrence was the game. Then came the collapse of the Soviet bloc, the rise of transnational terrorism and the Internet. Fast-forward to today and we have a multitude of security challenges that were never envisioned, from cyber-espionage to super-empowered non-state actors. In a few short years, technology has gone from teletype messages to mobile phones, social media and personal drones. 

Today, our world is subject to global influence at the speed of light. We have entered a period of instability, rapid convergence, quantification and risk, where social media has created a frictionless state between the human terrain, the network, and the Internet-of-Things.

The cyber dialogue has been elevated from hackers to matters of strategic deterrence, coercive signalling, and purposeful interference of critical infrastructure. In this age, the mouse has proved mightier than the missile – the accessibility of the cyber space contributes to the fog and friction of war.

In the fifth century BC, Sun Tzu advocated “foreknowledge” as part of a winning strategy. He warned that planners must have a precise understanding of the active threat and not “remain ignorant of the enemy’s condition.” 

Robert John Garigue, a computational epistemologist and father of information warfare in Canada, published Developing a Conceptual Framework in 1994 for the Department of National Defence (DND). This was a landmark document and the genesis of proactive cyber defensive theory in Canada. Since then, we have simply been admiring the problem.

That is about to change.

To date, the Canadian Armed Forces (CAF) has focused on securing important military systems, network monitoring, control, and incident response as parts of a shared responsibility with other government departments and agencies.

The 2017 Defence Policy recognized that cyber has a number of touch points across the CAF and that substantive investments are required to develop joint capabilities of: advanced training, situational awareness, mission assurance, threat intelligence, and active response. 

The Chief of Canada’s Defence Staff, General Jonathan Vance, in a recent interview about the defence policy, said it would be “irresponsible for Canada not to have the ability to hit back against hackers and organizations that already use cyberspace as a battleground […] a team can’t play with just a goalie.” 

To further draw upon the hockey analogy, many organizations have been playing with only a goalie facing into their own net, reacting to goal horns and lights, but never seeing the puck coming.

A cyber defence strategy needs fore-checking. That is, playing an aggressive style of defence: checking opponents in their own defensive zone, before they can organize an attack.

We also need to bring our game into the professional leagues. Conducting active cyber operations in contested space requires an entirely different set of tradecraft, tactics and technology.

1. Proactive Mindset
Proactive cyber defence should act in anticipation to oppose an attack, while offensive operations take the fight to the adversary. We need to strip reactive language from definitions of proactive defence strategy and think differently.

There appears to be an over-emphasis on resiliency, emergency management and disaster recovery, thus establishing a policy of failure as the starting point to a strategy on cyber and critical infrastructure protection, and perpetuating disaster continuity. The threat will remain undeterred without the consequence of detection and retaliation.

2. Convergence and Pervasiveness of the Domain 
Through convergence, cyber has evolved into a complex ecosystem of information and systems. Cyber has the ability to achieve strategic balance between deterrence, containment, intervention, influence, and the projection of soft or hard power while maintaining the legitimacy of force. 

We must now think in terms of the Internet-of-Everything. Consider that the largest mobile device you will soon own will be your car. Picture a fighter aircraft as software with wings and navy ships as floating data-centres. Look at augmented reality gaming on our sidewalks, drones in the sky, and semantic botnets influencing mass-populations in a theatre of operation. Solutions need to close the gaps left by traditionally siloed security.

3. Next Generation Technology, Tradecraft, Training and Tactics
Cyber is often viewed as more of an administrative issue – not directly related to the core business of bullets and battleships. Combatting informationalized warfare at scale will require more than rebadging incident responders as cyber warriors and issuing standard kit. To fight the network, one needs specialized infrastructure that is independent of traditional networks. One cannot simply engage in active cyber operations using an office laptop (about as effective as deploying staff cars into battle). One has to be willing to abandon legacy technology, methods and programs. Combat-hardened networks are, by their nature: hyper-agile, dispersed, resilient, global and bulletproof.

4. Public Private Partnerships (P3)
Operational experience has demonstrated a high likelihood that internal conflicts in fragile and ungoverned regions, and in countries with porous and poorly controlled borders, will be the norm for which our military will have to prepare to deploy. As the potential for involvement in these unstable regions increases, their societies are also becoming increasingly connected to the Internet. Cyber, however, has indistinct boundaries, be they technical, physical, political, or socio-economic.

The multi-stakeholder model in cyberspace governance means that there are a lot more players. Proxy conflicts in cyberspace can unbalance the traditional deterrence equation given cyber is an offence-dominated domain.

The military does not build its own tanks, aircraft or ships. It should come as no surprise that cyber space is owned, operated and defended by the private sector and a globalized industry. Industry is already decisively engaged as a proxy target of state cyber-warfare and espionage.

Playing the offensive game requires a public-private partnership as well as a poly-stakeholder governance framework. It is not something any government can accomplish unilaterally from existing networks, as it contains numerous technical challenges and moral hazards.

5. Strategic Understanding
Military cyber operations require an enhanced understanding of the domain. Reacting with surprise is ineffective, costly and leaves few options.

Proactive defence provides time, precision and actionable insights using three tightly coupled concepts:

  • Cyber Intelligence, Surveillance and Reconnaissance (CyberISR) provides strategic listening to enable, secure, sense, and exploit the Internet-of-Everything;
  • Intelligence Preparation of the Battlefield (Cyber IPB) generates the ability to enumerate, rapidly target and re-acquire the adversary within contested space; and
  • Cyber Psychological Operations (CyOps) can influence the human terrain from cyberspace.

6. Targeting
Traditional ISR and targeting are ill-suited for the Cyber Domain. Cyber is too fast, fluid and uncontained. In fact, Cyber aligns better with the Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD) methodology to anticipate and predict enemy operations, identify, locate, and target enemy forces, and to perform intelligence exploitation and analysis.

In the same vein, the Proactive, Pre-emptive Operations doctrine seeks to bring together military action, information warfare, intelligence, cover and deception. Thus, an active cyber defence would have the capability to conduct adversary pursuit and sustained hunt operations to identify signs of planned and active attacks and take action to neutralize them, forming the foundation of a comprehensive approach.

As former CSIS Director Richard Fadden said in 2016 during a CBC Radio interview, “If we are going to allow that we’re going to have Canadian Forces abroad and they are facing cyber attacks, either communications or other, I think it’s totally reasonable to think seriously about whether or not we should give them the capacity to reach out and suppress before they are used against them.”

7. Warfighting in the Internet of Everything
Nowadays, nearly all cyber compromises are socially engineered or originate from human error. The largest-magnitude “denial of service” attacks come from the Internet-of-Things.

Cyber is the nervous system that binds all critical infrastructures; it can influence populations and interfere with the democratic process. This new type of warfighting requires a fundamental rethinking of doctrine, policy and organizational models. It requires an agile capability to hunt an adversary across social, cyber, physical and human networks.

As a defender, the next attack will come at you sideways, from outside your domain, and for this we need a winning strategy. We are living in a converged world, requiring converged solutions.

8. Informationalized Warfare
Active cyber defence is not just about the ones and zeros. Coercive persuasion can be amplified by cyberspace to be effective at scale, whether that be interfering in the democratic process or military deception. Cyber is the modern-day battleground of ideas and influence, and the doctrine of cyber defence must evolve to integrate Counter-influence and Information Peacekeeping (IPK).

9. Strategic Deterrence
Deterrence is based upon both a credible proactive defence and an offensive capability from which to project power and security, and to exert influence globally through cyberspace with the aim of defence. Furthermore, deterrence and diplomacy are required in the right dosage to dissuade and deter purposeful interference with critical infrastructures by foreign states. Authoritarian regimes have limited soft-power options (like cyber) and their subsequent actions can be sudden and violent. Nations are therefore more susceptible to strategic surprise and horizontal proliferation of conflict. Cyber offers a response that is somewhere between a diplomatic note and a nuke strike.

10. Offensive Imperative
Globally, there is a significant capability gap between the offensive and defensive game, measured in decades. One cannot simply cross this divide with more defence. As Melissa Hathaway, Senior Advisor to the Director of National Intelligence, pointed out, “offensive must inform defence.”

A strong offensive rests on the foundation of a well-engineered proactive defence, enhanced operational security, and war-ready infrastructure. Like any team sport, offensive and defensive cyber operations need close coordination for reasons of operational security, and to mitigate the risk of friendly fire. Joint capability development is recommended for similar reasons.

“You need to be on the offence to ensure you’re not going to get scored on all the time. And you need to be on the offence if you actually want to win something sometimes. You want to win that game,” concludes General Vance.

Dave McMahon is a cyber security strategist based in Ottawa.