When Routine Isn’t Enough: Why Military Cyber Commands Need Human Creativity

Former Secretary of Defense Ashton Carter recently published a report on the campaign to destroy ISIL. Particularly notable was what Carter said about the “cyber component” (or lack thereof) of the U.S. efforts:

I was largely disappointed in Cyber Command’s effectiveness against ISIS. It never really produced any effective cyber weapons or techniques. When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection. This would be understandable if we had been getting a steady stream of actionable intel, but we weren’t. The State Department, for its part, was unable to cut through the thicket of diplomatic issues involved in working through the host of foreign services that constitute the Internet. In short, none of our agencies showed very well in the cyber fight.

The statement sounds alarm bells about the current organizational efforts of U.S. Cyber Command. In fact, the United States is not the only one struggling. A growing number of countries are said to be establishing military cyber commands or equivalent units to develop offensive cyber capabilities, and they all seem to have their growing pains stemming from the unique nature and requirements of offensive cyber operations.

Carter’s statement primarily refers to interagency problems, for instance, on how the use of militarized cyber operations by CYBERCOM may endanger current or future intelligence collection operations by the NSA. But the problems with successfully carrying out offensive cyber operations are deeper and more complicated. Specifically, military cyber commands require individual creativity — which is too often is sacrificed on the altar of organizational routines.

Routines are considered to be the oil that keeps government institutions running. In the academic literature, routines are defined as ‘‘an executable capability for repeated performance in some context that has been learned by an organization in response to selective pressures.” One benefit of routines is that they provide stability, which in turn leads to predictability. In the cyber domain, where there is already considerable uncertain and imprecise information, predictability of actions is certainly a welcome asset.

Yet offensive cyber capabilities are inherently based on unpredictability. As the RAND Corporation’s Martin Libicki observes, there is no “forced entry” when it comes to offensive cyber operations. “If someone has gotten into a system from the outside, it is because that someone has persuaded the system to do what its users did not really want done and what its designers believed they had built the system to prevent,” Libicki argues. Thus, to ensure repeated success, one must find different ways to fool a system administrator. Repetition of an established organizational routine is likely to be insufficient when conducting military cyber operations. The command must foster an environment in which operators can depart from routine and nimbly adapt their actions to stay ahead of their adversaries.

More specifically, Jon Lindsay and Erik Gartzke note that “cyber operations alone lack the insurance policy of hard military power, so their success depends on the success of deception.” Deception as a strategy is based on two tactics: dissimulation, or hiding what’s there; and simulation, or showing something that’s not. The cyber weapon Stuxnet, for example, utilized both tactics. Through what is known as a “man-in-the-middle attack,” Stuxnet intercepted and manipulated the input and output signals from the control logic of the nuclear centrifuge system in Natanz, Iran. In this way, it was able to hide its malicious payload (simulation) and instead replayed a loop of 21 seconds of older process input signals to the control room, suggesting a normal operation to the operators (dissimulation). To ensure that an offensive cyber attack is successful, the attacker needs to constantly find innovative ways to mislead the enemy — which may mean deviating from routines, or crafting routines that permit individuals to make adjustments at their discretion.

There is no easy resolution of this dilemma. Few of the mechanisms organizations use to encourage creative behavior can be applied to military cyber commands. Instead, what governments can focus on to foster creativity in these organizations is workforce diversification and purpose creation.

First, a common form of encouragement is to reward risk-takers in the organization. Yet military cyber commands need to be risk-averse and cautious. It is essential for “cyber soldiers” to stick to the rules to avoid escalation and possible violation of the laws of armed conflict, just as it is for more traditional soldiers. Despite the need for unpredictable and deceptive responses, military cyber commands cannot simply try things out and see what happens. Indeed, though offensive cyber capabilities are not inherently indiscriminate, without careful design and deployment there is a high potential for severe collateral damage. The Morris Worm of 1988 is an illustrative case in this regard. Robert Morris “brought the internet to its knees” due to a supposed error in the worm’s spreading mechanism. The worm illustrated the potential of butterfly effects in cyberspace – small changes in code can escalate into large-scale crises.

Similarly, military cyber commands will find it more difficult than private companies to grant autonomy to individuals. The underlying management logic for granting personal autonomy was perhaps most famously spelled out (and radically implemented) by Brazilian entrepreneur Ricardo Semler: Let employees decide how to get something done, and they will naturally find the best way to do it. For cyber operations, while outcomes are important, precisely how the job gets done is equally relevant. After all, unlike most conventional capabilities, the modus operandi of one cyber operation may greatly affect the effectiveness of other operations.

This is partially due to what’s known as the “transitory nature” of cyber weapons. Cyber weapons are often described as having “single-use” capabilities. The idea is that once a zero-day vulnerability – that is, a publicly undisclosed vulnerability – has been exploited and becomes known to the public, the weapon loses its utility. Although I’ve argued before that this view lacks nuance – as in reality it often still takes time before patches are installed and vulnerabilities closed (and only the minority of cyber weapons exploit zero-days) – the likelihood of successfully accessing the target system does nonetheless reduce after initial use. In other words, the use of a zero-day exploit by one operator may complicate efforts for other operators.

So, what can be done? At a minimum, military commands should make sure they attract a diverse group of people. Only recruiting people within government organizations for the command, as for example the Netherlands supposedly does, should be discouraged. Conventional human resource matrices (i.e., the candidate should have a university bachelor’s degree, good grades, courses in certain areas etc.) should be reconsidered too.

We have already seen various encouraging initiatives on this front. The U.S. Army recently launched the cyber direct commissioning program, so (qualified) civilians can now directly apply to become officers. Countries like the United Kingdom, the Netherlands, and Estonia are also setting up cyber reserve units to attract civilians with the right skill set. Yet these programs are not yet widely adopted across states, nor do they tend to extend far enough (the responsibilities of reserve officers are often unclear).

Military cyber commands should also make sure they create an inspiring workplace to capitalize on people’s intrinsic motivation. Senior leaders have generally been good at providing a vision for their cyber command; this is normally expressed as a desire to become a world leader in offensive cyber operations (see, for instance, the UK’s cyber security strategy). They are also explicit about their mission. Yet, hardly ever do they provide purpose: how does the command fit into the big picture, and what is the strategic framework being followed? Jim Ellis, the former commander of U.S. Strategic Command, has noted the shortcomings of the cybersecurity discourse, saying the debate is “like the Rio Grande, a mile wide and an inch deep.” A deeper focus on purpose-driven values is needed to motivate people to enter a field like cyber operations.

As more countries look to get into the business of offensive cyber operations, the inherent tension between the requirements of these operations and the regimented tendencies of national security bureaucracies will become starker and starker. If governments want to bring together different minds, inspire creativity, and maximize human performance, they need to clearly communicate the value of cyber commands to their people.

This article was first published @WarontheRocks

Contesting “Cyber”

Here are the links to all the New America blog posts:

Part I: Cyber: not just a confused but also a contested concept.

Part II: The Connotations of “Cyberspace” Shift From Opportunity to Threat

Part III: Substantive vs. implied definitions: A Mundane stuff or the Wild West?

Part IV: “Cyber Exceptionalism”

Part V:  ARPANET; Where did it all start again?

Part VI: Exit, Voice, and Cyberspace

Contesting “Cyber” – Introduction and Part I

By Max Smeets and James Shires. More info about the series here

Introduction

Over the last few decades there has been a proliferation of the term “cyber”, and commensurate levels of inconsistency. This series argues that the inconsistent application of the prefix “cyber” stems not only from confusion, as some scholars and policymakers have proposed, but also from contest. Our goal of this series is not to resolve conceptual disputes, but instead to understand how and why contests occur, and whether, once the lines along which contests occur are identified, resolution is possible.

As the prefix “cyber” has rarely been used alone, we place the concept of cyberspace at the centre of analysis, for two reasons. First, it is considered to be the “elemental” concept in the field, and demarcates the boundaries of relevant technical and social activity through an intuitive geographical metaphor. Second, selecting the concept “cyberspace” for analysis can be considered a least-likely (or least-obvious) study of contest. The attachment of the prefix “cyber” to various nouns has left cyber-related concepts with a variety of underlying normative connotations. On the one side, some concepts describe a clear activity or state of affairs, which are prima facie undesirable, like “cyber warfare” or “cyber threat”. On the other side, various concepts reflect a more positive degree of attractiveness—“cyber democracy” is a good example of this. The obvious normative aspects of these terms to which the cyber prefix is attached make these likely sites for contest, whereas “cyberspace” is seemingly more neutral. We suggest instead that it is the ominous calm at the heart of the storm, providing an excellent case in which to study the tension regarding the prefix more broadly.

Over the next six days, we will publish a series of blog post that show that cyberspace is contested in a number of ways: through its change in connotations from opportunity to threat; through the existence of substantive and implied definitions, with different rhetorical functions; and through competing understandings of the key historical exemplar for cyberspace: that of ARPANET. We therefore note that the prospects for agreement regarding cyberspace are low. Overall, this presents the choice of what we term, following Hirschman, an ‘exit’ rather than ‘voice’ strategy, to use other concepts instead. An initial post in this series was published last Friday at Slate’s Future Tense and can be found here.

PART 1. Cyber: not just a confused but also a contested concept.

Since the early 1990s the prefix “cyber” has become widespread. As often noted, its use stretches back to Norbert Wiener’s coinage of “cybernetics” from its Greek equivalent in the 1940s. It is similarly canonical to cite novelist William Gibson as creating the “ur” metaphor for this prefix in the early 1980s by combining it with “space”. Almost three decades later in an interview with The A.V. Club, Gibson argued that “‘cyberspace’ as a term is sort of over. It’s over in the way that after a certain time, people stopped using the prefix ‘-electro’ to make things cool, because everything was electrical. ‘Electro’ was all over the early twentieth century, and now it’s gone. I think ‘cyber’ is sort of the same way”.

In contrast to Gibson’s prediction, a simple automated content analysis using Google Trends indicates that the popularity of the prefix “cyber” has remained stable (with a spike in November each year for “cyber Monday”). There are ever more applications of this prefix, to words such as crime, law, cafe, hate, bullying, attack, war, vandalism, politics, dating, security, and power. Today, more people enter the search term “cyber” into Google than the term “democracy” or “terrorist”. Needless to say, the term “cyber” has also gained in prominence in academia and policymaking.

The proliferation of this prefix has, inevitably, led to substantial inconsistencies in its use. On one level, these contradictions may stem from simple confusion. As Michael Hayden, former director of the CIA and NSA, remarked: “rarely has something been so important and so talked about with less clarity and apparent understanding than this phenomenon.” Scholars and policy-makers, among others, are not always consistent in their own usage of cyber-related concepts, and they sometimes reinterpret the definitions employed by others, especially when given a liberal dose of cross-disciplinary fertilization.

Many hold that such disagreement is primarily caused by the apparently abstruse and multifaceted nature of the phenomenon. For example, in a Foreign Policy article, Stephen Walt notes that “the whole issue is highly esoteric—you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be,” concluding that “here are lots of different problems being lumped under a single banner, whether the label is ‘cyber-terror’ or ‘cyber-war’. If this is the case, more research can iron out the lack of clarity surrounding this relatively young concept, and then we can get to the one and only “meaning of the cyber revolution,” as Lucas Kello emphasizes in his recent book (and earlier article). However, in this article series we argue that the inconsistent application of the prefix “cyber” stems not only from confusion, but also from contestation.

In other words, the roots of disagreement are deeper than a mere struggle to absorb the collective knowledge of another discipline, but stem from underlying normative disagreements.

Understanding the nature and extent of this contestation of “cyber” is important for both policy-making and academic research. For policy-makers, the promise of what Joseph Nye Jr. calls “rules of the road” in cyberspace is much diminished if the very domain itself remains in question (also see the UK government strategy). Constructing effective international cyber-governance becomes more difficult—although not impossible—if the scope of what to be governed is fundamentally disputed.

For academics, if the roots of disagreement are deeper, then faith in a unified understanding of the cyber-issue is utopic; and further investigation of why and how broader political disputes are translated into problems with this proliferating prefix is urgently required.

Here we will explore what it means when we talk about cyber, and address the nature of contestation from various angles.

This article was originally posted @NewAmerica

The Word Cyber Now Means Everything—and Nothing At All

By James Shires and Max Smeets

In early October, at the launch of Stanford’s Global Digital Policy Incubator, Secretary Hillary Clinton said, “We need to get serious on cybersecurity.”

It’s hard to argue with the sentiment, but what does it actually mean? Is she suggesting that companies should invest in data breach insurance? That governments should build new weapons? That police should have better decryption tools? That tech companies should write safer code, especially for critical infrastructure? That international differences in internet governance must be resolved? That individual citizens should review their online behavior? Or all of the above?

The problem is in the word cyber. At first, the word’s flexibility was a good thing—it helped raise awareness and offered an accessible gateway to discussing all kinds of security. But it has now become an obstacle to articulating credible solutions.

The term cyber has been around for decades, stretching back to MIT mathematician Norbert Wiener’s coinage of cybernetics in the 1940s. Wiener borrowed the ancient Greek adjective ‘kubernētikós’, meaning governing,piloting, or skilled in steering, to describe then futuristic idea that one day we would have a self-regulating computing system, solely running on information feedback. In the 1980s, novelist William Gibson married the prefix to space, creating the term so ubiquitous today. Since then, cyber has been used by anarchists and policymakers, scholars and laymen, artists and spies. It has been attached to concepts ranging from warfare to shopping, and it can denote opportunity as well as threat.

Yet, cyber is, in a way, empty: It acts like a sponge for meaning, soaking up whatever content is nearby. Gibson described this nicely in an interview with the Paris Review: “The first thing I did was to sit down with a yellow pad and a Sharpie and start scribbling—infospace, dataspace. I think I got cyberspace on the third try, and I thought, oh, that’s a really weird word. I liked the way it felt in the mouth—I thought it sounded like it meant something while still being essentially hollow.”

The hollow aesthetic captured by Gibson—the peculiar position of being both intuitively meaningful and a self-consciously strange word—is part of the appeal of cyber. The prefix is popular, and growing in use, not despite its hollowness, which is bemoaned by many, but because of it.

Thomas Rid, in his book Rise of the Machines, shows how various narratives have accompanied the prefix cyber since World War II, all of which cross boundaries between technology and society, between science and culture, and between the impetus created by war and security and more benign visions.

As Rid explains in the preface, the cyber idea is “self-adapting, ever expanding its scope and reach, unpredictable, yet threatening, yet seductive, full of promise and hope, and always escaping into the future.” In short, it is a sponge—but one that fails to clean up the conceptual problems of its terrain.

We can see this clearly in recent events. With new information seeping in on an almost daily basis about the Russian meddling in the 2016 elections, the cyber sponge has been absorbing everything related to disinformation campaigns, information warfare, social media bots, and election hacking.

Clinton’s talk demonstrates all of this. “In the 21st century, war will increasingly be fought in cyberspace. As Americans we need to approach this new threat with focus and resolve. Our security, physical or otherwise can’t be taken for granted,” she said. She went on to discuss the various new “weapons of choice” coming from “the highest bowels of the Kremlin”: email releases, probing voting systems, the industrialization of fake news, targeted use of Facebook ads, and more.

She isn’t wrong about these things, but speaking about them in this manner mashes them together with previous uses of the term in relation to militarized cyber operations, critical infrastructure attacks, DDoS attacks against Estonia and Georgia, and Stuxnet. In this case, the cyber label doesn’t improve our understanding of this influence. Instead, the generic term flattens the terrain by conflating the potential hacking of critical infrastructure systems and the buying of advertisements by foreign nations. This incorrectly implies similarities in response, suggesting that we can handle all of these things in a similar manner. But ensuring that the industrial control systems of a power plant will not be accessed by a malicious actor requires a very different set of actions than curbing the spread of fake news. Labeling both actions as cyber encourages the inappropriate transplant of policies and technologies across these issues.

Finally, cyber also masks significant political and organizational hurdles. Clinton speaks about “the need for public and private cooperation,” but this cooperation takes very different forms for critical infrastructure and social media, not to mention questions of state and commercial offensive actions—yet all fall ostensibly under the rubric of cybersecurity.

We’ve wrung all the utility we can out of the cybersecurity sponge. To address the “serious and urgent challenges” of our time, we need to acknowledge that they are indeed challenges plural—not one single, monolithic domain.

This article was first published @ Slate Future Tense.  Future Tense is a partnership of Slate, New America, and Arizona State University.

 

Europe Slowly Starts to Talk Openly About Offensive Cyber Operations

Europe is finally starting to talk more publicly and candidly offensive cyber operations.

Two weeks ago, the Dutch Ministry of Defense hosted the Third International Cyber Operations Symposium. In conference hand-outs, the commander of Dutch Defense Cyber Command, Hans Folmer, said he hoped to “foster a shared and realistic understanding of the role of cyber capabilities in future operations, while facilitating the opportunity to develop and strengthen relationships among all participants.” One senior participant at the conference observed: “speaking at NATO about offensive cyber was blasphemy a few years ago. We have advanced.”

At the same conference last year, former UK Defense Minister Michael Fallon acknowledged that states “must have the capability to project power in cyberspace as in other domains” and confirmed that the United Kingdom was using “offensive cyber” against the self-declared Islamic State group. This year, participants discussed lessons learned from those operations, and explored how and when cyber tools could be the most useful against an adversary.

However, based on the discussions this year, there seemed to be less excitement about the potential of offensive cyber tools. In Europe, cyber capabilities were once seen as a silver bullet for Europe’s defense problems—chronically low defense budgets and outdated materiel could be replaced with an asymmetric capability that could improve Europe’s ability to deter adversaries and project power. Now, as one participant said, “cyber is no longer something special.” There was a more honest and open debate about how cyber capabilities can be used, the challenges with developing and maintaining them, and understanding their strategic effects.

Nevertheless, Europe will continue to struggle with at least three issues.

First, not all European cyber commands are created equal. In fact, the diversity of capability in Europe makes it difficult to compare them in theory, and probably even more difficult to coordinate efforts in practice. Whereas Germany is said to have thousands of ‘information and cyber officers’, you can count the people working at cyber defense units in other European countries on two hands. Also, all states are in need of technical personnel, but not all have the resources to attract them. Although many European countries started building a cyber offensive capability almost a decade ago, many states are still far away from a meaningful capability.

Second, Europe is still searching for a strategic objective for its offensive cyber capability. Every scholar or policymaker at the conference noted that deterrence was a flawed strategy to pursue in cyberspace—either partially or completely. Yet, there remains a lack of alternatives and policymakers at the conference seemed unaware of ideas raised in the academic literature about the strategic value of offensive cyber capabilities, such as Kello’s cumulative deterrence, Harknett’s notion of persistence, or Lindsay and Gartzke’s discussion of deception.

Third, Europe lacks a common doctrine on the use of offensive cyber operations. NATO recently finished a first draft of its own cyber operations doctrine, and is going through the process of addressing comments made by member states and invited observers. Europe will need a common doctrine, or at least a common lexicon that can be used by military planners, if it wants to take a coordinated approach to cyber operations. Doctrine normally tries to link theory and practice. Yet, cyber operations in a military context are still fairly new and the lack of practice means that policymakers tend to concentrate primarily on theory, making the development of doctrine a difficult exercise.

This article was first published on the Net Politics Blog of the Council on Foreign Relations

 

Cyber References Project

I started my graduate studies a few years ago thinking not much was published in the field of cyber conflict. I quickly found my assumption was wrong when I optimistically began a systematic literature review of ‘all’ the relevant works in the field. It was a project I had to abandon after a few weeks (although I do believe that more reviews like this should be conducted).

Even though it is true that still not enough has been published in the top academic journals, one can hardly say that people don’t write on ‘cyber’. With relevant readings currently being scattered across journal articles, books, blog posts, news articles, cyber security firm reports, and more, it becomes increasingly difficult to know what’s out there and build upon earlier insights and arguments published by others.

Whereas this has led some ( Oxford Bibliographies Project and State of the Field of Conference 2016) to direct efforts towards finding the ‘core’ of the field – focusing on key readings –  I have started a complimentary ‘Cyber References Project with as aim to be much more inclusive.

The database currently includes about 800-1000 readings (and also lists a few podcasts and documentaries), which I have sorted into 48 categories. The categories are not mutually exclusive. The goal is not to search based on author (or title) like conventional search engines.

This database includes the references listed on various cyber security course syllabi, State of the Field of Conference 2016,  Oxford Bibliographies Project, SSRN, Google Scholar, Oxford SOLO, PhD-Manuscripts, and think-tank search engines.

Where I see this project going: I plan to include another 150+ academic articles & 200+ blog posts in the near future. I also hope to improve formatting and sort the current list of readings (by year & add categories). In addition, Olivia Lau maintains a great notes/summary pool of key readings on International Relations. It would be great if we could establish something similar for cyber conflict.

Please let me know if readings are missing or categorized incorrectly. Of course, any ideas on how to make this platform easier to use are also very welcome.

Organizational Integration of Offensive Cyber Capabilities: A Primer on the Benefits and Risks

Below you can find the abstract of the paper I’ll present at the 9th International Conference on Cyber Conflict (CyCon 2017) in Tallinn, Estonia. The paper will be published after the conference.

Organizational Integration has become a key agenda point for policy makers as governments continue to change and create new organizations to address the cyber threat. Passing references on this topic, however, far outnumber systematic treatments. The aim of this paper is to investigate the potential effects of organizational integration of offensive cyber capabilities (OIOCC).  I argue that OIOCC may lead to three key benefits: enhance interaction efficiency, stimulate knowledge transfer and improve resource allocation. There are however several negative effects of integration too, which have so far received little attention. OIOCC may lead to an intensification of the cyber security dilemma, increase costs in the long run, and impel – what I call – ‘cyber mission creep’. Though the benefits seem to outweigh the risks, I note that ignoring the potential negative effects may be dangerous – as activity is more likely to go beyond the foreign-policy goals of governments and intrusions are more likely to trigger a disproportionate response by the defender.

Talk Global Cyberspace Cooperation Summit VII

I was part of a great panel at the Global Cyberspace Cooperation Summit VII, organized by the East West Institute.

The summit brought together policymakers, business leaders and technical experts to discuss the most pressing issues in international cyberspace, including securing the Internet of Things, balancing encryption and lawful access to data, developing norms of behavior, improving the security of information and communications technology (ICT) and strengthening the resilience of critical infrastructure.

If you’d like to know more about cyber and dinosaurs (!), start at 38.00 min. Also some great points on cyber risk, non-state actors in cyberspace and more from the other panelists.

More at http://cybersummit.info/.

 

On the transitory nature of cyberweapons

The abstract of my forthcoming article ‘A matter of time: On the transitory nature of cyberweapons’ in the Journal of Strategic Studies:

This article examines the transitory nature of cyberweapons. Shedding light on this highly understudied facet is important both for grasping how cyberspace affects international security and policymakers’ efforts to make accurate decisions regarding the deployment of cyberweapons. First, laying out the life cycle of a cyberweapon, I argue that these offensive capabilities are both different in ‘degree’ and in ‘kind’ compared with other weapons with respect to their temporary ability to cause harm or damage. Second, I develop six propositions which indicate that not only technical features, inherent to the different types of cyber capabilities – that is, the type of exploited vulnerability, access and payload – but also offender and defender characteristics explain differences in transitoriness between cyberweapons. Finally, drawing out the implications, I reveal that the transitory nature of cyberweapon’s benefits great powers, changes the incentive structure for offensive cyber cooperation and induces a different funding structure for (military) cyber programs compared with conventional weapon programs. I also note that the time-dependent dynamic underlying cyberweapons potentially explains the limited deployment of cyberweapons compared to espionage capabilities