Category Archives: offensive cyber capabilities

Dutch Hacking: The Rise of a New Cyber Power?

The world opened its eyes to a new cyber power. Last month, Dutch reporters from Nieuwsuur and de Volkskrant revealed that in mid-2014 the Dutch Joint Sigint Cyber Unit (JSCU) infiltrated the computer networks of the infamous Russian hacker group “Cozy Bear.”

By sharing what it collected with its U.S. counterparts, JSCU helped expose the Russian government-linked group thought to be responsible for the Democratic National Committee breach during the 2016 U.S. presidential campaign.

Hacking by its very nature is a secretive business. Although numerous states reportedly are interested in developing offensive cyber-capabilities, we typically hear about only a small set of state actors conducting operations. The public disclosure of the Dutch intelligence success, based on leaked information, has important signaling effects, both internationally and domestically. And it bumps the Netherlands up the world pecking order of offensive cyber-capability.

There’s a paradox about signaling offensive cyber-capability

It is difficult for an actor to prove its offensive cyber-capability without playing its hand, and thereby losing the advantage. This is in part because cyber-capabilities are difficult to showcase, other than by waving a USB stick containing malicious code. As strategic studies scholar Thomas Rid notes, “You can’t parade a code on the streets of Moscow.”

My research on the transitory nature of cyberweapons also explains that once a country’s cyber-capability is exposed, the adversary can often adapt its systems relatively easily to prevent further intrusion. Revelations about a country’s cyber-capability after the fact are therefore essential for gauging an actor’s ability to conduct cyber-operations.

These factors create a number of paradoxical dynamics. The release of classified NSA documents by Edward Snowden was perhaps the most embarrassing episode in the history of the intelligence agency. Yet the Snowden disclosures also exposed the U.S. government’s impressive arsenal, including at least 231 offensive cyber-operations in 2011. As RAND Corporation scholars David Gompert and Martin Libicki point out, the leaks ironically “broadcast how deeply the NSA can supposedly burrow into the systems of others.”

After Kaspersky Lab, a Russian anti-virus company, reported in 2014 on the espionage platform “Animal Farm,” many analysts believed the French government to be behind the sophisticated intel capabilities embedded in the malware. The French government initially denied any role.

During a lecture in mid-2016, however, Bernard Barbier, the former technical head of France’s external intelligence agency, admitted his agency had developed the malware. Security blogger Bruce Schneier points out Barbier “talked about a lot of things he probably shouldn’t have.” But for France, this post-hoc confirmation of capabilities likely enhanced the government’s reputation in this new area of conflict.

A well-placed leak — or just lucky timing? 

It remains unclear whether the signaling was intentional in the Dutch case. Access to the computer networks of Cozy Bear was already lost — perhaps because the Russians were alerted after earlier Washington Post revelations. And the Dutch government may see a diplomatic backlash from the Trump administration as the intelligence helps the FBI investigation — similar to what some say happened to Australia after officials passed information about Trump’s possible campaign links to Moscow, triggering the initial Russia inquiry.

There were certainly gains at home from this type of signaling. Last Friday, Dutch Prime Minister Mark Rutte didn’t go into any detail about the case but told members of the media he was “immensely proud” of the intelligence unit’s success. And Rutte used the occasion to stress the importance of a controversial Dutch intelligence law from June 2017 that would allow the government to conduct large-scale, untargeted tapping of Internet traffic. Even though it is certain the law will come into effect on May 1, critics were able to force a national “advisory referendum” on the issue this March. With the government under pressure, the achievement of the Dutch intelligence apparatus is a very welcome PR success.

What’s next for the Netherlands?

As of now, Dutch cyber-capability has yet to produce a major military activity. It remains to be seen just how the JSCU, a relatively small unit, is organized within the General Intelligence and Security Service and the Military Intelligence and Security Service.

The two Dutch reporters who broke the case mistakenly wrote that JSCU has the authority to conduct computer network attacks. This is not the case; the JSCU cannot “disrupt, deny, degrade, or destroy.” It can, however, conduct computer network exploitation, that is, espionage.

Of course, network exploitation and network attacks can be quite similar. As former NSA and CIA director Michael Hayden states in his book, “Playing the Edge”: “Reconnaissance should come first in the cyber-domain. … How else would you know what to hit, how, when — without collateral damage?”

At the moment, it remains unclear to what degree the JSCU capabilities support the maturation of the Dutch military cyber-command — which does have full authority to attack computer networks. Although organizational integration and coordination between network espionage and network attacks may be beneficial — increasing the opportunity for knowledge transfer and more efficient allocation of resources — my research on organizational integration indicates it is not a given within any government.

In the U.S. government, for instance, NSA and U.S. Cyber Command have numerous coordination problems. Not least among them is the fact that the NSA is not always willing to share capabilities with the military as it increases the risk that its espionage efforts — exploiting the same vulnerabilities and following similar coding procedures — also are exposed. Dutch cyber-capabilities historically reside in the intelligence community, as well. It would be hardly surprising if the Dutch government is dealing with similar organizational problems.

Finally, (cyber) power comes with a price. Russian hackers — and other actors — may now see the Dutch intelligence services as a more interesting target. Russia may retaliate accordingly — and publicly — against the Dutch to signal mutual vulnerability. At least the Dutch government seems to have taken precautions, choosing to tabulate election results by hand earlier this year.

This article is an edited version of my op-ed published by the Washington Post, The Monkey Cage

When Routine Isn’t Enough: Why Military Cyber Commands Need Human Creativity

Former Secretary of Defense Ashton Carter recently published a report on the campaign to destroy ISIL. Particularly notable was what Carter said about the “cyber component” (or lack thereof) of the U.S. efforts:

I was largely disappointed in Cyber Command’s effectiveness against ISIS. It never really produced any effective cyber weapons or techniques. When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection. This would be understandable if we had been getting a steady stream of actionable intel, but we weren’t. The State Department, for its part, was unable to cut through the thicket of diplomatic issues involved in working through the host of foreign services that constitute the Internet. In short, none of our agencies showed very well in the cyber fight.

The statement sounds alarm bells about the current organizational efforts of U.S. Cyber Command. In fact, the United States is not the only one struggling. A growing number of countries are said to be establishing military cyber commands or equivalent units to develop offensive cyber capabilities, and they all seem to have their growing pains stemming from the unique nature and requirements of offensive cyber operations.

Carter’s statement primarily refers to interagency problems, for instance, how the use of militarized cyber operations by CYBERCOM may endanger current or future intelligence collection operations by the NSA. But the problems with successfully carrying out offensive cyber operations are deeper and more complicated. Specifically, military cyber commands require individual creativity, which is too often sacrificed on the altar of organizational routines.

Routines are considered to be the oil that keeps government institutions running. In the academic literature, routines are defined as ‘‘an executable capability for repeated performance in some context that has been learned by an organization in response to selective pressures.” One benefit of routines is that they provide stability, which in turn leads to predictability. In the cyber domain, where there is already considerable uncertainty and imprecise information, predictability of actions is certainly a welcome asset.

Yet offensive cyber capabilities are inherently based on unpredictability. As the RAND Corporation’s Martin Libicki observes, there is no “forced entry” when it comes to offensive cyber operations. “If someone has gotten into a system from the outside, it is because that someone has persuaded the system to do what its users did not really want done and what its designers believed they had built the system to prevent,” Libicki argues. Thus, to ensure repeated success, one must find different ways to fool a system administrator. Repetition of an established organizational routine is likely to be insufficient when conducting military cyber operations. The command must foster an environment in which operators can depart from routine and nimbly adapt their actions to stay ahead of their adversaries.

More specifically, Jon Lindsay and Erik Gartzke note that “cyber operations alone lack the insurance policy of hard military power, so their success depends on the success of deception.” Deception as a strategy is based on two tactics: dissimulation, or hiding what’s there; and simulation, or showing something that’s not. The cyber weapon Stuxnet, for example, used both tactics. Through what is known as a “man-in-the-middle attack,” Stuxnet intercepted and manipulated the input and output signals between the control logic of the centrifuge system in Natanz, Iran, and its operators. In this way it hid its malicious payload from view (dissimulation) and instead replayed a 21-second loop of older, recorded process input signals to the control room, suggesting normal operation to the operators (simulation). To ensure that an offensive cyber attack is successful, the attacker needs to constantly find innovative ways to mislead the enemy, which may mean deviating from routines, or crafting routines that permit individuals to make adjustments at their discretion.
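A toy illustration of the replay tactic just described, as an added example that is not part of the original post and is not Stuxnet’s own code: a constructed process model, an in-path attacker that records a window of normal readings and loops them to the operator display while it drives the real process out of bounds, and the check a defender would want, an exact-repeat test on the displayed trace. The 21-sample loop length, the pressure setpoint, the sampling rate and the noise model are all assumptions made for the example.

```python
"""Telemetry replay as a deception tactic: constructed toy model.

Added example, not code from the original post or from Stuxnet itself.
A fake process emits a noisy pressure reading; an in-path attacker records
a window of "normal" samples and then loops them to the operator display
(simulation: showing something that is not there) while it drives the real
process out of bounds. The detector below exploits the replay's weakness:
real analogue sensor noise never repeats bit-for-bit, a looped recording does.
"""
from __future__ import annotations

import random
from dataclasses import dataclass, field

LOOP_LEN = 21          # samples per replayed window (assumed, one sample/s)
SETPOINT = 100.0       # nominal pressure in arbitrary units (assumed)


@dataclass
class Process:
    """Constructed physical process: pressure around SETPOINT plus noise."""
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def read(self, t: int, sabotage_from: int | None = None) -> float:
        noise = self.rng.gauss(0.0, 0.5)
        if sabotage_from is not None and t >= sabotage_from:
            # The attacker ramps the real pressure well past any alarm threshold.
            return SETPOINT + 5.0 * (t - sabotage_from + 1) + noise
        return SETPOINT + noise


class ReplayMitm:
    """In-path attacker between the PLC inputs and the operator display."""

    def __init__(self, loop_len: int = LOOP_LEN) -> None:
        self.loop_len = loop_len
        self.recorded: list[float] = []
        self.pos = 0

    def forward(self, real: float) -> float:
        if len(self.recorded) < self.loop_len:
            self.recorded.append(real)      # learning phase: pass through honestly
            return real
        shown = self.recorded[self.pos % self.loop_len]   # loop the recording
        self.pos += 1
        return shown


def run(steps: int = 100, attack_start: int = LOOP_LEN) -> tuple[list[float], list[float]]:
    """Simulate `steps` samples; return (true process trace, trace the HMI saw)."""
    proc, mitm = Process(), ReplayMitm()
    real_trace: list[float] = []
    hmi_trace: list[float] = []
    for t in range(steps):
        real = proc.read(t, sabotage_from=attack_start)
        real_trace.append(real)
        hmi_trace.append(mitm.forward(real))
    return real_trace, hmi_trace


def detect_replay(trace: list[float], min_period: int = 2, max_period: int = 60) -> int | None:
    """Return the loop length if the tail of `trace` repeats exactly, else None.

    Needs two full periods of history. Exact equality is deliberate: a genuine
    analogue channel drifts and jitters, so an exact repeat is itself the signal.
    """
    for period in range(min_period, max_period + 1):
        if len(trace) < 2 * period:
            break
        tail = trace[-2 * period:]
        if tail[:period] == tail[period:]:
            return period
    return None


def max_divergence(real_trace: list[float], hmi_trace: list[float]) -> float:
    """Largest gap between what happened and what was displayed. In practice
    this needs an out-of-band reading (an independent gauge) to compute."""
    return max(abs(r - h) for r, h in zip(real_trace, hmi_trace))


if __name__ == "__main__":
    real, hmi = run()
    print(f"operator display: min={min(hmi):.1f} max={max(hmi):.1f}")
    print(f"true process:     min={min(real):.1f} max={max(real):.1f}")
    print(f"replay loop detected with period: {detect_replay(hmi)}")
    print(f"max divergence hidden from operators: {max_divergence(real, hmi):.1f}")
```

The exact-repeat test is the cheap check: it runs on the displayed data alone and fires as soon as the loop has played twice. The divergence check is the stronger one but presumes a second, independently wired sensor, which is precisely the kind of out-of-band cross-check a replay attacker cannot manipulate from inside the PLC path.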

There is no easy resolution of this dilemma. Few of the mechanisms organizations use to encourage creative behavior can be applied to military cyber commands. Instead, what governments can focus on to foster creativity in these organizations is workforce diversification and purpose creation.

First, a common form of encouragement is to reward risk-takers in the organization. Yet military cyber commands need to be risk-averse and cautious. It is essential for “cyber soldiers” to stick to the rules to avoid escalation and possible violation of the laws of armed conflict, just as it is for more traditional soldiers. Despite the need for unpredictable and deceptive responses, military cyber commands cannot simply try things out and see what happens. Indeed, though offensive cyber capabilities are not inherently indiscriminate, without careful design and deployment there is a high potential for severe collateral damage. The Morris Worm of 1988 is an illustrative case in this regard. Robert Morris “brought the internet to its knees” due to a supposed error in the worm’s spreading mechanism. The worm illustrated the potential of butterfly effects in cyberspace – small changes in code can escalate into large-scale crises.

Similarly, military cyber commands will find it more difficult than private companies to grant autonomy to individuals. The underlying management logic for granting personal autonomy was perhaps most famously spelled out (and radically implemented) by Brazilian entrepreneur Ricardo Semler: Let employees decide how to get something done, and they will naturally find the best way to do it. For cyber operations, while outcomes are important, precisely how the job gets done is equally relevant. After all, unlike most conventional capabilities, the modus operandi of one cyber operation may greatly affect the effectiveness of other operations.

This is partially due to what’s known as the “transitory nature” of cyber weapons. Cyber weapons are often described as having “single-use” capabilities. The idea is that once a zero-day vulnerability – that is, a publicly undisclosed vulnerability – has been exploited and becomes known to the public, the weapon loses its utility. Although I’ve argued before that this view lacks nuance – in reality it often still takes time before patches are installed and vulnerabilities closed (and only a minority of cyber weapons exploit zero-days) – the likelihood of successfully accessing the target system is nonetheless reduced after initial use. In other words, the use of a zero-day exploit by one operator may complicate efforts for other operators.

So, what can be done? At a minimum, military commands should make sure they attract a diverse group of people. Only recruiting people within government organizations for the command, as for example the Netherlands supposedly does, should be discouraged. Conventional human resource matrices (i.e., the candidate should have a university bachelor’s degree, good grades, courses in certain areas etc.) should be reconsidered too.

We have already seen various encouraging initiatives on this front. The U.S. Army recently launched the cyber direct commissioning program, so (qualified) civilians can now directly apply to become officers. Countries like the United Kingdom, the Netherlands, and Estonia are also setting up cyber reserve units to attract civilians with the right skill set. Yet these programs are not yet widely adopted across states, nor do they tend to extend far enough (the responsibilities of reserve officers are often unclear).

Military cyber commands should also make sure they create an inspiring workplace to capitalize on people’s intrinsic motivation. Senior leaders have generally been good at providing a vision for their cyber command; this is normally expressed as a desire to become a world leader in offensive cyber operations (see, for instance, the UK’s cyber security strategy). They are also explicit about their mission. Yet, hardly ever do they provide purpose: how does the command fit into the big picture, and what is the strategic framework being followed? Jim Ellis, the former commander of U.S. Strategic Command, has noted the shortcomings of the cybersecurity discourse, saying the debate is “like the Rio Grande, a mile wide and an inch deep.” A deeper focus on purpose-driven values is needed to motivate people to enter a field like cyber operations.

As more countries look to get into the business of offensive cyber operations, the inherent tension between the requirements of these operations and the regimented tendencies of national security bureaucracies will become starker and starker. If governments want to bring together different minds, inspire creativity, and maximize human performance, they need to clearly communicate the value of cyber commands to their people.

This article was first published @WarontheRocks

Europe Slowly Starts to Talk Openly About Offensive Cyber Operations

Europe is finally starting to talk more publicly and candidly about offensive cyber operations.

Two weeks ago, the Dutch Ministry of Defense hosted the Third International Cyber Operations Symposium. In conference hand-outs, the commander of Dutch Defense Cyber Command, Hans Folmer, said he hoped to “foster a shared and realistic understanding of the role of cyber capabilities in future operations, while facilitating the opportunity to develop and strengthen relationships among all participants.” One senior participant at the conference observed: “speaking at NATO about offensive cyber was blasphemy a few years ago. We have advanced.”

At the same conference last year, former UK Defense Minister Michael Fallon acknowledged that states “must have the capability to project power in cyberspace as in other domains” and confirmed that the United Kingdom was using “offensive cyber” against the self-declared Islamic State group. This year, participants discussed lessons learned from those operations, and explored how and when cyber tools could be the most useful against an adversary.

However, based on the discussions this year, there seemed to be less excitement about the potential of offensive cyber tools. In Europe, cyber capabilities were once seen as a silver bullet for Europe’s defense problems—chronically low defense budgets and outdated materiel could be replaced with an asymmetric capability that could improve Europe’s ability to deter adversaries and project power. Now, as one participant said, “cyber is no longer something special.” There was a more honest and open debate about how cyber capabilities can be used, the challenges with developing and maintaining them, and understanding their strategic effects.

Nevertheless, Europe will continue to struggle with at least three issues.

First, not all European cyber commands are created equal. In fact, the diversity of capability in Europe makes it difficult to compare them in theory, and probably even more difficult to coordinate efforts in practice. Whereas Germany is said to have thousands of ‘information and cyber officers’, you can count the people working at cyber defense units in other European countries on two hands. Also, all states are in need of technical personnel, but not all have the resources to attract them. Although many European countries started building a cyber offensive capability almost a decade ago, many states are still far away from a meaningful capability.

Second, Europe is still searching for a strategic objective for its offensive cyber capability. Every scholar or policymaker at the conference noted that deterrence was a flawed strategy to pursue in cyberspace—either partially or completely. Yet, there remains a lack of alternatives and policymakers at the conference seemed unaware of ideas raised in the academic literature about the strategic value of offensive cyber capabilities, such as Kello’s cumulative deterrence, Harknett’s notion of persistence, or Lindsay and Gartzke’s discussion of deception.

Third, Europe lacks a common doctrine on the use of offensive cyber operations. NATO recently finished a first draft of its own cyber operations doctrine, and is going through the process of addressing comments made by member states and invited observers. Europe will need a common doctrine, or at least a common lexicon that can be used by military planners, if it wants to take a coordinated approach to cyber operations. Doctrine normally tries to link theory and practice. Yet, cyber operations in a military context are still fairly new and the lack of practice means that policymakers tend to concentrate primarily on theory, making the development of doctrine a difficult exercise.

This article was first published on the Net Politics Blog of the Council on Foreign Relations

Cyber References Project

I started my graduate studies a few years ago thinking not much was published in the field of cyber conflict. I quickly found my assumption was wrong when I optimistically began a systematic literature review of ‘all’ the relevant works in the field. It was a project I had to abandon after a few weeks (although I do believe that more reviews like this should be conducted).

Even though it is true that still not enough has been published in the top academic journals, one can hardly say that people don’t write on ‘cyber’. With relevant readings currently being scattered across journal articles, books, blog posts, news articles, cyber security firm reports, and more, it becomes increasingly difficult to know what’s out there and build upon earlier insights and arguments published by others.

Whereas this has led some (the Oxford Bibliographies Project and the State of the Field Conference 2016) to direct efforts towards finding the ‘core’ of the field, focusing on key readings, I have started a complementary ‘Cyber References Project’ with the aim of being much more inclusive.

The database currently includes about 800-1000 readings (and also lists a few podcasts and documentaries), which I have sorted into 48 categories. The categories are not mutually exclusive. The goal is not to search based on author (or title) like conventional search engines.

This database includes the references listed on various cyber security course syllabi, the State of the Field Conference 2016, the Oxford Bibliographies Project, SSRN, Google Scholar, Oxford SOLO, PhD manuscripts, and think-tank search engines.

Where I see this project going: I plan to include another 150+ academic articles & 200+ blog posts in the near future. I also hope to improve formatting and sort the current list of readings (by year & add categories). In addition, Olivia Lau maintains a great notes/summary pool of key readings on International Relations. It would be great if we could establish something similar for cyber conflict.

Please let me know if readings are missing or categorized incorrectly. Of course, any ideas on how to make this platform easier to use are also very welcome.

Organizational Integration of Offensive Cyber Capabilities: A Primer on the Benefits and Risks

Below you can find the abstract of the paper I’ll present at the 9th International Conference on Cyber Conflict (CyCon 2017) in Tallinn, Estonia. The paper will be published after the conference.

Organizational integration has become a key agenda point for policy makers as governments continue to change and create new organizations to address the cyber threat. Passing references on this topic, however, far outnumber systematic treatments. The aim of this paper is to investigate the potential effects of organizational integration of offensive cyber capabilities (OIOCC). I argue that OIOCC may lead to three key benefits: more efficient interaction, knowledge transfer and improved resource allocation. There are, however, several negative effects of integration too, which have so far received little attention. OIOCC may lead to an intensification of the cyber security dilemma, increase costs in the long run, and impel what I call ‘cyber mission creep’. Though the benefits seem to outweigh the risks, I note that ignoring the potential negative effects may be dangerous, as activity is more likely to go beyond the foreign-policy goals of governments and intrusions are more likely to trigger a disproportionate response by the defender.

Talk Global Cyberspace Cooperation Summit VII

I was part of a great panel at the Global Cyberspace Cooperation Summit VII, organized by the East West Institute.

The summit brought together policymakers, business leaders and technical experts to discuss the most pressing issues in international cyberspace, including securing the Internet of Things, balancing encryption and lawful access to data, developing norms of behavior, improving the security of information and communications technology (ICT) and strengthening the resilience of critical infrastructure.

If you’d like to know more about cyber and dinosaurs (!), start at 38.00 min. Also some great points on cyber risk, non-state actors in cyberspace and more from the other panelists.

More at

On the transitory nature of cyberweapons

The abstract of my forthcoming article ‘A matter of time: On the transitory nature of cyberweapons’ in the Journal of Strategic Studies:

This article examines the transitory nature of cyberweapons. Shedding light on this highly understudied facet is important both for grasping how cyberspace affects international security and for policymakers’ efforts to make accurate decisions regarding the deployment of cyberweapons. First, laying out the life cycle of a cyberweapon, I argue that these offensive capabilities are different both in ‘degree’ and in ‘kind’ compared with other weapons with respect to their temporary ability to cause harm or damage. Second, I develop six propositions which indicate that not only technical features inherent to the different types of cyber capabilities – that is, the type of exploited vulnerability, access and payload – but also offender and defender characteristics explain differences in transitoriness between cyberweapons. Finally, drawing out the implications, I reveal that the transitory nature of cyberweapons benefits great powers, changes the incentive structure for offensive cyber cooperation and induces a different funding structure for (military) cyber programs compared with conventional weapon programs. I also note that the time-dependent dynamic underlying cyberweapons potentially explains the limited deployment of cyberweapons compared to espionage capabilities.

How Much Does a Cyber Weapon Cost? Nobody Knows

Can a non-state actor take down critical infrastructure with a cyberattack? If it is not possible today, will it be possible in the future? Experts disagree about the capabilities of non-state actors in cyberspace, let alone agree on their future capability.

There is debate within the cybersecurity community and academia about whether cyber weapons are getting cheaper and thus within the reach of the self-proclaimed Islamic State or other non-state groups. Although there is some general consensus that offensive cyber operations will be less expensive in the future, there is very little understanding of what influences the cost of a cyber weapon. Making sense of the inputs and the defensive environment that drive the cost of a cyber weapon is essential to understanding which actors—whether state, non-state, or criminal—will attain what kinds of cyber capability in the future.

There are four processes that make cyber weapons cheaper. First, labor becomes more efficient; attackers become more dexterous in that they spend less time learning, experimenting, and making mistakes in writing code. The observation has been made that Iranian cyber activities are not necessarily the most sophisticated. Yet, since the Shamoon virus wiped the hard drives of 30,000 workstations at Saudi Aramco in 2012, there have been significant improvements in their coding. Whereas Shamoon contained at least four significant coding errors, newer malware seems to be more carefully designed.

Second, developers standardize their malware development process and become more specialized. Some parts of cyber weapons have become increasingly standardized, such as exploit tool kits, leading to an increase in efficiency. The growth of offensive cyber capabilities in militaries allows for greater specialization in cyber weapon production. The U.S. Cyber Command now has 133 teams in operation, making it easier to dedicate specialized units to specific types of cyber operations—even if these units need to be integrated within a general force structure. According to one report, Russia was able to do the same thing for its cyber campaigns against Ukraine.

Third, reusing and building upon existing malware tools allows attackers to learn to produce cyber weapons more cost effectively. The wiper cases Groovemonitor (2012), Dark Seoul (2013), and Destover (2014) are illustrative of this process. Actors who seem to have relatively limited resources have in recent years been getting more bang for their buck.

Fourth, there are shared experience effects, which allow lessons from one piece of malware to shed light on other offensive capabilities. Cyber weapons are generally part of a larger collection of capabilities, sharing vulnerabilities, exploits, propagation techniques, and other features. Stuxnet’s ‘father’, for example, is thought to be the USB worm Fanny, and Stuxnet has also been linked to espionage platforms like Duqu, Flame, miniFlame, Gauss, and Duqu 2.0.

In sum, many of the drivers that can make cyber weapons cheaper come from ‘experience’ and ‘learning curve’ effects, where malware developers learn from the work of others.

Although attackers might rejoice at the prospect of weapons getting cheaper, there are significant barriers that can hamper the cost reduction. The defensive measures put in place as a result of advanced persistent threats have forced attackers to develop more complex capabilities to remain effective. Although it is still the case that most computer breaches could have been avoided by simple patching, basic measures such as network segmentation, firewall implementation, and the use of secure remote access methods are becoming increasingly common. Furthermore, IT security professionals communicate more regularly with management about cyber threats than they did a decade ago.

At a recent Royal United Services Institute conference, a military cyber commander clearly stated that the main problem for conducting effective operations is “people, people, people.” For a government, attracting the brightest minds does not come cheap—especially when a person has the opportunity to work in the private sector for a much higher salary. Historically, foreign intelligence agencies have needed foreign language professionals. Today, they need people able to interpret and write code. However, since coding is a highly transferable skill, these people are able to switch to the private sector easily—making the government’s job of retaining them much harder.

Finally, a cyber weapon program requires continuous production, not just intermittent projects. The malleability of cyberspace gives these weapons a highly transitory nature; they’re only effective for a short while. Therefore, the development of cyber weapons must be unceasing and resources must be constantly available. Ideally, cyber weapons would be produced on an assembly line, ensuring that when one weapon becomes ineffective, the next can be put to use. However, it is hard to estimate the costs of maintaining a cyber capability. Because vulnerabilities can be patched, cyber weapons can lose their effectiveness suddenly, unlike traditional weapons, whose effectiveness decays gradually over time.

In 2006, sixty-one years after the first atomic bomb was dropped on Hiroshima, Robert Harney and his colleagues published “Anatomy of a Project to Produce a First Nuclear Weapon.” They outlined almost 200 tasks required to produce a nuclear weapon. Undertaking a similar exercise to identify the costs and barriers to the development of a cyber weapon may be challenging considering the rapid pace of technological change, but it should be done nonetheless. Until military strategists, policymakers and intelligence officials understand the cost drivers for cyber weapons, they will not have any basis to claim whether cyber tools are getting cheaper or who can access them. In other words, unless policymakers have a better understanding of the cost of a cyber weapon, they won’t be able to know whether the Islamic State has the capability to develop and deploy one.

This article was first published on the Net Politics Blog of the Council on Foreign Relations