This paper was prepared for PSAA 608 – Domestic Intelligence Operations at the Bush School of Government and Public Service at Texas A&M University. For this paper, we as students were expected to research possible defensive and offensive strategies to be used in cyber warfare.

A wide variety of strategies are being developed all across the world to face the threat of a full cyberwar. The Russians have to a certain degree been leading the way on development of these strategies with cyberattacks on Estonian and Georgian infrastructures. However, in each of these incidents the cyberattacks were generally limited in scope and lifetime of the effects on infrastructures such as communications, financial, and energy. In some cases these strategies were not even employed using actual agents of the Russian government but instead were carried out by proxies of Russia not unlike what went on during the Cold War.

A full cyberwar would likely utilize attacks against the cyber components of critical infrastructures that are essential to responding to a kinetic attack, but would not be limited in terms of the timeframe of the effects of the cyberattack. For example, instead of simply shutting down the power grid around Boeing or Lockheed Martin production facilities, thus limiting their output for a time, an attacker may also attack their information technology network to destroy the programming for their production lines as well as any backups. This would theoretically eliminate their ability to produce military aircraft for the United States during wartime until they could reprogram all of their production equipment from scratch. We’ve seen similar attacks in the past that have been extremely disruptive, such as the one against the oil company Saudi Aramco, which produces 10% of the world’s oil supply. In 2012 Saudi Aramco was hit with a cyberattack in which 35,000 of its computers were partially or totally destroyed (CNN Money, 2015). While pumping and oil production still continued during this attack, communications within the company were essentially brought to a dead standstill. The company was unable to manage the flow of its product to deliver to its customers. The total downtime for their computer network from the time of attack was upwards of five months.

If this same kind of sophisticated cyberattack were to be utilized against the United States during a war, it would be potentially crippling for our ability to defend the nation against a foreign aggressor. Cyberattacks have a very unique nature in the battlespace. Traditional kinetic forces utilized by our military require a great deal of varying levels of training and logistical support to be effective against an enemy, whether you’re talking about the average M-4 rifle or the B-2 bomber. Conversely, cyberattacks require only an off-the-shelf laptop computer with an internet connection or a USB thumb drive and some skill with fairly common programming languages. Put another way, almost anyone in this highly internet-connected world has the tools on hand right now to be able to launch a cyberattack against a target. Additionally, there are two significant factors that separate cyberattacks from traditional kinetic warfare. First is the difficulty for a target to be able to attribute an attack to the actual attacker. Second, because of the global reach of the internet, cyber weapons have a truly global range. Combining that unlimited range with a very low profile for identification of an attacker and a very low cost of development, you potentially have a type of attack that has never been seen on a battlefield in the history of war.

This requires a very unique approach when developing a strategy for a cyberwar. Unlike kinetic attacks where there is a limited attack surface that can be defended by military forces, cyberattacks potentially have a much larger attack surface to go after based on the dependence of a target on technology. That larger attack surface can be extremely difficult to build an adequate defense against. Richard Clarke identifies this issue in his book, Cyberwar, where he ranks the cyberwar strength of several nations including the United States, Russia, China, Iran, and North Korea. While the average person may put the United States and Russia at the top of this list due to our offensive capabilities, Clarke puts the United States at the bottom with North Korea at the top (Clarke, Cyberwar, 2012). His rationale for this is primarily because of the very high dependence that the US has on cyber technology (thus a large attack surface), while North Korea’s dependence on cyber technology is the lowest on the list (thus a very small attack surface). For obvious economic and societal reasons, the United States is not likely going to reduce its dependence on cyber technology.

This set of strategies is designed to close the gap between the United States and other cyberwar powers around the globe. It does so by building up our defensive capabilities as well as adding to our offensive capabilities to provide deterrence against potential attackers as well as to maintain our ability to defend the nation in a cyberwar and to respond to any attacks whether in cyber battlespace or the kinetic battlespace.

Defensive Strategy 1: Defend Essential Government Infrastructure and Capabilities

This is an absolutely essential strategy that must be maintained. As we have seen in past cyberattacks around the world, one of the first targets is the ability of governments to respond to an attack and to communicate with their citizens. In both Estonia and Georgia, the goal of the cyberattacks was first and foremost to limit the government’s ability to communicate with its population through the internet and other forms of telecommunication. This can have a variety of effects on a country, from creating panic amongst the citizenry, to putting people in harm’s way, to preventing a government from coordinating necessary response efforts with military forces and essential services.

Therefore, the government’s ability to communicate critical information must be defended using effective defenses, including redundancy of design, with the goal of maintaining system resiliency.

Defensive Strategy 2: Defend Essential Civilian Infrastructure and Capabilities

It is very easy to focus on just government capabilities while ignoring the civilian sector. This is mainly because the government sector and the civilian sector tend to operate very differently in the United States. The government sector is far more focused on the strategy being implemented and the end goal to be achieved. The civilian sector is still focused on the end goal, but has a tendency to look at issues of security and defense as an expense that pulls away from their own end goal of selling whatever product or service that they are in business for. Nevertheless, the civilian sector must still be protected against attack in cyberwar since it is the civilian sector that is responsible for some of the most significant critical infrastructures within the United States including news and communications, the power grid, petrochemical industry, and others which make up a larger portion of our attack surface than the government sector.

Therefore, cooperation with the civilian sector in the critical infrastructures to defend those infrastructures against cyberattack is as important as protecting the government’s capabilities. A balance between regulation, education, and incentives for voluntary action from industry will be the key to success for this strategy: regulation to require certain essential sectors (the power grid, for example) to meet cybersecurity standards across the board; education of people in the private sector to gain more involvement and buy-in for the cybersecurity process on the part of the civilian sector; and incentives for voluntary action from industry to close the gap between where the industry is currently and where it should be from a cybersecurity standpoint.

Defensive Strategy 3: Enable and Utilize Civilian Expertise in Defense of the Homeland and Critical Infrastructures

The first two strategies can work very well in parallel and independently. However, over time there would likely be an increasing degree of divergence between those strategies in terms of the tactics used and their effectiveness. This strategy seeks to bring the government and civilian sectors together in a combined effort to defend the homeland and critical infrastructures against cyberattack.

These combined efforts would involve information sharing about defensive cyber tactics and their effectiveness, potential threats against the US, and additional resources. We currently see this being done within organizations such as InfraGard which exists as a partnership between the FBI and members of the private sector. This program could be expanded to increase the collaboration between the government and civilian sectors.

Defensive Strategy 4: Build Critical Infrastructure Cyber Defenses, Cyber Resiliency, and Digital Forensics

In Richard Clarke’s book, Cyberwar, he lists the United States as dead last on cyber defenses amongst the nations that he compares. Because of the openness of our society, in particular on the internet, our defenses against cyberattack are considered extremely low. That combined with our high degree of dependence on cyber technology makes us particularly vulnerable despite having some of the best offensive cyber capabilities in the world.

Therefore, a new focus on cybersecurity and cyber defense capabilities must be a priority. Both the government and civilian sectors can focus on the development of tactics to defend their respective capabilities and infrastructures. However, their ability to do so is still limited by what cybersecurity technologies are developed within industry. Cybersecurity needs to be considered as much a part of new hardware and software as the performance and speed at which it runs.

This includes keeping available strong encryption technology in the private sector. The information and capabilities of any device from smartphones and smartwatches to laptops and desktops could potentially be exploited by effective hackers and social engineers to go after a target. Therefore it is important that these devices be kept secure using the best methods available including strong encryption technologies.

From the standpoint of digital forensics, the most difficult part of cyberattacks is identifying who performed the attack so that the appropriate response can be implemented on the attacker. Put another way, you won’t know who to respond to if you don’t know who launched the attack. The same is true for deterrence. If an attacker knows that they can attack the US without being successfully identified as the attacker, the best cyber weapons in the world would not deter them. This is where digital forensics comes in. While this discipline has come a long way in the last few decades, it is still considered extremely difficult. The US needs to build this discipline much further to be able to maintain our capability to effectively respond to an attack.

Offensive Strategy 1: Build The Offensive Capabilities of The Intelligence Community and Military Branches

This is likely the most obvious offensive strategy and works well as a deterrence against attack. With effective digital forensics, as mentioned in Defensive Strategy 4 above, the capability to respond effectively can provide the deterrence to prevent the vast majority of attacks. So while this is listed as an offensive strategy it still falls under the old adage of “the best defense is a good offense”. That being said, effective offensive cyber capabilities for both the intelligence community and the military must be continuously developed as technology being used by an enemy is also being continuously developed.

Offensive Strategy 2: Enable Non Governmental Entities To Take Offensive Action During Wartime

Given how large the attack surface is for the United States, and how much of that attack surface is comprised of civilian targets, it would be wise to include appropriately trained civilians in the offensive cyber strategies during a cyberwar with very limited rules of engagement. To prevent escalation of a cyberwar or damage being done to the wrong party, it is important to strike a balance between what a civilian attacker can and cannot do, as well as between the reasons for which a civilian attacker can and cannot conduct an attack. A civilian attacker should be allowed to attack only when their organization has been attacked as part of a cyberwar. Their attack should be limited to only those that attacked them, and must have the objective of recovering data that may have been stolen or eliminating an enemy’s capability to attack in cyberspace.

If civilians have this offensive capability under the laws of the United States, then it would potentially be a deterrent to attack from potential bad actors even under these very limited rules of engagement. A target being able to defend itself or retaliate for actions taken against it is in and of itself a deterrent to most would-be attackers.

Summary

This overall strategy has several interconnecting components in which different elements build upon or strengthen others. The first two elements involve building the defenses of both the government and civilian sectors, while the third seeks primarily to have both the government and civilian cybersecurity experts working together in defense of the homeland and our critical infrastructures. The fourth element seeks to build the foundation of deterrence against an enemy by building resiliency against attack while developing better methods for attribution to be able to better identify an attacker. Without this fourth strategy, the deterrence of offensive capabilities developed as a part of the fifth strategy would be meaningless to a would-be attacker and would be potentially worthless as part of any kind of response to an attack. Offensive capabilities and deterrence can be further built upon by the involvement of civilian attackers under the appropriate conditions, turning the “soft targets” of the civilian world into “hard targets” that could fight back in the event of an attack.

All of these strategies seek to minimize the exposure of the United States’ attack surface in the event of a cyberwar. The smaller we can make that attack surface, the fewer resources we will need to defend it, and therefore the less likely our society’s dependence on technology could be used against us in a cyberwar.

Charles Teel is an experienced Cyber and Information Security Professional and founder of SR2 Solutions with a demonstrated history of working in the business world, including in a variety of sectors. Skilled in Secure Software Development, Team Building, Leadership, and Management Consulting. Graduated from Lamar University MBA Program. Currently an Executive Masters Student at the Bush School of Government and Public Service at Texas A&M University with a concentration in Homeland Security and Critical Infrastructure Protection.