Wednesday, December 2, 2009

Review: Billy Rios on Cyber Attacks

It has been a busy time since last post. I gave a short lecture at the NATO School in Germany last week and I'm preparing some paper ideas for next year. However, I decided to take a short breather and review another paper from the Conference on Cyber Warfare - Billy K. Rios wrote a piece titled "Sun-Tzu Was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack." His work is partially based on the Grey Goose Report I.

The paper tries to map some real cyber operations to equivalent concepts in maneuver warfare, particularly drawing on the Georgia case and the US Marine Corps doctrine. He starts out by describing the essence of maneuver warfare and points out that cyber operations cannot "win a war". Instead, they can break up the enemy's cohesion and allow for exploitation by other (conventional) means. Incidentally, the Chinese seem to have adopted the same idea.

Discussing decentralized command and commander's intent, he uses the example of how a target list of Georgian sites was posted in a forum without clear instructions for action. The forum members then contributed potential attack plans and instructions and discussed the campaign. As a result, a variety of targets and options became available, and the attackers could each choose a course of action suited to their skill, resources and level of motivation. As a side note, similar behavior was observed a year earlier during the cyber campaign against Estonia.

As an example of combined arms, he cites SQL injection queries used for fingerprinting and gaining access to database contents (NB! starting a month before the armed conflict), exploiting this information for intelligence, and preparing automated attack tools that are then provided through the forum to anyone interested. I think he could have used a better example, because the link to combined arms is not clearly apparent.

To illustrate the concept of initiative, he uses the examples of pre-emptive intrusions into Georgian systems and the sustained pressure that kept the initiative on the attacker's side while forcing the Georgians to react. As a result, responding to cyber attacks wasted valuable time.

He also explains the importance of identifying and attacking enemy Centres of Gravity, although he does not connect it to the Georgian case. The important point is that these centres need not be physical fortifications or units, but can also encompass things like morale and resolve. Clearly, cyber attacks are a potential way of attacking the enemy centres of gravity, especially C2 networks and information targets.

He then points out that conventional weapons have physical limitations, and the skill of the operator has relatively little effect in terms of stretching the effective range, damage, etc. For example, a skilled marksman with an M4 carbine can hit a target from several hundred meters with standard sights, but not much more. On the other hand, the cyber warrior's capability to do damage is directly correlated with his skills. I especially like this sentence:
"Creating an offensive cyber capability is less about finding the right hardware and more about finding the right people and skillsets."
He also highlights that it poses a problem for intelligence analysts, as it is very difficult to estimate or track the development of offensive cyber capability, because the key component is the skillset of operators, not the invested money or acquired hardware.

Rios summarizes the paper by emphasizing that
  • cyber capability should be incorporated into the overall plan, as it will not win the war on its own.
  • Command and Control should be kept decentralized and decisions delegated to the lowest level. [This is in contrast to the Chinese doctrine, which seems to prefer rigid central control and limited use of the cyber strikes. - RO]
  • the individual cyber specialist is the weapon system, not his laptop or his sidearm.
The paper is short and to the point. I like the summary, which brings out some good points (even some that do not seem apparent from the main text).
