Mr. John Pirog, IA-04, DAF
MSgt Charles G. “Chuck” Doig, USAF (Retired)
We are failing at Cyber Defense. What can we do about this? In March 2010, retired Army Psychological Operations (PSYOP) Colonel Larry Dietz penned a blog post on his PSYOP Regimental Blog entitled CyberWar is CyberPSYOP.[i] In this post, COL Dietz states, “…both PSYOP and CNO [computer network operations] will have an increasing footprint in future conflicts… Contingency planning must include counter propaganda and the full spectrum of CNO…” Similarly, in the Fall 2010 Air and Space Power Journal, Mr. Adam Fraser and retired Air Force Lt Cols Robert Kaufman and Mark Rydell, in their article It’s Time to Fight Back “Operationalizing” Network Defense, argue for Air Force Cyber forces to take a more “proactive approach” to Network Defense and, among other ideas, call for adversary “Cyber Engagement.”[ii] Fraser, Kaufman, and Rydell write that “cyber engagement covers a spectrum of operations…” and, “Regardless of the technique employed, the [cyber] operator would always try to introduce unreliability, make intrusions more costly, or influence the adversary’s actions.”[iii]
Although neither article outlines specific psychological operations (now known as Military Information Support Operations, or MISO[iv]), “engaging” our cyber adversaries to “influence the adversary’s actions” (as Fraser et al. argue) in ways that incorporate MISO considerations should be integral to any Cyber Defense Strategy. As COL Dietz argues, MISO should be part of the “full spectrum” of CNO in contingency planning.
However, MISO (formerly PSYOP) and Cyber operations must overcome two problems before MISO can be an effective and integral part of a cyber engagement defensive strategy. The first is attribution: we rarely know with certainty who is attacking us, and without attribution one cannot begin to understand the target audience. The second is deterrence of cyber actors. Aggressors are deterred when they perceive the cost of an action to be too high relative to the benefits of success, but because the cost of cyber action is relatively low, traditional deterrence may not work. This paper briefly discusses each problem and then offers potential approaches to overcoming it.
As Bryan Krekel writes, “…attribution is always the most difficult component of information security investigation…”[v] and it is often difficult to determine, with absolute certainty, the source of any attempt to penetrate our cyber defenses. Computers leave no distinctive physical evidence behind, billions of nearly identical machines can send nearly identical packets, and attacks can come from anywhere. To compound the issue, in Cyber there are the “threat actors”[vi] and then there are those directing the threat actors. A key tenet of MISO is to understand your target audience so that you know what to say and how to say it; the step in the MISO planning process that does this is called Target Audience Analysis (TAA). In the case of Cyber, however, it is difficult to conduct TAA when you do not really know who the audience is.
In previous military operations, MISO has learned that one can target (persuasively communicate with) the individuals one wants to influence directly, or target those who can influence them (e.g., leaders or key communicators). In Cyber’s case the absence of intelligence information often makes the attribution of individual actors, and of those directing them, problematic. Current Cyber identification methods rely on forensic analysis of the tools, techniques, and other technical characteristics used to penetrate (or attempt to penetrate) a network, and they result in identifying “types” of threat actors rather than individuals.
According to Krekel, “hackers—individuals and groups alike—tend to operate in a consistent manner, exhibiting a preference for specific tools, possess a unique keyboard presence, and often tend to target the same types of data across their targets.”[vii] Further, the Hacker Profiling Project (HPP), a United Nations Interregional Crime and Justice Research Institute (UNICRI) project started in 2004, provides a means for law enforcement and military cyber defenders alike to identify, by type, the threat actor attempting to penetrate a given network. HPP conducted a worldwide survey of hackers and developed profiles, with associated psychological characteristics and motivations, for each “type” of hacker. See HPP’s publication, Profiling Hackers: The Science of Criminal Profiling as Applied to the World of Hacking, published in the United States in 2008.
While the intent of HPP is to use computer forensics and behavioral science as a tool for law enforcement and for cyber defenders everywhere, it may also have application for MISO in regard to TAA. For example, once a cyber defender identifies the “type” of net intruder, the intruder can be associated with an HPP Grid “type” (such as “military hacker” or “script kiddie”), and the motivations and psychological characteristics of that HPP “hacker profile” apply. It is thus possible to identify some basic attributes of a threat actor even when the specific individual or nation state is not known. If we can further attribute a nation state to the threat actor (or an ethnic or cultural group to a non-state threat actor), the psychological vulnerabilities and motivations associated with that group may be combined with those of the “hacker” sub-culture. This gives a basis from which to begin TAA and to determine what, if any, messages (or actions) might be developed to dissuade, discredit, or mitigate the threat actors.
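The forensic grouping described above, that is, Krekel’s point that operators reuse the same tools, keyboard habits and target data, and the idea that a defender can sort intrusions into “types” before any real attribution exists, can be shown in code. The following is an added example, not part of this paper or of the HPP: it flattens each intrusion session into a set of observed features, scores every pair with Jaccard similarity, and links sessions that overlap strongly into candidate groups. The session records, tool names, session ids and the 0.5 threshold are constructed for illustration.

```python
"""Group intrusion sessions by overlap in observed tooling, commands and
targeted data.

Added example, not from the paper. Sessions whose feature sets overlap
strongly are candidates for "same actor or same type" grouping; the result is
a starting point for analysis, not an attribution. All records are constructed.
"""
from itertools import combinations

# Constructed session records (assumption: these are what forensic review of
# each intrusion produced). Each maps an observation category to the set of
# distinct values seen: tools recovered from disk, commands from shell history
# or keystroke logs, and the category of data the intruder went after.
SESSIONS = {
    "s1": {"tools": {"gsecdump", "rar", "rat_alpha"},
           "cmds": {"net view", "dir /s /b", "rar a -hp"},
           "data": {"engineering_drawings"}},
    "s2": {"tools": {"gsecdump", "rar", "rat_alpha"},
           "cmds": {"net view", "dir /s /b", "rar a -hp", "tasklist"},
           "data": {"engineering_drawings", "email_archives"}},
    "s3": {"tools": {"nmap", "sqlmap"},
           "cmds": {"id", "uname -a"},
           "data": {"web_defacement"}},
    "s4": {"tools": {"nmap", "sqlmap", "nikto"},
           "cmds": {"id", "uname -a", "wget"},
           "data": {"web_defacement"}},
    "s5": {"tools": {"mimikatz", "psexec"},
           "cmds": {"whoami /all"},
           "data": {"source_code"}},
}


def features(session):
    """Flatten a session record into (category, value) pairs so the same
    string seen in two different categories is not accidentally matched."""
    return {(cat, val) for cat, vals in session.items() for val in vals}


def jaccard(a, b):
    """Jaccard similarity |A & B| / |A | B|; 0.0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity_table(sessions):
    """Pairwise similarity for every pair of session ids (sorted pairs)."""
    feats = {sid: features(rec) for sid, rec in sessions.items()}
    return {(a, b): jaccard(feats[a], feats[b])
            for a, b in combinations(sorted(sessions), 2)}


def cluster(sessions, threshold=0.5):
    """Link every pair scoring at or above the threshold and return the
    connected components as sorted lists (union-find)."""
    parent = {sid: sid for sid in sessions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for (a, b), score in similarity_table(sessions).items():
        if score >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for sid in sessions:
        groups.setdefault(find(sid), []).append(sid)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for (a, b), score in sorted(similarity_table(SESSIONS).items()):
        print(f"{a} vs {b}: {score:.2f}")
    print("candidate groups:", cluster(SESSIONS))
```

On the constructed data, s1 and s2 share the same credential dumper, archiver and implant and the same target data, so they group together; s3 and s4 group on web-scanning tooling and defacement; s5 stands alone. Raising the threshold splits the groups apart, which is the knob an analyst would tune against known-good incident data before trusting the grouping as a “type” assignment.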
General psychological (or motivational) characteristics associated with all hackers were synthesized from the HPP by Lt Col Mark Dubaz, Chief of Influence Operations, 23d Information Operations Squadron. Figure 1, below, outlines Lt Col Dubaz’s findings.
Not all of the general psychological characteristics listed for “hackers” in Figure 1 apply to every HPP hacker type; this is especially likely for those in the HPP “professional” category (such as military or government agent hackers). It is probable, however, that even those in the “professional” category share some of the general characteristics (especially 2, 4 and 5 in Figure 1) with their more nefarious “criminal” or “mischief-making” cousins in other categories (such as “crackers” and “script kiddies”). MISO planners might therefore couple these hacker “sub-culture” psychological characteristics and motivations with traditional socio-cultural analyses of known state and non-state cyber actors to produce a more complete and accurate TAA.
In the absence of specific attribution, the HPP grid provides an initial “target set” for individuals attempting to penetrate U.S. networks, by hacker profile type (see Figure 2, first three columns, below). For the MISO planner this is a broad set of “potential target audiences.” Motivations (and psychological characteristics) vary by type of hacker and must be examined (especially for the “military” or “government agent” types) to determine which of the “hacker” psychological characteristics identified by the HPP actually apply. This “virtual” attribution, in the absence of “real” attribution, together with the hacker “sub-culture” psychological characteristics and motivations, gives the MISO planner a minimum set of data with which to begin TAA. The TAA results can then support broadly defined objectives and the development of lines of persuasion and messages that might resonate with these actors or with the populations in which they reside.
With a potential workaround for the cyber “attribution” problem identified, we now turn to the problems of “cyber deterrence” as it relates to “cyber defense.” As Fraser et al. write, “Defense has always involved delaying, disrupting, deterring, or denying enemy objectives. However, if we assume the impossibility of completely stopping the adversary, then we must consider ways to significantly hinder or exploit his efforts. (By ‘exploit,’ we mean achieve second- and third-order effects on his decision-making capacity.)”[x]
Most current thinking on cyber deterrence supports this view and suggests that network intrusions can never be completely stopped by “deterrence,” especially “Cold War” style deterrence. RAND author Martin Libicki outlines several problems with “cyberdeterrence”: “Attribution, predictable response, the ability to continue attack, and the lack of a counterforce option are all significant barriers.”[xi] However, Mr. Will Goodman, in his Fall 2010 Strategic Studies Quarterly article, argues that “…cyber deterrence is challenging, but with a measured and realistic strategy, cyber deterrence can accomplish most of its desired effects.”[xii] Goodman goes on to suggest that United States cyber deterrence languishes because other states do not understand which interests are off limits from attack and what consequences they face for attacking those interests. He therefore advocates clearer and more widespread deterrent messages to our adversaries and potential adversaries,[xiii] suggests that the United States create “new channels” of communication for these “cyber deterrence messages,”[xiv] and states that “…continual dialogue, in the form of a regular exchange of deterrent messages, is the first necessary condition to deter cyber aggression.”[xv] This calls for an integrated “influence operations” strategy (similar to COL Dietz’s “full spectrum” cyber and MISO approach) to craft and deliver those messages, and such an approach seems tailor-made for MISO. Obviously this cannot be done in a vacuum; other national capabilities and interagency partners must be leveraged, and national as well as Department of Defense (DoD) cyber policy must undergo a paradigm shift before any cyber engagement defensive strategy can be implemented. Once policy is changed, however, messaging our adversaries with clear intent on where the US draws the line in cyberspace can occur.
All types of deterrence require the ability and the will to hold something the adversary values at risk; otherwise deterrent messages are not credible.
Adversary “cyber espionage” is one activity of great concern to Air Force network defenders and one where cyber deterrence might help. Using Goodman’s theories, let us examine how MISO and Cyber operating together might reduce the number of penetrations and exploitations. Goodman suggests that deterrent strategies based on futility, interdependence, and counterproductivity, linked with economic or trade benefits, may prove useful in limiting cyber espionage, and these can therefore become suggested MISO themes.[xvi]
Based on Goodman’s theories, these themes, when properly presented, may resonate with certain state or non-state actors. Goodman suggests that the actors actually penetrating our networks and exfiltrating data face the difficulty of assessing which information is worthwhile and which is not. He states that the “huge amount of low-quality information in cyberspace bolsters deterrence by denial,” which reinforces the futility theme.[xvii] Goodman also writes that “denial” (and, by this definition, the futility and counterproductivity themes) alone is not sufficient to deter aggression, especially espionage, in cyberspace.[xviii] In his words, “Adversaries must also face some threat of penalty—which raises the costs … for deterrent messages to take effect.”[xix] This “threat of penalty” suggests another MISO theme, that of “risk”; but risk of what? To answer this we must look at risk from the target audience’s perspective: what do they hold dear? Senior national leadership may indeed respond to risks to economic and trade benefits, but at the military operational level we must consider the adversary actor at the keyboard.
MISO messages supporting “risk” themes, combined with psychologically significant actions or the threat of actions, have met with some success against our adversaries in past kinetic operations (see Figure 3). To influence the adversary cyber actor, it therefore seems logical to couple the communication themes above (e.g., futility and risk) with a cyber action to create a psychologically significant cyber effect. Using the hacker profiles to determine psychological vulnerabilities, a hypothetical example would be attaching some type of “benign malware” to a file likely to be exfiltrated, so that the file sets off virus alarms on the intruder’s machine or network and then displays a message (see Figure 4). The action is setting off the virus alarms; the message is that the actor risks introducing harmful malware if they continue to exfiltrate files from our network. The vulnerability exploited, from the HPP, is the actor’s credibility within the peer group. This risk strategy could be approached more overtly were the US to adopt an open active defense policy. A threat of deterrent action is only as effective as our willingness to use it, and announcement of the policy is fair warning to all.
MISO has used messages supporting “risk” themes, together with psychologically significant actions, with some success in past kinetic operations to achieve “deterrent” behavior in our adversaries. Might MISO messages and cyber actions supporting “risk” themes be equally successful in deterring our cyber adversaries?
Integrating MISO and Cyber in this way, as a “proactive” (but still “passive”) defensive strategy (e.g., communicating the risk of, and then actually making the adversary negotiate, a “cyber minefield” of possibly destructive malware each time they attempt to exfiltrate data from our networks) may create doubt in our adversaries about their own abilities and cause them to question the value of the information they are exfiltrating. The end result might be a decrease in attempted penetrations of the network. At a minimum, the adversary actor must be more cautious and take more time to ensure that the files they attempt to exfiltrate are, as Goodman suggests, “worthwhile” and also “risk” free. In the case of state actors, “benign malware” that raises virus alerts at a central computer emergency response team, or that forces the actor to report a potential virus incident, may cost the actor “peer group standing” or discredit the actor within their own organization. The risk of this integrated use of MISO and Cyber is that the intruder may develop new tactics and tools that make penetration of our network even harder to detect. Further, there are technical issues to address in order to “plant the minefield” with malware without authorized users “stepping on the mines.” Finally, a policy commitment must be made by U.S. senior leadership to actually “plant” destructive malware; otherwise the MISO messages become idle threats.
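The “benign malware” decoy from the hypothetical example above, and the concern that authorized users must not “step on the mines,” can be made concrete without any real malware. The following is an added example, not part of this paper: it builds a decoy file that carries the EICAR anti-virus test string (a harmless, standard 68-byte pattern that anti-virus engines are designed to flag), embeds a readable banner and a decoy id, and keeps a registry of planted decoys by content hash so that a copy seen leaving the network can be matched to its origin and so that backup or indexing jobs can be told which paths to skip. The banner wording, decoy ids, placement paths, registry and bait text are all assumptions made for illustration.

```python
"""Build and recognise 'benign malware' decoy files for a defensive minefield.

Added example, not from the paper. The EICAR test string stands in for real
malware: an intruder who copies the decoy onto a host with anti-virus gets an
alarm with no actual payload involved. Everything below is constructed.
"""
import hashlib

# The EICAR test string, assembled from two fragments so that this source file
# is not itself quarantined by on-access scanning on the machine it is saved on.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical message carried inside the decoy for whoever opens it.
BANNER = ("NOTICE: This file is a decoy placed by the network owner. "
          "Removing it from this network raises an anti-virus alert on the "
          "receiving system and the copy is recorded.")

MARKER = "DECOY-ID:"


def build_decoy(template: bytes, decoy_id: str) -> bytes:
    """Lay out a decoy as: EICAR string, banner, id marker, then the bait text.

    The EICAR convention places the string at offset 0; engines differ on
    whether they flag it when embedded deeper in a file, so it is kept first.
    Verify the output against the organisation's own AV before deployment.
    """
    if "\n" in decoy_id:
        raise ValueError("decoy id must be a single line")
    parts = [EICAR.encode("ascii"), BANNER.encode("utf-8"),
             (MARKER + decoy_id).encode("ascii"), template]
    return b"\n".join(parts)


def parse_decoy_id(blob: bytes):
    """Return the decoy id if this blob has our layout, otherwise None."""
    if not blob.startswith(EICAR.encode("ascii")):
        return None
    head = blob.split(b"\n", 3)          # [eicar, banner, marker line, rest]
    if len(head) < 3 or not head[2].startswith(MARKER.encode("ascii")):
        return None
    return head[2][len(MARKER):].decode("ascii")


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


class DecoyRegistry:
    """Planted decoys keyed by content hash, plus the set of planted paths.

    lookup() lets outbound-traffic or endpoint monitoring tie a seen copy back
    to its origin; is_planted_path() lets authorized jobs (backups, search
    indexers, AV sweeps) exclude decoy locations so they never trip the mine.
    """

    def __init__(self):
        self._by_hash = {}
        self._placements = set()

    def register(self, decoy_id: str, blob: bytes, placement: str) -> str:
        digest = sha256_hex(blob)
        self._by_hash[digest] = {"id": decoy_id, "placement": placement}
        self._placements.add(placement)
        return digest

    def lookup(self, blob: bytes):
        return self._by_hash.get(sha256_hex(blob))

    def is_planted_path(self, path: str) -> bool:
        return path in self._placements


if __name__ == "__main__":
    # Constructed bait text; in practice a realistic-looking document body.
    bait = b"Project index (archived copy)\nrev 3 drawings list follows\n"
    decoy = build_decoy(bait, "D-0001")
    reg = DecoyRegistry()
    digest = reg.register("D-0001", decoy, "/srv/eng/archive/index.txt")
    print("decoy id:", parse_decoy_id(decoy))
    print("hash:", digest[:16], "->", reg.lookup(decoy))
```

Two caveats a practitioner would want: a decoy built this way is not a valid office document, so the bait text is what sells it in a directory listing, not its contents; and the AV alert on the intruder’s side is the “action,” while the banner is the “message,” which is the pairing the paper argues for. The registry is what keeps the organisation’s own users off the minefield.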
Figure 4. Hypothetical message supporting the Cyber “RISK” theme (figure not reproduced here).
It is important to note that we may or may not be able to communicate persuasively with all types of intruders; only a valid TAA will provide a specific answer. It is worthwhile, however, to explore the “hacker” types for which we might succeed in crafting MISO influence messages in conjunction with psychologically significant cyber actions, since the synergy of MISO and Cyber used this way may resonate with those target audience types. Establishing a continual dialogue (Goodman) with our cyber adversaries through the integrated use of MISO and Cyber operations supports the defensive strategy of cyber engagement (Fraser et al.). Engaging our adversaries through MISO and psychologically significant cyber actions is well worth exploring and is something the MISO and Cyber communities should begin planning together.
[i] Dietz, Larry, Colonel, U.S. Army (Retired), “CyberWar is CyberPSYOP,” PSYOP Regimental Blog, 19 March 2010, http://psyopregiment.blogspot.com/2010_03_01_archive.html (accessed 7 March 2011).
[ii] Fraser, Nicolas Adam; Kaufman III, Robert J., Lieutenant Colonel, USAF (Retired); and Rydell, Mark R., Lieutenant Colonel, USAF (Retired), “It’s Time to Fight Back ‘Operationalizing’ Network Defense,” Air and Space Power Journal, Fall 2010, 29 and 32, http://www.airpower.au.af.mil/airchronicles/apj/apj10/fal10/2010_3_10_fraser.pdf (accessed 7 March 2011).
[iv] Secretary of Defense Memorandum, Changing the Term Psychological Operations (PSYOP) to Military Information Support Operations (MISO), 3 December 2010.
[v] Krekel, Bryan, Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, prepared for the US-China Economic and Security Review Commission, Northrop Grumman Corporation, Information Systems Sector, McLean, Virginia, 9 October 2009, 60.
[vi] NOTE: for the purposes of this paper we are using the term “threat actor” to denote unidentified individuals who penetrate or attempt to penetrate our networks. These threat actors may or may not be state actors.
[ix] The first three columns are from Chiesa, Raoul, and Stefania Ducci, Profiling Hackers: The Science of Criminal Profiling as Applied to the World of Hacking, CRC Press, Taylor and Francis Group, Boca Raton, Florida, 2009, 239 and 240. Column four is the authors’ assessment, based upon the general psychological characteristics outlined in Figure 1, the motivations outlined in Figure 2, and certain information presented by Chiesa et al. in their book.
[xi] Libicki, Martin C., Cyberdeterrence and Cyberwar, RAND Corporation, Santa Monica, CA, 2009, xix.