A paper for DEFCOM India, a prestigious journal of the Indian Army, edited by the Corps of Signals.
Vol 3 No 1 2017
Abstract – This paper explores the hypothesis that any modern information operations (INFOOPS) framework must understand the symbiotic, reflexive and inter-disciplinary arrangement between offence and defence. It postulates that information or intelligence, by its very technical nature, is of dual use and the key to an effective paradigm of strategic depth in cyberspace is to minutely understand the transitional nature of the domain. By citing emerging doctrinal approaches of other military powers, this paper highlights the problems that hinder seamless situational awareness across highly fluid informational spaces and cyber-geopolitical boundaries.
Keywords: Information operations, cyber defence, situational awareness and strategic depth.
1.1 Most INFOOPS frameworks inherit the rigid binaries around offence and defence that are generally applicable to the contemporary theatres of war. The kinetic nature of other informational spaces has also influenced the doctrinal approach towards cyberwar – wherein actions and counter-actions are seen through the lens of cause-effect, friendly-hostile, deterrence, proportional response, territoriality and other such conventionalities of military operations.
1.2 This paper builds upon the argument put forth by the Russian Chief of General Staff Valery Gerasimov that with the advent of “mobile, mixed-type groups of forces, acting in a single intelligence-information space”, the states of war and peace are now virtually indistinguishable. Gerasimov’s premise of a ‘non-linear war’ has captured the imagination of the Western strategic punditry, which has obsessively clung to the essence of his observations that ‘war is everywhere’.
1.3 Within the transitory realm of global geopolitical shape-shifting, cyber-capability has become an indispensable commodity of power. By briefly studying the competing frameworks of cyber offense and defence – and the subtle interpolations between the two – this paper arrives at the tenets for India’s own posturing in the arena.
2. IN THE KAFKA-LAND OF OPSEC & ATTRIBUTION
2.1 Never in the history of American politics has the schism between the United States (US) administration and the Intelligence Community been subjected to so much public scrutiny as it was during the presidential election of 2016. In a battle of perspectives, various arms of the US establishment pitted themselves against each other – the Federal Bureau of Investigation struggled with allegations of partisanship and the Central Intelligence Agency felt so isolated that it feared losing the confidence of the incoming President – as the very legitimacy of the electoral process started getting questioned.
2.2 The pivot of a seemingly uni-polar world came under tremendous strain, all because of a trivial hack of the Democratic National Convention’s (DNC) computer network. A rather unsophisticated spear phishing attack compromised the email accounts of the key functionaries of the DNC’s campaign team. Knowing well that people are more prone to their impulses over fast-paced online communications, the hacker selectively leaked some of the emails in a series of long-drawn, well-timed public disclosures. The uncensored chatter in an extremely dynamic situation got permanently etched into the public consciousness – doing incalculable damage to the candidacy of the DNC’s two front-runners, Hillary Clinton and Bernie Sanders.
Picking up the trail of slip-ups in the attacker’s operational security (OPSEC) measures, premier cyber counter-intelligence teams from the private sector were the first to point fingers towards the Russian intelligence apparatus. But it wasn’t until the outcome of the election that the US administration officially acknowledged the roles of the Russian Federal Security Bureau and the Glavnoye Razvedyvatel’noye Upravleniye (its military intelligence agency).
2.3 In an unprecedented move amidst the growing public and political pressure, the Office of the Director of National Intelligence and the National Cybersecurity and Communications Integration Centre of the US declassified two separate reports. These dossiers walked a very thin line between establishing the credibility of the investigative findings and concealing the intelligence tradecraft used to arrive at them.
But whistle-blower Edward Snowden had already tweeted that XKEYSCORE – the National Security Agency’s (NSA) all-encompassing signals intelligence (SIGINT) search engine – facilitates the tracking of cyber-espionage campaigns, actors, botnets and exfiltration channels. He also claimed to have used it to home in on Chinese operations, expressing that “[cyber counter-intelligence] being the only case in which mass surveillance has actually proven effective.”
2.4 Given the way the internet has been designed, hacker attribution remains the most pressing of challenges, and an investigation can come to a grinding halt in its very initial stages. Putting all your bets on the OPSEC mistakes of the adversary is a risk which intelligence agencies simply can’t afford to live with – it is also a recipe for a perfect false-flag operation. The US Government’s (USG) reports on Russian hacking must have fused the inputs of multiple human and technical sources from various offensive and defensive espionage functions – transcending the cyber-physical divide – making the USG confident enough to issue sanctions against specific individuals and organisations.
2.5 A 2010 presentation from the trove of classified documents leaked by Snowden reveals the workings of one such counter-hacking program, codenamed DEFIANTWARRIOR. Run by Tailored Access Operations (TAO) – a highly-specialised Computer Network Exploitation unit under the NSA – it leverages the multifaceted SIGINT capabilities of many platforms for just one task: the hostile takeover of foreign botnets.
2.6 DEFIANTWARRIOR devours signals from the electronic dragnets run by the Five Eyes (an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the US), the mid-point exploitation frameworks of the Government Communications Headquarters (the British counterpart of the NSA), and a worldwide active-passive collection platform worth half a billion dollars called TURBULENCE (or QUANTUMBOT). The seamless, 360-degree, back-and-forth transition from hostile cyberspace to its own that DEFIANTWARRIOR allows serves as a case in point for the massive effort and resources required to guarantee fool-proof attribution.
3. WAR IS EVERYWHERE
3.1 If the assertions of the USG are correct, then this incident also provides a fascinating peek into the changing narrative of war. While there is no publicly available proof or postulation to make one believe that the Russian establishment endorses a specific military doctrine, a strikingly candid article written by its Chief of General Staff Valery Gerasimov has kept the pundits intrigued.
3.2 It was written for Voenno-promyshlennyi kur’er (Military-Industrial Courier) – a mouthpiece so inconsequential that it belies the attention garnered by an article with an equally ambiguous title, ‘The Value of Science in Prediction’. Yet the Western strategic community has deconstructed its every sentence and punctuation mark many times over, hoping that it will reveal itself like some esoteric Kabbalah script. Such is the popularity of the piece that someone even re-christened it the ‘Gerasimov Doctrine’.
3.3 To assume that it speaks for the whole of the Russian defence establishment may be far-fetched; nevertheless, it does serve as a pointer to the prevalent schools of thought. Gerasimov summarily and impressively observes that, just like the “blurring [of] the lines between the states of war and peace”, the “differences between strategic, operational, and tactical levels, as well as between offensive and defensive operations, are being erased”. He goes on to propose the paradigm of what the pundits prefer to call the ‘non-linear war’:
3.4 These days, together with traditional devices, nonstandard ones are being developed. The role of mobile, mixed-type groups of forces, acting in a single intelligence-information space because of the use of the new possibilities of command-and-control systems has been strengthened. Military actions are becoming more dynamic, active, and fruitful. Tactical and operational pauses that the enemy could exploit are disappearing. New information technologies have enabled significant reductions in the spatial, temporal, and informational gaps between forces and control organs. Frontal engagements of large formations of forces at the strategic and operational level are gradually becoming a thing of the past. Long-distance, contactless actions against the enemy are becoming the main means of achieving combat and operational goals. The defeat of the enemy’s objects is conducted throughout the entire depth of his territory.
3.5 For a nation that is economically the size of Italy – crippled by international sanctions and shrunk by the price drop of its major export, crude oil – this may appear to be a very valid militaristic worldview. As the analysts say, it perfectly falls in line with Russia’s geopolitical trumps in Ukraine and Syria.
3.6 Media commentators have also used it to conjecture why the DNC hack played out the way it did. However, the only takeaway from all the theorising is that when ‘war is everywhere’, the limelight mainly falls on cyberspace. This applies to all the nations claiming a stake in the future.
4. GOOSE-STEPPING THE INDIAN CYBERSPACE
4.1 The challenge for emerging military powers like India is to see beyond the ambit of the ‘kinetic mindset’. Aggression or hostility may not precede the application of force. The notions of cause-effect, deterrence, proportional response, territoriality and other such conventionalities of military operations may not be applicable anymore.
4.2 The first tenet that needs to be enshrined is that information or intelligence by its very nature is of dual use. Any INFOOPS paradigm must understand the symbiotic, reflexive arrangement between defence and offence, also deducing the transitional stages where there is no realisable difference between the two.
4.3 It’s a lesson that the US military learnt well from its failings, and one that has since been harmonised with its chain of command. In 2008, the US Department of Defence discovered another trivial cyber-attack on its infrastructure. A run-of-the-mill computer worm ended up infecting thousands of systems belonging to classified networks that are physically and logically separated (air-gapped) from the internet. The INFOCON – the threat level classifier for the American cyberspace – was elevated to three. The Pentagon launched an exhaustive clean-up operation called Operation Buckshot Yankee that lasted fourteen months.
4.4 Though not the first of such outbreaks, it received the unprecedented response of being seen as an attack on US soil. With its enhanced situational awareness, the NSA could trace the malicious pings to certain actors. In an ingenious use of its offensive capability for defence, TAO exploited foreign systems to look for potential variants and weed them out. But the NSA stepped into a grey area, as it was not authorised to undertake military operations. On the other hand, the Pentagon’s cyber-offensive unit – Joint Functional Component Command, Network Warfare – was grappling with the legal ramifications of neutralising non-military systems in friendly foreign cyberspace. To further aggravate the crisis, no one had the mandate to probe into domestic civilian networks.
4.5 This seminal deadlock led to the creation of the US Cyber Command (USCYBERCOM). But seeing the synergistic nature of offense and defence, it was co-located with the NSA at Fort Meade to tap into its phenomenal active-passive collection infrastructure. The Director of the NSA also became the ‘dual-hatted’ chief of the USCYBERCOM.
4.6 The second tenet that the Indian Armed Forces must imbibe is that the theatre of cyberwar can’t be clearly demarcated. Even to this day, its cyber-defence frameworks are built on the arcane notion of air-gapping. There are documented public instances where TAO-authored malware like the Equation Group’s has penetrated physically isolated networks in India with ease, remaining persistent for decades. It may be accomplished in a variety of ways – by exploiting the human component or by merely piggybacking on the pervasive super-set that is the electromagnetic spectrum. COTTONMOUTH is one example from the NSA’s play-set to jump the air-gap; the interdiction of Cisco and Juniper routers to install implants and backdoors in them is another. Even the unanticipated radio signals emanating from systems and their thousands of components open a space for exploitation – a fact known to the NSA since the Cold War.
4.7 The third tenet applies to all the policy-making arms of the Indian Government. Pulverising every node of an adversary’s information backbone, well before any kinetic action, is not a tale of science fiction but the stark reality staring right at us. Like the NSA’s Operation Nitro Zeus, which planted a logical time-bomb in all of Iran’s critical infrastructure, a futuristic foe may already be knocking at our doorsteps. Any outward-looking INFOOPS initiative to use cyber as an instrument of strategic depth should also peek inwardly at the existential threat it poses. Every act of compromise paves the technical way for a counter-attack to piggyback upon it. This was evident when the NSA’s cyber-attack staging servers were infiltrated by a mysterious hacking group and its toolkits released to the public.
4.8 Intuitively, the NSA’s own OPSEC methodologies can come to the rescue. The exfiltrated data from compromised systems is routed from the Low Side (the insecure internet) to the virtual Listening Posts on the NSA’s High Side (a logically separate network operating on a set of secure protocols). It uses interfaces called data diodes (uni-directional hardware security gateways), codenamed SURPLUSHANGAR and HANGARSURPLUS, to facilitate ingress and egress flows to and from the High Side.
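The defensive property that matters in the Low Side / High Side arrangement above is that a data diode has no return path, so the receiving side can never acknowledge or request retransmission and must detect loss and corruption on its own. The following software model is an added example (not the paper’s or the NSA’s code); the class names, the frame layout and the fault pattern are all constructed for illustration.

```python
import hashlib
import struct

TAG_LEN = 8  # truncated SHA-256 integrity tag appended to every frame


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Constructed wire format: 4-byte big-endian sequence number, payload, integrity tag."""
    body = struct.pack(">I", seq) + payload
    return body + hashlib.sha256(body).digest()[:TAG_LEN]


def decode_frame(raw: bytes):
    """Return (seq, payload), or None when the frame is truncated or its tag does not verify."""
    if len(raw) < 4 + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if hashlib.sha256(body).digest()[:TAG_LEN] != tag:
        return None
    return struct.unpack(">I", body[:4])[0], body[4:]


class DataDiode:
    """One-way gateway (hypothetical name). Its only operation is low-to-high delivery;
    there is deliberately no method that carries anything back to the low side."""

    def __init__(self, deliver):
        self._deliver = deliver

    def push(self, raw: bytes) -> None:
        self._deliver(raw)


class ListeningPost:
    """High-side receiver (hypothetical name). With no return path it cannot ask for a
    resend, so it reassembles by sequence number, tolerates duplicates, and records
    corrupt frames and gaps for an operator to act on."""

    def __init__(self):
        self.frames = {}
        self.corrupt = 0

    def receive(self, raw: bytes) -> None:
        decoded = decode_frame(raw)
        if decoded is None:
            self.corrupt += 1
            return
        seq, payload = decoded
        self.frames.setdefault(seq, payload)  # a duplicate copy is simply ignored

    def missing(self, total: int) -> list:
        return [s for s in range(total) if s not in self.frames]

    def data(self) -> bytes:
        return b"".join(self.frames[s] for s in sorted(self.frames))


def transfer(chunks, diode, repeats=2, drop=(), flip=()):
    """Low-side sender: every chunk is sent `repeats` times because no ACK can ever arrive.
    `drop` and `flip` are indices into the wire stream that simulate loss and bit errors."""
    wire = [encode_frame(i, c) for i, c in enumerate(chunks) for _ in range(repeats)]
    for idx, raw in enumerate(wire):
        if idx in drop:
            continue
        if idx in flip:
            raw = raw[:-1] + bytes([raw[-1] ^ 0xFF])
        diode.push(raw)


def demo() -> ListeningPost:
    post = ListeningPost()
    diode = DataDiode(post.receive)
    chunks = [b"alpha", b"bravo", b"charlie", b"delta"]  # constructed sample data
    # constructed fault pattern: both copies of chunk 2 are lost, one copy of chunk 0 is corrupted
    transfer(chunks, diode, repeats=2, drop={4, 5}, flip={1})
    return post
```

Run `demo()` and inspect `post.missing(4)` and `post.corrupt`: the High Side learns that chunk 2 never arrived and that one frame failed its tag, without ever emitting a byte towards the Low Side.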
5.1 Largely driven by geopolitical imperatives, the powers-that-be have wilfully propagated a broken internet, but this mine may soon run out of gold if the odds of sustaining it become too high. How and when a piece of chip or a line of code will open a window of vulnerability may remain unknown until the Rubicon is crossed. The millions of permutations and combinations leading to exploitable attack paths increase exponentially with every added interface, and there are thousands of them in a single computational system.
5.2 The challenge for India is to allocate billions of dollars and create a ten-year roadmap for information dominance that covers everything from indigenisation, manufacturing, staffing, real-time situational awareness, cyber resilience, a policy and command structure, and covert expeditionary operations to a full-spectrum INFOOPS framework covering the political, diplomatic, economic, social, and military dimensions. The unclear and overlapping demarcations between an aberration and an attack, between prevention and response, and between friendly or hostile and domestic or foreign informational spaces must be waded through elegantly, if not commandingly.
- K. Gilsinan and K. Calamur, “Did Putin Direct Russian Hacking? And Other Big Questions,” The Atlantic, 6 Jan 2017. [Online]. Available: https://www.theatlantic.com/international/archive/2017/01/russian-hacking-trump/510689/.
- H. D. Parton, “Spy vs. spy: The CIA says Russia hacked the election to help Trump – and we know the FBI did,” Salon, 12 Dec 2016. [Online]. Available: http://www.salon.com/2016/12/12/spy-vs-spy-cia-says-russia-hacked-the-election-to-help-trump-and-we-know-the-fbi-did/.
- T. Rid, “How Russia Pulled Off the Biggest Election Hack in U.S. History,” Esquire, 20 Oct 2016. [Online]. Available: http://www.esquire.com/news-politics/a49791/russian-dnc-emails-hacked/.
- National Cybersecurity and Communications Integration Center & Federal Bureau of Investigation, “JAR-16-20296: GRIZZLY STEPPE – Russian Malicious Cyber Activity,” 29 Dec 2016. [Online]. Available: https://www.us-cert.gov/sites/default/files/publications/JAR_1620296A_GRIZZLY%20STEPPE-2016-1229.pdf.
- Office of the Director of National Intelligence, USA, “Background to ‘Assessing Russian Activities and Intentions in Recent US Elections’: The Analytic Process and Cyber Incident Attribution,” 6 Jan 2017. [Online]. Available: https://assets.documentcloud.org/documents/3254237/Russia-Hack-Report.pdf.
- S. Biddle, “Top-Secret Snowden Document Reveals What the NSA Knew About Previous Russian Hacking,” The Intercept, 29 Dec 2016. [Online]. Available: https://theintercept.com/2016/12/29/top-secret-snowden-document-reveals-what-the-nsa-knew-about-previous-russian-hacking/.
- US Department of the Treasury, “Issuance of Amended Executive Order 13694; Cyber-Related Sanctions Designations,” 12 Dec 2016. [Online]. Available: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20161229.aspx.
- National Security Agency, “20150117-Spiegel-Overview on the NSA Use of Bots and the DEFIANTWARRIOR Program,” 24 May 2010. [Online]. Available: https://www.eff.org/document/20150117-spiegel-overview-nsa-use-bots-and-defiantwarrior-program.
- R. Sesek, “Unraveling NSA’s TURBULENCE Programs,” Robert Sesek’s Homepage, 15 Sep 2014. [Online]. Available: https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html.
- L. Constantin, “The NSA not only creates, but also hijacks, malware with Quantumbot,” ComputerWorld from IDG, 29 Jan 2015. [Online]. Available: http://www.computerworld.com/article/2871687/the-nsa-not-only-creates-but-also-hijacks-malware-with-quantumbot.html.
- M. Galeotti, “The ‘Gerasimov Doctrine’ and Russian Non-Linear War,” In Moscow’s Shadows, 6 Jul 2014. [Online]. Available: https://inmoscowsshadows.wordpress.com/2014/07/06/the-gerasimov-doctrine-and-russian-non-linear-war/.
- M. K. McKew, “Putin’s Real Long Game,” Politico Magazine, 1 Jan 2017. [Online]. Available: http://www.politico.com/magazine/story/2017/01/putins-real-long-game-214589.
- E. Nakashima, “Cyber-intruder sparks response, debate,” The Washington Post, 8 Dec 2011. [Online]. Available: https://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-responsedebate/2011/12/06/gIQAxLuFgO_story.html?utm_term=.3b5bdf971058.
- D. Goodin, “How ‘omnipotent’ hackers tied to NSA hid for 14 years – and were found at last,” Ars Technica, 17 Feb 2015. [Online]. Available: http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/.
- National Security Agency, “The SCS Cyber Advantage,” Duncan Campbell’s Website. [Online]. Available:
- National Security Agency, “ANT CATALOG: USB,” GOV1.INFO. [Online]. Available: https://nsa.gov1.info/dni/nsa-ant-catalog/usb/index.html.
- S. Gallagher, “Photos of an NSA ‘upgrade’ factory show Cisco router getting implant,” Ars Technica, 15 May 2014. [Online]. Available: http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/.
- K. Zetter, “New Discovery Around Juniper Backdoor Raises More Questions About the Company,” Wired, 8 Jan 2016. [Online]. Available: https://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company/.
- REDACTED, “TEMPEST: A Signal Problem,” National Security Agency, 27 Sep 2007. [Online]. Available: https://www.nsa.gov/news-features/declassified-documents/cryptologicspectrum/assets/files/tempest.pdf.
- P. Szoldra, “The US could have destroyed Iran’s entire infrastructure without dropping a single bomb,” Business Insider, 7 Jul 2016. [Online]. Available: http://www.businessinsider.in/The-US-could-have-destroyed-Irans-entire-infrastructure-without-dropping-a-single-bomb/articleshow/53089295.cms.
- P. Singh, “The ‘Shadow Brokers’ & The NSA Hack: Some More Wild Conjecturing in A Wilderness of Mirrors,” Bhujang, 17 Aug 2016. [Online]. Available: https://bhujang.net/blog/the-shadow-brokers-the-nsa-hack-some-more-wild-conjecturing-in-a-wilderness-of-mirrors/.
- C. Timberg, “Net of insecurity: The real story of how the Internet became so vulnerable,” The Washington Post, 30 May 2015. [Online]. Available: http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/.
- J. Wallen, “Zero Days: Why the disturbing Stuxnet documentary is a must-see,” TechRepublic, 31 Jul 2016. [Online]. Available: http://www.techrepublic.com/article/zero-days-why-the-disturbing-stuxnet-documentary-is-a-must-see/.