Unless your cave doesn’t have wifi, you probably know by now that 12 operatives from the GRU have been indicted by special counsel Robert Mueller.
The supporting document is a rare artefact, in the sense that it is the most public exposition of American cyber tradecraft ever.
Its analysis has been bolstered by an agency – the NSA, in case you are wondering – whose very DNA has been hardcoded with operational deniability. Remember, the US still issues a Glomar response on Stuxnet even though the operation has been outed by a hundred different sources.
There’s a specific reason behind that, which I will address in a separate article, but in a nutshell: nation states are still figuring out how cyber operations fit into the escalatory and declaratory ladders of conflict.
Until that gets chiselled out through experience and mistakes, cyber attacks will keep enjoying a sort of forced plausible deniability. I mean, would our world be any different if Iran, North Korea or Russia had owned up to Shamoon, Sony or the DNC? Maybe not.
I’m always reminded of the assessment of Col. Gary D. Brown, former staff judge advocate of USCYBERCOM. He posits that states not defining their limits and capabilities in cyberspace is a big impediment to norm-setting.
Norms, as we imagine them, are the organic outcomes of the customs and practices of nations. So, the law of armed conflict, or whatever international markers we have established, become hazy when capabilities aren’t defined. That is exactly why the Tallinn Manual remains such a dud, apart from the fact that it’s overly kinetic-centric.
Dave Aitel labelled Stuxnet the “announcement of a team” more than anything else – a team that could take out any factory, any time. Over time, the US Department of Defense (DoD) seems to have figured out how cyber fits into the declaratory dimensions of power. It is exactly why the DoD tries so hard to control the mathematics of the domain.
Yet, as Jacquelyn Schneider of the US Naval War College astutely observes: the military leaders get cold feet while calculating its escalation dynamics. To quote from a yet-to-be-published piece of mine:
A study of wargames conducted from 2011 to 2016 revealed a consistent pattern of overestimating the escalatory risk of cyber operations – the assumption being that they would eventually lead to nuclear war. So awesome was the mythos around cyber that the defensive teams exercised restraint in cyberspace even when allies were getting nuked. This fear psychosis pervaded the chain of command all the way to the top.
Jason Healey concludes that it was the US which got deterred in the run-up to the Russian election hacking.
The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings.
This indecisiveness was born out of a lack of political arithmetic for cyber operations. Cyber deterrence has little to do with the technicalities of the domain.
Coming back to the dossier, when the NSA, via the FBI, goes on to name the operatives and publishes their internet search histories, it’s merely giving cyber deterrence the required politico-legal shape.
Most pundits have fallen into the wow-trap. See, the competence of the NSA is well respected, thanks to Snowden. The attribution of APT28 has been open-sourced too, as the private sector has played a major investigative role. Even the details of the GRU units had trickled out earlier.
The NSA is actually letting out a banshee-like scream with this trailer of capabilities: you may win a battle or two, but we are here to win the war.
Andrea L. Limbago of Endgame sums it up:
[These] indictments demonstrate the potential for attribution and the level of capabilities that can provide this evidence, help support a broader deterrence strategy.
While the 12 operatives are being portrayed as some wily geniuses, it’s clear that the team was overworked and understaffed. Tasked with a high-pressure, overwhelming mandate, they left a trail of OPSEC mistakes.
When hackers hack at scale, they reuse infrastructure. They make mistakes. This isn’t unusual. You can piece the bits together.
— Pwn All The Things (@pwnallthethings) January 4, 2017
Similarly, we also saw an Indian cyber mercenary succumbing to the fog of war.
Or it could be the case that, in The Grugq’s trademark British humour, the Russian OPSEC policy is YOLO.
I can’t locate the exact tweet as always. Somewhere on The Grugq’s Twitter timeline – the most authoritative compendium of tradecraft on the internet – there’s a mention of linguistics and anthropology as the foundational sciences of cyber operations.
I couldn’t agree more. Richard J. Danzig recommends studying the “adversarial ecosystem of cyberspace in anthropological detail”. China even runs a full-fledged language feeder school, SISU, to complement its lucrative technical setup for cyber espionage.
While the two GRU units focused on hacking and dissemination, little effort went into the language front. There’s a marked similarity between the conspiratorial punchlines of the Shadow Brokers and the tin-foil-hat references to the Illuminati by Guccifer. The GRU’s understanding of the paranoid hacker archetype sounds amusing and probably borrows from the KGB’s dealings with hackers like Karl Koch during the Cold War.