During my stint with the government, we established formal contact with a Western signals intelligence agency. In one of the highly ceremonial and limited interactions with our counterparts from that agency, my boss joked of recruiting a “young gun” who was spearheading cyber operations. That was me.
While I have always rated myself as a below-average hacker, I was indeed a test case for the government in inducting ‘specialists’ into the system via lateral entry (Don’t ask me how it went).
Anyhow, an officer from the said Western agency had a similar story to share: its head of cyber operations too was a chap quite junior for his pay-grade.
The point is: unlike other disruptive military technologies whose eventual aim is productisation, the man always outwits the machine in cyber.
Regardless of the billion-dollar offensive toolchains which some SIGINT agencies now boast of, everything stems from the mind of the operator (Well, that may remain true until Darpa’s hacking automatons from the Cyber Grand Challenge take over).
In 2017, Gen. Paul Nakasone said “our best [coders] are 50 or 100 times better than their peers,” and asked “Is there a sniper or is there a pilot or is there a submarine driver or anyone else in the military 50 times their peer? I would tell you, some coders we have are 50 times their peers.”— Putting a value on the 50x coder
And I had mentioned my recent op-ed for The Quint:
You build cyber capabilities and expertise over decades, hinged around generations of disciplined cadres of hackers. You hope that one day, the brightest among them would become a commander. This is true in the case of Gen Paul Nakasone, the current head of the USCYBERCOM.— US-Iran Tensions: What Indian Cyber Commanders Can Learn
Regimented hacking relies on a lineage of operators. In that way, it is almost like the nuclear programme.
What do you do when you are dealing with a possible capability mismatch between you and the adversary? It makes all the sense to neutralise that ’50x coder’ like the nuclear scientists of the past. You want to kill an institutional culture or a lineage.
Legally, it is a tenuous proposition. When I quizzed a hotshot Indian cyber lawyer as to whether military hackers are to be deemed as combatants in accordance with the Law of Armed Conflict, he was noncommittal in his response.
But here is an interesting overlap between cyber operations and targeted assassinations: in both cases, norm-violation is a form of norm-setting.
“International law progresses through violations. We invented the targeted assassination thesis and we had to push it. At first there were protrusions that made it hard to insert easily into the legal moulds. Eight years later it is in the center of the bounds of legitimacy.” — Daniel Reisner, Israel Defence Forces— Consent and Advise
I am reminded of Nate Fick’s aphorism: “Governments would be tempted to hack more killers, and kill more hackers.” Cyber operations are massively cascading in terms of their effects, which could cause extreme but invisible damage to national security and sovereignty. Neutralising hackers, as in the case of nuclear scientists, is a viable option that has been suitably expended in the past.— US-Iran Tensions: What Indian Cyber Commanders Can Learn