The chimera of cyber offence

This is a hot take on a recent piece by two National Law University Delhi academicians, Gunjan Chawla and Vagisha Srivastava: What are ‘offensive cyber capabilities’?

The article starts on the right note: briefly pointing out the evolution of the terminology with which Western militaries have tried to circumscribe cyber operations within a quasi-legal framework.

But it stops short of explaining the whys and hows of this evolution. If that’s not understood, then we fail to see why defining offensive capabilities — without understanding the delineation (or the lack of it) between cyber techniques and effects — becomes an exercise in futility.

By not addressing these fundamentals, you slip into a quicksand of lexicon, taxonomies, hypotheses, assumptions, rhetoric and legalese.

It’s like you are just stepping onto the moss-laden floor of a triple-canopy rainforest, and yet you feel that you could confidently define all the flora and fauna that exist there.

The shift from the Computer Network Operations framework — which further spins off into Computer Network Exploitation, Computer Network Attack and Computer Network Defence — to simplistic Offensive Cyberspace Operations and Defensive Cyber Operations really captures the ongoing struggle of lawyers and strategists.

I must point out that while all that was happening, the technical underpinnings of cyber operations DIDN’T CHANGE AT ALL — the evolution was purely ideological.

The two documents which should have become the very foundation of Chawla and Srivastava’s ‘exegesis’ are Joint Publication (JP) 3-13, Information Operations, and JP 3-12, Cyberspace Operations.

As I write in my never-to-be-published book:

Joint Publication (JP) 3-13, Information Operations of the U.S. Joint Chiefs of Staff published in 1998 was for long the lodestar of Western strategic thought in cyber. It was replaced by a new doctrine JP 3-12, Cyberspace Operations in 2013, declassified in 2014…

It ironically shifts the core capabilities of cyber from the information environment to air, land, maritime, and space…

JP 3-12 remains a work in progress as cyberspace undergoes a sort of creative destruction where every transgression, violation or attack sets new norms. It was last updated on June 8, 2018 – recalibrated to better process and adapt to the ongoing Russian hostilities.

It also marks the phasing out of many operational terms that are still popular in the cyber security industry…

Supporting documents and data which could have assisted us in understanding the gradual elevation of JP 3-12 remain classified. [Alexander] Klimburg believes that with JP 3-12 “the U.S. is entering its third generation of visualising conflict in this domain”. But he also noted that “these three generations of thought have developed in an epistemic bubble, one that is nearly impenetrable for outsiders”.

— The Hacker and the Prime Minister (draft manuscript)

Remarkable is the fact that JP 3-12 is a living document. Policymakers must run a diff, and deeply deliberate why some words are being added to and subtracted from it over time.

However, elements of this discourse doubting the applicability of the CNO framework did seep into the public sphere, most notably with the writings of Col. Gary D. Brown, the former staff judge advocate of the US Cyber Command.

Chawla and Srivastava would do well to read ALL of Brown’s papers. They may realise that the struggle is far from over, and that confusing capabilities and techniques with effects could essentially weaken your doctrinal and command structures.

What holds more power: Degrade, Deny, Disrupt & Destroy…or Access, Analyse, Remove & Offer? That should be the kōan (公案) for every student of cyber statecraft.

Source: https://www.slideshare.net/pukhraj/pukhraj-singh-keynote-itweb-security-summit-johannesburg-south-africa

There is better lexicon to follow which could really clear the haze, like event-based and presence-based cyber operations. The Russians have something even more effective: informational-psychological and informational-technical effects.

Chawla and Srivastava write:

However, from a legal standpoint, one cannot say that ‘capabilities’ and ‘operations’ are synonymous any more than one could claim that having ‘arms/ammunitions/weapons’ are synonymous to an ‘armed attack’.

This, right here, marks the failure of imagination of the legalists. Because such underlying assumptions are not challenged by the legal community, the discourse around cyber policy has become excessively teleological. It exudes unquestioning religiosity rather than doubt, objectivity, scrutiny and rigour.

Analogical reasoning has truly become the bane of cyber policy.

Let me give you an example: the most effective way to acquire power in cyberspace till now is by maintaining passive access. I mean, the very fact that you have a company like Huawei or Cisco in your kitty directly bolsters your posturing, leaving aside the question of whether such access is weaponisable or not.

The conduits of power projection in cyberspace are mostly passive and tertiary — the resultant effects of second, third, fourth or fifth order. It’s exactly why the US Government spent the last three decades shaping rather than signalling.

Yet, in spite of the multiplicity of terms employed, offensive cyber capabilities can be categorised broadly as the ability to conduct a cyber attack or cyber exploitation.

Exploitability and attack in cyberspace are the cognitive outcomes of an operator exhibiting wilfulness and intent to undermine the adversary. The intent doesn’t reside in the code; code is just semantics. Everything else — be it the supply chain, a compromised President, a social media post or a state-influenced antivirus company — just becomes the means to these informational ends.

Something more to mull over from the draft book:

Such demarcation is usually thin and procedurally non-existent even internally within operational setups. So much so that after decades of operating independently the NSA even merged its offensive Signals Intelligence Directorate (SID) and the defensive Information Assurance Directorate (IAD) into a conjoined Directorate of Operations in 2016. As Richard “Dickie” George, former technical director with the IAD, once epiphanised, “Defence and offence really were one team, we eventually realised.”

In June 2018, the Australian Computer Emergency Response Team, the national cyber security response body, too, was transitioned to the Australian Signals Directorate (ASD), the offensive agency.

Because it deals with something as primal as information, cyber is probably the most dual-use of technologies that policymakers would ever encounter. Nothing comes close, not even nuclear.

Mike Walker is a former program manager at the Defense Advanced Research Projects Agency (DARPA), which ran the forerunner to the internet. On seeing machines hacking machines at the Cyber Grand Challenge, the world’s first automated hacking tournament, held in 2016, Walker exhorted, “I cannot change the reality that all security tools are dual-use.”