The SolarWinds hack has triggered deep introspection within policy circles.
One realisation I am arriving at is that military strategies in cyberspace seem to want to define “contact” in conventional terms rather than in terms of how contact actually works in cyber operations.
Defend Forward is a manifestation of this ideological substrate. Its “Forward” component treats adversarial capabilities as attack infrastructure and hostile networks that could serve as launchpads, or at least that is how its expeditionary nature is publicly understood.
So, you disrupt the operational network of the Internet Research Agency and Daesh, or dox the malware and staging infrastructures of the North Koreans and Russians, etc.
Dave Aitel, however, has pointed out that Defend Forward is not just about defending forward in space but also in time. I am not questioning the effectiveness of such tactics; that is not my focus here. What concerns me is how the discourse of adversarial competition in cyberspace is being made to fit conventional military paradigms.
The best articulation of the technical nature of this competition, or the lack of it, comes not from a soldier or a wonk but from the reverse engineer Halvar Flake. He explains that the attacker and the defender are never in direct competition with each other. In fact, both parties spend the majority of their effort minimising the friction and uncertainty that arise from “the world.”
Chris Inglis sees it through the lens of “extreme target dependence.”
That brings me to the larger argument around the nature of “contact” being sought by Defend Forward — and why.
It’s not as though militaries are unaccustomed to noncontact operations. But in this case, the search for contact likely points to systemic issues. First, the Pentagon’s penchant for realising cyber effects within the ambit of D5: deceive, degrade, deny, disrupt, and destroy. Herbert Lin has written about how this created a disjointedness between the cyber and information operations doctrines.
Second, the strict delimitation of the information operations strategy to the military establishment, lacking a strong civilian or diplomatic component.
This has two possible side-effects. First, you may never reach the thresholds of attrition that would make things intolerable, costly or untenable for the adversary. The adversary and you may remain on wholly different cognitive planes. This most likely happened in the case of Russia.
Second, you could trail behind the threat landscape. How would Defend Forward’s expeditionary strategy adapt if the adversary resorted to blended operations instantiated by HUMINT and a heterogeneous, autonomous and cooperative sensor network rather than a centralised, infrastructure-driven command-and-control?
What if the adversary resorts to disengaged automation instead of direct competition? What would the “Forward” of Defend Forward look like then? And wouldn’t “Defend” change to “Attack”? (References: Grugq’s talk on Aggressive Autonomous Agents, Dave Aitel’s obsession with myrmecology, Halvar Flake’s thoughts on the potential of automation in offence, and Ciaran Martin’s recent speech.)
An autonomous wormable payload will be discovered, with complex targeting logic & extensive modularity, only a fraction of which will be fully reversed or understood. But this will nonetheless be used in marketing materials for years to come.
— HostileSpectrum (@HostileSpectrum) December 31, 2020
All this leads to the discussion around cyber grand strategy. Doesn’t Joint Doctrine Note 1-19, Competition Continuum, call into question the nature of the deterrence sought by Defend Forward? As a result of your actions, has the adversary even engaged in wilful or inadvertent competition? If not, is the strategy working in its current form?
There is no simple answer. As long as Defend Forward remains a bounded operational component of a broader strategy, the answer is yes. But its gradual elevation to a full-blown deterrence framework could become a structural impediment.
Chinese and Russian doctrines, as expounded by Timothy L. Thomas, may have an answer, particularly in their emphasis on “system of systems operations.”