Thursday, April 30, 2015

Paradoxes of (Cyber) Counterinsurgency

This is a shameless cross-post.  Okay, not completely shameless - it is a refined and expanded version of a piece I originally posted to a couple of months ago. It incorporates some feedback on the original post and a detailed review by a colleague. It is an interesting topic that I may continue to refine. Certainly interested in further feedback.

The U.S. Army’s Field Manual 3-24, Counterinsurgency, broke the mold for Army doctrine, providing insights into counterinsurgency operations that were largely unknown to U.S. military professionals and offering techniques that could be applied at both the operational and tactical levels to improve local conditions.  The manual also highlighted the complex nature of counterinsurgency operations with a list of paradoxes, or seemingly contradictory truths, that capture the difficulties inherent in this type of military operation.  Many parallels can be drawn between counterinsurgency and cyber operations, and practitioners of both face challenges even more complex than those encountered in traditional, kinetic military operations.  Herein we provide a list of cyber paradoxes in the spirit of the counterinsurgency paradoxes given in FM 3-24.  Through these paradoxes we hope to highlight the inherent complexity of cyber operations and provide insights to those who hope to succeed in this new operational domain.

The publication of the Army’s Field Manual 3-24, Counterinsurgency, in 2006 was a watershed event in the history of US Army doctrine.  Previously published Army manuals, and much of the doctrine1 published since, tend to take a very high-level view of military operations.  These manuals often provide a great deal of theoretical background with little practical applicability.  Many military practitioners see them as abstract tomes handed down from the ivory tower of the Combined Arms Doctrine Directorate at Fort Leavenworth, KS.  Many Army officers even pride themselves on having avoided reading most of the doctrine that underpins their profession.

The new counterinsurgency manual was different.  The primary authors were then Lieutenant General David Petraeus and Lieutenant Colonel John Nagl2 at the Combined Arms Center at Fort Leavenworth.  It is unusual for a senior officer like LTG Petraeus to have such a hands-on role in writing doctrine, but Petraeus never shied away from the unusual.  A highly decorated Infantry Ranger with a Ph.D. in international relations from Princeton, Petraeus had just been promoted after successfully commanding one of the most storied divisions in the Army, the 101st Airborne Division.  His command included a year-long deployment to Mosul, Iraq during Operation Iraqi Freedom, where Petraeus quickly learned how to conduct counterinsurgency operations successfully.  His primary co-author, John Nagl, graduated near the top of his West Point class in 1988 and, as a Rhodes Scholar, earned a doctorate from Oxford University, where he studied counterinsurgency.  Nagl published a revised version of his doctoral dissertation in 2002 under the title Learning to Eat Soup with a Knife, a well-received history of counterinsurgency lessons from Malaya and Vietnam.  The title was meant to convey unlikely successes in the seemingly impossible task of counterinsurgency.  Nagl had also served in Operation Iraqi Freedom as an Armor Battalion Operations Officer in the 1st Armored Division.  FM 3-24 was a refreshingly practical manual, grounded in historical counterinsurgency doctrine and in the lessons both officers learned from their own experience fighting the deepening insurgency in Iraq in 2003 and 2004.

Like most doctrine, FM 3-24 was based on military theory developed over centuries, and from writings by insurgent leaders and counterinsurgents alike.  However, it is also full of practical tips for the tactical commander and small unit leader in successfully prosecuting a counterinsurgency.  One of the most useful sections, and one that breaks the mold of most Army doctrine, is a section entitled “Paradoxes of Counterinsurgency Operations”3.  This section provides a list of counterintuitive examples that make it clear to the reader, from Private to General, how the approach to counterinsurgency is different from other military operations.  For example, the paradox “sometimes the more force is used, the less effective it is” highlights the fact that in counterinsurgencies, unlike in most conventional conflict, increasing use of force provides opportunities for insurgents to cast the counterinsurgents as brutal and violent, thereby drawing more of the local population to the insurgent cause.

The inherent asymmetry of cyber conflict, where small groups or individuals regularly penetrate large corporate networks, makes it easy to draw parallels between malicious hackers and insurgents.  Malicious insider threats, individuals who target networks from inside the organization, resemble insurgents even more closely.  In both scenarios network defenders and incident handling teams are the counterinsurgents.  Like most analogies, this one works in some places and not in others.  However, inasmuch as cyber defense is a counterinsurgency, there are similar paradoxes, many of which closely mirror military counterinsurgency paradoxes, that are helpful for the cyber defender to understand.  In this paper we draw on many of the paradoxes in FM 3-24 and highlight their applicability to cyber defense.  We then highlight a handful of similar paradoxes that are specific to cyber operations. 

Paradoxes of Cyber Operations.
A similarity between counterinsurgency operations and cyber operations is the complex and often unfamiliar set of mission considerations presented to the practitioner.  The paradoxes of counterinsurgency operations offered in FM 3-24 are intended to stimulate thinking and to provide examples of the different mindset required to solve problems under these complex circumstances.  Here we offer a list of cyber operations paradoxes in the spirit of the counterinsurgency paradoxes offered in FM 3-24.  Many of our paradoxes are taken directly from the FM 3-24 list intact, while others are used with minor rephrasing.  A few paradoxes are completely new, owing to the unique nature of the cyberspace domain.  We believe that our list will help cyber operators gain a better understanding of the complexities of operating in cyberspace.

Sometimes, the more you protect your perimeter, the less secure you may be4.  Early network defenders focused on building strong perimeter defenses using devices that would scan and filter potentially malicious traffic at network entry points.  Devices such as network-layer firewalls and intrusion prevention systems gave way to application-layer proxies and sophisticated content-monitoring systems, giving many network administrators and their managers a false sense of security.  Many still mistakenly equate a larger perimeter-security budget with a proportional reduction in exposure to cyber threats.  Most security professionals now recognize that perimeter defense is only one part of the solution.  Successful defense requires a combination of layered defenses, well trained and rehearsed incident handlers, user education, and ‘hunt’ activities to locate and eradicate adversaries that have already found their way into your network.  In fact, if given the choice, most of today’s network defenders would opt to bolster their intrusion analysis and incident handling processes rather than further enhance perimeter defenses5.

Sometimes, the more destructive the cyber weapon, the less effective it is6.  Some of the best cyber weapons are subtle, intended to achieve effects without adversaries even realizing that they have been targeted.  Consider Stuxnet, perhaps one of the most effective cyber weapons ever deployed.  While no one has taken direct credit for the development of Stuxnet, analysis of the malware reveals that the intended target was almost certainly centrifuges at Iran’s nuclear enrichment facility at Natanz7.  Stuxnet seems to have been carefully crafted not only to evade detection, but to cause damage that would be mistaken for system design flaws or operational errors.  This allowed the malware to remain effective over a long period, damaging many devices over time and producing a significant cumulative and potentially enduring effect.  Once Stuxnet found the specific devices it was designed to target, it would lie dormant for roughly two weeks, recording operational data from the centrifuge cascades that it would later play back to indicate continued normal conditions to system operators8.  If the malware had been designed to quickly damage equipment without this careful deception and subtlety, it would likely have been discovered quickly and would have had a much smaller overall impact on the Natanz facility.  In this case, a subtle, prolonged attack was much more effective than a quick and obvious cyber attack.

Sometimes doing nothing is the best reaction9.  Signs of a network intrusion bring an almost visceral response from incident handlers and network defenders.  Any evidence of compromise is normally met with rapid action to extricate intruders and, hopefully, to reconfigure systems to prevent further similar intrusions.  While this solves the immediate problem of fixing the compromise, it can tell the attacker a lot about how the defense team detects intruders and which of the attacker’s own access methods have been discovered.  A better response might be to contain and observe the attacker.  While an attacker often has the upper hand, network defenders enjoy a home field advantage that they can leverage to isolate and observe an intruder.  The longer defenders can observe the attacker, the more intelligence they can develop regarding tactics, techniques, and procedures (TTPs), and the more information they can glean regarding the attacker’s target in the network.  A defender that can reliably contain and observe an intruder also buys time that can be used to develop protective measures and prevent further penetrations.  The calculus only holds if containment actually holds: an intruder who is being watched but can still reach sensitive data or move laterally is not contained, and observation must not become an excuse for inaction.  Military intelligence professionals refer to this tradeoff between the risk and the benefit of continued collection as “intelligence gain/loss calculus,” and they perform it routinely.
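Observing rather than evicting presupposes that you can see the intruder’s activity in the first place.  The following is an added example, not code from the original post: a minimal detector for periodic outbound callbacks (the “beaconing” that malware uses to reach its controller) run over a few constructed proxy log lines.  It only reports what it finds, leaving the block-or-watch decision to the handler.  The log format, the field order and the thresholds are assumptions.

```python
"""Detect periodic outbound callbacks ('beacons') in proxy log lines.

Added example, not code from the original post. It reports a suspected
command-and-control channel so defenders can watch it rather than reflexively
block it; the log format, field order and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "<ISO timestamp> <src> <dst> <bytes>".
# 10.1.2.34 reaches 203.0.113.7 every ~5 minutes with near-identical sizes (beacon)
# and 198.51.100.20 a few times at irregular intervals (ordinary browsing).
SAMPLE_LOG = """\
2015-04-30T08:00:00 10.1.2.34 203.0.113.7 412
2015-04-30T08:00:05 10.1.2.34 198.51.100.20 93011
2015-04-30T08:05:01 10.1.2.34 203.0.113.7 410
2015-04-30T08:09:59 10.1.2.34 203.0.113.7 415
2015-04-30T08:15:00 10.1.2.34 203.0.113.7 409
2015-04-30T08:17:22 10.1.2.34 198.51.100.20 12000
2015-04-30T08:20:02 10.1.2.34 203.0.113.7 411
2015-04-30T08:24:58 10.1.2.34 203.0.113.7 413
2015-04-30T08:30:00 10.1.2.34 203.0.113.7 414
2015-04-30T08:41:10 10.1.2.34 198.51.100.20 7700
2015-04-30T09:02:43 10.1.2.34 198.51.100.20 51234
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def _spread(values):
    """Coefficient of variation: population standard deviation relative to the mean."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(records, min_hits=6, max_jitter=0.10, max_size_spread=0.25):
    """Return suspected beacons: one dict per (src, dst) pair that connects at least
    min_hits times at near-constant intervals with near-constant sizes.
    The thresholds are assumptions; tune them against your own baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    beacons = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        intervals = [(later - earlier).total_seconds()
                     for (earlier, _), (later, _) in zip(hits, hits[1:])]
        sizes = [size for _, size in hits]
        jitter, size_spread = _spread(intervals), _spread(sizes)
        if jitter <= max_jitter and size_spread <= max_size_spread:
            beacons.append({
                "src": src,
                "dst": dst,
                "hits": len(hits),
                "period_s": round(mean(intervals)),
                "jitter": round(jitter, 3),
                "first_seen": hits[0][0].isoformat(),
                "last_seen": hits[-1][0].isoformat(),
            })
    # Lowest jitter first: the most machine-like channel is the most interesting.
    return sorted(beacons, key=lambda b: b["jitter"])


if __name__ == "__main__":
    for beacon in find_beacons(parse_log(SAMPLE_LOG)):
        print(beacon)
```

On the sample data the 5-minute channel to 203.0.113.7 is reported and the irregular browsing is not.  A report like this is the starting point for the observe-and-contain decision: the destination goes on a watch list for full packet capture and the source host is fenced off from sensitive segments, while the channel itself is left up so the attacker’s next moves can be recorded.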

Some of the best weapons for cyber operators do not shoot10.  Most cyber operators are not in a position to conduct offensive operations and therefore trust the defense of their networks to cyber weapons that do not “shoot.”  Sound network defense relies on skilled, experienced professionals who understand what standard network conditions look like and are able to anticipate and identify intrusions, then handle them appropriately.  One effective weapon in enterprise network defense is the fusion center, a collaborative workspace staffed with experienced network defenders and intelligence experts that gather information on cyber threats faced by other similar organizations, along with TTPs from adversaries that might target them, in order to inform defenses and mitigate exposure before their organization is targeted. 

If a tactic works this week, it might not work next week; if it works in this network, it might not work in the next11.  Most cyber weapons rely on very specific network conditions, and unlike physical terrain, cyber terrain is man-made and can change drastically over time.  Exploits are matched with vulnerabilities that must be present for the exploit to be successful, and effective network defenders constantly patch and update systems to eliminate existing vulnerabilities.  Similarly, defenders must be able to function in an environment where attackers discover new vulnerabilities routinely, and those vulnerabilities are exploitable until patched.  Even when a defender becomes aware of a new vulnerability, it takes time for the software vendor to develop and distribute a patch to fix it.  The market for zero-day vulnerabilities almost guarantees that defenders will face exploits that they are not equipped to handle12.

Many important decisions are not made by Generals13.  In counterinsurgency operations, young leaders interact with the population to improve local conditions through grass-roots change.  Senior leaders must ensure that Soldiers are equipped not only with an understanding of service doctrine, but also with sufficient information on their local situations and an understanding of the legal and ethical implications of their actions.  Soldiers are then empowered to take action locally that collectively improves overall conditions for the local population and reduces the insurgent’s influence in an area one village at a time.  Cyber operations can be very similar.  Soldiers and leaders will take direct tactical action on the keyboard in a way that most senior leaders aren’t able to do, nor even fully understand.  Those Soldiers must be equipped through proper training and education to understand the moral, ethical, technical, and legal implications of their actions in order to make sound decisions based on commander’s intent.  Most cyber operations will have the potential for far-reaching international implications since they traverse systems that exist in a variety of friendly, neutral, and adversary countries.  A few careless keystrokes could literally cause an international incident.

It is often easier to penetrate a computer thousands of miles away than it is to attack a computer in the next room.  Unobserved physical access to target computer systems is rare and risky; most unauthorized access relies on logical connections.  Physical proximity to a target is therefore rarely relevant in cyber operations.  A system on the same network segment as you might be more readily accessible through the network, but recent high profile compromises have relied more often on phishing or watering hole attacks that install malicious software on victim systems, causing them to call back to the attacker’s command and control infrastructure.  Educating your users to avoid such social engineering attacks will go a long way toward preventing these sorts of compromises.  Other ways to make your network more secure are to restrict administrative accounts to appropriate personnel, to deploy exploit-mitigation software such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET, since retired by Microsoft in favor of the Exploit Protection features built into Windows 10) so that vulnerabilities in software are harder to exploit successfully, and to configure email and other services to flag potential phishing messages and disable links in emails.  These steps will make your systems much more secure than systems in other, similar organizations regardless of location.
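Two of the controls named above, flagging likely phishing and disabling links in mail, are concrete enough to show in code.  The following is an added example and not code from the original post: it parses a constructed message, reports the indicators a mail gateway would typically look for (an external sender using an internal-sounding display name, link text that names one host while the href points at another, a link to a bare IP address), and rewrites anchors so nothing is clickable but the real target stays visible to the reader and the analyst.  The defended domain, the sender names, the word list and the sample message are assumptions.

```python
"""Flag phishing indicators in an inbound message and disable its links.

Added example, not code from the original post. The defended domain, the
sender names, the 'internal-sounding' word list and the message are assumptions.
"""
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_DOMAIN = "example.com"  # assumption: the defended organization's mail domain
INTERNAL_SOUNDING = ("helpdesk", "it department", "support", "security", "hr")

# Constructed sample message (not real mail). Note the look-alike sender domain
# and the link whose visible text names the real portal but whose href does not.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e-support.net>
To: alice@example.com
Subject: Urgent: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Please sign in at
<a href="http://203.0.113.45/login">https://portal.example.com/login</a>
to keep your account.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]
        if not _is_internal(addr.domain.lower()):
            findings.append(f"external sender: {addr.addr_spec}")
            display = addr.display_name.lower()
            if any(word in display for word in INTERNAL_SOUNDING):
                findings.append(f"external sender with internal-sounding name: {addr.display_name!r}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = _host(href)
            shown = _host(text) if "://" in text else ""
            if shown and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
            if target and target.replace(".", "").isdigit():
                findings.append(f"link points at a bare IP address: {href}")
    return findings


_ANCHOR = re.compile(r'<a\s+[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def disable_links(html):
    """Replace each anchor with its text plus the real target, so nothing is clickable
    but the reader can still see where it pointed. Regex-based and deliberately simple;
    a production rewriter should run on a real HTML sanitizer."""
    return _ANCHOR.sub(lambda m: f"{m.group(2)} [link disabled: {m.group(1)}]", html)


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

The sample message trips all four checks; a plain text-only note from a colleague at the defended domain trips none.  In practice these findings drive an “[EXTERNAL]” subject tag or a quarantine rather than a hard reject, since every check here has legitimate exceptions.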

Collateral damage can be orders of magnitude worse than the intended effect.  In traditional combat, collateral damage from weapon systems is often a concern.  Bombs and missiles don’t always hit their mark and blast radii often extend beyond intended targets.  Damage from collateral effects, however, is largely predictable and is normally significantly less severe than the damage to the intended target.  Kinetic effects are generally well understood, and commanders can make informed risk decisions based on known probabilities of unintended consequences.  A cyber weapon, however, can cause collateral effects that are unpredictable and severe.  A virus intended to infect and influence an adversary’s command and control infrastructure can easily spread far beyond its intended network and infect thousands or millions of systems.  Even if the virus recognizes that the system it has infected is not the target and the payload is never activated, companies will still invest significant resources to investigate the intrusion and eliminate the infection from their systems.  By its nature, malware is unpredictable.  Even if payloads are not activated, malicious software can cause critical systems to crash, or it can introduce vulnerabilities that would not have existed otherwise.  Any attempt to argue that malicious software is benign unless it reaches its intended target is either naïve or purposely misleading.  Furthermore, a cyber weapon may never reach its intended target, causing collateral damage without ever achieving its intended purpose.

Using a cyber weapon can immediately render it, and a whole class of related weapons, obsolete.  To use an exploit is to risk having an adversary identify its use and the vulnerabilities it exploits, and then patch those vulnerabilities so the weapon can no longer be leveraged against their systems.  If the affected software is commercial off-the-shelf, a clever opponent might patch their own systems and then use a similar exploit to target systems belonging to you or your allies.  It is also possible, and perhaps more likely, that the exploit is identified by a third party who then publicizes the vulnerability and causes the vendor to create a patch for all users of the affected software, rendering the exploit more universally obsolete.  For example, the exploits used by Stuxnet were discovered and publicized by commercial security companies, and the vulnerabilities, mostly in Microsoft products, were quickly patched14.  Other malware that took advantage of those same vulnerabilities was immediately rendered useless on patched systems.  It is useful to note, however, that many individuals and organizations do a poor job of keeping their systems fully patched, and that can leave even well-known vulnerabilities exploitable long after a fix is available.  A recent report by Secunia found that 11% of Internet Explorer installations were not fully patched, and 12.6% of users were running unpatched operating system software.  Furthermore, almost 6% of users were running unpatched End-of-Life software such as Windows XP15.  

The more junior a cyber operator is, the more experienced she is likely to be in cyber operations.  Cyber operations are largely the realm of “digital natives,” young people who have grown up with and are completely comfortable in a fully-connected, digital existence. Even senior leaders with technical backgrounds are at a disadvantage compared to junior officers and Soldiers who have fresh training, newly minted degrees, and recent operational experience.  Recently, two new college graduates with Computer Science degrees and significant outside-the-classroom cyber experiences (including conference attendance, security training, internships, and cyber club involvement) spent 6 months immediately after graduation as interns at Army Cyber Command where they served as technical advisors to the ARCYBER Commanding General before starting their Basic Officer Leader Courses (BOLC).  The CG relied heavily on their expertise, and commented that these junior officers’ technical understanding surpassed that of almost every officer currently assigned to the command.  These officers are well on their way to making names for themselves in the Army’s newly created Cyber branch.

Cyberspace operations and counterinsurgency operations are both unlike the more traditional and primarily kinetic combat practiced by the U.S. Army.  After years of fighting counterinsurgencies in Iraq and Afghanistan, however, an Army that was primarily trained for large-scale maneuver warfare was able to master the intricacies of counterinsurgency operations.  This evolution required a concerted effort among leaders at all levels and a massive retooling of Army training curricula.  The paradoxes of counterinsurgency outlined in the 2006 Counterinsurgency field manual highlighted the challenge that the Army faced in refocusing on counterinsurgency operations.  It is encouraging to look back on nearly 15 years of operations in Iraq and Afghanistan and see how the Army evolved to face this emerging threat.  Perhaps highlighting similar challenges in cyberspace operations will help lead to successes in this new form of warfare.

1 U.S. Department of Defense Joint Publication 1-02, Dictionary of Military and Associated Terms, defines doctrine as “fundamental principles by which the military forces or elements thereof guide their actions in support of national objectives.  It is authoritative but requires judgment in application.”
2 John Nagl provides a brief history of the development of FM 3-24 in a 2005 article on the University of Chicago website at
3 Headquarters, Department of the Army, “Field Manual 3-24: Counterinsurgency”, Dec., 2006, page 1-26.
4 The original counterinsurgency operations paradox is “Sometimes, the More You Protect Your Force, the Less Secure You May Be”.
5 As far back as 1999, Winn Schwartau, in Time Based Security (Interpact Press, 1999), decried the failed “fortress mentality” espoused by many security vendors.  More recently, in the preface of The Practice of Network Security Monitoring: Understanding Incident Detection and Response (No Starch Press, 2013), Richard Bejtlich points out the need for monitoring for indications of compromise inside the network.
6 Original counterinsurgency paradox: “Sometimes the More Force Is Used, the Less Effective It Is”.
7 K. Zetter, “Countdown to Zero Day,” Crown Publishers, New York, NY.  2014.
8 Ibid.
9 Kept from FM 3-24 with same wording.
10 Original counterinsurgency paradox: “Some of the Best Weapons for Counterinsurgents Do Not Shoot.”
11 Original counterinsurgency paradox: “If a Tactic Works this Week, It Might Not Work Next Week; If It Works in this Province, It Might Not Work in the Next.”
12 Even noted black-hat to white-hat to now gray-hat hacker Kevin Mitnick has gotten into the zero-day exploit market.  See
13 Kept from FM 3-24 with same wording.
14 Symantec Corporation, “W32.Stuxnet Dossier.”  Available at  Feb. 2011.
15 Secunia ApS, “Secunia Emphasizes Patch Importance During National Cyber Security Awareness Month.”  Available at, 1 Oct. 2014.