Disclaimer
This is a shameless cross-post. Okay, not completely shameless - it is a refined and expanded version of a piece I originally posted to www.cyberdefensereview.org a couple of months ago. It incorporates some feedback on the original post and a detailed review by a colleague. It is an interesting topic that I may continue to refine. Certainly interested in further feedback.
Abstract
The U.S. Army’s Field Manual 3-24, Counterinsurgency, broke the mold for Army doctrine, providing insights into counterinsurgency operations that were largely unknown to U.S. military professionals and offering techniques that could be applied at both the operational and tactical levels to improve local conditions. The manual also highlighted the complex nature of counterinsurgency operations, providing a list of paradoxes, or seemingly contradictory truths, that highlight the difficulties inherent in this type of military operation. Many parallels can be drawn between counterinsurgency and cyber operations, and practitioners of both face challenges even more complex than those encountered in more traditional, kinetic military operations. Herein we provide a list of cyber paradoxes in the spirit of the counterinsurgency paradoxes given in FM 3-24. Through these paradoxes, we hope to highlight the inherent complexity of cyber operations and provide insights to those who hope to be successful in this new operational domain.
Introduction
The publication of the Army’s Field Manual 3-24, Counterinsurgency, in 2006 was a watershed event in the history of US Army doctrine. Previously published Army manuals, and much of the doctrine[1] published since, tend to take a very high-level view of military operations. These manuals often provide lots of theoretical background with little practical applicability. Many military practitioners see them as abstract tomes handed down from the ivory tower of the Combined Arms Doctrine Directorate at Fort Leavenworth, KS. Many Army officers even pride themselves on having avoided reading most of the doctrine that underpins their profession.
The new counterinsurgency manual was different. The primary authors were then Lieutenant General David Petraeus and Lieutenant Colonel John Nagl[2] at the Combined Arms Center at Fort Leavenworth. It is unusual for a senior officer like LTG Petraeus to have such a hands-on role in writing doctrine, but Petraeus never shied away from the unusual. A highly decorated Infantry Ranger with a Ph.D. in international relations from Princeton, Petraeus had just been promoted after successfully commanding one of the most storied divisions in the Army, the 101st Airborne Division. His command included a year-long deployment to Mosul, Iraq during Operation Iraqi Freedom, where Petraeus quickly learned how to successfully engage in counterinsurgency operations. His primary co-author, John Nagl, was a Rhodes Scholar, having graduated near the top of his class at West Point in 1988, with a doctorate from Oxford University where he studied counterinsurgency. Nagl published a revised version of his doctoral dissertation in 2002 under the title Learning to Eat Soup with a Knife, a well-received history of counterinsurgency lessons from Malaya and Vietnam. The title was meant to convey unlikely successes in the seemingly impossible task of successful counterinsurgency operations. Nagl had also served in Operation Iraqi Freedom as an Armor Battalion Operations Officer in the 1st Armored Division. FM 3-24 was a refreshingly practical manual that was based on historical counterinsurgency doctrine and on lessons learned by both officers from their own experiences fighting the deepening insurgency in Iraq in 2003 and 2004.
Like most doctrine, FM 3-24 was based on military theory developed over centuries, and on writings by insurgent leaders and counterinsurgents alike. However, it is also full of practical tips for the tactical commander and small unit leader in successfully prosecuting a counterinsurgency. One of the most useful sections, and one that breaks the mold of most Army doctrine, is a section entitled “Paradoxes of Counterinsurgency Operations”[3]. This section provides a list of counterintuitive examples that make it clear to the reader, from Private to General, how the approach to counterinsurgency is different from other military operations. For example, the paradox “sometimes the more force is used, the less effective it is” highlights the fact that in counterinsurgencies, unlike in most conventional conflict, increasing use of force provides opportunities for insurgents to cast the counterinsurgents as brutal and violent, thereby drawing more of the local population to the insurgent cause.
The inherent asymmetry of cyber conflict, where small groups or individuals regularly penetrate large corporate networks, makes it easy to draw parallels between malicious hackers and insurgents. Malicious insider threats, those individuals that target networks from inside the organization, resemble insurgents even more closely. In both scenarios network defenders and incident handling teams are the counterinsurgents. Like most analogies, this one works in some places and not in others. However, inasmuch as cyber defense is a counterinsurgency, there are similar paradoxes, many of which closely mirror military counterinsurgency paradoxes, which are helpful for the cyber defender to understand. In this paper we draw on many of the paradoxes in FM 3-24 and highlight their applicability to cyber defense. We then highlight a handful of similar paradoxes that are specific to cyber operations.
Paradoxes of Cyber Operations.
A similarity between counterinsurgency operations and cyber operations is the complex and often unfamiliar set of mission considerations presented to the practitioner. The paradoxes of counterinsurgency operations offered in FM 3-24 are intended to stimulate thinking and to provide examples of the different mindset required to solve problems under these complex circumstances. Here we offer a list of cyber operations paradoxes in the spirit of the counterinsurgency paradoxes offered in FM 3-24. Many of our paradoxes are taken directly from the FM 3-24 list intact, while others are used with minor rephrasing. A few paradoxes are completely new, owing to the unique nature of the cyberspace domain. We believe that our list will help cyber operators gain a better understanding of the complexities of operating in cyberspace.
Sometimes, the more you protect your perimeter, the less secure you may be[4]. Early network defenders focused on building strong perimeter defenses using devices that would scan and filter potentially malicious traffic at network entry points. Devices such as network-layer firewalls and intrusion prevention systems gave way to application-layer proxies and sophisticated content-monitoring systems, giving many network administrators and their managers a false sense of security. Many still mistakenly equate a larger network security budget with a direct and corresponding reduction in exposure to cyber threats. Most security professionals now recognize that perimeter defense is only one part of the solution. Successful defense requires a combination of layered defenses, well trained and rehearsed incident handlers, user education, and ‘hunt’ activities to locate and eradicate adversaries that have already found their way into your network. In fact, if given the choice, most of today’s network defenders would opt to bolster their intrusion analysis and incident handling processes rather than further enhance perimeter defenses[5].
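One concrete ‘hunt’ activity that a perimeter device will never perform for you is looking for hosts that are already compromised and phoning home on a timer. The following is an added example, not code from the paper: it scans constructed proxy log lines (the format, `<epoch> <src_ip> <dst_host> <bytes_out>`, is an assumption, as are the addresses) and flags source/destination pairs whose inter-connection gaps are suspiciously regular, which is what a scheduled command-and-control beacon looks like from inside the network.

```python
"""Beacon hunt over proxy logs (added example; log format and hosts are assumed).

A host that phones home on a fixed timer produces near-constant gaps between
connections to the same destination; ordinary browsing does not.  Flag pairs
with enough connections and a low coefficient of variation (stdev / mean) in
those gaps.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 beacons to c2.example roughly every 60 s,
# 10.0.0.7 browses a few sites at irregular intervals.
SAMPLE_LOG = """\
1700000000 10.0.0.5 c2.example 512
1700000061 10.0.0.5 c2.example 510
1700000119 10.0.0.5 c2.example 515
1700000180 10.0.0.5 c2.example 511
1700000241 10.0.0.5 c2.example 509
1700000299 10.0.0.5 c2.example 514
1700000003 10.0.0.7 news.example 2048
1700000040 10.0.0.7 cdn.example 10240
1700000201 10.0.0.7 news.example 1900
1700000215 10.0.0.7 mail.example 300
1700000560 10.0.0.7 news.example 2100
1700000561 10.0.0.7 cdn.example 9000
"""


def parse_log(text):
    """Group connection timestamps by (src, dst), sorted ascending."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        pairs[(src, dst)].append(int(ts))
    for key in pairs:
        pairs[key].sort()
    return pairs


def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival gaps (lower = more
    periodic).  Returns None when there are too few connections to judge."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, min_conns=5, max_cv=0.2):
    """Return [(src, dst, mean_gap_seconds, cv)] for pairs that look like beacons."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_conns:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            hits.append((src, dst, mean(gaps), cv))
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap:.0f}s (cv={cv:.2f})")
```

The thresholds (five connections, coefficient of variation at or below 0.2) are a starting point, not a standard; an adversary who adds random jitter to the beacon interval defeats this exact test, which is the point of the tactic-expiry paradox further down. The value of the hunt is that it runs against traffic the perimeter already allowed through.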
Sometimes, the more destructive the cyber weapon, the less effective it is[6]. Some of the best cyber weapons are subtle, intended to achieve effects without adversaries even realizing that they have been targeted. Consider Stuxnet, perhaps one of the most effective cyber weapons ever deployed. While no one has taken direct credit for the development of Stuxnet, analysis of the malware reveals that the intended target was almost certainly centrifuges at Iran’s nuclear enrichment facility at Natanz[7]. Stuxnet seems to have been carefully crafted not only to evade detection, but to cause damage that would be mistaken for system design flaws or operational errors. This allowed the malware to remain effective over a long period and to damage many devices over time, with a significant cumulative and potentially enduring effect. Once Stuxnet found the specific devices it was designed to target, it would lie dormant for two weeks, recording operational data from the centrifuge cascades that it would play back later to indicate continued normal conditions to system operators[8]. If the malware had been designed to quickly damage equipment without this careful deception and subtlety, it would likely have been discovered quickly and would likely have had a much reduced overall impact on the Natanz facility. In this case, a subtle, prolonged attack was much more effective than a quick and obvious cyber attack.
Sometimes doing nothing is the best reaction[9]. Signs of a network intrusion bring an almost visceral response from incident handlers and network defenders. Any evidence of compromise is normally met with rapid action to extricate intruders and, hopefully, to reconfigure systems to prevent further similar intrusions. While this solves the immediate problem of fixing the compromise, it can tell the attacker a lot about how the network defense team detected them and which of the attacker’s access methods were noticed. A better response is often to contain the attacker and observe. While an attacker often has the upper hand, network defenders enjoy a home field advantage that they can leverage to isolate and observe an intruder. The longer defenders can observe the attacker, the more intelligence they can develop regarding tactics, techniques, and procedures (TTPs), and the more information they can glean regarding the attacker’s target in the network. A defender that can reliably contain and observe an intruder also buys time that can be used to develop protective measures and prevent further penetrations. The word “reliably” carries the weight here: observation is only a defensible choice when the defender is confident the intruder cannot reach data or systems of real value from where they are being held, and the moment that confidence is lost, eradication is the correct call. Military intelligence professionals refer to this tradeoff between the risk and the benefits of continued collection as “intelligence gain/loss calculus,” and they work through it routinely.
Some of the best weapons for cyber operators do not shoot[10]. Most cyber operators are not in a position to conduct offensive operations and therefore trust the defense of their networks to cyber weapons that do not “shoot.” Sound network defense relies on skilled, experienced professionals who understand what standard network conditions look like and are able to anticipate and identify intrusions, then handle them appropriately. One effective weapon in enterprise network defense is the fusion center, a collaborative workspace staffed with experienced network defenders and intelligence experts who gather information on cyber threats faced by other similar organizations, along with TTPs from adversaries that might target them, in order to inform defenses and mitigate exposure before their organization is targeted.
If a tactic works this week, it might not work next week; if it works in this network, it might not work in the next[11]. Most cyber weapons rely on very specific network conditions, and unlike physical terrain, cyber terrain is man-made and can change drastically over time. Exploits are matched with vulnerabilities that must be present for the exploit to be successful, and effective network defenders constantly patch and update systems to eliminate existing vulnerabilities. Similarly, defenders must be able to function in an environment where attackers discover new vulnerabilities routinely, and those vulnerabilities are exploitable until patched. Even when a defender becomes aware of a new vulnerability, it takes time for the software vendor to develop and distribute a patch to fix it. The market for zero-day vulnerabilities almost guarantees that defenders will face exploits that they are not equipped to handle[12].
Many important decisions are not made by Generals[13]. In counterinsurgency operations, young leaders interact with the population to improve local conditions through grass-roots change. Senior leaders must ensure that Soldiers are equipped not only with an understanding of service doctrine, but also with sufficient information on their local situations and an understanding of the legal and ethical implications of their actions. Soldiers are then empowered to take action locally that collectively improves overall conditions for the local population and reduces the insurgent’s influence in an area one village at a time. Cyber operations can be very similar. Soldiers and leaders will take direct tactical action on the keyboard in a way that most senior leaders aren’t able to do, nor even fully understand. Those Soldiers must be equipped through proper training and education to understand the moral, ethical, technical, and legal implications of their actions in order to make sound decisions based on commander’s intent. Most cyber operations will have the potential for far-reaching international implications since they traverse systems that exist in a variety of friendly, neutral, and adversary countries. A few careless keystrokes could literally cause an international incident.
It is often easier to penetrate a computer thousands of miles away than it is to attack a computer in the next room. Unobserved physical access to target computer systems is rare and risky; most unauthorized access relies on logical connections. Physical proximity to a target is therefore rarely relevant in cyber operations. A system that is close enough to you to be on the same network segment might be more readily accessible through the network, but recent high profile compromises have relied more often on phishing or watering hole attacks that install malicious software on victim systems, causing them to call back to the attacker’s command and control infrastructure. Educating your users to avoid such social engineering attacks will go a long way toward preventing these sorts of compromises. Other ways to make your network more secure are to restrict administrative accounts to appropriate personnel, to deploy exploit-mitigation software such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET, since retired by Microsoft in favor of the Exploit Protection feature built into Windows 10 and later) so that vulnerabilities in software cannot be successfully exploited, and to configure email and other services to flag potential phishing messages and disable links in emails. These steps will make your systems much more secure than systems in other, similar organizations regardless of location.
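The last of those steps, flagging likely phishing and disabling links, is something a mail gateway does with policy rules, but the logic is short enough to show in one place. The following is an added example and not code from the paper: it assumes the organization owns the (hypothetical) domain corp.example, treats everything else as external, tags external mail in the subject, flags a display name that claims an internal address while the real sender is external, and rewrites URLs in plain-text bodies to a defanged form so a click does nothing until a human has looked. The sample message is constructed.

```python
"""Inbound phishing triage (added example; corp.example and the message are assumed).

Three checks a practitioner typically wires into a mail gateway:
  1. tag mail whose sender domain is not ours,
  2. flag a display name that impersonates an internal address
     (From: "ceo@corp.example" <someone@evil.example>),
  3. defang URLs in plain-text bodies (https://a.b/x -> hxxps://a[.]b/x).
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"          # assumed: the organization's own domain
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: external sender, display name claims to be an internal address.
SAMPLE_MAIL = """From: "ceo@corp.example" <billing@evil.example>
To: finance@corp.example
Subject: Urgent wire transfer
Content-Type: text/plain

Please approve: https://evil.example/pay?id=7 today.
"""


def sender_domain(msg):
    """Domain of the actual sender address (not the display name)."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_spoof(msg):
    """True when the display name contains an internal address but the
    address that will receive replies is external."""
    name, _addr = parseaddr(msg.get("From", ""))
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if not claimed:
        return False
    return (claimed.group(1).lower() == INTERNAL_DOMAIN
            and sender_domain(msg) != INTERNAL_DOMAIN)


def defang(text):
    """Rewrite each URL so it is readable but no longer clickable."""
    def _one(match):
        url = re.sub(r"^http", "hxxp", match.group(0), flags=re.IGNORECASE)
        scheme, rest = url.split("://", 1)
        host, sep, path = rest.partition("/")          # bracket dots in the host only
        return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"
    return URL_RE.sub(_one, text)


def triage(raw):
    """Return (list_of_flags, possibly_rewritten_message)."""
    msg = message_from_string(raw)
    flags = []
    if sender_domain(msg) != INTERNAL_DOMAIN:
        flags.append("external-sender")
        subject = msg.get("Subject", "")
        if not subject.startswith("[EXTERNAL]"):
            del msg["Subject"]
            msg["Subject"] = f"[EXTERNAL] {subject}"
    if display_name_spoof(msg):
        flags.append("display-name-spoof")
    if msg.get_content_type() == "text/plain":
        body = msg.get_payload()
        if URL_RE.search(body):
            flags.append("links-defanged")
            msg.set_payload(defang(body))
    return flags, msg


if __name__ == "__main__":
    found, rewritten = triage(SAMPLE_MAIL)
    print(found)
    print(rewritten.as_string())
```

Two caveats a practitioner would add: the external tag and the defanged links are a nudge to the user, not a control, so they sit alongside the account restrictions the paragraph lists rather than replacing them; and HTML bodies need the same treatment applied to `href` attributes, which this plain-text version does not attempt.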
Collateral damage can be orders of magnitude worse than the intended effect. In traditional combat, collateral damage from weapon systems is often a concern. Bombs and missiles don’t always hit their mark, and blast radii often extend beyond intended targets. Damage from collateral effects, however, is largely predictable and is normally significantly less severe than the damage to the intended target. Kinetic effects are generally well understood, and commanders can make informed risk decisions based on known probabilities of unintended consequences. A cyber weapon, however, can cause collateral effects that are unpredictable and severe. A virus intended to infect and influence an adversary’s command and control infrastructure can easily spread far beyond its intended network and infect thousands or millions of systems. Even if the virus recognizes that the system it has infected is not the target and the payload is never activated, companies will still invest significant resources to investigate the intrusion and eliminate the infection from their systems. By its nature, malware is unpredictable. Even if payloads are not activated, malicious software can cause critical systems to crash, or it can introduce vulnerabilities that would not have existed otherwise. Any attempt to argue that malicious software is benign unless it reaches its intended target is either naïve or purposely misleading. Furthermore, a cyber weapon may never reach its intended target, causing collateral damage without ever achieving its intended purpose.
Using a cyber weapon can immediately render it, and a whole class of related weapons, obsolete. To use an exploit is to risk having an adversary identify its use and the vulnerabilities it exploits, and then patch those vulnerabilities so the weapon can no longer be leveraged against their systems. If the affected software is commercial off-the-shelf, a clever opponent might patch their own systems and then use a similar exploit to target systems belonging to you or your allies. It is also possible, and perhaps more likely, that the exploit is identified by a third party who then publicizes the vulnerability and causes the vendor to create a patch for all users of the affected software, rendering the exploit more universally obsolete. For example, the exploits used by Stuxnet were discovered and publicized by commercial security companies, and the vulnerabilities, mostly in Microsoft products, were quickly patched[14]. Other malware that took advantage of those same vulnerabilities was immediately rendered useless on patched systems. It is useful to note, however, that many individuals and organizations do a poor job of keeping their systems fully patched, and that can keep even well-known vulnerabilities exploitable. A recent report by Secunia found that 11% of Internet Explorer installations are not fully patched, and 12.6% of users are running unpatched operating system software. Furthermore, almost 6% of users are running unpatched end-of-life software such as Windows XP[15].
The more junior a cyber operator is, the more experienced she is likely to be in cyber operations. Cyber operations are largely the realm of “digital natives,” young people who have grown up with and are completely comfortable in a fully-connected, digital existence. Even senior leaders with technical backgrounds are at a disadvantage compared to junior officers and Soldiers who have fresh training, newly minted degrees, and recent operational experience. Recently, two new college graduates with Computer Science degrees and significant outside-the-classroom cyber experience (including conference attendance, security training, internships, and cyber club involvement) spent six months immediately after graduation as interns at Army Cyber Command, where they served as technical advisors to the ARCYBER Commanding General before starting their Basic Officer Leader Courses (BOLC). The CG relied heavily on their expertise, and commented that these junior officers’ technical understanding surpassed that of almost every officer currently assigned to the command. These officers are well on their way to making names for themselves in the Army’s newly created Cyber branch.
Conclusion
Cyberspace operations and counterinsurgency operations are both unlike the more traditional and primarily kinetic combat practiced by the U.S. Army. After years of fighting counterinsurgencies in Iraq and Afghanistan, however, an Army that was primarily trained for large-scale maneuver warfare was able to master the intricacies of counterinsurgency operations. This evolution required a concerted effort among leaders at all levels and a massive retooling of Army training curricula. The paradoxes of counterinsurgency outlined in the 2006 Counterinsurgency field manual highlighted the challenge that the Army faced in refocusing to counterinsurgency operations. It is encouraging to look back on 15 years of operations in Iraq and Afghanistan and see how the Army evolved to face this emerging threat. Perhaps highlighting similar challenges in cyberspace operations will help lead to successes in this new form of warfare.
[1] U.S. Department of Defense Joint Publication 1-02, Dictionary of Military and Associated Terms, defines doctrine as “fundamental principles by which the military forces or elements thereof guide their actions in support of national objectives. It is authoritative but requires judgment in application.”
[2] John Nagl provides a brief history of the development of FM 3-24 in a 2005 article on the University of Chicago website at http://www.press.uchicago.edu/Misc/Chicago/841519foreword.html.
[3] Headquarters, Department of the Army, “Field Manual 3-24: Counterinsurgency”, Dec. 2006, page 1-26.
[4] The original counterinsurgency operations paradox is “Sometimes, the More You Protect Your Force, the Less Secure You May Be”.
[5] As far back as 1999, Winn Schwartau, in Time Based Security (Interpact Press, 1999), decried the failed “fortress mentality” espoused by many security vendors. More recently, in the preface of The Practice of Network Security Monitoring: Understanding Incident Detection and Response (No Starch Press, 2014), Richard Bejtlich points out the need for monitoring for indications of compromise inside the network.
[6] Original counterinsurgency paradox: “Sometimes the More Force Is Used, the Less Effective It Is”.
[7] K. Zetter, Countdown to Zero Day, Crown Publishers, New York, NY, 2014.
[8] Ibid.
[9] Kept from FM 3-24 with the same wording.
[10] Original counterinsurgency paradox: “Some of the Best Weapons for Counterinsurgents Do Not Shoot.”
[11] Original counterinsurgency paradox: “If a Tactic Works this Week, It Might Not Work Next Week; If It Works in this Province, It Might Not Work in the Next.”
[12] Even noted black-hat to white-hat to now gray-hat hacker Kevin Mitnick has gotten into the zero-day exploit market. See https://www.mitnicksecurity.com/shopping/absolute-zero-day-exploit-exchange.
[13] Kept from FM 3-24 with the same wording.
[15] Secunia ApS, “Secunia Emphasizes Patch Importance During National Cyber Security Awareness Month.” Available at http://secunia.com/, 1 Oct. 2014.