
State Actors’ Offensive Cyber Operations: The Disruptive Power of Resourceful Systematic Cyber Attacks

Jan Kallberg
CySREC, Erik Jonsson School of Engineering and Computer Science
The University of Texas at Dallas
Richardson, TX 75083-0688
[email protected]

Bhavani Thuraisingham
CySREC, Erik Jonsson School of Engineering and Computer Science
The University of Texas at Dallas
Richardson, TX 75083-0688
[email protected]

Abstract – Innovative technologies directly or indirectly catalyze major shifts in how we use technology and become vehicles of change. In cyber operations, the technology has already been present for years before it is assigned a proper cyber operative use and becomes revolutionary. The disruptive power in cyber operations is embedded in the change in how we see what the technology could be used for; the technology itself is already available. During the last few years, several nation states have entered cyberspace as offensive state actors in pursuit of utilizing the Internet to reach policy, geopolitical, and state competitive goals. The development of the battle tank is used as an analogy: it took twenty years from the introduction of the battle tank to see its effective military use. The Internet has been broadly accessible for almost twenty years. It has taken the Internet twenty years to be militarized, but once started, the military interest accelerates. The main obstacle to state actor entrance is not the technology per se, but instead the ability to think beyond the existing cyber security paradigm. Older technology is leveraged by innovative thinking. The existing paradigm says that cyberspace is becoming more secure; the entrance of state actors reverses the paradigm, as cyberspace becomes less secure and heavily contested.

Keywords - cyber operations; cyberdefense; information assurance; offensive cyber operations; defense; cyberwar; cyber education; information operations.

I. INTRODUCTION

The public information security sentiment through the last twenty years has been that the Internet was and is unsafe, but that the net is becoming safer over time. The further back from the present, the more unsafe the Internet is assumed to have been, and at the dawn of the Internet there was no security at all. According to the media and societal interpretation, the security software industry has step by step introduced new software to protect our client computers, and general societal IT security has increased. A paradigm does not need to be shared by everyone in the field, but if it is an accepted and dominant outlook in society, then it becomes a paradigm.

Recent advancements in client computer security, in conjunction with the impact of time and Internet maturity, have created a population at ease with the Internet and trusting the net. People use online banking, run their businesses in the cloud, and rely on net-supported transactions. The limited abilities and resources of the early attackers contained the threat to criminal activity and marginal financial damage. The early Internet’s cyber perpetrators had marginal abilities and pursued financial gain by digital smash-and-grab thefts of credit card numbers and identities that could be converted to money through a chain of illegal activity.

The entrance of state actors as attackers has reversed the trajectory of Internet security: the Internet is becoming increasingly less safe over time. The threat no longer engulfs only individuals and businesses, but also the nation state.

II. TECHNOLOGY FIRST, PROPER USE LATER

Cyber warfare technology arrived decades earlier than its militarized role in cyber operations. These technologies are created as weaponizable assets long before potential aggressors are able to put these new weapons to military use. The dual use, both military and civilian, has not been fully realized or understood. The arrival of technology before the ability to understand its military usage is not new in history. The human mind is path-dependent and tends to utilize earlier experiences to form a perception of the future. New technology is not seen as independent and a vehicle of change, but is instead subordinated into the earlier context.

The armored tank was introduced to the battlefield in 1916. For two decades the tank was used as a movable pillbox, a machine gun nest that could move out from the trenches and follow the infantry in the WWI strategy of position warfare. It was not until the Blitzkrieg, the German assault on France in 1940, that armored warfare was operationalized and became an integrated part of military strategy with direct implications for the outcome of the conflict.

The Germans were the first to see the opportunity in the armored battle tank and to design a strategy to use it to reach major geopolitical goals. The Germans leveraged the tank from being a fractional part of position warfare, a way of moving military hardware in a tactical manner, into a vehicle for an innovative overarching strategy. The Internet has had an identical development. The ability to militarize the Internet has not relied on technology, or on flavors of networking, but instead on the ability to see an effective military use of the Internet application layer.

Stuxnet, the code that affected the Iranian nuclear centrifuges, is the product of advances in thinking. The ability to write such cyber weapons has been present for decades. The innovative component is to see the code’s effective military use. A state designed Stuxnet to deliberately damage the Iranian nuclear centrifuges. Not only has the code become militarized, it has a feature that all weapons have: the ability to target.

This shift of thinking is no different from that of the German officer Heinz Guderian, then a colonel, who in the late 1920s and the 1930s, together with others, realized that armored tanks should not be used as movable pillboxes alongside slow-moving infantry trying to take a hill or a set of trenches. Guderian realized that tanks should be used in massive numbers to strike deep into the enemy’s territory. Before Blitzkrieg, the German concept of mobile armored warfare, wars had been fought in a linear manner: infantry formed the fighting line, supported by a line of artillery bombarding the enemy from a distance, and behind the artillery there was a logistic echelon providing for the needs of the artillery and infantry. At the start of the Second World War, the French and many other armies still subscribed to this concept of three lines of military units, of which only the first had contact with the enemy.

The development of the military helicopter follows the same path as the battle tank and the Internet. The helicopter was invented in the 1930s; in the late 1940s and early 1950s the military started to use helicopters as ¾-ton trucks that could move through airspace. The military had helicopters for twenty years before the helicopter became a weapons platform of any significance.

Once the intellectual ceiling was broken, militarized helicopters went through a rapid evolution, and today’s attack helicopters are based on concepts from the late 1960s and early 1970s.

The revolutionary idea of Blitzkrieg was to strike deep with massive tank formations, ignoring the enemy infantry, ploughing through the artillery, and attacking the bakery in the rear. This indirectly took the initiative from the enemy, forcing the enemy to react; the enemy’s line of defense collapsed, and their units were scattered and became easy prey for the attacking armored units. It took the battle tank almost 25 years to reach the point where it was utilized militarily in an effective manner. The main obstacle was not technology; it was human adaptation. The technology was already present. The hurdle was the human mind among those who later faced defeat.

A similar deep strike in a cyber context is an attack on industrial control systems, which strikes at the core of society’s functionality. The opportunity to attack municipal waterworks and other local infrastructure, which amounts to a deep strike into society, has existed for several years.

The increased number of SCADA (supervisory control and data acquisition) system attacks is a product of the shift in cyberattack modus operandi as marginally funded cybercriminals are replaced with well-funded state actors with a completely different objective and agenda.

The ability to attack the core industrial backbone of a targeted country, and to create havoc in its transportation and communication infrastructure, is an opportunity for a state actor seeking an advantage over another state. For cybercriminals it is an almost pointless operation.

The intellectual ceiling for militarization of the Internet has been incrementally breaking since 2010.

III. LA RAISON D’ÉTAT

The way we see, design, create, and maintain information security and protect our assets connected to cyberspace is facing a rapid evolution in the coming years. The entrance of state actors, which creates a militarized Internet and uses it as a contested space for intelligence, economic espionage, information operations, and the destabilization of adversarial states, has radically changed the fundamentals of security in cyberspace. The state actor seeks to exploit weaknesses in the critical national infrastructure and information systems, and takes advantage of the fact that our populations rely heavily on the Internet.

The reasoning of state actors differs from the rationale of individuals and criminal networks. First and foremost, the goal of individuals and criminal networks is financial gain. The state seeks to optimize its influence and power, or to avoid being influenced and overpowered by other states. The state has a vested interest in the ability to destabilize the systems of other nations. The state actor uses a full-system attack strategy instead of the traditional cyberattack that seeks limited goals.

States target other states’ core abilities in order to destabilize them, deny access to information, and undermine the targeted state’s core functionality. The set of aim points utilized in a state actor attack differs completely from earlier experiences with criminal networks and cybercrime. Criminals pursued access to reach financial gains with a quick turnaround, so that they could avoid law enforcement and detection while perpetrating the attack.

The mix of the nation states’ reasoning, the resources they have at hand, and the opportunity to exploit the vulnerabilities of the Internet makes state actors far more capable perpetrators of any covert cyber operation.

Areas that in the earlier paradigm were to a high degree sheltered from cyberattacks, such as the spaceborne U.S. Global Information Grid, are becoming targets of state actors [1]. Attacking the Global Information Grid represents no quick financial gain for a criminal network or hackers, and any marginal gain from selling the information is drastically outweighed by the repercussions of the act, which has left the satellite infrastructure untouched by serious and capable cyberattacks.

William J. Lynn III, former U.S. deputy secretary of defense, said in 2011 as a reflection on the U.S. national security space strategy [2]: “The willingness of states to interfere with satellites in orbit has serious implications for our national security. Space systems enable our modern way of war. They allow our warfighters to strike with precision, to navigate with accuracy, to communicate with certainty, and to see the battlefield with clarity. Without them, many of our most important military advantages evaporate.”

Interference here means cyberattacks, because a kinetic anti-satellite missile attack would be a grave act of war that would catapult the launching nation onto a confrontational course with the U.S., likely leading to war or other drastic and uncertain repercussions. Kinetic attacks are replaced with cyberattacks because these carry less risk, especially given the difficulty of establishing attribution firmly enough for the international community to sanction countermeasures.

For a state actor, attacking the Global Information Grid is an opportunity to undermine and remove U.S. information supremacy and warfighting ability, with direct geopolitical consequences. Modern warfare conducted by great powers relies heavily on access to spaceborne information grids.

IV. THE DIGITAL MAGINOT LINE

Fraser Nelson, a British editor, wrote in the magazine The Spectator [3] after a major British security breach: “Suddenly, the western internet ‘firewalls’ are looking like a digital Maginot Line, so vulnerable that amateur hackers can steal hundreds of thousands of secrets for fun. So what might a cyber-army be able to achieve?”

The Digital Maginot Line follows the analogy with the development of the battle tank. The French built the Maginot Line along the border with Germany to ensure that France could not be successfully attacked by the Germans after the First World War. Work started in 1930, and the construction was one of the largest construction projects in the world at that time. The Maginot Line was based on a major flaw: the construction assumed that the attacker had to use a designated path to reach its goal. The defender would then fight from fortified positions along the attacker’s assumed path forward. The attacking Germans went another route, using their new mindset of armored and mobile warfare. The concept of the Maginot Line failed, and the French suffered one of history’s most humiliating defeats. The Maginot Line was built on the failed concept of overinvesting in static defenses based on how conflicts used to be fought.

The entrance of state actors in cyber represents the same drastic change of mindset and concept as the Germans’ use of mobile armored warfare to overrun French defenses in 1940. A Digital Maginot Line would be pouring money and resources into a defensive position that assumes cyberattacks will occur as we expected them to. The vast effort in cyber security today is placed on addressing the threats of the past, when a few unfunded individuals pounded a single point of entry to the system, often using crude tools to find configuration errors.

The main challenge for Internet security after this change of paradigm is to redesign how security is built from a system perspective, instead of focusing on these single entry points. Information assurance strategies resemble trench warfare and position warfare. Position warfare is fought from fixed positions in known terrain, using hardened positions and pre-assessed planning.

Hardened system defenses, defending a few well-described and visible points of entry to the system, expect a limited attack trying to penetrate a specific sector, server, or area of the system. Systems thinking and a wider understanding of societal impact are not needed when the focus is to defend one single point of entry.

One major weakness in the advanced societies’ cyberdefense is the overemphasis in cyber security training and research on information assurance, the hardening of systems, when the paradigm has changed toward full-spectrum cyber operations [3]. By continuously hardening systems, a false sense of control and security is maintained, based mainly on the earlier attacker profile of a single individual or a small criminal effort trying to penetrate the system.

These barriers are effective only if the intruder comes the way we anticipate. State actors have far more options for attacking a system than solely trying to penetrate a firewall.

To continue focusing on hardening system entry points is to create a digital Maginot Line: a fixed set of hardened positions with embedded assumptions about attacker behavior, which a capable attacker identifies and nullifies. Attackers have the choice of picking their aim point. The entrance of state actors disturbs and reorganizes how cyber security should be organized, structured, taught, and designed.

V. CONCLUSION

The well-funded and politically sanctioned militarization of the Internet is a recent development, and it represents a major shift in the risks and threats originating from the net. There have been only marginal technological barriers to militarizing the Internet during the last decade. The technology was already in place, but it required a change of mindset; once that change of mindset occurred, cyber security as we have known it was transformed. Dan Geer said that research in cyber is to embrace the unknown [4]; rephrased, cyber researchers have to step out of the comfort zone of traditional IT security, and the entrance of state actors directly forces cyber research to think along those lines and utilize a high-level systematic outlook to secure systems.

The political scientist Kenneth N. Waltz said that the power of nuclear arms is not what you do with them, but what you can do [5]. Applying Waltz’s comment in a cyber context, the power of cyber operations is not what you do but what you can do. A state uses uncertainty to deter other states from taking actions that conflict with its interests.

The gains from a militarized cyberspace are too inviting for a major nation state not to take advantage of. Once states engage their resources, universities become armories [6], defense industries receive contracts to establish weaknesses in foreign systems, the abilities of intelligence agencies are added to the cyber attack capacity, and cyberspace security has entered a completely new realm. The innovative technology, cyberspace, has been accessible for almost two decades. The change is in the state actor mindset, and it will reset how we see cyberspace and the risks associated with cyber.


REFERENCES

[1] J. Kallberg, “Designer Satellite Collisions from Covert Cyberwar,” Strategic Studies Quarterly, Spring 2012.

[2] W. J. Lynn III, “A Military Strategy for the New Space Environment,” The Washington Quarterly, vol. 34, no. 3, 2011.

[3] F. Nelson, The Spectator, Dec. 4, 2010. http://www.spectator.co.uk/features/6507703/chinas-spy-network/

[4] D. Geer, “A New Cybersecurity Research Agenda (In Three Minutes or Less),” Threatpost. https://threatpost.com/en_us/blogs/new-cybersecurity-research-agenda-three-minutes-or-less-110711

[5] K. N. Waltz, “Nuclear Myths and Political Realities,” The American Political Science Review, vol. 84, no. 3, Sep. 1990, pp. 731–745.

[6] J. Kallberg and B. Thuraisingham, “Cyber Operations: Bridging from Concept to Cyber Superiority,” Joint Force Quarterly, no. 68.

Digital Object Identifier 10.1109/MITP.2013.20. 1520-9202/$26.00 © 2013 IEEE. This article has been accepted for publication in IT Professional but has not yet been fully edited. Some content may change prior to final publication.