What is the Cyber equivalent of physical displays of military strength?

Many times in our history, the United States has deployed a carrier battle group as a sign of strength and projection of power. An aircraft carrier is recognizable by most of the world and can be very intimidating if you are potentially on the receiving end of its payload of missiles and aircraft. Similarly, the United States has also conducted joint military exercises with allies and deployed squadrons of combat aircraft at times of stress. These actions can escalate tensions, but can also show strength and resolve during times of diplomatic negotiations. We project our power in the air, on land and in the sea – are there methods we could be using in cyberspace?
I’ve asked a wide variety of cyber experts for comments and have organized them below. Some have provided extensive commentary and others have shown wisdom through brevity.

For contributing, I’d like to thank Dmitri Alperovitch, Jon Brickey, Bryson Bort, Charles Clancy, Tony Cole, Matt Devost, Matthew Dunlop, Rick Howard, Aaron Hughes, Mike Janke, Jamil Jaffer, Tom Kellermann, Rob Lee, Marcus Ranum, Chris Steed, Kiersten Todt, Sounil Yu and one former government official who will remain nameless.

A former senior national security official

If an adversary invaded our shores, pre-placed explosives on our power grid, or broke into our homes to steal secrets, would we even consider shows of force or cyber exercises?

The goal is to punish adversaries for their cyber behavior and deter them from future action. We won’t get there unless we impose hard-hitting, real-world consequences. The US has an arsenal of tools available: everything from the best cyber minds in the world to economic measures that allow us to bring about financial hurt to nations or individual companies. 

We’ve started to wield these weapons in fits and starts. It’s time we went even further to make adversaries think twice about threatening the U.S. 

Dmitri Alperovitch, CTO and Co-Founder, Crowdstrike

Cyber is best for covert/clandestine action, not for show of force.


Dr. Jon Brickey, Colonel, U.S. Army Retired and Mastercard SVP, Cybersecurity Evangelist

The concept of the United States projecting power to protect US interests is easy to comprehend in the traditional, physical warfighting domains: air, land, and sea, and even space to a lesser extent; however, it is much more perplexing in cyberspace.
 
Perhaps one analogy in the maritime domain may serve as a model for operations in cyberspace: Naval escorts. In WWII, these military operations were common and necessary to protect merchant ships traversing the Atlantic. In more recent history, the US has continued to conduct similar operations in times of diplomatic tensions to accompany US flagged merchant ships through strategic terrain, such as the Strait of Hormuz and the Gulf of Aden.
 
Leveraging this analogy and operationalizing it in the cyber domain may be one way for the US Government to show strength and resolve in cyberspace.

Bryson Bort, CEO & Founder, Scythe

This gets back to what is effective cyber deterrence? So far, nothing we’ve seen yet. A recent idea proposed by Max Sweets at CyCon: building a collaborative NATO framework for process and notification. The value of this approach deconflicts and removes the potential for friction in gray space operations. Furthermore, an entity of like nations coordinating against common threats starts to look a lot like an aircraft carrier.
 
Current US-centric operations function more like one-off operations than a full carrier battle group. A home-grown capability would doctrinally integrate all of the domains for effect and effortlessly function at the strategic to the tactical level. To the question, this could look like an actual carrier battle group that has integrated enhancement of cyber intelligence as well as the ability to shape the environment with supporting cyber effects.

Charles Clancy, Bradley Professor of Cybersecurity, Virginia Tech
 
The US’s offensive cyber ecosystem acts more like a special ops team than a carrier battle group.  The perishability of exploits and fragility of offensive cyber infrastructure align with a risk-averse culture to only use capabilities surgically.  Arguably leaks like Vault 7 and Shadow Brokers have helped give the world a glimpse of US capabilities, but those leaks lacked strategic timing.
 
However, cyber does not act in isolation of the broader toolbox of economic, military, and diplomatic measures.  Recent US actions against Huawei are an example of this confluence, and to a certain extent represent that show of force.

Tony Cole, Chief Technology Officer, Attivo Networks

The ability to project military strength can be, and has sometimes been, an important deterrent in defusing rising hostilities between nations. When needed, it’s important to be able to project strength in any domain you wish to dominate to ensure the other nation backs down or at least realizes that you’re deadly serious.

Unfortunately, cyberspace is a different animal today and although it is a recognized domain, the same as land, air, sea, and space, where we must fight and win, a public show of strength can also easily backfire. It’s quite difficult to steal an aircraft carrier; however, it’s quite easy to steal a sophisticated exploit used in a public or private display of strength. Once the tool is out there, it is generally discoverable by researchers around the world and has likely lost its luster to the original creator. This is just one of many issues to resolve. You could publicly destroy a potential adversary’s military flight radar systems through a cyberspace attack, a great show of strength; however, this is less a projection of power and more likely an escalation of tensions, or potentially outright war.

The United States in the past has had few wars fought on our own soil, however it’s critical to remember that cyber space knows few real boundaries in general, even airgaps get crossed. A show of cyberspace strength, one of major scale that could cause another nation to publicly back down, could still backfire.

The United States is almost completely reliant on all aspects of the Internet for its economy to function. A nation also trying to project their strength in cyberspace to the US could wreak havoc on us since we are all interconnected. It’s not like attacking an aircraft carrier on the open ocean. You could counter and project your strength by attacking and impacting any number of verticals that hold up the US economy.

I suspect we will continue to project strength in cyberspace by talking about our spend on people, tools, organizations such as Cyber Command, and do exercises with allies and industry to show how powerful we are, and I think that’s about as public as we get today.

Matt Devost, CEO & Co-Founder, OODA, LLC.

This poses an interesting question as use of these methods in exercises typically invokes analogies to stealth weaponry.  While the existence of a carrier group is well known and can be put on public display, cyber weapons often exploit vulnerabilities in common technologies and the overt display of a capability might reduce the future impact of the tool (the vulnerability gets patched) or inspire another actor to replicate it for use against U.S. or other targets.

There are potentially two ways around this.  We could conduct cyber exercises that demonstrate results, without revealing tactics.  For example, in conducting red teaming for military exercises in the 1990’s my team would demonstrate macro effects such as knocking an entire country off a coalition network or disrupting a particular sensor capability. This allowed for a demonstration of capability without getting too far down in the weeds on exactly what was targeted and how.  Another option would be to allow for more public disclosure of actual operations as a testament of capability.  While the U.S. affiliation with some larger scale offensive cyber operations is assumed, public declarations would remove any shadow of a doubt and also elevate cyber in the full spectrum of conflict and operations.

Matthew Dunlop, VP, Chief Information Security Officer, Under Armour

The challenge with showing strength and projecting power in cyberspace is that the source of the attack is rarely the attack origin. The idea of hack-back repeatedly comes up as a private sector option, but it is not really a strong attacker deterrent. Not only are most victims prevented from retaliating by the Computer Fraud and Abuse Act, but the recipient of the hack-back is also not likely to be a guilty party. Even if the victim can effectively navigate all the way back to the origin of the attack, the real damage to the average attacker is, in most cases, minimal. Unlike kinetic operations, which require significant investment (i.e., capital, personnel, logistical, political), the barrier to entry in cyber is low. A sophisticated adversary could wreak havoc from a coffee shop with a basic laptop. Given the growing number of adversaries of differing skill levels, a better investment in time and resources for private sector companies is a strong defense that leverages compartmentalization of critical data and resources to the fullest extent possible.

Rick Howard, Chief Security Officer, Palo Alto Networks

As you know, we can't float the equivalent of the carrier fleet in cyberspace over to the Chinese networks to demonstrate our power. The way we can do it is with Information Operations. We can demonstrate our successes through various channels.

I just finished reading David Sanger's book, "The Perfect Weapon." He describes Operation Nitro Zeus and Operation Shotgiant (see below).

Having that info in the public sphere is a projection of power. How we let our enemies know about those operations and others that we don't know about should be carefully crafted in an information operation campaign.

[The below comments are taken directly from The Perfect Weapon]

Operation Nitro Zeus – This was Cyber Command’s piece of the Op Plan 1025 puzzle to shut down Iran's electrical grid. If Olympic Games was the cyber equivalent of a targeted drone strike on Iran, Nitro Zeus was a full-scale attack. Nitro Zeus would be the opening act of the war plan: turning off an entire country so fast that retaliation would have been extremely difficult. This included tunneling inside Iran’s grid—along with its cell-phone network and even the Iranian Revolutionary Guard Corps’ command-and-control systems.  Nitro Zeus was a military plan, intended to unplug Tehran if diplomacy failed. 

Operation Shotgiant - President Bush’s program to bore a way deep into Huawei’s hermetically sealed headquarters in Shenzhen, crawl through the company’s networks, understand its vulnerabilities, and tap the communications of its top executives. The plan was to then exploit Huawei’s technology so that when the company sold equipment to other countries—including allies like South Korea and adversaries like Venezuela—the NSA could roam through those nations’ networks. Another goal was to prove the American accusation that the PLA was secretly running Huawei and that the company was secretly doing the bidding of Chinese intelligence. Chinese Army units—including several that maintain its nuclear weapons—were also overly dependent on easy-to-track cell phones. The NSA had mapped where the Chinese leadership lives and works which placed a bull’s-eye on Zhongnanhai—the walled compound next to the Forbidden City that was once a playground of the emperors and their concubines.

Aaron Hughes, Deputy CISO for Capital One and former deputy assistant secretary of defense for Cyber Policy in the Obama Administration

The most relevant corollary to the physical domain is the common practice of including DOD cyber forces in regional cyber exercises with allies and partners globally with the explicit intent (or scenario) of demonstrating our ability to provide support in response to adversary activities.  While not always necessary, this typically includes the deployment of cyber forces into theater which doubles as both a signaling event to adversaries and an excellent training and knowledge sharing forum with our partners.

While exercises are planned months and sometimes years in advance there is a need to project strength in a more tangible (and timely) fashion when tensions escalate.  Given the fragility of cyber effect capabilities, and the need to keep close-hold the access and methods by which we would deploy such capabilities, we are left with a challenging policy consideration for cyber power projection.  I never advocated for burning a capability or access but frequently recommended that we message that capability existed or that we had the policy position to use our capabilities.  Until our toolbox of capabilities is more readily replenished or access to adversary systems we hold at risk is more pervasive, we must continue to rely on virtual means of cyber power projection.

Jamil N. Jaffer, VP for Strategy & Partnerships, IronNet Cybersecurity + Founder & Executive Director, GMU National Security Institute

Many have argued that deterrence doesn't work in cyberspace or that traditional theories of governing nation-state behavior simply don't apply in this new domain of warfare.  I fundamentally disagree.

In my view, deterrence can and does work in the cyber domain; we just don't effectively practice it today (or at least haven't historically).

For example, we don't typically set clear redlines for appropriate behavior in cyberspace when it comes to other nation-states, we don't discuss potential consequences, and we certainly don't enforce them when lines are crossed.  Perhaps worse, we don't talk about our capabilities except when they leak into the press nor do we regularly articulate (or actually act on) the notion that one might respond to a cyber attack in a wide range of ways, many of which aren't in cyberspace; instead we often assume, mistakenly, that a cyber attack merits a cyber response.

All of these general facts about our historic approach to warfighting in the cyber arena are among the numerous reasons why deterrence has been relatively ineffective to date in cyberspace, not some generalized inapplicability of classic deterrence theory to this newest domain of warfare.


Mike Janke, CEO & Co-Founder DataTribe and former Navy SEAL

In special operations, you project power by striking a sensitive, well-guarded target deep within enemy territory. Use a small team, get in, terminate and get out - all without being seen or confronted most of the time. This is a “projection of power” very similar to the Aircraft Carrier psychology.

In cyberspace, I believe utilizing this tactic would be the most effective option. For example, shut down the power grid in a small area for 60 minutes - then turn it on. Cause a squadron of aircraft to be unable to communicate for 30 minutes. Take over the camera systems of a city for 15 minutes with a message put on the screens. These are examples of “safe” projection of power that strike deep with no collateral or overall damage - just to send a “cyber message” that we can do anything, anytime.


Tom Kellermann, Chief Cybersecurity Officer, Carbon Black

We must dismantle the pillars of the Darkweb economy of scale. Cyber Command must be authorized to sinkhole the bulletproof hosts and C2s used by our Cold War adversaries.  In addition, classified digital information should be capable of destroying itself and encrypting the host that analyzes it.  Lastly, we must modernize forfeiture laws to forfeit all digital currencies connected to cybercrime or spying activities. These funds should be allocated to critical infrastructure protection.

Rob Lee, CEO & Founder, Dragos

There are multiple forms of displaying strength in cyber. My personal favorite and one that does more good than harm is the investment in and showcasing of your people. After World War I there were air races and air shows across the United States. These were not only a show of strength in many ways but were spectacles to recruit new people and inspire young kids to want to grow up and become pilots. These helped the United States build the most impressive Air Force in the world. In cyber, displays of power that also look to the future and drive new ideas and talent are occurring in the form of capture the flag contests, private and public sector conferences and challenges, digital forensic competitions, and more. The shows of strength we worry about, such as targeting of industrial infrastructure such as energy systems, are damaging and unnecessary. Showing military strength by investing in our people in a versatile way that drives the next generation of technologies beyond just those in offense is an approach I feel much more proud about.

Marcus Ranum, Cyber Expert, Inventor of Proxy Firewall

I don't approve of militarism and making threats is a crime against humanity and is against the UN charter.

Chris Steed, Managing Director at Paladin Capital Group

Cyberspace has traditionally been used as a supporting function for military operations in the physical domains (air, land, sea, and space). With the rapid digitization of global critical infrastructure, cyberspace has become the domain of choice for asymmetric warfare, particularly for those who would otherwise be incapable of achieving a level of kinetic superiority over the US.

The United States should be explicit in creating an “Arsenal of Democracy” to appropriately enable our country to defend itself in cyberspace. The systemic effect of losing cyberspace superiority would be catastrophic to not only US military operations; it would also significantly hinder the ability of the private sector to continue building upon the global innovation advantage that we have shared with our allies for the last 75 years since World War II.

There has never been a greater existential threat to the United States than that posed by nation states, criminal networks, and terrorists in cyberspace. As a country, we must openly encourage our innovation environment to support the national prerogative of defending that which has been fundamental to the formation and continuity of our free society: an open, trusted, and safe information infrastructure.

Kiersten Todt, Managing Partner, Liberty Group Ventures

The cyber domain is the only domain where we ask companies to defend themselves.  We are still figuring out how the public and private sector should collaborate to defend attacks that can have significant impact on the national and economic security of our nation and the world and potentially disrupt the digital economy.

As we understand how to demonstrate our strength in cyberspace, we should allow the past and traditional, historical approaches to offense and defense to inform our actions, but our strategy should not be what we see in the rearview mirror.  The cyber world does not mirror the physical world.  Cyberspace and cyber threats do not honor or recognize geographic boundaries.

We are operating in a different theater.  Cyber threats, actions, and responses require that we think differently than we have before about how to act most effectively and efficiently, and successfully.  Projecting our power in cyberspace mandates active deterrence, as we saw with how Cyber Command blocked IRA traffic on election day in 2018 and a willingness to impose consequences for cyber actions against us.  

Sounil Yu, Cyber Expert

There’s the age-old argument that people in glass houses shouldn’t throw stones, especially if the other side can pick up the stone that you just threw, make copies, share the copies with their friends, and recklessly throw those stones back at you. Given how easily cyber “stones” can be replicated, there’s a legitimate argument that if we have a pile of hidden stones ready to be thrown, we shouldn’t reveal those stones. But if we want to show military strength and resolve in cyberspace, we may need to think differently about how to frame the glass house argument.

To demonstrate military strength, we can show a shadow of how high our pile of stones is. One possible way to reveal this shadow is to show that NSA had a particular exploit to a vulnerability X years before the vulnerability became known. You can also call this a “negative zero day” measurement. (Symantec wrote a really great paper on this topic titled “Before We Knew It”).  In other words, when a zero day is publicly announced or a vulnerability is publicly announced, NSA provides a stat indicating how much time beforehand NSA discovered that same vulnerability. This may have minimal negative PR consequences for the NSA, but it clearly shows strength of capability.

To demonstrate resolve, we need to be able to show that we have thrown stones previously and are willing to do so again. In particular, if we can show that our previous stone throws were done with precision with no collateral damage, that reinforces the strength of our capability and provides a stark contrast to the uncontrolled and careless approach that our adversaries use. We should continue to have expiration dates so that the stone doesn’t become a future equivalent of landmines. We should continue to ensure that the stone doesn’t ricochet and accidentally hit a hospital window. And if our stone is discovered, it should have all the clear markers that it came from us because it is overwhelmingly evident that we took all these precautions.

Lastly, we should remember that power projection can also be shown through a visible (active?) defensive posture. I’m sure that the shores of Normandy were pretty intimidating to those brave American troops that landed on that beach.  Thankfully, the beaches of Normandy were not impenetrable, but the reality is that if we didn’t deceive Germany into thinking the attack would occur elsewhere, they would have had more defenses in Normandy which would have deterred us from attacking there. If we build a glass house with unbreakable glass windows, but it still looks like breakable glass, it won’t do much to deter someone from trying to throw a stone through the glass.