Cyber warfighting success means examining wetware.
2nd Place in The Cyber Edge 2021 Writing Contest
The United States stands on the cusp of a future defined by great power competitions that will undoubtedly be characterized by broad, deep and subtle cyber warfare strategies and tactics. The nation must make a deliberate decision to defend the digital human attack surface effectively by blurring traditional battle lines and creating a combined homeland and external battlespace.
A cyber Cold War that dominates modern reality is being fought every day, both abroad and on U.S. soil, purposely kept below the threshold of armed conflict. As both the civilian and military worlds become increasingly software-defined, they are continuously challenged to keep up with new emerging battlefronts. Cyber warfighting may well come, for the most part, to subsume all other warfighting domains. And because the cyber domain knows no borders or boundaries, future military doctrine and jurisdictional boundaries must evolve and converge to provide a holistic and coordinated strategy to stay competitive with threats.
The United States must come to terms with this new reality. Near-peer adversaries recognize that a continuous military, economic and societal low-and-slow skirmish fought in the cyber domain will span across a digital human network of military assets as well as the military and civilian population. It also can be as devastating as armed conflicts while not incurring immense costs and political or societal damages.
It is interesting to consider that this version of warfare is reminiscent of the tale told in the Cold War-era Star Trek episode “A Taste of Armageddon.” In the television show, two hostile civilizations resign themselves to the reality that conflict cannot be avoided. They decide that computer-simulated warfare is the best way to preserve their societies and prevent the destruction conventional warfare entails.
While the United States and its adversaries have not come to a spoken agreement as described in the episode, science fiction writers often have the gift of foresight. Trends that move away from large-scale armed conflict in favor of cyber warfare seem to be aligning with this prediction.
The challenges of this new cyber warfare landscape are compounded by near-peer adversaries’ ability to pull the levers of autocratic governance to ensure their defense industrial base is fully accessible to, and falls in line with, their cyber warfare strategies and tactics. Unlike in the United States, where private companies’ profit and intellectual property concerns are paramount, adversaries are not impeded by these barriers. They have free rein to utilize all available resources to expand their cyber warfare capabilities.
Additionally, civilian populations in enemy countries can be more resilient to the effects of foreign influence and misinformation campaigns because of cultural and political controls. The U.S. military and government do not—and should not—have any of these options available, but while this affords the United States cherished freedoms, it is a potential factor contributing to asymmetric capabilities of autocratic adversaries.
If cyber warfighting indeed becomes the primary conflict domain, staying competitive with adversaries who benefit from the somewhat ironic agility of autocratic governance will require a reconsideration of how U.S. offensive and defensive capabilities are structured. In addition, the blurring and erasure of the rigid jurisdictional boundaries between battle lines and homeland versus external defense—as the new Joint Warfighting Concept likely reflects—must be considered.
As military assets become increasingly data- and software-driven, cyber attacks will continue to be more effective and insidious and less risky and expensive than kinetic battles.
The complexity of warfighting software also is rapidly growing. Modern architectures composed of a web of microservices spanning multiple public clouds and on-premises or edge locations can be more secure than legacy applications. However, this increased complexity is ripe for inserting mistakes, misconfigurations or intentional actions by insider threats. These can hide within the exquisite architectures that are only understandable by a precious few.
This explosion of complexity of digital warfighting systems combined with the blurring of domains and battle lines, the rapid evolution of data-driven warfare and the broad capabilities needed for decision dominance give adversaries near-limitless opportunities to creatively evolve how they exploit this ever-expanding digital attack surface. This ability includes not only the software of military and civilian assets but also the “wetware” of the human mind.
Misinformation and psychological operations are not new. However, the modern digital pathways that reach deep into our lives and psyche open new, insidious and subtle methods of manipulation and control. The mind must be considered as another asset to be defended in the “digital human network,” especially because misinformation and influence implanted in a human mind can bridge any air gap or classification boundary.
The results and effectiveness of tactics like these have become brutally apparent within the last few years and acutely within the last few months. The United States has seen violent attacks and irrational behavior fueled by misinformation on social media. Without speculating about whether U.S. adversaries were directly involved, they were undoubtedly paying attention. They watched and learned that they could, with mere misinformation, execute an otherwise impossible attack on the homeland without putting a single soldier on U.S. soil.
This evolving front in cyber warfare—the exploitation of the digital human network—closely parallels exploiting a computer network or system and even leverages the same digital pathways. It is well known that adversaries perform vulnerability assessments and reconnaissance on computer networks to find high-value and soft targets to gain an initial foothold with first-stage malware, which then provides opportunities for lateral movement and attack escalation. This same technique is known to be used for misinformation and influence campaigns: to define a target objective, identify pockets of society more likely to accept the implanting of the first stages of malinformation and then benefit from its organic movement throughout and beyond social media. This lateral movement is on a scale and depth that dwarfs any purely digital attack, one that knows no boundaries or limits.
Another technique in software exploitation called fuzzing can be applied to human manipulation. It involves bombarding software with random inputs to elicit an unexpected response that could indicate a vulnerability for further exploitation. A close parallel to this technique for attacking a human network is the psychological tactic known as gaslighting. This technique involves sowing doubt and lies and nurturing confusion, which floods the human consciousness with faulty input, making it more pliant and susceptible to manipulation.
Even if this “human fuzzing” is not done with a specific objective in mind, it directly erodes an individual’s attention span and energy. When combined with the aforementioned drive toward advanced, highly complex digital capabilities, it can result in widespread errors and misconfigurations that attackers can exploit.
It is important to recognize and defend against all of these tactics like any other cyber threats. They cannot be contained by air-gapped, secure environments and span every critical military and civilian asset, such as infrastructure, financial and health care systems. The “human attack surface” must be considered in a holistic cyber warfare strategy as a ubiquitous vector by which power and influence can be spread to every corner of a society’s critical systems.
The new Joint Warfighting Concept and efforts surrounding combined Joint All-Domain Command and Control are steps in the right direction. They will allow the United States to rise above the rigid boundaries of traditional warfare. In addition, they will deny the nation’s adversaries the opportunity to take advantage of its existing siloed military services and doctrine to gain cyber warfare and artificial intelligence dominance.
The United States must accelerate this trend toward convergence and continuously evolve its strategies and tactics. The country must address new battlefronts, including the entirety of the digital human network, to ensure that the United States can defend itself against the ever-increasing pace, complexity and subtlety of adversarial actions.
Samuel J. Richman is a U.S. Defense Department systems engineer at Zscaler, specializing in zero trust. Prior to this role, he was a strategic solution architect at Red Hat focusing on U.S. Air Force digital initiatives including tactical edge computing, ABMS/JADC2 and modern warfighting architectures. He has over 20 years of enterprise IT experience, both in the federal service and in multiple industry roles, supporting civilian and Defense Department initiatives such as cybersecurity, agile architecture, application delivery and data integration/analytics.
Source: https://www.afcea.org/content/defending-digital-human-network