Modelling the actual attack to create a counterintelligence plan
[06.08] Therefore, against those skilled in attack, the enemy does not know where to defend. — Sun Tzu
In the first part of this series we established that attempting to secure a group of civilians against the Russian military intelligence is basically never going to happen. This is for the same reason that securing any cyber infrastructure against a breach by determined attackers is a daunting task. The trick, as cyber security professionals know, is to mitigate the damage of the breach, rather than rely on preventing it entirely.
To paraphrase Dino Dai Zovi: if the cost of the attack exceeds the value of the compromise, you have security. This is also a counterintelligence principle: increase adversarial costs beyond the value of the data. I’d even hazard a guess that this is the guiding principle behind protections against shoplifters and thieves everywhere.
The core problem facing the Democrats wasn’t that the data was stolen, it is that the data could be exploited in an information operation. It is almost impossible for civilians to prevent an intelligence agency from stealing data off computers (whether they’re laptops or mobile phones.) To achieve security the best approach is to reduce the value of that data, making it both less attractive as a target and less useful for exploitation.
What do they want?
The goal of an information operation is to control the narrative around an event, sequence of events, person, etc. etc. An exceptionally effective information operation will inject “info” into the the sensemaking discourse at such a level that it alters the conclusions of those targeted. That is – a truly good information operation will change the targets’ perception and understanding of reality.
Before we can look at how to develop an effective counterintelligence plan against cyberwar info ops, we’ll need to get up to speed on some intelligence agency basics.
Just Intel Agency Things
This section is just going to briefly lay out the various structures of intelligence agency operations. It is important background information necessary to understand how active cyberwar operations are conducted.
Generic Intelligence Cycle
First, there is the intelligence cycle, which provides a structure for conducting intelligence operations. There are essentially four phases (ive omitted a lot of feedback loops and refinements):
- Tasking: determine the need for intelligence and ask the agency to get it
- Collection: figure out where the data is, plan how to get it, and do it
- Analysis: examine and contextualize the data, create intelligence reports
- Dissemination: get the intelligence reports to the right people
Second, there is the operations process, which is fundamentally the same for everything, but has endless variations depending on the requirements and goals, the operators involved, the organisation(s) involved, etc.
- Tasking: determine a need for the operation, assign resource to it
- Planning: figure out how to conduct the operation to achieve success
- Execution: conduct the operation
- Exploitation: make effective use of the results of the operation
Active Cyberwar Operations
Finally, in the specific case of the cyberwar operations conducted against the Democrats, there were multiple Collection operations, significant resources devoted to Analysis of the data, and then a number of “active measures” operations that got the information in curated datasets into the public discourse. These information operations follow the basic operations process, but the meta structure of the cyberwar operation was as follows:
- Collection: standard computer network operations cyber collection
- Dissemination: analysis by the foreign intelligence service; curation into datasets; distribution to the target audience
- Consumption: assessment, evaluation and judgement by the target audience; essentially processing and digesting the datasets
These phases of the active measures operations are important because as we established in part one, preventing collection is quite hard (or even impossible.) An effective counterintelligence strategy (after making collection as hard as possible) must focus on mitigating the later phases of the operation.
Ready to evaluate cyberwar security
Now everything is laid out for evaluation and we can begin to think about how a counterintelligence plan can be implemented against the information operation, which was the real attack (not the breach, obviously.) The fundamental issues to keep in mind are that threats and risks only appear when the info op has good dissemination (broad reach, acceptance of legitimacy) and the info is consumed and processed by the target audience. This is where things get more interesting, and I’ll explore them in the next instalment.