Counterintelligence against the real threat
Conflict in the fifth domain is not limited to the purely technical aspects of hacking, nor is it even restricted by the formalised “deny/degrade/destroy” sort of rhetoric that gets the Western military so excited. Previous instalments in this series covered:
- why pretty much everyone is wrong because they viewed this as a cybersecurity problem (wrong!), and
- how intelligence agencies operate and conduct information operations
Finally we’ll get down to understanding the real risks and problems, and develop a strategy that counters the actual threat. This means that rather than attempting to teach civilians how to protect their computers against a determined foreign intelligence service (FIS) — which is essentially impossible — we’ll teach them to reduce the value of the data available to the FIS after their systems are compromised.
In the first post of this series we saw that it is possible to increase the cost of the compromise, but that cost is never beyond the budget of an adversarial intelligence service. Other guiding security principles will also help, but few are directly applicable to attacks against, for example, individual mail spools.
For a successful defence we will have to focus on identifying and mitigating the value of the compromise. This means focussing on the post-compromise exploitation of the data collected by the adversary. This requires a more strategic approach, one which identifies the real risk and the real adversary.
Counterintelligence and the Cybers
This actually deserves a post of its own; however, here’s a quick rundown of the current cyber security principles that are known to work. There are only a few of them:
- Increase the cost of the compromise
- Decrease the value of the compromise
- Restrict adversarial freedom of movement post compromise
- Increase ease of detecting a compromise
- Increase chance of detecting a compromise
- Audit trails for post compromise analysis
These are fundamental security principles that apply to computers just as well as to sensitive documents protected by an intelligence service. Counterintelligence fundamentals haven’t really changed since the second oldest profession got started… Aside: intelligence officers like to joke that theirs is “the second oldest profession” (after prostitution), but the evidence seems to suggest that “midwife” is actually the oldest profession. So maybe spies only rank as the bronze medal of ancient job titles. Still, third place ain’t bad…
Last time we saw that the cost of compromise would always be within budget for the GRU, and that various suggestions to mitigate against the breach were misguided or misleading. This is fundamentally because people are still, wrongly, focussing on the access to the data being the critical factor of the information operation, rather than the exploitation of the data.
A quick review of the intelligence cycle is in order here. I am going to be horribly sloppy and treat these phases as also part of the information operation rather than just the “pure intelligence” that nations do all the time. This is just to provide some structured framework to allow us to model the events.
There are roughly four phases to the Intelligence Cycle:
- Tasking
- Collection
- Analysis
- Dissemination
We’ve seen that preventing collection is, at least for now, essentially impossible. There is no way to make civilian cyber infrastructure 100% safe against breaches. Policy people are working on developing a theory for deterrence that might prevent the tasking phase (thus nipping the whole sequence in the bud) but this is far from settled. Neither tasking nor collection can be avoided.
This leaves analysis and dissemination. If there’s a way to stop information spreading online, then China has it. I, personally, do not want to see that level of information control deployed across the Internet — censorship is not the answer. It would seem that we have to cross dissemination off the list, but keep it in mind as one aspect that we can effectively mitigate (more on this later). That last sentence is a strong contender for “understatement of the year.”
Information operations, like all operations, are also divided into phases, although they’re less well defined:
Anatomy of the Information Operation
An information operation (info op) can be structured in any number of ways, but I’ll use the specific example of the Russian attacks against the Democrats. There are only a few fundamental elements:
- Collection: get the data
- Dissemination: get the data out
- Assessment/Examination/Judgement: get the data into the public discourse
To create a defence that mitigates this operation we will have to accept that any plan reliant on stopping collection is doomed to failure. Every other element of the operation must be addressed and countered.
Information Warfare in the Fifth Domain
The goal of an information operation is to control the narrative around an event, sequence of events, person, etc. etc. An exceptionally effective information operation will inject “info” into the sensemaking discourse at such a level that it alters the conclusions of those targeted. That is, a truly good information operation will change the targets’ understanding of reality.
To properly understand the actual attack (which, in case there is any doubt, was not the breach of the targeted individuals and institutions), first I will define exactly what the execution and exploitation phases of the information operation actually were.
Cyberwar: Information Operation Execution
The technique used by the FIS was to provide the curated data sets to a number of dissemination points that then injected the data into the public discourse with the aim of controlling the narrative, adding new narratives, and so on. Effectiveness in this phase requires essentially two things: broad dissemination and acceptance of legitimacy.
Social media has made broad dissemination both easier and harder to achieve. Firstly, reaching a wide audience is possible for basically anyone with an internet connection. That is wonderful. That is the problem. Getting attention is now the primary problem, not getting published. Page views are the law of the land here; clicks, likes, retweets, etc. are the measure of success. The Alexa top 25 websites (by traffic) in the US contain only three non-search/shopping/social-media sites: #15 CNN, #16 ESPN, #22 NYTimes.
Without broad dissemination, and the resulting attention capture, the information operation is a failure. The FIS learned this first hand with a failed “if you build it, they will come” attempt: simply creating a site (DCLeaks), publishing, and waiting. And waiting. And nothing happened. The data needs to climb the page view ladder, and there are tried and true methods for that: get attention on smaller sites and leverage that, step by step, into larger and larger sites. For example: blog post → reddit → Vox → USA Today.
Stamp of Authenticity
Reaching a wide audience is possible with social media. Indeed, most social media has a wider audience than the mainstream media. The problem for an information operation is that it needs to be accepted as legitimate information, and this is where the mainstream media still plays a major role. The MSM is still, in many ways, the gatekeeper for legitimacy.
Even in an age of social media, journalists still hold an influential role of validating a story.
— Jeremy Rue, lecturer at UC Berkeley’s Graduate School of Journalism (Source)
Conclusion of Execution
Putting these pieces together, what this means is that:
- the information must be collected (the unstoppable breach),
- analysed and curated into datasets,
- disseminated to the broadest audience possible, and finally
- believed by the target audience (which requires assessment, digesting and interpretation.)
The goal of the information operation was to exploit the data collected, not simply collect it. Successful exploitation involved inserting it into the public discourse, hopefully in a way that alters the target audience’s narrative/perception of reality. To achieve this goal, the datasets must be digestible and interpretable by the target audience. They have to be able to read it and understand it.
Now that the real problem is identified — exploitation of the data — we can look at ways of mitigating that risk. Once the threat is identified, defending and counter-attacking become possible. Next time, we’ll hit on concrete actions to take to mitigate this specific exploitation of this specific data.