Principles of Cyberwarfare
Total Page:16
File Type:pdf, Size:1020Kb
Cyberwarfare Principles of Cyberwarfare Cyberwarfare is different from classic kinetic warfare and therefore requires a review of basic warfare principles to differentiate it from armed conflict in the traditional sense. RAYMOND lassic, kinetic warfare principles have been not an exhaus- C. PARKS derived from thousands of years of expe- tive list, nor is it AND DAVID rience as Tsun Tzu, Carl von Clausewitz, intended as the P. DUGGAN Antoine-Henri Jomini, Basil Henry Liddel- final definitive Sandia CHart, and others have documented. Some kinetic one. Instead, these principles are a continuation of the National warfare principles apply to cyberwarfare, others have discussion with the cyberwarfare community that we Laboratories no meaning in cyberwarfare, and a few may actually began with our first article. We chose principles from be antagonistic to cyberwarfare. practical experience. When we follow these princi- The principles of warfare guide warfighting at the ples, we win; when we do not follow them, we lose. strategic, operational, and tactical levels. They’re the enduring bedrock of US military doctrine, derived Definitions from practical experience and the wisdom of those To present our cyberwarfare principles, we must define who documented that experience. Those who fol- our terms. Dan Kuehl defines cyberspace as “an opera- lowed these principles have won, and those who did tional domain whose distinctive and unique character is not have lost. Clearly, we do not have thousands of framed by the use of electronics and the electro magnetic years of experience in cyberwarfare, so we have to spectrum to create, store, modify, exchange and ex- start with what we have had. Many cyberwarfare in- ploit information via interconnected information- cidents are classified and not available for public dis- communication technology (ICT) based systems and cussion. Fortunately, our experience in red-teaming their associated infrastructures.”2 This coincides with can act as a surrogate for the undisclosed. our original description of the cyberworld as any vir- As practitioners, we derived the principles of cyber- tual reality contained in a collection of computers and warfare discussed in this article from the bottom up. networks. Many cyberworlds exist, but the one most As part of Sandia National Laboratories’ Information relevant to current cyberwarfare discussions is the Inter- Design Assurance Red Team (IDART), we’ve had net. Cyberwarfare is a combination of computer network hands-on practice through red-team exercises, which attack and defense and special technical operations.3 are equivalent to limited cyberwarfare scenarios. We We define kinetic warfare as warfare practiced in the wrote the first version of this article in 2001, when land, sea, air, and space domains. All current militar- we had approximately five years of experience.1 The ies’ tanks, ships, planes, and soldiers are kinetic war- cyber domain has changed, and we, along with our fare’s protagonists. colleagues, have learned since then. While conduct- ing active adversarial analyses of information systems, Kinetic Principles we identified eight cyberwarfare principles. This is Kinetic warfare has a history as long as mankind’s and 30 COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES 1540-7993/11/$26.00 © 2011 IEEE SEPTEMBER/OCTOBER 2011 Cyberwarfare includes many attempts to derive principles for prac- made analogies between cyberwarfare and subma- titioners. Many have attempted to pass on the wis- rine warfare. Several other participants pointed out dom and insight they’ve gained, usually through hard the similarity between cyberwarfare and special lessons. Publications on cyberwarfare frequently cite operations. Both of these analogies are suitable in Tsun Tzu’s The Art of Strategy.4 Its primary relevance our opinion. Law enforcement professionals from to cyberwarfare involves our principle that attacks both the FBI and Secret Service have told us that must have a real-world effect. Tsun Tzu recom- our cyberterrorist model closely matches assassins’ mends manipulating the adversary’s decision-making. operational profiles.8 In none of these cases is mass Clausewitz’s Vom Kriege (On War) seems to have lost as important in cyberwarfare as in kinetic warfare. popularity with many cyberwarfare writers, but we • Cyberwarfare is inherently an application of the ki- believe it still has relevance, particularly its assertions netic principle of economy of force—to allocate mini- on the will to win, the “fog of war,” and the friction mum essential combat power to secondary efforts. of war.5 Cyberwarfare as a part of information op- Because cyberwarfare is the epitome of asymmetric erations can affect the enemy’s will to fight, and we warfare, economy of force for both secondary and aimed our strategic cyberwarfare attacks for theoreti- primary efforts is inherent. cal exercises and workshops at increasing the fog and • The kinetic principle of maneuver—placing the en- friction of war. Liddel-Hart’s principle of indirect ap- emy in a position of disadvantage through the flex- proach is likewise applicable to cyberwarfare.6 In our ible application of combat power—is applicable to experience, cyberdefenses are best handled, from an cyberwarfare. However, attackers and defenders do attacker’s point of view, by avoiding them altogether. not physically or virtually move their forces—they In exercises that have had limited defenses, we as at- move the point of attack or defense. tackers have either bypassed the defense or ignored it. • The kinetic principle of unity of command is to ensure We have no intention of traversing an exhaustive unity of effort under one responsible commander for list of kinetic warfare principles here. We consider the every objective. This is applicable to cyberwarfare in following principles, drawn from Figure I-1 of US most operations; however, there are certain cyber- Department of Defense (DoD) Joint Publication 1, warfare attacks, such as crowdsourcing and Anony- primarily to compare them to cyberwarfare:7 mous’ Low Orbit Ion Cannon, that use unwitting bystanders or loosely controlled volunteers who are • The kinetic principle of objective is to direct every not within the command of the protagonist. military operation toward a clearly defined, decisive, • The kinetic principle of security—to never permit and attainable objective. This is certainly applicable the enemy to acquire unexpected advantage— to cyberwarfare. Our adversary models include the applies to cyberwarfare, but in a different sense. The principle of objective as part of all adversaries other risk to operational forces in cyberwarfare is far less than unsophisticated attackers.8,9 than kinetic warfare, but the risks of failure before • The kinetic principle of offensive is to seize, retain, achieving the desired effect and having weapons and exploit the initiative. In kinetic warfare, the in- turned back on the user are higher. ertia of opposing forces means that seizing the ini- • The kinetic principle of surprise—striking the en- tiative is difficult. In cyberwarfare, there’s almost no emy at a time or place or in a manner for which it’s inertia—moving bits is much easier than moving unprepared—applies to cyberwarfare, perhaps more tanks, ships, and aircraft. This makes the offensive than kinetic warfare. principle less relevant in cyberwarfare, which will • The kinetic principle of simplicity is to prepare clear, likely involve simultaneous action and reaction at a uncomplicated plans and concise orders to ensure frenetic pace. The principle of offensive still applies thorough understanding. This applies to cyberwar- to a lesser extent because of the inertia in the minds fare because of the danger of fratricide when one of the attackers and defenders—psychological rather operational unit denies another access or burns a than physical inertia. weapon on a lesser target. • The kinetic principle of mass involves concentrat- ing the effects of combat power at a particular place Interested readers can find a useful consolidation of and time to achieve decisive results. Overwhelm- additional kinetic warfare writings in the Department ing force is largely irrelevant to cyberwarfare except of Defense’s “Doctrine for the Armed Forces of the when engaging in denial-of-service (DOS) attacks United States.”7 that emulate kinetic warfare actions. Cyberwarfare is different from conventional warfare in that stealth Proposed Cyberwarfare Principles and surprise are supremely important. At the Cyber We base most of these principles on observations of how Strategy Workshop in October 1999, one presenter things work, online and during active engagements. We www.computer.org/security 31 Cyberwarfare have experience with more than 300 red-teaming activ- Previous attacks have affected both tactical and ities ranging from planning attacks to white-boarding strategic decision-makers. Attackers can mislead tac- exercises to actual hands-on engagements. tical decision-makers about the location and size of enemy and friendly forces. At an operational level, Lack of Physical Limitations we red-teamed a logistics system to manipulate the Physical limitations of distance and space do not apply arrival time and amount of supplies and reinforce- in the cyberworld. In cyberspace, physical distance is ments to cause bad decisions, such as attacking with neither an obstacle nor an enabler to conducting at- insufficient ammunition and delaying attack through tacks. A cyberattack can be executed with