Covert Action and Cyber Offensive Operations: Revisiting Traditional Approaches in Light of New Technology

WILLIAM ROBERT CARRUTHERS

Submitted in Partial Fulfilment of the Requirements of the Degree of Doctor of Philosophy

University of Salford, School of Arts and Media

2018

TABLE OF CONTENTS

  • FIGURE LIST
  • ACKNOWLEDGMENTS
  • ABSTRACT
  • INTRODUCTION
    • RESEARCH AIMS
    • LITERATURE REVIEW
    • METHODOLOGY AND SOURCES
      • Interviews
      • Newspaper Articles
      • Official Primary Documents: Contemporary and Archived
      • Leaks
      • Cyber Security Reports
    • STRUCTURE OF THE THESIS
  • CYBER OFFENSIVE OPERATIONS AND COVERT ACTION
    • CYBER OFFENSIVE OPERATIONS ARE NOT CYBER WAR.
    • UNDERSTANDING COVERT ACTION
    • CYBER OFFENSIVE OPERATIONS AND COVERT ACTION: A COMPARISON
    • CONCLUSION
  • COVERT ACTION AND CYBER OFFENSIVE OPERATIONS: A COMPARISON BETWEEN PROPAGANDA ACTIVITIES.
    • TRADITIONAL COVERT ACTION: PROPAGANDA
    • CYBER OFFENSIVE OPERATIONS: PROPAGANDA
    • DIRECT COUNTER PROPAGANDA
    • COMPARISON
    • CONCLUSION
  • COVERT ACTION AND CYBER OFFENSIVE OPERATIONS: A COMPARISON BETWEEN POLITICAL ACTIVITIES.
    • TRADITIONAL COVERT ACTION: POLITICAL ACTIVITIES
    • CYBER OFFENSIVE OPERATIONS POLITICAL OPERATIONS
      • Defacement
      • Stopping websites from working
      • Publication Operations
      • Target and Retaliation
      • Resentment Campaign and Misinformation Campaign
      • Voting Systems
      • Complete Operations
      • Other Elections
    • COMPARISON
    • CONCLUSION
  • COVERT ACTION AND CYBER OFFENSIVE OPERATIONS: A COMPARISON BETWEEN ECONOMIC AND PARAMILITARY OPERATIONS
    • TRADITIONAL COVERT ACTION: ECONOMIC ACTIVITIES
    • CYBER OFFENSIVE OPERATIONS: ECONOMIC OPERATIONS
      • Denial of service
      • Targeting Individual or Group of Bank Accounts
      • Targeting Business Accounts
      • Stopping a business or banks from working
      • The Effects of Hacks
      • Cyber Heist
      • Spreading of information
    • TRADITIONAL COVERT ACTION: PARAMILITARY
    • HIGH-END CYBER OFFENSIVE OPERATIONS
      • Individual Operations
      • Stopping Government or Organisations Systems from Working
      • Assassinations
      • Targeting Critical National Infrastructure
    • COMPARISON
    • CONCLUSION
  • COVERT ACTION, CYBER OFFENSIVE OPERATION, AND ORGANISATION
    • CYBER OFFENSIVE OPERATIONS ARE NOT A FORM OF COVERT ACTION
    • ORGANISATION
    • CONCLUSION
  • ETHICS AND COVERT ACTION
    • THE IMPORTANCE OF ETHICS
    • JUST WAR THEORY AND COVERT ACTION
    • LADDER OF ESCALATION
    • OTHER ETHICAL ISSUES
    • CONCLUSION
  • CONCLUSION
    • FURTHER RESEARCH
  • BIBLIOGRAPHY
    • PRIMARY SOURCES: THE EDWARD SNOWDEN DOCUMENTS (ALL ACCESSED VIA SNOWDEN SURVEILLANCE ARCHIVE, OR EDWARDSNOWDEN.COM)
    • PRIMARY SOURCES: LEAKED DOCUMENTS, OTHER THAN EDWARD SNOWDEN
    • PRIMARY SOURCES: HEARINGS, DEBATES, PUBLIC INTERVIEWS, AND SPEECHES
    • PRIVATE ORGANISATION REPORTS
    • PUBLISHED PRIMARY SOURCES: DIARIES, MEMOIRS, AND AUTOBIOGRAPHY
    • PUBLISHED PRIMARY SOURCES: THE NATIONAL ARCHIVES (UK)
    • PUBLISHED PRIMARY SOURCES: THE NATIONAL SECURITY ARCHIVE (US)
    • PUBLISHED PRIMARY SOURCES: OTHER ARCHIVES
    • PUBLISHED PRIMARY SOURCES: TRANSNATIONAL ORGANISATIONS DOCUMENTS
    • PUBLISHED PRIMARY SOURCES: UNITED KINGDOM GOVERNMENT
    • PUBLISHED PRIMARY SOURCES: UNITED STATES OF AMERICA GOVERNMENT
    • MEDIA SOURCES
    • SECONDARY WORKS: ARTICLES AND PAPERS
    • SECONDARY WORKS: BOOKS AND THESES

Figure List

  • Figure 1: Triangulation of Sources.
  • Figure 3: Mark Lowenthal’s Covert Action Ladder.
  • Figure 4: GCHQ’s Effects Hierarchy.
  • Figure 4: Mark Lowenthal’s Covert Action Ladder.
  • Figure 5: New Covert Action Ladder.

Acknowledgments

The author would like to thank his supervisory team Dr Samantha Newbery and Professor Alaric Searle without whom this would not have been possible. The author would also like to thank the Snowden Surveillance Archive, Edwardsnowden.com, and the National Security Archive for allowing people to access documents online free of charge. Finally the author would like to thank his family for helping him throughout the Ph.D, especially Andrea Carruthers who helped him so much to cross the finishing line with the thesis.

Abstract

Over the last three years a number of significant, alleged cyber offensive operations have taken place: the North Korean operations against Sony Pictures in 2014; the BlackEnergy3 Virus which targeted Ukrainian power substations in 2015; and the cyber offensive operations that were designed to influence recent presidential elections. This thesis will investigate whether these types of operations are new or similar to activities that took place in the twentieth century, especially during the Cold War, termed ‘covert action’. Focusing on the US and British experience, and using a comparative methodology, this study will compare covert action and cyber offensive operations. It will achieve this by addressing what covert action is and what forms it takes; this will then be employed in the analysis of cyber offensive operations. The thesis seeks to establish a clear relationship between these two forms of state tactics employed against state and non-state actors. It argues that although the two forms of behaviour are linked, there is a need to modify the existing understanding of covert action; this will allow, in turn, a clearer understanding of the nature of cyber offensive operations to be developed. It is concluded that there is a need to re-examine the organisational structures of covert action, including ethical dimensions, in relation to cyber operations.

Introduction

The aim of this thesis is to establish if there is a relationship between covert action and cyber operations. If such a relationship exists, the thesis will seek to understand it. Covert action is defined as ‘an activity or activities … to influence political, economic, or military conditions abroad where the role of the … government will not be apparent or acknowledged publicly’.1 It has been argued that covert action is used outside of a war.2 ‘Cyber operations’, according to the United States of America (US) government, is a collective term referring to cyber intelligence (cyber espionage), offensive use of cyber operations, and cyber defence (defence against intelligence gathering and cyber offensive operations).3 However, this thesis will focus on the offensive use of cyber operations that the US defined as Offensive Cyber Effects Operations (OCEO). It was argued by the US that OCEO were operations

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    254 Page
