7 March 2019

LESSONS NOT LEARNED: WHY OUR POST-9/11 COUNTERTERRORISM EXPERIENCES SHOULD INFORM OUR CYBERSECURITY STRATEGY

Michael Senft 

How do you turn an elephant into a mouse? Despite tremendous investments in personnel and resources, the cybersecurity elephant continues to grow larger. Network compromises, data breaches, and destructive attackscontinue to increase in size and frequency. Neither increased expenditures or cybersecurity research are making the information-technology ecosystem that sustains our digitally dependent way of life more secure. Deterrence and retaliation are not credible alternatives due to the anonymity of cyberattacks. A new approach is required to turn the cybersecurity elephant into a mouse.

The immense challenges of cybersecurity may seem unique to the complex ecosystem of cyberspace, but there are deep parallels with the counterterrorism fight. Counterterrorism and cybersecurity both combat asymmetric warfare, where clandestine activity is used as a means to achieve an end in a persistent-threat environment in which attackers are able to ignore geographic boundaries. Both are also characterized by disproportionate cost disparity, marked differences in rate of adaptability, and inequality in rules of engagement between attackers and defenders. Cyberattacks—in the form of Computer Network Exploitation that seeks to obtain information or Computer Network Attack that aims to cause damage—assail the elements of confidentiality, integrity, and availability, which underpin the security and function of digital systems, much like terrorist attacks assail elements central to state authority, such as the ability to protect a state’s citizens. Given these similarities, past failures in counterterrorism can offer hard-earned lessons for the field of cybersecurity.


Asymmetric warfare, by its very nature, is information-centric, with a weaker opponent seeking to exploit vulnerabilities of a stronger opponent. The terrorist attacks on September 11, 2001 attacks are a vivid example. The 9/11 Commissionidentified the inability to coordinate information collection and integrate collected information as two key areas that contributed to the failure to identify patterns that might have provided warning of attack. Since 9/11, the ability to rapidly collect and integrate information has been critical to the US military’s success in finding, fixing, and finishing terrorists in the counterterrorism fight. If defenders have information, they can target attackers and remove them from the battlefield. If defenders lack information, attackers can execute a wide range of attacks and impose costs on the defenders. As detailed in Small Wars, Big Data, small-scale efforts can have large-scale effects in information-centric warfare, “Information,” the book’s authors write, “is the key factor determining which side has the upper hand in an asymmetric conflict.” Unfortunately, information collection and integration have not been a focal point for cybersecurity efforts.

While the advantage of nimble cyber attackers over their lumbering defensive counterparts seems insurmountable, defenders own the most powerful asset in battle—home-field advantage. Cyber attackers, like terrorists, depend on being able to blend into the local population. Once identified and their movements reported, both are easily neutralized. If utilized effectively, home-field advantage enables defenders to rapidly collect, evaluate, and act on information to not only detect cyberattacks, but force attackers into traps to reveal their identities, intentions, or more advanced capabilities. Use of undetectable passive monitoring devices and sensors make cyber attackers wary of executing operations lest they reveal tactics, techniques, and procedures that are difficult to reconstitute. Effective use of home-field advantage also allows the use of deception to provide false information, undermining the goal of many cyberattacks—espionage.

While counterinsurgency is distinct from counterterrorism, two factors compel its inclusion in this examination: (1) insurgency movements typically use terrorism as a tactic; and (2) despite doctrinal and policy distinctions, in practice the boundary between US counterterrorism and counterinsurgency operations has been blurred during post-9/11 operations, and often they either naturally overlap or are deliberately paired together. Army Field Manual (FM) 3-24, Counterinsurgency reinforces the importance of collection and integration of information in asymmetric warfare. The manual states that “counterinsurgency is an intelligence-driven endeavor” and stresses the importance of employing standard intelligence processes to understand the operational environment, emphasizing the populace, host nation, and insurgents. When effectively employed, the intelligence process offers a system-of-systems approach to identify collection gaps and optimize employment of collection resources to synthesize raw information into actionable intelligence, and to thereby drive informed decisions. Unfortunately, these lessons are largely unapplied in cybersecurity, with little emphasis on using the intelligence process—planning and direction, collection, processing, analysis and production, and dissemination—to understand the two key aspects of the cybersecurity operational environment: (1) users and (2) the information- and communication-technology infrastructure. Rob Joyce, the former chief of Tailored Access Operations at the National Security Agency, stressed the importance of understanding the operational environment during a 2016 presentation: “If you really want to protect your network, you really have to know your network.” Comprehensive knowledge of the operational environment enables effective utilization of home-field advantage to find, fix, and finish cyber attackers.

FM 3-24 also highlights the importance of taking small steps, addressing supportive areas first in order to generate inertia, and remaining agile to counter highly adaptive adversaries. Previous work from the authors of Small Wars, Big Data identified that the most successful counterinsurgency projects are modest, informed, and conditional. This advice would be well heeded by organizational leaders responsible for investments in cybersecurity. The Defense Digital Service illustrates how modest, informed, and conditional projects can have an oversized impact on improving cybersecurity. Their Hack the Pentagon program has helped the Department of Defense to identify and remedy thousands of security vulnerabilities with minimal investment.

Another dynamic that current cybersecurity efforts does not sufficiently address is information mechanics, the process and flow of information collection and sharing. In counterinsurgency the challenge of information mechanics centers on manipulation of the information flow to benefit counterinsurgent forces. By focusing on information mechanics, counterinsurgency forces can best leverage information and communication technology, using it as a channel to receive tips from civilians or shutting it down when it provides greater advantage to insurgents for coordination of attacks or other activities. The challenge of information mechanics for cybersecurity is considerably different, given the volume, velocity, and variety of data generated by our current digital systems, but the importance of information mechanics remains the same. Just as the ecosystem that enables civilians to provide tips on terrorist activity to counterterrorism forces is critical, so too is the ecosystem that enables network defenders to receive and act on tips of malicious cyber activity. Leveraging home-field advantage requires deep understanding of the operational environment in order to mitigate the faster decision cycles enjoyed by cyber attackers.

Additional lessons can be learned from retired Gen. Stanley McChrystal’s transformation of Joint Special Operations Command into a cohesive counterterrorism organization capable of rapid information processing, decision, and action. This transformation, detailed in his book Team of Teams, was driven by the failure of conventional approaches to defeat a decentralized al-Qaeda network. The interconnectedness of the cybersecurity operating environment requires a holistic understanding of the entire system across IT operations, defensive cyber operations, and threat-intelligence personnel to create an organization that functions as a team of teams. The rapidly changing domain of cyberspace necessitates real-time innovation, decentralized decision making, and transparent communication with empowered execution to transform cybersecurity efforts into a network of webs and nodes, instead of a loose connection of silos.

Finally, David Kilcullen outlines eight best practices to improve counterinsurgency operations in The Accidental Guerilla, which, with some adaptation, provide tangible steps toward improving cybersecurity from the tactical to strategic level.

A political strategy, which provides a framework that incentivizes measurable improvements in the cybersecurity posture within the Department of Defense, the US government, the defense industrial based, and critical infrastructure and key resources.

A comprehensive approach that closely balances security, privacy, and availability, based on a common understanding of the tradeoffs involved.

Continuity of key personnel and policies, with sufficient authority and resources to do the job.

Endpoint-centric security founded on reducing attack surfaces, centralized event logging, and principle of least privilege.

Cueing and synchronization of technology development, cyber­­security efforts, and policy, building them in a coordinated way that supports the National Cyber Strategy.

Close and genuine partnerships between government, academia, and industry working to address the systemic technical and nontechnical issues impacting cybersecurity.

Strong emphasis on building effective incident-response and cyber-protection teams, trained, capable, and empowered to detect, respond to, and mitigate advanced persistent threats against the Department of Defense, the US government, the defense industrial base, and critical infrastructure and key resources.

An internet-wide approach that disrupts dark-web safe havens, secures network borders, and undermines adversary ability to procure cyber infrastructure within friendly countries.

Our dependence on cyberspace and information technology has not been met with a proportional emphasis in its security. A recent report from the Government Accountability Office highlights the failure of the Department of Defense to prioritize cybersecurity of weapons systems, despite these systems being more networked and software dependent than ever before. A new approach is required, one versed in the lessons of counterterrorism, emphasizing the collection and integration of information. Small-scale efforts in enhancing information collection and integration can have large-scale effects in finding, fixing, and finishing attackers in information-centric conflicts, regardless of domain. As a means to achieve an end, cyberattacks, like terrorist attacks, have the potential to create an oversized impact on a nation’s political and economic power. Turning the cybersecurity elephant into a mouse requires a different approach, not unsustainable increases in spending. The longer we fail to adequately address the core issues of cybersecurity, systemic risk to the digital ecosystem that underpins our digitally dependent way of life will continue to increase exponentially. To paraphrase noted economist Rudiger Dornbusch, in the cyber domain, things take longer to happen than you think they will, and then they happen faster than you thought they could.

Maj. Michael Senft is an Army Functional Area 26A Information Network Engineering Officer and has multiple deployments in support of joint and special operations units. He holds a master’s degree in computer science from the Naval Postgraduate School and a master’s degree in engineering management from Washington State University.

No comments: