Pages

17 July 2022

Cyber Operations and Maschmeyer’s “Subversion Trilemma”

Jason Healey

Will cyber operations be a major factor in international relations, or a relative sideshow? A major article in the Fall 2021 issue of International Security advances these theories around cyber operations. Specifically, Lennart Maschmeyer argues, in his International Security article and associated Lawfare post, that cyber operations are subject to a “subversive trilemma” of speed, intensity, and control that limits their strategic utility. Improvements in one will likely result in losses in the others so that “cyber operations will tend to be too slow, too low in intensity, or too unreliable to provide significant utility.”

Maschmeyer’s formulation hits on important truths, but what he has uncovered is larger than just a trilemma and overestimates the impact of subversion.

The Subversive Trilemma Is a Compelling Concept

In “The Subversive Trilemma,” Maschmeyer argues that cyber operations are fundamentally subversive in nature, a compelling finding. Subversion relies on exploitation, depends on secrecy, and misuses an adversary’s own systems. This is easily recognizable in cyber operations, which use subversion “to control, manipulate, and use the system” to achieve their desired effects. This is a fuller analysis than, for example, emphasizing that cyber operations rely on deception.

Maschmeyer’s trilemma—based on the trade-offs among speed, intensity, and control of cyber operations—is both insightful and easy to understand, unlike many other theories of cyber conflict. While the basic phenomena he describes have been understood for a decade or more, they have not been put in such clear, analytical terms. Compare, for example, these quotes:Healey, “A Fierce Domain” in 2013—“Cyber incidents have so far tended to have effects that are either widespread but fleeting, or persistent but narrowly focused. No attacks, thus far, have been both widespread and persistent.”

Maschmeyer, “The Subversive Trilemma” in 2021—“Speed, intensity, and control are essential components of operational effectiveness, yet each of these variables can lead to mission failure and no more than two can be maximized at once.”

Maschmeyer’s quote is not just descriptive but predictive (and insightful and parsimonious as well). Speed, intensity, and control constrain the “strategic promise” of cyber operations: Speed is limited because it takes time to pinpoint system vulnerabilities and craft a plan of attack, while the intensity of effects depends on the scope and scale of access to such systems. And an adversary’s control over computer systems is uncertain both because they need to operate in a way that will limit discovery and because their control is limited to the areas of the system they are familiar with.

But It Is More Than a Subversive Trilemma …

Maschmeyer undersells the importance of his trilemma, which is applicable not only to military cyber operations but also to almost any malicious cyber activity, including cyber espionage or simply hacking for fun or profit. When Vladimir Levin hacked into Citibank’s computer systems in 1994 to steal $10 million, his actions were bound by the trilemma, balancing speed, intensity, and control.

Maschmeyer’s declaration that “any cyber operation that produces effects through hacking relies on subversive mechanism and thus is bound by the trilemma” would still be true if the phrase “subversive mechanism” was removed: “any cyber operation that produces effects through hacking is bound by the trilemma.”

Moreover, the trilemma seems germane well beyond cyber. Military operations on the land, sea, or air also depend on some combination of optimizing the time from starting an operation until its effects are felt (speed), hitting targets at the right scale (intensity), and maintaining command and control while maneuvering to hit the right targets (control). During World War II, bomber commanders of the Eighth Air Force would have certainly understood the constraining variables of this trilemma as they planned and executed massive daytime raids over Germany, just as Russian or Ukrainian commanders would in 2022.

So, the trilemma reveals an important truth about trade-offs among speed, intensity, and control. But because these are not unique to subversion, Maschmayer’s confirming their presence in cyber operations does not prove these operations were subversive. It only demonstrates they are one subset of operations characterized by such trade-offs. These constraints would likely be detectable across a wide range of military and cyber operations, including operations that are clearly warfighting—such as airstrikes, ambushes, or encirclement—and not subversion.

And More Than a Trilemma

Despite Maschmeyer’s classifying the trilemma as speed, intensity, and control, there is a fourth variable that likely changes the concept to a quadrilemma. Secrecy, which is not just a binary “defining characteristic,” is a threshold that adversaries must achieve to be successfully subversive.

Adversaries must in almost all cyber operations balance secrecy against operational speed, intensity, and control so that, as Maschmeyer contends, “gain in one variable tends to produce losses across the” others. The degree of secrecy required is informed by the goals of the campaign, their skills and technical capabilities, the timing and duration of the campaign, their willingness to be detected and attributed, the geopolitical situation, and other factors.

Some campaigns, such as Russian intelligence in their SolarWinds intrusion or U.S. and Israeli intelligence for their Stuxnet disruption of Iranian nuclear enrichment, maximized secrecy to avoid detection, limiting their speed in the process. By comparison, other teams seem unconcerned with secrecy, using only the barest minimum. Most notoriously, the Chinese intelligence teams (dubbed Hafnium by Microsoft) involved in rampaging over 30,000 Exchange servers cared little for secrecy, ignoring it to maximize their speed and impact.

Though a trilemma is a tidy concept—things always seem better when they’re in threes—it is most likely that Maschmeyer is discussing a quadrilemma.

But Limited in Application

Maschmeyer assesses that subversive cyber operations (by which he means, roughly, all of them) will have “limited utility in practice” because of the inherent trade-offs of the trilemma/quadrilemma. This assessment, however, ignores several key factors: the impact of one-to-multitude attacks, cumulative effects of many incidents, and changes in technology and geopolitics.

One-to-Multitude Attacks

At least one kind of cyber operation—one-to-multitude attacks—appears to have greater utility, by using the internet to achieve intensity at very large scales. Most researchers, including Maschmeyer, tend to focus on single tactical engagements: a single adversary targeting a single defender. These are easier to count and use to create large-n data sets. But cyber operations are not limited to one-to-one attacks; they are in many ways the least consequential. Many attacks are one-to-multitude, like the Russian intrusion into SolarWinds that gave the attackers access to 18,000 organizations, of which they exploited over a hundred.

Over the past 25 years, there have been many one-to-multitude attacks (with names like Nimda, SQLSlammer, or Conficker computer worm). According to an influential 2003 security industry report, such malware are examples of “‘cascade failure’—they spread from one to another computer at high rates. Why? Because these worms did not have to guess much about the target computers because nearly all computers have the same vulnerabilities.”

One-to-multitude attacks have a national security impact only in certain circumstances, but their scale creates the potential for a far greater utility since a single operation can either allow access to thousands of other organizations (as with SolarWinds) or cause cascade disruption. Accordingly, these attacks are most likely to have a systemic impact on an adversary. It is therefore no surprise that Maschmeyer found that the most successful “subversive” attacks have been the NotPetya malware and the Russian operations against Viasat, the one-to-multitude case studies.

Maschmeyer does not treat one-to-multitude as a specific category—this potential correlation between subversive value and one-to-multitude campaigns may be worth exploring with a separate set of cases. Such cases should include ransomware attacks, which often depend on one-to-multitude attacks. Attacks such as that on Colonial Pipeline have increasing national security implications and should not be banished to a footnote, as Maschmeyer’s original article did, categorizing them as of “low relevance in interstate competition.”

Cumulative Impact of Many Incidents

Future work should also examine the cumulative impact of many incidents, especially coordinated campaigns. Maschmeyer evaluates his subversive trilemma against five major, but individual, cyber operations from the protracted Russia-Ukraine conflict. This is, again, in line with researchers’ tendencies to assess the operational effectiveness and strategic utility of each incident in isolation. Such assessments can easily miss the cumulative effect of many tactical engagements over time. Maschmeyer noted to me that he will include exactly this type of evaluation in his upcoming book.

Changes in Technology and Geopolitics

Additionally, the trilemma/quadrilemma may not hold, or cyber operations may have greater utility, with changes in technology. More widely deployed and insecure “Internet of Things” (IoT) devices will improve attackers’ ability to easily achieve severity and scale: The more a target depends on insecure IoT, the more likely that attacks won’t disrupt only information or small things made of silicon, but large, industrial objects “made of concrete and steel.” This trend, long underway around the world, will increase the chances of successful subversion (and, for what it’s worth, coercion). Though Maschmeyer acknowledges that growth in IoT may “alter” the trilemma by maximizing intensity, he quickly dismisses the concern, since adversaries would still face limitations in control.

Maschmeyer equally dismisses artificial intelligence (AI). It might enhance an actor’s control “over scale-maximizing operations [through] facilitating computer network mapping and command-and-control functions[,]” but these effects should, he argues, be counterbalanced by advances by the defenders, as “artificial intelligence promises superior means of detecting exploitation.” This may be true, but it ignores how often new technologies have tended to favor attackers over defenders. Only a handful of defenders (nicknamed the “security one percent”) likely can afford AI-driven defenses, leaving more than enough valuable targets for AI-driven attacks.

Lastly, changes in geopolitics may undermine Maschmeyer’s analysis. Cyber operations may seem to have had relatively limited utility because the prevailing geopolitical conditions encouraged states to act with relative restraint (though it may not often seem like it). Cyber operations seem to be largely subversion (or an intelligence contest) only because states haven’t been willing to play for higher stakes.

Now that Russia has again invaded Ukraine—and is worried about regime failure and making nuclear threats—it and other states may decide to undertake riskier operations, to strive for effects worse than those analyzed by Maschmeyer and other researchers who rely on assessments and empirical evidence from more peaceful times.

And Overstates the Implications of Subversion on International Relations

One of Maschmeyer’s main theoretical contributions is how cyber operations depend on subversion, allowing potential insights from existing subversion theories. Unfortunately, this conclusion may overestimate the implications of subversion on the field because, even if a single cyber operation is subversive, it does not necessarily follow that the overall international relations effect is one of subversion.

Consider the extreme scenario in which a state’s cyber forces disrupt a rival’s air defense on the morning of a larger attack—as the United States planned to do against Iran in a plan called Nitro Zeus, a larger version of a trick the Israelis appeared to have pulled against Syria. The tactical cyber engagement may classify as subversion, as it exploits the adversary’s computers and networks, but that is not the overall strategic logic. In Maschmeyer’s language, this is part of warfare: a direct and overt use of force.

On the other end of the conflict spectrum, it is not clear how it helps by conceptualizing the SolarWinds campaign, or the earlier Russian Moonlight Maze espionage campaign, as subversion, despite fitting his description as indirect and clandestine exploitation. Just because many computers and networks were subverted does not mean that international relations theories of subversion apply to such espionage.

As a counterfactual example, imagine that Russia’s massive SolarWinds campaign had not been detected by the time of the invasion of Ukraine in February: “Even with existing malware functionality, the Russian espionage team could have rebooted all infected systems at a specific time, say just after a major Putin speech warning the United States to back down.” This is the logic of brandishing, not subversion.

Maschmeyer might, as he builds on this concept, further examine under what conditions the subversive nature of cyber operations dictates the strategic logic.

Maschmeyer can build on his great contributions, in connecting operational effectiveness to strategic utility within the context of cyber conflict, by further examining these issues. His “subversive trilemma” is both possibly quite larger than his original conception (applicable beyond subversive cyber operations and maybe a quadrilemma) but also more limited (as tactical subversion may not carry through to the strategic logic).

No comments:

Post a Comment