Cyber Defense Review

Paradoxes of (Cyber) Counterinsurgency

By LTC David Raymond | February 09, 2015

Introduction

The publication of the Army’s Field Manual 3-24, Counterinsurgency, in 2006 was a watershed event in the history of US Army doctrine. Previously published Army manuals, and much of the doctrine published since, tend to take a very high-level view of military operations. Written largely for senior officers, these manuals often provide a great deal of theoretical background with little practical applicability. Many military practitioners see them as abstract tomes handed down from the ivory tower of the Combined Arms Doctrine Directorate at Fort Leavenworth, KS. Many Army officers even pride themselves on having avoided reading most of the doctrine that underpins their profession.

The new counterinsurgency manual was different. The primary authors were then Lieutenant General David Petraeus and Lieutenant Colonel John Nagl[1] at the Combined Arms Center at Fort Leavenworth. It is unusual for a senior officer like LTG Petraeus to have such a hands-on role in writing doctrine, but Petraeus never shied away from the unusual. A highly decorated Infantry Ranger with a Ph.D. in international relations from Princeton, Petraeus had just been promoted after successfully commanding one of the most storied divisions in the Army, the 101st Airborne Division. His command included a year-long deployment to Mosul, Iraq during Operation Iraqi Freedom where Petraeus quickly learned how to successfully engage in counterinsurgency operations. His primary co-author, John Nagl, was a Rhodes Scholar, having graduated near the top of his class at West Point in 1988, with a doctorate from Oxford University where he studied counterinsurgency. Nagl published a revised version of his doctoral dissertation in 2002 under the title Learning to Eat Soup with a Knife, a well-received history of counterinsurgency lessons from Malaya and Vietnam. The title was meant to convey unlikely successes in the seemingly impossible task of successful counterinsurgency operations. Nagl had also served in Operation Iraqi Freedom as an Armor Battalion Operations Officer in the 1st Armored Division. Despite the keen intellects of the two primary authors, FM 3-24 was a refreshingly practical manual that was based on historical counterinsurgency doctrine and lessons learned by both officers from their own experiences fighting the deepening insurgency in Iraq in 2003 and 2004.

Like most doctrine, FM 3-24 was based on military theory developed over centuries, and from writings by insurgent leaders and counterinsurgents alike. However, it is also full of practical tips for the tactical commander and small unit leader in successfully prosecuting a counterinsurgency. One of the most useful sections, and one that breaks the mold of most Army doctrine, is a section entitled “Paradoxes of Counterinsurgency Operations”[2]. This section provides a list of counterintuitive examples that make it clear to the reader, from Private to General, how the approach to counterinsurgency is different from other military operations. For example, the paradox “sometimes the more force is used, the less effective it is” highlights the fact that in counterinsurgencies, unlike in most conventional conflict, increasing use of force provides opportunities for insurgents to cast the counterinsurgents as brutal and violent, thereby drawing more of the local population to the insurgent cause.

The inherent asymmetry of cyber conflict, where small groups or individuals regularly penetrate large corporate networks, makes it easy to draw parallels between hackers and insurgents. Malicious insider threats, those individuals that target networks from inside the organization, resemble insurgents even more closely. In both scenarios network defenders and incident handling teams are the counterinsurgents. Like most analogies, this one works in some places and not in others. However, inasmuch as cyber defense is a counterinsurgency, there are similar paradoxes, many of which closely mirror counterinsurgency paradoxes, which are helpful for the cyber defender to understand. In this paper we draw on many of the paradoxes in FM 3-24 and highlight their applicability to cyber defense. We then highlight a handful of similar paradoxes that are specific to cyber operations.

Paradoxes of Cyber Operations

A similarity between counterinsurgency operations and cyber operations is the complex and often unfamiliar set of mission considerations presented to the practitioner. The paradoxes of counterinsurgency operations offered in FM 3-24 are intended to stimulate thinking and to provide examples of the different mindset required to solve problems under these complex circumstances. Here we offer a list of cyber operations paradoxes in the spirit of the counterinsurgency paradoxes offered in FM 3-24. Many of our paradoxes are taken directly from the FM 3-24 list intact, while others are used with minor rephrasing. A few paradoxes are completely new, owing to the unique nature of the cyberspace domain. We believe that our list will help cyber operators gain a better understanding of the complexities of operating in cyberspace.

Sometimes, the more you protect your perimeter, the less secure you may be[3]. Early network defenders focused on building strong perimeter defenses using devices that would scan and filter potentially malicious traffic at network entry points. Devices such as network-layer firewalls and intrusion prevention systems gave way to application-layer proxies and sophisticated content-monitoring systems, giving many network administrators and their managers a false sense of security. Many still mistakenly equate increased network security budgets with a direct and corresponding reduction in vulnerability to cyber threats. Most security professionals now recognize that perimeter defense is only one part of the solution. Successful defense requires a combination of layered defenses, well-trained and rehearsed incident handlers, user education, and ‘hunt’ activities to locate and eradicate adversaries that have already found their way into your network. In fact, if given the choice, most of today’s network defenders would opt to bolster their intrusion analysis and incident handling processes rather than further enhance perimeter defenses[4].

Sometimes, the more destructive the cyber weapon, the less effective it is[5]. Some of the best cyber weapons are subtle, intended to achieve effects without adversaries even realizing that they have been targeted. Consider Stuxnet, perhaps one of the most effective cyber weapons ever deployed. While no one has taken direct credit for the development of Stuxnet, analysis of the malware reveals that the intended target was almost certainly centrifuges at Iran’s nuclear enrichment facility at Natanz[6]. Stuxnet seems to have been carefully crafted, not only to evade detection, but to cause damage that would be mistaken for system design flaws or operational errors. This allowed the malware to remain effective over a long period and to damage many devices over time, with a significant cumulative and potentially enduring effect. Once Stuxnet found the specific devices it was designed to target, it would lie dormant for two weeks, recording operational data from the centrifuge cascades that it would play back later to indicate continued normal conditions to system operators[7]. If the malware had been designed to quickly damage equipment without this careful deception and subtlety, it would likely have been discovered quickly and would have had a much smaller overall impact on the Natanz facility. In this case, a subtle, prolonged attack was much more effective than a quick and obvious cyber attack.

Sometimes doing nothing is the best reaction[8]. Signs of a network intrusion bring an almost visceral response from incident handlers and network defenders. Any evidence of compromise is normally met with rapid action to extricate intruders and, hopefully, to reconfigure systems to prevent further similar intrusions. While this solves the immediate problem of fixing the compromise, it can tell the attacker a lot about the methods the network defense team uses to identify intruders and which of the attacker’s access methods have been detected. On the other hand, a better response might be to observe and contain the attacker. While an attacker often has the upper hand, network defenders enjoy a home field advantage that they can leverage to isolate and observe an intruder. The longer defenders can observe the attacker, the more intelligence they can develop regarding tactics, techniques, and procedures (TTPs), and the more information they can glean regarding the attacker’s target in the network. A defender that can reliably contain and observe an intruder also buys time that can be used to develop protections and prevent further penetrations.
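The ‘hunt’ activities mentioned under the perimeter paradox and the observe-and-contain approach above both depend on spotting an intruder who is already inside the network without tipping them off. One quiet way to do that is to look for beaconing: an implant that periodically calls back to its command and control infrastructure produces connections at a suspiciously regular cadence, which stands out against a human user’s irregular browsing. The following Python is an added example, not code from the original article or from FM 3-24, and the proxy log lines, host names and addresses it operates on are constructed for illustration; a real deployment would read the proxy or flow logs of the organization and tune the thresholds to its traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of web-proxy log lines (not real data), one record per line:
# "<ISO timestamp> <client-ip> <destination-host> <bytes>"
# 10.0.0.15 contacts one host roughly every 60 seconds with small, similar
# payloads (beacon-like); 10.0.0.23 browses several hosts at irregular times.
SAMPLE_PROXY_LOG = """\
2015-02-09T08:00:00 10.0.0.15 update.example-cdn.test 512
2015-02-09T08:00:03 10.0.0.23 news.example.test 48211
2015-02-09T08:01:00 10.0.0.15 update.example-cdn.test 514
2015-02-09T08:01:47 10.0.0.23 mail.example.test 9120
2015-02-09T08:02:02 10.0.0.15 update.example-cdn.test 511
2015-02-09T08:02:05 10.0.0.23 news.example.test 30033
2015-02-09T08:03:01 10.0.0.15 update.example-cdn.test 513
2015-02-09T08:03:59 10.0.0.23 docs.example.test 1201
2015-02-09T08:04:00 10.0.0.15 update.example-cdn.test 512
2015-02-09T08:04:01 10.0.0.23 news.example.test 41500
2015-02-09T08:05:01 10.0.0.15 update.example-cdn.test 512
"""


def parse_proxy_log(text):
    """Turn the constructed log format into (timestamp, client, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, dest, _size = line.split()
        events.append((datetime.fromisoformat(stamp), client, dest))
    return events


def find_beacons(events, min_events=5, max_cv=0.15):
    """Return [(client, dest, mean_gap_seconds, cv)] for client/destination pairs
    whose connection intervals are too regular to be human-driven.

    cv is the coefficient of variation (std dev / mean) of the gaps between
    successive connections; a low value means a steady cadence. min_events keeps
    a handful of coincidental visits from being reported."""
    by_pair = defaultdict(list)
    for stamp, client, dest in events:
        by_pair[(client, dest)].append(stamp)

    findings = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((client, dest, round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for client, dest, avg, cv in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"possible beacon: {client} -> {dest} every ~{avg}s (cv={cv})")
```

Because the check only reads logs the defender already collects, running it reveals nothing to the intruder, which is exactly what the observe-and-contain approach needs: the flagged pair becomes the starting point for watching what the host does next rather than a trigger to pull its network cable.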

Some of the best weapons for cyber operators do not shoot[9]. Most cyber operators are not in a position to conduct offensive operations and therefore trust the defense of their networks to cyber weapons that do not “shoot.” Sound network defense relies on skilled, experienced professionals who understand what standard network conditions look like and are able to anticipate and identify intrusions, then handle them appropriately. One effective weapon in enterprise network defense is the fusion center, a collaborative workspace staffed with experienced network defenders and intelligence experts that gather information on cyber threats faced by other similar organizations, along with TTPs from adversaries that might target them, in order to inform defenses and mitigate exposure before their organization is targeted.

If a tactic works this week, it might not work next week; if it works in this network, it might not work in the next[10]. Most cyber weapons rely on very specific network conditions, and unlike physical terrain, cyber terrain can change drastically over time. Exploits are matched with vulnerabilities that must be present for the exploit to be successful, and effective network defenders constantly patch and update systems to eliminate existing vulnerabilities. Similarly, defenders must be able to function in an environment where attackers discover new vulnerabilities routinely, and those vulnerabilities are exploitable until patched. Even when a defender becomes aware of a new vulnerability, it takes time for software vendors to develop and distribute patches to fix them. The market for zero-day vulnerabilities almost guarantees that defenders will face exploits that they are not equipped to handle[11].

Many important decisions are not made by Generals[12]. In counterinsurgency operations, young leaders interact with the population to improve local conditions through grass-roots change. Senior leaders must ensure that Soldiers are equipped not only with an understanding of service doctrine, but also with sufficient information on their local situations and an understanding of the legal and ethical implications of their actions. Soldiers are then empowered to take action locally that collectively improves overall conditions for the local population and reduces the insurgent’s influence in the area. Cyber operations can be very similar. Soldiers and leaders will take direct tactical action on the keyboard in a way that most senior leaders aren’t able to do, nor even fully understand. Those Soldiers must be equipped through proper training and education to understand the moral, ethical, and legal implications of their actions in order to make sound decisions based on commander’s intent. Most cyber operations will have the potential for far-reaching international implications since they traverse systems that exist in a variety of friendly, neutral, and adversary countries. A few careless keystrokes could literally cause an international incident.

It is often easier to penetrate a computer thousands of miles away than it is to attack a computer in the next room. Unobserved physical access to target computer systems is rare and risky; most unauthorized access relies on logical connections. Physical proximity to a target is therefore rarely relevant in cyber operations. A system that is close enough to you to be on the same network segment might be more readily accessible through the network, but recent high profile compromises have relied more often on phishing or watering hole attacks that install malicious software on victim systems, causing them to call back to the attacker’s command and control infrastructure. If users in your organization are trained to avoid such social engineering attacks, and if your network is equipped to protect users by disallowing administrative accounts, by deploying software such as Microsoft’s Enhanced Mitigation Experience Toolkit to prevent vulnerabilities in software from being successfully exploited, and by configuring email and other services to flag potential phishing messages and disable links in emails, your systems should be much more secure than systems in other, similar organizations regardless of location.
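The last of the protections listed above, flagging likely phishing messages and disabling the links inside them, is the kind of mail-gateway control that can be built from a few simple checks. The Python below is an added example written for this article, not code from the original or from any product it mentions. It assumes a hypothetical internal domain (`example-org.test`), uses two constructed messages, and applies three indicators: a sender domain that imitates the internal one, a link whose visible text names a different host than its actual destination, and a link that points at a raw IP address. A message that trips any indicator gets a tagged subject and has its links rewritten so they can no longer be clicked, while the defanged destination stays visible for analysts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, NamedTuple
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-org.test"  # assumption: the defender's own mail domain


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(sender_domain: str, html: str) -> List[str]:
    """Return human-readable reasons the message looks like phishing (empty if none)."""
    reasons = []
    label = INTERNAL_DOMAIN.split(".")[0]
    if (sender_domain != INTERNAL_DOMAIN and not sender_domain.endswith("." + INTERNAL_DOMAIN)
            and label in sender_domain):
        reasons.append(f"sender domain {sender_domain} resembles {INTERNAL_DOMAIN}")
    collector = AnchorCollector()
    collector.feed(html)
    for href, text in collector.anchors:
        target = host_of(href)
        if not target:
            continue  # mailto: and relative links carry no host to check
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            reasons.append(f"link points at raw IP address {target}")
        shown = host_of(text) if re.match(r"https?://", text, re.IGNORECASE) else ""
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but points to {target}")
    return reasons


def disable_links(html: str) -> str:
    """Make every http(s) link non-clickable, keeping a defanged copy of the URL."""
    def neutralize(match):
        defanged = re.sub(r"^http", "hxxp", match.group(1), flags=re.IGNORECASE)
        return f'href="#" data-blocked-url="{defanged}"'
    return re.sub(r'href="(https?://[^"]*)"', neutralize, html, flags=re.IGNORECASE)


class ScreeningResult(NamedTuple):
    flagged: bool
    subject: str
    html: str
    reasons: List[str]


def screen_message(raw: str) -> ScreeningResult:
    """Parse a raw message, score it, and return the version that should be delivered."""
    msg = message_from_string(raw)
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html = payload.decode(part.get_content_charset() or "utf-8", "replace")
            break
    reasons = phishing_indicators(sender_domain, html)
    if not reasons:
        return ScreeningResult(False, msg.get("Subject", ""), html, [])
    return ScreeningResult(True, "[SUSPECTED PHISHING] " + msg.get("Subject", ""),
                           disable_links(html), reasons)


# Constructed messages for illustration; the domains and 198.51.100.7 (a documentation
# address) are not real infrastructure.
SUSPECT_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@example-org-login.test>
To: user@example-org.test
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://198.51.100.7/login">https://portal.example-org.test/login</a>
to keep access.</p></body></html>
"""

BENIGN_MESSAGE = """\
From: Weekly Digest <digest@example-news.test>
To: user@example-org.test
Subject: This week in security
Content-Type: text/html; charset="utf-8"

<html><body><p>New issue: <a href="https://www.example-news.test/issue/42">Read more</a></p></body></html>
"""

if __name__ == "__main__":
    for raw in (SUSPECT_MESSAGE, BENIGN_MESSAGE):
        result = screen_message(raw)
        print(result.subject, result.reasons)
```

The checks are deliberately conservative: a link whose text is a plain phrase (“Read more”) is not penalized, and a link inside a message from the internal domain is left untouched, so the control changes nothing for ordinary mail and only intervenes when the message carries a concrete indicator that analysts can read back from the `reasons` list.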

Collateral damage can be orders of magnitude worse than the intended effect. In traditional combat, collateral damage from weapon systems is often a concern. Bombs and missiles don’t always hit their mark and blast radii often extend beyond intended targets. Damage from collateral effects, however, is largely predictable and is normally significantly less severe than the damage to the intended target. Kinetic effects are generally well understood and commanders can make informed risk decisions based on known probabilities of unintended consequences. A cyber weapon, however, can cause collateral effects that are unpredictable and severe. A virus intended to infect and influence an adversary’s command and control infrastructure can easily spread far beyond its intended network and infect thousands or millions of systems. Even if the virus recognizes that the system it has infected is not the target and the payload is never activated, companies will still invest significant resources to investigate the intrusion and eliminate the infection from their systems. By its nature, malware is unpredictable. Even if payloads are not activated, malicious software can cause critical systems to crash, or it can introduce vulnerabilities that would not have existed otherwise. Any attempt to argue that malicious software is benign unless it reaches its intended target is either naïve or purposely misleading. Furthermore, a cyber weapon may never reach its intended target, causing collateral damage without ever achieving its intended purpose.

The Takeaway

Cyberspace operations and counterinsurgency operations are both unlike the more traditional and primarily kinetic combat practiced by the U.S. Army. After years of fighting counterinsurgencies in Iraq and Afghanistan, however, an Army that was primarily trained for large-scale maneuver warfare was able to master the intricacies of counterinsurgency operations. This evolution required a concerted effort among leaders at all levels and required a massive retooling of Army training curricula. The paradoxes of counterinsurgency outlined in the 2006 Counterinsurgency field manual highlighted the challenge that the Army faced in refocusing to counterinsurgency operations. It is encouraging to look back on 15 years of operations in Iraq and Afghanistan and see how the Army evolved to face this emerging threat. Perhaps highlighting similar challenges in cyberspace operations will help lead to successes in this new form of warfare.

[1] John Nagl provides a brief history of the development of FM 3-24 in a 2005 article on the University of Chicago website at http://www.press.uchicago.edu/Misc/Chicago/841519foreword.html.

[2] Headquarters, Department of the Army, “Field Manual 3-24: Counterinsurgency”, Dec., 2006, page 1-26.

[3] The original counterinsurgency operations paradox is “Sometimes, the More You Protect Your Force, the Less Secure You May Be”.

[4] As far back as 1999, Winn Schwartau, in Time Based Security (Interpact Press, 1999), decried the failed “fortress mentality” espoused by many security vendors. More recently, in the preface to The Practice of Network Security Monitoring: Understanding Incident Detection and Response (No Starch Press, 2014), Richard Bejtlich points out the need for monitoring for indications of compromise inside the network.

[5] Original counterinsurgency paradox: “Sometimes the More Force Is Used, the Less Effective It Is”.

[6] K. Zetter, “Countdown to Zero Day,” Crown Publishers, New York, NY. 2014.

[7] Ibid.

[8] Kept from FM 3-24 with same wording.

[9] Original counterinsurgency paradox: “Some of the Best Weapons for Counterinsurgents Do Not Shoot.”

[10] Original counterinsurgency paradox: “If a Tactic Works this Week, It Might Not Work Next Week; If It Works in this Province, It Might Not Work in the Next.”

[11] Even noted black-hat to white-hat to now gray-hat hacker Kevin Mitnick has gotten into the zero-day exploit market. See https://www.mitnicksecurity.com/shopping/absolute-zero-day-exploit-exchange.

[12] Kept from FM 3-24 with same wording.