Cyber Defense Review

Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach

By LTC Bertrand Boyer | May 11, 2015

What is it like to fight in cyberspace? Almost every paper regarding cyberwarfare depicts a battlefield, wild and open, where “cyberwarriors” move like a hunting pack; smart, sharp and agile. Reality is obviously far from that. Thus, the digital battle is usually compared to what happens in real life and the strategic approach of cyberspace stresses the parallel with the open spaces and naval theories. It may seem relevant up to a certain point, but at the tactical level, we surely have to change our mind, and start to think “outside the box”.

Leaving aside the maritime and romantic vision of cyberspace and the so-called “pirates”, this paper highlights the links between cyberwarfare and urban warfare. From an army perspective, it might be interesting to understand how modern land forces have shaped their structures and developed new tactics and new skills to face global challenges. Over the last 40 years, armies have had to quickly adapt themselves to the new tactical environment: from the first Gulf war to Afghanistan and Mali, most of our (French) military commitments were counterinsurgency-like and urban warfare (and sometimes both).

Indeed, the tactics and techniques of cyberwar, and especially its offensive component, reveal many similarities with urban warfare. There is de facto the use of a very similar vocabulary: breaching, penetration, perimeter, access and access control. Thus, breaching a network or an information system can be compared to the assault of a built-up area. In both cases, the attacker has to deal with a highly stressful environment; he cannot control every parameter. Moreover, he usually has to maneuver in a blind context due to the lack of mapping of the battlefield and the weakness of global situational awareness.

IT Systems, the Cities of Cyberspace?

The military vision and description of the urban area has a lot of parallels with cyberspace. Looking at the French tactical definition of the urban area is quite interesting. In the following text, you can easily replace the term urban area with the word cyberspace without creating any significant changes.

“The urban area is the place of political, social and economic power, where population, infrastructure, and secondary and tertiary activities, are concentrated. Control of the cities is a necessary step to gain power. The urban area is also the place of the moral, cultural or religious power. There are symbolic cities because they are related to parts of peoples’ identities.”[1]

As with any urban area, information systems (IS) are divided into various functional zones. IS has, as does a city, storage areas, service areas, staging areas, limited and controlled access and perimeters. Furthermore, the wide diversity of urban areas echoes the architectures of information systems. In cyberspace, no place is like any other even if they share common infrastructures.

Medium-sized cities, towns, suburbs and historical centers have many distinct urban landscapes that nevertheless impose common tactics. The siege of a fortified city, like the breaching of an information system, shares the same constraints.

During the planning process, understanding constraints and restraints is a key point of the course-of-action development phase. Identifying them and taking them into account is therefore critical in any cyberspace operation.

“Come closer baby”

If IT systems are like cities for the cyber-operator, we may face the same challenges to fight and win in this domain. Therefore, the first problem troops will have to deal with is intelligence. How can we assault this city without having a minimal understanding of what is hidden behind its walls?

But, before that, another point should be discussed. In cyber tactics, like in urban warfare, targets are extremely difficult to hit directly. Even with increased weapon ranges, the Infantry still has to maintain contact with the enemy when fighting. As a direct consequence, the success of the mission from a tactical perspective is, still today, linked with territorial possession.

In urban warfare the first task a troop has to fulfill is to maneuver close to the target before infiltrating and striking the enemy. What the French military calls the “avenue of approach” is usually an open area that is dangerous and risky. This “open field” is where the unit is at its most vulnerable. It’s also where the enemy is waiting for you and where you may find hidden defense systems, minefields, detection systems, etc. The chance of being detected and targeted by direct fires is high. Cyber units will face the same kind of issues when they are about to breach a system or even when they conduct a reconnaissance. Thus, an IDS (intrusion detection system) can be compared to a minefield, even if the level of personal risk is not exactly the same. The problem is almost the same in real life as in cyberspace. Every leader will have to address and answer the following question: “How do I get close to my target and avoid the detection systems?” In cyberwarfare as in urban warfare, there is no single answer to this complex question. We won’t solve this “approach problem” here and now, but we simply want to emphasize the fact that we should look at it carefully and probably learn from real life tactics to solve what we may call our “technical” problem.

Facing discontinuity

The second main issue a cyber offensive unit will have to face is what we call discontinuity. In cyberwarfare as in urban warfare, troops have to traverse a different type of battleground. Thus, in a short space of time, small units face a wide variety of terrain. One starts with an “open space” and goes through a very compartmentalized environment where you can’t see any further than your weapon. In cyberspace operations, units will face the same problem. Using the Internet as an “avenue of approach”, cyber operators have to go through a closed area, moving from outside one thing to inside something else (which they usually don’t know well). But this discontinuity is much more complex than in real life. Cyber operators will face complex systems, various types of network architectures and protocols, different vendor configurations, etc. So, the number of questions to solve is forever increasing.

Facing discontinuity requires operators to address a set of complex questions. Our proposal is to limit their number to the following 8:

  • How do I get in?
  • Do I have to come back again? If so, I therefore need to find another way to get in…
  • Where am I?
  • Where are my friends?
  • Where am I going?
  • How can I move efficiently?
  • Where is my target?
  • How can I get out quickly (with or without a trace)?

This “8 question process” should be refined of course, but one has to understand that any cyber operator has to address these types of questions.

One of the lessons learned from urban warfare is that this ability to get close to the target and to go through the defensive fence requires many different capabilities that were not initially available to a regular small infantry unit. An initial consequence is that a lot of armies around the world have started to build up modular units putting together recce units, engineers, close air support and of course infantry (some may add an MBT platoon to the infantry company and even light artillery). This ability to mix units will not simply be the result of an order and a good “task organization”; it will require a shift in the mindset of the commander, a wide range of knowledge (to perfectly task the sub-unit), and a lot of combined training experience. Moreover, a change in doctrine is absolutely necessary.

Constraints and restraints

Getting close to the target, breaching into it, moving in a complex architectural and technical environment are not the only parallels we can draw between urban and cyber warfare.

In both forms of combat, the environment imposes a set of constraints and restraints to whoever wants to conduct operations.

Mapping and Intelligence

Modern warfare requires ever more intelligence, and requires that it be produced more widely. But in real life, only people move and the aim of intelligence preparation is to find enemy forces (and their intent) in a relatively stable environment. This is not an easy thing to do, but in cyberspace, the enemy is everywhere, or could be everywhere, and the terrain is a live structure. The intelligence mission is not simply to identify locations on a map and pinpoint enemy units, but rather to understand the architecture of the target, its logical organization, and therefore the key points to seize or defend.

Technical Variety

Assuming we can rely on a “map” of the system, one of the major constraints units must take into account is the large number of different types of equipment they will have to control, go through or bypass. If every building is different in real life, every machine in an IT system has its own specific role and configuration and will require using appropriate techniques and tools. A lot of these tools will be bespoke.

Every building (or each server and application) will require the implementation of appropriate techniques.

Human Limits

The last common constraint we’ve identified between urban and cyber warfare is neither technical nor tactical but human. The soldier on the ground is a key player at the tactical level because fighting in an urban terrain is highly stressful for him. Teams are divided, liaison is difficult, no one really likes closed environments, there is no “safe area”, etc. Even if the cyber operator doesn’t put his life at risk (most of the time), he has to face a different kind of stress that leaders need to take into account. For instance, the job requires a large set of different skills which need to be constantly updated. Cyber operators must constantly be “at the top” of their game. But this is virtually impossible. Someone, somewhere, has discovered a vulnerability that you don’t know about or a new tool that you can’t detect. Soldiers learn most military skills during their basic training and these skills are usually still ‘in date’ two years later, for example. This is not the case in the cyber field. As soon as you learn something it is almost always immediately out of date.

“Do not break everything…please”

This last point is probably the sole restraint to really take into consideration. Cyberspace is a fantastic area of maneuver. Innovation and creativity are shaping these types of operation. Yet, there is something one has to keep in mind. You can destroy the terrain you operate in. As in urban warfare, you can shape the terrain by breaching walls, digging trenches and so on, but you can also blow up the building you are in. Cyber operators have to keep in mind the fact that they are targeting a network, but their actions also rely on the network. This point introduces the important question of secondary effects in cyberops but also stresses the impact of our own operations on the shaping of the terrain.

Conclusion

Using lessons learned in urban warfare to shape cyberops is not only a rhetorical exercise. Urban warfare is a relatively young type of warfare; its development is linked with the industrialization of wars during the last century. Cyberops, which are far younger, are the result of the last information revolution which started 40 years ago. At the tactical level, fighting in an urban environment has produced many practical consequences: modularity, combined combat, small-team combat and new ways to use fire support. This paper outlines the main similarities between the two types of combat that can lead to tactical consequences for cyberops. Moreover, the answer for tomorrow is not in the past. We won’t find how to shape our combat unit in cyberspace by looking at what others have done. This type of comparison is useful to understand that when soldiers face new challenges (i.e., a new type of warfare) they have to quickly evolve, change their mindset, adapt and learn.

References

[1] General Tactics, French Center for Land Forces Doctrine.


