Cyber Defense Review

Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach

By LTC Bertrand Boyer | May 11, 2015

What is it like to fight in cyberspace? Almost every paper regarding cyberwarfare depicts a battlefield, wild and open, where “cyberwarriors” move like a hunting pack: smart, sharp and agile. Reality is obviously far from that. Thus, the digital battle is usually compared to what happens in real life and the strategic approach of cyberspace stresses the parallel with the open spaces and naval theories. It may seem relevant up to a certain point, but at the tactical level, we surely have to change our minds, and start to think “outside the box”.

Leaving aside the maritime and romantic vision of cyberspace and the so-called “pirates”, this paper highlights the links between cyberwarfare and urban warfare. From an army perspective, it might be interesting to understand how modern land forces have shaped their structures and developed new tactics and new skills to face global challenges. Over the last 40 years, armies have had to quickly adapt themselves to the new tactical environment: from the first Gulf war to Afghanistan and Mali, most of our (French) military commitments were counterinsurgency-like and urban warfare (and sometimes both).

Indeed, the tactics and techniques of cyberwar, and especially its offensive component, reveal many similarities with urban warfare. There is de facto the use of a very similar vocabulary: breaching, penetration, perimeter, access and access control. Thus, breaching a network or an information system can be compared to the assault of a built-up area. In both cases, the attacker has to deal with a highly stressful environment; he cannot control every parameter. Moreover, he usually has to maneuver in a blind context due to the lack of mapping of the battlefield and the weakness of global situational awareness.

IT Systems, the Cities of Cyberspace?

The military vision and description of the urban area has a lot of parallels with cyberspace. Looking at the French tactical definition of the urban area is quite interesting. In the following text, you can easily replace the term urban area with the word cyberspace without creating any significant changes.

“The urban area is the place of political, social and economic power, where population, infrastructure, and secondary and tertiary activities, are concentrated. Control of the cities is a necessary step to gain power. The urban area is also the place of the moral, cultural or religious power. There are symbolic cities because they are related to parts of peoples’ identities.” [1]

As with any urban area, information systems (IS) are divided into various functional zones. IS has, as does a city, storage areas, service areas, staging areas, limited and controlled access and perimeters. Furthermore, the wide diversity of urban areas echoes the architectures of information systems. In cyberspace, no place is like any other even if they share common infrastructures.

Medium-sized cities, towns, suburbs and historical centers have many distinct urban landscapes that nevertheless impose common tactics. The siege of a fortified city, like the breaching of an information system, shares the same constraints.

During the planning process, understanding constraints and restraints is a key point of the course-of-action development phase. Identifying them and taking them into account is therefore critical in any cyberspace operation.

“Come closer baby”

If IT systems are like cities for the cyber-operator, we may face the same challenges to fight and win in this domain. Therefore, the first problem troops will have to deal with is intelligence. How can we assault this city without having a minimal understanding of what is hidden behind its walls?

But, before that, another point should be discussed. In cyber tactics, like in urban warfare, targets are extremely difficult to hit directly. Even with increased weapon ranges, the Infantry still has to maintain contact with the enemy when fighting. As a direct consequence, the success of the mission from a tactical perspective is, still today, linked with territorial possession.

In urban warfare the first task a troop has to fulfill is to maneuver close to the target before infiltrating and striking the enemy. What the French military calls the “avenue of approach” is usually an open area that is dangerous and risky. This “open field” is where the unit is at its most vulnerable. It’s also where the enemy is waiting for you and where you may find hidden defense systems, minefields, detection systems, etc. The chance of you being detected and targeted by direct fires is significant. Cyber units will face the same kind of issues when they are about to breach a system or even when they conduct a reconnaissance. Thus, an IDS (intrusion detection system) can be compared to a minefield, even if the level of personal risk is not exactly the same. The problem is almost the same in real life as in cyberspace. Every leader will have to address and answer the following question: “How do I get close to my target and avoid the detection systems?” In cyberwarfare as in urban warfare, there is no single answer to this complex question. We won’t solve this “approach problem” here and now, but we simply want to emphasize the fact that we should look at it carefully and probably learn from real life tactics to solve what we may call our “technical” problem.

Facing discontinuity

The second main issue a cyber offensive unit will have to face is what we call discontinuity. In cyberwarfare as in urban warfare, troops have to traverse different types of battleground. Thus, in a short space of time, small units face a wide variety of terrain. One starts with an “open space” and goes through a very compartmentalized environment where you can’t see any further than your weapon. In cyberspace operations, units will face the same problem. Using the Internet as an “avenue of approach”, cyber operators have to go through a closed area from outside something to enter inside something else (which they usually don’t know well). But this discontinuity is much more complex than in real life. Cyber operators will face complex systems, various types of network architectures and protocols, different vendor configurations, etc. So, the number of questions to solve is forever increasing.

Facing discontinuity requires operators to address a set of complex questions. Our proposal is to limit their number to the following 8:

  • How do I get in?
  • Do I have to come back again? If so, I therefore need to find another way to get in…
  • Where am I?
  • Where are my friends?
  • Where am I going?
  • How can I move efficiently?
  • Where is my target?
  • How can I get out quickly (with or without a trace)?

This “8 question process” should be refined of course, but one has to understand that any cyber operator has to address these types of questions.

One of the lessons learned from urban warfare is that this ability to get close to the target and to go through the defensive fence requires many different capabilities that were not initially available to a regular small infantry unit. Initial consequences are that a lot of armies around the world have started to build up modular units putting together recce units, engineers, close air support and of course infantry (some may add an MBT platoon to the infantry company and even light artillery). This ability to mix units will not simply be the result of an order and a good “task organization”; it will require a shift in the mindset of the commander, a wide range of knowledge (to perfectly task the sub-unit), and a lot of combined training experience. Moreover, a change in doctrine is absolutely necessary.

Constraints and restraints

Getting close to the target, breaching into it, moving in a complex architectural and technical environment are not the only parallels we can draw between urban and cyber warfare.

In both forms of combat, the environment imposes a set of constraints and restraints to whoever wants to conduct operations.

Mapping and Intelligence

Modern warfare requires ever more intelligence, and requires it to be produced more widely. But in real life, only people move and the aim of intelligence preparation is to find enemy forces (and their intent) in a relatively stable environment. This is not an easy thing to do, but in cyberspace, the enemy is everywhere, or could be everywhere, and the terrain is a live structure. The intelligence mission is not simply to identify locations on a map and pinpoint enemy units, but rather to understand the architecture of the target, its logical organization, and therefore the key points to seize or defend.

Technical Variety

Assuming we can rely on a “map” of the system, one of the major constraints units must take into account is the large number of different types of equipment they will have to control, go through or bypass. If every building is different in real life, every machine in an IT system has its own specific role and configuration and will require using appropriate techniques and tools. A lot of these tools will be bespoke.

Every building (or each server and application) will require the implementation of appropriate techniques.

Human Limits

The last common constraint we’ve identified between urban and cyber warfare is neither technical nor tactical but human. The soldier on the ground is a key player at the tactical level because fighting in an urban terrain is highly stressful for him. Teams are divided, liaison is difficult, no one really likes closed environments, there is no “safe area”, etc. Even if the cyber operator doesn’t put his life at risk (most of the time), he has to face a different kind of stress that leaders need to take into account. For instance, the job requires a large set of different skills which need to be constantly updated. Cyber operators must constantly be “at the top” of their game. But this is virtually impossible. Someone, somewhere, has discovered a vulnerability that you don’t know about or a new tool that you can’t detect. Soldiers learn most military skills during their basic training and these skills are usually still ‘in date’ two years later, for example. This is not the case in the cyber field. As soon as you learn something it is almost always immediately out of date.

“Do not break everything…please”

This last point is probably the sole restraint to really take into consideration. Cyberspace is a fantastic area of maneuver. Innovation and creativity are shaping these types of operations. Yet, there is something one has to keep in mind. You can destroy the terrain you operate in. As in urban warfare, you can shape the terrain by breaching walls, digging trenches and so on, but you can also blow up the building you are in. Cyber operators have to keep in mind the fact that they are targeting a network, but their actions also rely on the network. This point introduces the important question of secondary effects in cyberops but also stresses the impact of our own operations on the shaping of the terrain.

Conclusion

Using lessons learned in urban warfare to shape cyberops is not only a rhetorical exercise. Urban warfare is a relatively young type of warfare; its development is linked with the industrialization of wars during the last century. Cyberops, which are far younger, are the result of the last information revolution which started 40 years ago. At the tactical level, fighting in an urban environment has produced many practical consequences: modularity, combined combat, small-team combat and new ways to use fire support. This paper outlines the main similarities between the two types of combat that can lead to tactical consequences for cyberops. But moreover, the answer for tomorrow is not in the past. We won’t find how to shape our combat unit in cyberspace by looking at what others have done. This type of comparison is useful to understand that when soldiers face new challenges (i.e., a new type of warfare) they have to quickly evolve, change their mindset, adapt and learn.

References

[1] General Tactics, French Center for Land Forces Doctrine.