Cyber Operations (CYOPS)

Prepared By: B. Gen. Eng. Robert Mansour (PhD), Lebanese Armed Forces/G3/Director of Signals

Introduction

It is now widely held that cyber-space is the fifth domain of war, the newest theatre of warfare, joining land, sea, air, and space. Cyber Operations combine different domains covering the entire scope of cyber-space and related operations that are both technical and non-technical in nature, including ethical, legal, lawful, terrorism, kinetic, human-centered, etc.

Cyber Operations is a discipline paired with cyber-security. It may be in the military domain with military objectives, or in a non-military, civilian-like sphere. It may place particular emphasis on techniques or technologies applicable at both the operational and system levels, depending on the attack or threat scenario. Emphasis on the skills and competences of the players involved is part of system attack, defense, infiltration, exploitation, mitigation, and recovery.[1]

The specific tasks of Cyber Operations are to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats, to protect against espionage or insider threats, foreign sabotage, and international terrorist activities, or to support other intelligence activities. The focus is on:

a.     Conducting Offensive Cyber Operations (OCO), Defensive Cyber Operations (DCO), and Computer/Information Network Operations (CNO), and performing cyber-space mission planning and execution.

b.    Developing and executing tactics, techniques, and procedures (TTP) for cyber-space operations.

c.     Establishing performance standards, training, and conducting evaluations to ensure personnel are proficient, qualified, and certified.

 

1-   Cyber-space in Action

Cyber Operations, in contrast to cyber-attacks, which focus on computer and network systems, are designed to cause damage to the whole information system, which may be physical damage in addition to gaining access to networks to obtain or destroy information, and which may involve other domains such as diplomacy, punishments, and international relations.

 

A-   General Background

Cyber Operations are not limited to members of the armed forces. Civilians acting alone or as part of a mass uprising can leverage widely available hacking tools and techniques to conduct Cyber Operations. They are not limited to publicly available tools or techniques; significant research and development skills are present in nonmilitary populations. The evidence for this is strong. Every year hundreds of security conferences take place at which nonmilitary individuals present new ideas and tools for attack. Breaches at major organizations continue unabated in the private sector by attackers looking to profit from their attacks. Privately funded research continues to generate a consistent stream of vulnerabilities found in widely used software.

The ability for civilians to be involved in Cyber Warfare is established, but their effectiveness is not. Civilians can slot into the attacking role easily but will struggle to pick targets, and the targets they choose will likely be visible but largely irrelevant. Furthermore, picking targets is not simply a case of choosing Internet Protocol (IP) addresses geo-located in the adversary’s territory. Targeting requires preparation in the form of mapping out the adversary’s networks far in advance, and is one of the hallmarks of Cyber Warfare professionals.[2]

It may seem that civilians are not able to assist in defensive roles because the assets are not under their control; this is largely the case. A well-resourced defense has no need for external personnel. However, for resource-constrained defenses where skills are weak, knowledgeable civilians would be able to offer services in the event of an attack.

As an illustration, in the 2006 Israeli aggression and the 2008 Israel-Hamas war, Cyber Operations and Information Operations seemed to be two sides of the same coin. In those battles, both sides used cyber operations to help spread their message while attempting to block the adversary from doing the same. We look at how Hezbollah’s strategy of cyber-cortical warfare and their use of CYOPS and IP address hijacking all contributed to their perceived “victory” over the Israeli enemy. We also look at how the Israeli enemy then gathered lessons learned from this conflict as they prepared for their conflict with Hamas in 2008, and how this cyber-capable adversary responded.[3]

 

i.     Definition

According to the Tallinn Manual[4], the focus of Cyber-space Operations is on the following basic points:

a.     States may not knowingly allow cyber infrastructure located in their territory to be used for acts that adversely affect other states.

b.    States may be responsible for cyber operations directed against other states, even though those operations were not conducted by their security agencies (e.g. by hacktivists).

c.     The International Group of Experts agreed that cyber operations that merely cause inconvenience or irritation do not qualify as uses of force.

d.    States may respond to unlawful cyber operations that do not rise to the level of a use of force with countermeasures.

e.     A state that is a victim of a cyber “armed attack” may respond by using force. The force may be either cyber or kinetic.

Accordingly, Cyber Operations may also be outlined as operations that employ capabilities aimed at achieving objectives in or through cyber-space. They can be described as movements in a theatre of activities and actions comprising cyber maneuvers and acts, including cyber-attacks, cyber terrorism, hacking, espionage, cyber-threats, cyber-crime, cyber-bullying, etc. In terms of tools and definition, they involve unauthorized access to computers, computer systems, or networks to obtain information, but without necessarily affecting the functionality of the accessed system or amending, corrupting, or deleting the data resident therein.

Cyber operators are those who conduct data collection, processing, and/or geolocation of systems to exploit, locate, and/or track targets of interest. An additional role is to perform network navigation and tactical forensic analysis and, when directed, to execute on-net operations.

“Cyber-space” is understood here as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures and local data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”

Cyber operations, whether offensive or defensive, are operations intended to alter, delete, corrupt, or deny access to computer data or software for the purposes of propaganda or deception; to partly or totally disrupt the functioning of the targeted computer, computer system or network and any related computer-operated physical infrastructure; or to produce physical damage extrinsic to the computer, computer system, or network.

 

ii.    Cyber-space Environment

Through analysis of the strategic guidance, decision makers, commanders, and planners build an understanding of the strategic environment describing the requirements of Cyber Operations in its different forms, based on the following questions:

a.     What actions or planning assumptions will be acceptable in each form of operation?

b.    What impact will such an operation have on political, economic, lawful, or legal aspects, mainly on international law, and how can civilians be protected in a soft way?

c.     What are the strategic objectives expected from such operations?

d.    What are the consequences on humanity, economy, culture, sovereignty, international relations,…?

 

B-   Types & Techniques of Cyber Operations

Cyber Operations are fundamentally different from many other weapons associated with state-level violence, in that they are accessible to an expansive range of actors, including but not limited to states. For example, only states, and very few of those, have ever developed a nuclear capability; on the other hand, more than a hundred nations are reported to have or to be developing cyber weapons, and more than thirty countries are creating cyber units in their militaries.[5]

Cyber-space is a domain created through the interaction of three different components: the hardware, the virtual, and the cognitive, all distributed among the areas of Cyber-Warfare, Cyber-Security, and Cyber Law Enforcement. These components are described in figure 1 below as:

 

•      The physical reality, the hardware, of cyber-space consists of the interdependent network of information technology infrastructures. This includes all the hardware of telecommunication and computer systems, from routers, fiber optic and transatlantic cables, cell phone towers, and satellites, to computers, smartphones, and, eventually, any device that comprises embedded processors, such as electric power grids or the Lockheed Martin F-22 Raptor tactical fighter aircraft.

•      Cyber-space also has a virtual component that encompasses the software, firmware, and data, i.e. the information that is resident on the hardware.

•      The human, or cognitive, aspect is the final element of cyber-space.

Cyber Operations are able to destroy, degrade, deny, and disrupt information technology-dependent infrastructures and data.

Cyber Operations consist mainly of offensive and defensive actions within the Information Networks, and the main conflicts arise from the interaction between the two. Cyber-space operations are composed of military, intelligence, and ordinary business-oriented operations. Military cyber-space operations use cyber-space capabilities to create effects that support operations across the physical domains and cyber-space.[6]

The eight knowledge areas of Cyber Operations are summarized in the following figure[7].

 

Cyber-space Operations differ from Information Operations (IO), which are specifically concerned with the use of information-related capabilities during military operations to affect the decision making of adversaries while protecting our own. IO may use cyber-space as a medium, but it may also employ capabilities from the physical domains.

Subsequently, the framework developed for military operations establishes four components for CyberOps (CyOPS): Cyber Warfare (CyberWar), Cyber Network Operations (CyNetOps or CNO), Cyber Support (CyberSpt), and Cyber Situational Awareness (CyberSA).

Moreover, there are conflicts of interaction among cyber-space players or actors; conflict in cyber-space can be studied through a quantitative and qualitative analysis of the intentions, capabilities, and activities of state actors in this domain, as well as an analysis of the norms and rules relevant to cyber-space. Cyber operations are taking a leading role in conflicts between states, and recently the risk of a major cyber incident between nation states has been described as a major threat in national security strategies.[8] This is illustrated in the table below (Table 1)[9], which shows what types of consequences result from such conflicts:

 

Another issue is the recurring debate over whether cyber-space favors the offense, as many analysts and policymakers claim. In the case of Stuxnet[10], three factors undermine any cyber offensive advantage, as demonstrated by a cost-benefit analysis of the operation against Iran.

•      First, any measurement of the offense-defense balance must consider a cyber operation’s value as well as its cost to both sides.

•      Second, organizational capabilities play a significant role in determining the balance.

•      Third, offensive advantages decline when attackers target physical infrastructure rather than information networks.[11]

Cyber-space operations are categorized into the following:

 

i.     Offensive Cyber-space Operations (OCO):

Intended to project power by the application of force in and through cyber-space. These operations are authorized like operations in the physical domains.

As mentioned before, Offensive Cyber Operations refer to computer activities to disrupt, deny, degrade, and/or destroy. Offensive cyber operations generally take place across multiple stages. Prioritizing offensive operations can increase the adversaries’ fears, suspicions, and readiness to take offensive action. Cyber offenses consist of cyber exploitation (intelligence gathering) and cyber-attack (disrupting, destroying, or subverting an adversary’s computer systems). An adversary can easily mistake defensive cyber exploitation for offensive operations, because the distinction is a matter of intent, not of technical operation. The difficulty of distinguishing between offensive and defensive tactics makes mistrustful adversaries more reactive, and repeatedly conducting offensive cyber operations only increases distrust. A focus on offensive operations can also increase vulnerabilities; for example, secretly stockpiling information about vulnerabilities in computers for later exploitation, rather than publicizing them and helping civil society to mitigate them, leaves critical infrastructure vulnerable to attack.[12]

 

ii.    Defensive Cyber-space Operations (DCO):

Intended to defend main military or other friendly cyber-space. These are both passive and active defense operations and are conducted inside and outside of the Information Networks. The common assumption that the offense governs cyber-space is dangerous and deeply misguided.

The main target of Cyber-Defense is to prevent the success of cyber-attacks. Usually, a cyber-attack follows a specific pattern known as the “cyber kill chain”. The steps of the “cyber kill chain” are the following:

•      Reconnaissance: the step in which the target is identified.

•      Weaponization: the phase in which preparation and staging take place.

•      Delivery: the malware is delivered to the target and the operation is launched.

•      Exploitation: takes place when a software, hardware, or human vulnerability is exploited.

•      Installation: a persistent backdoor is installed to maintain access.

•      Command and Control: the malware opens a command channel that enables the adversary to remotely manipulate the victim.

•      Actions on the objective: occur when the goals of the mission are accomplished.
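The kill chain is useful to a defender mainly as a measuring stick: which phases produce detections, how early in the chain the intrusion was first seen, and where visibility is missing. The following Python script is an added example written for this page, not code from the original article; the alerts, sensor names ("mail_gw", "edr", "proxy") and timestamps are constructed for illustration and are not real data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Kill-chain phases in attack order, as listed in the text above.
KILL_CHAIN: List[str] = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objective",
]
PHASE_INDEX: Dict[str, int] = {name: i for i, name in enumerate(KILL_CHAIN)}


@dataclass(frozen=True)
class Alert:
    """One detection, tagged by the analyst with the kill-chain phase it evidences."""
    ts: datetime
    sensor: str   # hypothetical sensor name, e.g. "mail_gw", "edr", "proxy"
    phase: str    # one of KILL_CHAIN
    detail: str


# Constructed sample alerts for one hypothetical intrusion (not real data).
SAMPLE_ALERTS: List[Alert] = [
    Alert(datetime(2024, 5, 1, 9, 2), "mail_gw", "delivery", "attachment flagged by sandbox"),
    Alert(datetime(2024, 5, 1, 9, 5), "edr", "exploitation", "office macro spawned a shell"),
    Alert(datetime(2024, 5, 1, 9, 7), "edr", "installation", "new autorun entry written"),
    Alert(datetime(2024, 5, 1, 9, 9), "proxy", "command_and_control", "periodic beacon to rare domain"),
]


def validate(alerts: List[Alert]) -> None:
    """Reject alerts tagged with a phase that is not part of the kill chain."""
    for a in alerts:
        if a.phase not in PHASE_INDEX:
            raise ValueError(f"unknown kill-chain phase: {a.phase!r}")


def coverage(alerts: List[Alert]) -> Dict[str, int]:
    """Number of detections per phase, in chain order (zero for phases never seen)."""
    validate(alerts)
    counts = {p: 0 for p in KILL_CHAIN}
    for a in alerts:
        counts[a.phase] += 1
    return counts


def blind_phases(alerts: List[Alert]) -> List[str]:
    """Phases with no detection at all: the gaps in defensive visibility.
    Weaponization happens on the attacker's side and is normally invisible to the defender."""
    return [p for p, n in coverage(alerts).items() if n == 0]


def earliest_detected_phase(alerts: List[Alert]) -> Optional[str]:
    """Earliest phase by chain order (not clock time) at which the intrusion was seen.
    The earlier the chain is observed, the more later steps remain at which to break it."""
    validate(alerts)
    if not alerts:
        return None
    return KILL_CHAIN[min(PHASE_INDEX[a.phase] for a in alerts)]


def objective_reached(alerts: List[Alert]) -> bool:
    """True if any detection shows the attacker reaching actions on the objective."""
    return any(a.phase == "actions_on_objective" for a in alerts)


def minutes_to_deepest_phase(alerts: List[Alert]) -> Optional[float]:
    """Minutes between the first alert and the alert for the deepest phase reached;
    a short span means the chain progressed quickly relative to the response."""
    validate(alerts)
    if not alerts:
        return None
    first = min(alerts, key=lambda a: a.ts)
    deepest = max(alerts, key=lambda a: PHASE_INDEX[a.phase])
    return (deepest.ts - first.ts).total_seconds() / 60


if __name__ == "__main__":
    for phase, n in coverage(SAMPLE_ALERTS).items():
        print(f"{phase:22s} {n}")
    print("blind phases:", blind_phases(SAMPLE_ALERTS))
    print("earliest detected phase:", earliest_detected_phase(SAMPLE_ALERTS))
    print("objective reached:", objective_reached(SAMPLE_ALERTS))
    print("minutes from first alert to deepest phase:", minutes_to_deepest_phase(SAMPLE_ALERTS))
```

On the constructed data the intrusion is first seen at the delivery phase, nothing is seen for reconnaissance or actions on the objective, and the chain advanced from delivery to command and control in seven minutes; in practice the blind phases are where a defender would add sensors or detections, and the time span is what the response process has to beat.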

 

Consequently, a defensive cyber-space response action takes place, which could be considered a type of counter-attack. Here, either the military, as a state agent, or the private sector could perform these counter-attacks as part of deterrence after the intrusions. Those actions can be organized around the following major goals:

•      Redirect the activities of the adversaries, including deterring, diverting, and deceiving the attacker.

•      Obviate the efforts of the attackers to make them ineffective, including preventing and preempting.

•      Impede the attackers so that their efforts or capabilities are wasted, including delaying and degrading.

•      Detect the activities or effects of the attackers, so that they are identified.

•      Limit the impact of the attackers by restricting the consequences of their efforts, thus mitigating them.

•      Expose the attackers to take away their advantages, increasing the level of awareness of an attacker’s characteristics and behavior by developing and sharing threat intelligence, thus allowing the defenders to be better prepared.

 

iii.   Computer/Information Networks Operations (CNO):

Mainly intended to design, build, configure, secure, operate, maintain, and sustain military communications systems and networks across the entire domain.

CNO is a broad term that has both military and civilian application. Conventional wisdom is that information is power, and more and more of the information necessary to make decisions is digitized and conveyed over an ever-expanding network of computers and other electronic devices. Computer network operations are deliberate actions taken to leverage and optimize these networks to improve human endeavor and enterprise or, in warfare, to gain information superiority and deny the enemy this enabling capability.

In the military domain, the other capabilities are Psychological Operations (PSYOPS), Military Deception (MILDEC), Operations Security (OPSEC) and Electronic Warfare (EW).

Within the military types, CNO consists of computer network attack (CNA), computer network defense (CND) and computer network exploitation (CNE).[13]

Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.

Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks. Moreover, CND can be outlined as an aspect of NetOps (Network Operations).

Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.

A convergence between Electronic Warfare (EW) and Cyber-space Operations effects is illustrated in the following figure (Fig.3)[14]:

 

iv.   Cyber-deterrence Operations

“For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.” - Sun Tzu[15]

Just as nuclear deterrence is defined by the capability and clear will to respond in-kind quickly and decisively, effective cyber deterrence requires the will and capacity to respond to a cyber-attack with an equal or greater blow.[16]

The main techniques of Cyber-deterrence are based on:

•      Deterrence by Retaliation

•      Deterrence by Punishment

•      Deterrence by Denial

•      Deterrence by Entanglement

•      Deterrence by Signaling

•      Deterrence by Assimilation

•      Deterrence by Association

•      Deterrence by Norms and Taboos

 

Cyber-space deterrence cannot be considered specifically as a purely defensive action or as an offensive part of Cyber-space Operations, due to many challenges and limitations, since deterring operations in practice are a whole-of-government and whole-of-nation effort. Among these limitations are:

a.     The first of these is the attribution challenge compounded by the speed of the domain.

b.    The second is the unknown nature and identity of the adversary or attacker, which makes it impossible to classify the attack as a state or non-state attack; this complicates the methodology of response, which depends on who is sponsoring the attack and on whether there is evidence, resources, or legal standing to validate the identity of the attackers.

c.     The third limitation to cyber-space deterrence is that the first-strike advantage cannot be deterred. Sun Tzu[17] wrote: “Know the enemy and know yourself”, but in cyber-space so many vulnerabilities are unknown.

d.    The fourth is the zero-day, where the time and method of attacks on vulnerabilities cannot be defined in advance.

e.     The fifth is a risk of asymmetric vulnerability to attack in cyber-space, that is, the threat that the use of a capability could backfire. As one actor develops offensive and defensive capabilities, other actors will strive to improve their offensive and defensive skills as well.

f.     Lastly, cyber-space actors have a different risk tolerance than those acting in a physical domain due to their perceived anonymity, invulnerability, and global flexibility.

Deterrent options can be either passive (latent) or active. Passive, or latent, deterrence is a defensive measure also referred to as deterrence by denial. Active deterrence is achieved through the threat of retaliation, or rather, deterrence by punishment.

However, a successful active deterrence requires attribution, signaling, and credibility. Any target considered for deterrence must be attributable and identifiable. As an example, in the nuclear arena, the US has matured its capability in forensics to determine the origin of nuclear material regardless of the source.[18]

 

But with regard to cyber-attacks there are also some limitations, as a few prerequisites should be present, such as the talent of the hacker, intelligence on the target, exploits matching the vulnerabilities identified by that intelligence, a suitable device for the attack, and a suitable network connection. Moreover, for an attack to be efficient there should be a focus on its three dimensions: the intensity of the attack, its duration, and its evolution. Accordingly, deterrence can be applied in specific forms[19], whose types of application can be summarized as follows:

•      Cyber Deterrence Operations are not totally possible because:

- Hackers and types of penetration are not known.

- The level of awareness among societies is still relatively low.

- Attackers make heavy use of social engineering and of applications that check network vulnerabilities, such as ‘Nmap’, i.e. the network mapper, sites such as www.exploitdb.com, the NVD (National Vulnerability Database), or the site of MITRE[20], which publish the information legally but which is then used illegally on the “darkweb”.

 

Accordingly, writing your own exploit (exploit.db) will lower the probability of attacks, thus making it easier to write the attack graph/path.

•      To deter, you have to:

       - Structure your offensive platform.

       - Know your system.

       - Define network, operating system, services…

       - Define your vulnerability.

       - Have your penetration test tools.

 

•      Offense is limited as long as:

       - Individuals and organizations are not well patched and secured.

       - Skills are not well built up.

 

•      Proper Defense needs:

       - Policy creation

       - Strategy creation

       - Build borderline with best firewall.

       - Training

       - Creation of CERT/CSIRT, i.e. the Computer Emergency Response Teams & Computer Security Incident Response Teams.

       - Building Cyber Security Operations Center (C-SOC) that consolidates organization functions of incident monitoring, detection, response, coordination and computer network defense tools engineering, operation, and maintenance.

 

•      To attain the minimum necessities required for acceptable needs for deterrence, I believe the following are required:

       - Developing a response mechanism to guide deterrence after threat and attacker identification.

       - Developing protection and detection measures.

       - Creating and enhancing resilient systems.

       - Sharing collective responsibility in cyber-security.

       - Training and enhancing level of awareness.

       - Increasing capabilities through the improvement of penetration detection, after assessing risk exposure.

       - Creating norms with enforcement capabilities.

       - Establishing contingency plans, developing a response plan to reduce the impacts of the threats or attacks.

       - Assigning policies and strategies.

       - Strengthening international law enforcement, cooperation, and legislation.

       - Developing policy and legal procedures.

       - Developing other credible response options.

       - Pursuing partnerships

       - Securing cyber-space

       - Strengthening defense

       - Conducting cyber-space deception.

Accordingly, supporters of active, offensive Cyber Operations argue that they could have a deterrent effect on potential cyber attackers, who would consequently think twice about attacking if a digital counter-attack might be the consequence. The idea that offensive cyber capabilities should have a deterrent effect was one reason why the new US cyber doctrine was adopted in 2018. The same assumption is implicit in the debate about cyber counterattacks, i.e. hacking back, which was adopted in Germany. However, these assessments are based on a superficial understanding of deterrence. Cyber deterrence by the threat of retaliation works differently from nuclear deterrence. Problems of attribution, displays of power, controllability, and the credibility of digital capabilities increase the risk of deterrence failure.[21]

Additionally, Cyber Intelligence plays an important role, at the strategic, operational, and tactical levels, within Cyber Operations in Cyber-space.

 

C.    Phases of Cyber Operations

i.     Design

The Cyber Operational design will focus on:

a.     Operational Design.

b.    Strategic Direction and Cyber-space

c.     Cyber-space Strategic Environment.

d.    Cyber-space Operational Environment.

e.     Defining the Problem: Threats and Challenges in Cyber-space.

f.     Cyber-space Assumptions.

g.     Cyber-space Actions and the Operational Approach.

h.    Identifying Cyber-space Decisions and Decision Points.

i.     Refining the Cyber-space Operational Approach.

j.     Developing Cyber-space Planning Guidance

 

ii.    Planning

a.     Joint Planning Process.

b.    Cyber-space Operational Planning

c.     Cyber-space in Operational Orders (according to existing Cyber Doctrine & Strategy).

 

iii.   Execution

a.     Execution.

b.    Cyber-space Operations during Execution.

c.     Cyber Effect Request Form to establish boundaries within which the operational approach must fit.

 

iv.   Review & Evaluation

A process and methodology for assessing the phases of operations, providing an overview and feedback after analyzing every step of each phase, in order to correct course towards a more preventative and successful formative assessment and better future outcomes.

 

D.    Challenges & Concerns in Cyber Operations

Cyber activity does not occur in a vacuum. It is, or at least should be, tied to a state’s broader geopolitical objectives. Cyber operations raise many issues and challenges due to the engagement of multiple actors and actions in an asymmetrical scale, capabilities development, and disinformation operations.

i.     Challenges:

Nations that have cyber actions and interests in the cyber-space focus on the following challenges:

a.     Ensuring its Joint Cyber-Force Command can achieve its missions in a contested cyber-space environment;

b.    Strengthening its Joint Cyber-Force by conducting cyber-space operations that enhance its military advantages;

c.     Defending its critical infrastructure from malicious cyber activity that, alone or as part of a broader movement, could cause a significant cyber incident: an event occurring on, or conducted through, a computer network that is (or a group of related events that together are) likely to result in demonstrable harm to national security interests, foreign relations, or the economy, or to public confidence, civil liberties, or public health and safety;

d.    Securing its most critical information and systems against malicious cyber activity, including national information on non-national-owned networks;

e.     Expanding national cyber cooperation with inter-agency, industry, and international partners.

Building Cyber Operational capabilities

f.     High profile cyber-security incidents are likely to continue in the ongoing decade. Therefore, this issue will remain high on the agenda of all concerned governments and regulators, and companies should expect to see greater supervisory focus.

It is also not feasible to measure deterrence in cyber-space the same way as nuclear deterrence, where a no-attack scenario denotes that deterrence is successful. Rather, deterrence should be seen as a mitigating effort that leads potential attackers to believe it is not in their best interest to attack. These efforts at deterrence can be further enhanced by improving the accuracy of attribution, the detection of cyber incidents regardless of size, and ensuring that timely action is taken against cyber-attackers.

 

ii.    Concerns:

The rapid growth of the digital economy means that businesses are more susceptible to cyber threats, so basically the main concerns are related to the following:

a. Offensive Operations: As stated earlier, Offensive Cyber Operations seek out a gap or vulnerability through hacking and find a way to disable operations through network attacks in the form of malware, phishing, Denial of Service (DoS), SQL injection, zero-day exploits, etc.[22]

As Offensive Cyber Operations are the combination of people, technologies, and organizational attributes that jointly enable cyber-attacks, adversarial manipulation might focus on their (de-)escalatory potential in terms of diplomatic tension, instability, or power. This leads to a re-orientation toward considering the attack as ordinary violence or as a considerable form of war, resulting in violent state actions in both repressive and interstate situations. Acknowledging the different terms or processes for dealing with such offensive acts can have important analytical and political consequences.

 

b. Defensive Operations: Though the aim of Cyber-Defense Operations is to prevent the success of cyber-attacks, governments have to fight the complexity of digitalization on different fronts:

•      Who is the target?

•      Where is the source of attack, and what type?

•      Lack of cooperation in a corporate security program.

•      Missing security measures.

•      Use and application of a defense strategy.

•      Application of a security model made up of the three main components: confidentiality, integrity, and availability.

Subsequently, a rapid defensive response should be mounted to face the attack, using tools adequate to the type of attack: command & control capability, espionage, theft of military and strategic data, ransomware, cloud-computing issues, artificial intelligence (AI) or machine learning (ML), distributed denial-of-service (DDoS), or crypto & block-chain attacks.

Here arises the effect of changes in the nature of the responsive power to be used, from “Hard Power”, which rests on coercion and payment using economic and military tools, to “Soft Power”, which rests on framing agendas and on attraction or persuasion, and finally evolving to “Cyber Power”.

 

Consequently, other concerns are related to the capability of:

•      Creating partnerships between governments and the private sector, which dominates cyberspace, to share information they believe relevant to cyber threats.

•      Developing functioning legal frameworks and enforcement capabilities to target and prosecute cyber-crime.

•      Encouraging a flexible, secure, and trusted global cyber operating environment that supports international cyber-security.[23]

 

c. Unspoken Rules

Usually, in cyber-war there are no spoken rules, and cyber-operations do not occur in a vacuum. Moreover, the lack of legal norms invites cyber-conflicts: the absence of norms governing aggressive actions in cyber-space is a potential cause of conflict within this domain and will negatively impact the ability to regulate behavior in cyber-space, so cyber-deterrence will not be like a mathematical formula only. Cyber deterrence tools become obsolete as the adversary pays attention to his vulnerabilities and resolves them.

Zbigniew Brzezinski[24] stated, in the book “Identifying the Enemy: Civilian Participation in Armed Conflict” and in his opinion piece for the “Financial Times”, that the “Cyber age demands new rules of war”.[25]

On the other side, merging skills, resources, businesses, utilities, and local capabilities together into cyber defense strengthens cyber deterrence.

But unlike conventional instruments, cyber-operations do not arrive with a return address pointing back to the sender. Though technical evidence such as an IP address provides victims with a possible source, it is not necessarily the identity of the attacker. Moreover, the presence of certain artifacts does not confirm the intent of the attacker or aggressor.

Additionally, there is always the issue of identifying the attacker. When an attack hits its target, the effects can be shocking. Certainly, there is a strong desire to determine who is responsible, and certain nations are often cited as responsible for some of the biggest incidents in recent years, but in general the tools needed to uncover the actor rely on what are known as tactics, techniques, and procedures (TTPs). The actors could be criminal actors, business-intelligence actors, contractors, or nation-state actors, but many of them use very similar TTPs, to a significant degree.


d. Cyber-deterrence May Not Work as Well as Nuclear Deterrence

The uncertainties or ambiguities of cyber-deterrence contrast plainly with the clarities of nuclear deterrence. In the Cold War nuclear realm, attribution of attack was not a problem. The prospect of battle damage was clear, and the 1,000th bomb could be as powerful as the first. Counterforce was possible, there were no third parties to worry about, and private firms were not expected to defend themselves. Any hostile nuclear use crossed an acknowledged threshold, no higher levels of war existed, and both sides always had a lot to lose.

On the other hand, though the threat of retaliation may dissuade cyber-attackers, the difficulties and risks just described highlight the risks of making threats to respond, at least in kind. Definitely, an explicit deterrence posture that meets a cyber-attack with an obvious effect but a non-obvious source creates a painful dilemma: respond and maybe get it wrong, or refrain and see other deterrence postures lose credibility.[26]

The case for cyber-deterrence usually relies on the assumption that cyber-attacks are cheap, and that cyber-defense is expensive. If cyber-attacks can be conducted with exemption from punishment or freedom from the damaging consequences, the attacker has little reason to stop.

Furthermore, nuclear deterrence prevented the outbreak of nuclear conflict during the Cold War. But what is there about cyber-space that would prevent a similar posture from working similarly well? Plenty, as it turns out. Questions that simply do not appear with nuclear or even conventional deterrence matter in cyber-space whenever the target of an attack contemplates retaliation.

Cyber-weapons are more like intelligence assets than military hardware. In this case, nations want their opponents to be afraid they exist, but not to know exactly what they are, or how big their network capabilities are.


e. Offense vs. Defense

The offense-defense balance can be assessed only for specific operations, not for all of cyber-space, as it is shaped by the capabilities of adversaries and the complexity of their goals in any conflict. When it comes to exerting precise physical effects, cyber-space does not offer overwhelming advantages to the offense. Because the capabilities of offense and defense are similar, improving defensive operations allows preparation for cyber offense without risking geopolitical instability, or increasing vulnerability to attack.

The defensive chain versus the offensive chain can be summarized as in the following figure (Fig. 4).


The issue of comparing or making a balance between Cyber Offense and Cyber Defense relies on the following:


1-    Creating Unnecessary Vulnerabilities

Making offensive cyber operations a national priority can increase instabilities in international relations and worsen national vulnerabilities to attack. However, because the skills needed for offense and defense are similar, military offensive readiness can be maintained by focusing on defensive operations that make the world safer, rather than on offensive operations.


2-    Managing Complexity

The ease of both offense and defense increases as organizational skills and capability in managing complex technology improves; it declines as the complexity of cyber operations rises. What appears to be offensive advantage is primarily a result of the offense’s relatively simple goals and the defense’s poor management.


3-    Assessing Kinetic Effects

It is often more expensive for the offense to achieve kinetic effects, for instance, the case of sabotaging machinery, than for the defense to prevent them. An empirical analysis of the Stuxnet[27] cyber-attacks on Iran’s nuclear enrichment facilities shows that Stuxnet likely cost the offense more than the defense, and was relatively ineffective.

The skills and organizational capabilities for offense and defense are very similar. Defense requires understanding how to compromise computer systems; one of the best ways to protect computer systems is to engage in penetration testing (i.e., controlled offensive operations on one’s own systems). The similarity between offensive and defensive skills makes it unnecessary to conduct offensive operations against adversaries to maintain offensive capability. Thus, rather than stockpiling technologies in the hope of gaining offensive advantage, nations should develop the skills and organizational capabilities required to innovate and maintain information and communications technologies.


E.    Cyber Operations Strategy as a Power Multiplier

Cyber Operations could provide strategic value, from both approaches, i.e. offensive or defensive. There is a growing number of nations who are trying to develop and invest in these capabilities, planning for a long-term strategy for gaining goals or acquiring power in this domain, thus achieving a force multiplier for both conventional and non-conventional assets.

Modern technology with integrated cyber-security systems is considered a force multiplier. Cyber-space capabilities, when used in support of Information Operations (IO), will allow denying or manipulating the decision making of an adversary or potential adversary by targeting an information medium, thus enhancing one's own power in that dimension.


On the other hand, when such capabilities are considered a gain in force for one side, countermeasures are expected to be structured around the following:

i.     The need for an International Cyber Treaty.

ii.    Development of new capabilities

iii.   Putting in place the policies and organizations needed to execute the mission.

iv.   Building more effective cooperation with industry and international partners.

v.    Building up the Cyber Strategy.

vi.   Treat cyber-space as an operational domain to organize, train, and equip in order to take full advantage of cyber-space potential.

vii.  Employ new defense operating concepts to protect own networks and systems.

viii. Partner with other governments, departments, and agencies, and engage the private sector, to enable whole-of-government cyber-security strategies.

ix.   Build robust relationships with allies and national/international partners to strengthen collective cyber security.

x.    Leverage existing capabilities through an exceptional cyber workforce and rapid technological innovation.


Conclusion

The global economy and national security of any state depend on cyber-space; accordingly, the efficient protection of cyber-space will be determined, in part, by successful Cyber Operations. Moreover, as the threat from Cyber Operations will increase in the next decade even if extensive information security is implemented, proper cyber-security strategies need focused care to deal with such operations.

Cyber Operations have slowly left the realm of imagination and science fiction to become a contemporary reality. In today's ultra-connected societies they are inevitable and constitute an integral part of international relations. Nations, scholars, and NGOs have been speculating on the militarization of the Internet, in particular the deployment of military activities in cyber-space. With cyber-space established as a domain for military activities and armies acquiring cyber capabilities, Cyber Operations will definitely be part of the military scope, and consequently the private sector could be affected too.

On the other hand, the Internet and the application layer are becoming a globally contested operational domain, where the entrance of state actors as contestants and aggressors creates a radical shift: hackers and information thieves had limited resources and mainly pursued financial goals, whereas state-run operations have a completely different set of targets and goals. Here, beyond the escalation implications of “defending forward,” analysis highlights the limitations of cyber operations as independent tools of statecraft.

Within Cyber Operations, the ambiguous offensive-defensive duality of cyber tools, operations, and, in some cases, CERTs[28] procedures, raises challenges similar to those posed by national ballistic missile defenses in nuclear-armed states. Building effective defenses on a scale that could match an opponent’s nuclear-armed missile arsenal could be a way to lower the risk of initiating offensive attacks by reducing the victim’s capacity to retaliate.

Cyber Operations, in parallel with the continuous importance of Cyber-security, will be always in a never-ending battle, thus creating an asymmetric covert conflict with an anonymous attacker and a reactive targeted society.

Cyber Operations are inherently characterized by extremely rapid decision cycles and thus require a flexible organization that can provide rapid coordination at the national and international level and address common interests quickly.


References

  1. Cyberspace Operations, Joint Publication 3-12, USA, 2018.
  2. Andrew Ruef, Introduction to Cyber-Warfare, 2013.
  3. Bertrand Boyer, Cyberstratégie l’art de la guerre numérique (French Edition), Nuvis, 2012.
  4. C. Maathuis, W. Pieters, and J. van den Berg, Developing a Cyber Operations Computational Ontology, 2018.
  5. Cyber Operations and International Law, Cambridge University Press, 2020.
  6. Information Operations, Joint Publication 3-13, USA, 2014.
  7. Jan Kallberg, Bhavani Thuraisingham, Strategic Intelligence Management, 2013.
  8. Kenneth Waltz, The Emerging Structure of International Politics, 1993.
  9. Martin C. Libicki, Cyberdeterrence and Cyberwar, 2009.
  10. Rebecca Slayton, Why Cyber Operations Do Not Always Favor the Offense, Belfer Center for Science and International Affairs, Harvard Kennedy School, 2017.
  11. Tallinn Manual on The International Law Applicable to Cyber Warfare, Cambridge University Press, 2013.

[4]-   The Tallinn Manual is an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare. An international group of approximately twenty experts wrote it at the invitation of the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence.

[6]-   https://fas.org/sgp/crs/natsec/IF10537.pdf, Cyberspace Operations, access date: 12/01/2022.

[7]-   https://www.researchgate.net/figure/The-eight-knowledge-areas-of-cyber-operations_fig3_332089099.

[9]-   Translated from the book “Cyberstratégie l’Art De La Guerre Numérique” by Bertrand Boyer.

[10]-  The first digital operation that targeted the Iranian Nuclear Plant in 2010, by USA & Israel.

[12]-  https://www.belfercenter.org/publication/why-cyber-operations-do-not-always-favor-offense, access date: 25/01/2022.

[13]-  https://irp.fas.org/doddir/dod/jp3_13.pdf, access date: 17/02/2022.

[15]-  Sun Tzu was a Chinese general, military strategist, writer and philosopher who lived in the Eastern Zhou period of ancient China. Sun Tzu is traditionally credited as the author of The Art of War, an influential work of military strategy that has affected Western and East Asian philosophy and military thinking.

[17]-  Ibid.

[19]-  Cyberdeterrence and Cyberwar, Martin Libicki, 2009, p.60.

[20]-  US Corporation, non-profit organization, manages federally funded research and development centers.

[21]-  https://www.swp-berlin.org/10.18449/2019C34/m, SWP Comment 2019/C 34, August 2019, access date: 03/02/2022.

[22]-  Op. cit. p. 10.

[23]-  Military cyber threats, https://www.ia-forum.org/Files/YFXUQN.pdf, access date: 26/04/2022.

[24]-  US diplomat and former National Security Advisor.

[26]-  Op. cit. p. 16, Cyberdeterrence and Cyberwar, Martin C. Libicki, p. xvi.

[27]-  Op. cit. p.9.

[28]-  Op. cit. p.17.

Cyber Operations

Cyber Operations (CYOPS), according to the various international conventions and definitions, form an integral part or aspect of the "means of cyber warfare", "methods of cyber warfare", "information warfare", "information operations", or "cyber attacks".

The economy, safety, and national security of most states depend heavily on cyber-space; accordingly, the protection of this space will depend, to some extent, on successful Cyber Operations. Cyber-space, which is evolving rapidly, is the domain in which these operations take place, through the increasing use of networks, big data, technology, virtualization, cloud computing, cloud services, cryptocurrencies, large-scale proliferation, legacy systems, and the integration of cyber systems with the physical world.

In detail, Cyber Operations will have to rely on different dimensions, mainly offensive, defensive, and deterrent measures, together with protection systems, along with a deep understanding of, and adaptation to, the requirements of the system's state, the threats and actors, and the precautions required. In addition, defining the framework is necessary for the best practices to achieve protection and security, with the need to link to international concepts and laws, while determining the level of risk or threat to international peace and security.

Moreover, although Cyber Operations lack the models, methodologies, and mechanisms needed to describe the relevant data and knowledge, there are still roles and requirements for the elements involved in this field. The main tasks of the individuals taking part in Cyber Operations are to develop, maintain, and enhance cyber-space capabilities in order to defend national interests from attack, and to create effects or initiate offensive actions in cyber-space to achieve national objectives. In addition, the main tasks of states and organizations in this respect are to prepare and apply training and strategies, to define the appropriate policies and doctrines that match the security requirements and protection measures for mitigating risks and vulnerabilities, to acquire postures, and to carry out the best recovery operations.