Premature Cyber Escalation

It’s ok, it happens to lots of states, don’t worry about it

thaddeus t. grugq
Jun 25 · 9 min read

US CYBERCOM launched a powerful widespread cyber attack against Iranian missile command and control (C&C) assets. This attack caused a denial of service that is so severe Iran will need a long time to recover their former capabilities. It was the least effective, most self defeating, cyber attack since a script kiddy hacked and wiped that system behind

[Support more content like this.]

That don’t make no goddamn sense.

This framing of the attack as a calculated atttack to cause damage to Iranian missile C&C assets that’ll be time consuming and costly to repair, is very literally crazy talk. An analogy: a threat actor hacks a company, and on Friday, bust before the end of the work day, they delete MS Office from every computer. The cost to the company is minimal as no one would be working over the weekend. No one except the poor IT staff who have to clean up the mess anyway. For the company the cost they pay is “unpleasant weekend for IT staff, and overtime money.” On the other hand, the company learns a great deal about their vulnerabilities, their risk exposure, and how to deal with a similar attack in future.

At the cost of some inconvenience for some people, and a bit of money, the company learned a lot of valuable information about their weaknesses. They can now take remedial action to prevent it from happening again, and create processes and procedures to reduce the burden of recovering from such an attack. From any perspective, it’s a great bargain.

The US used a cyber attack that gained them nothing, and the Iranians pay a small price to learn how to mitigate and respond to such a cyber attack. The US taught Iran a lesson alright, but I very much doubt it was: “if you like your military toys, then leave the US alone.

That can’t be the real reason, can it?

The rationale that the cyber attacks against Iranian C&C infrastructure were a punishment and a signal to Iran makes no sense . Like in the analogy, someone suffers a bit of inconvenience or some money while fixing things. For Iran this is a massive win. They learn: of a vulnerability in their C&C infrastructure that needs to be secured, and the practical experience of recovering from a cyber attack, particularly one against their C&C.

Iran pays next to nothing to learn how to better secure themselves against US cyber attacks. They also learn US CYBERCOM TTP – how they operate. And, bonus points, they learn the US doctrinal thinking on how cyber domain operations are incorporated into kinetic warfare operations. (Ok we all learn this, and it’s very similar to the Israeli doctrine of using cyber to disable opposition defense capabilities prior to an attack, e.g. disabling SAMs.)

There is no rational explanation for exposing a fragile but critical force protection capability – risking its future utility – in exchange for nothing of value. The official narrative is either false, or a demonstration of a terrible understanding of conflict in the cyber domain.

Cyber warfare: slow and cautious or fast and furious

The only plausible reason why US CYBERCOM launched a damaging denial of service attack against Iranian missile C&C assets is that it occurred before the rest of the operation was aborted. If the cyber attack was an early mission to prepare for the later kinetic operation it may have executed before the rest of the operation was aborted. Most likely the cyber attack was to temporarily reduce Iranian military capacity. The goal being to limit the threat of immediate escalation (“you and what missile fleet? lol“) plus provide force protection for the kinetic attack that would more permanently reduce Iran’s military capacity. A simple time line easily shows how this could happen.

The very nature of loud offensive cyber attacks makes them inherently less repeatable in the future. Destroying Iranian missile C&C assets via cyber has a cost. That cost must be offset by some value achieved by exploiting results of using that cyber capability. Diplomatic, strategic, operational or tactical, there must be follow up exploitation of a successful cyber attack.

Aborting the kinetic element of the operation after the cyber offensive had already begun is the only rational explanation I can think of for such irrational behaviour.

Why it was a dumb

Destroying Iranian missile C&C assets via cyber has a cost. That cost must be offset by some value achieved from exploitation of the results of that cyber capability. Diplomatic, strategic, operational or tactical, there must be follow up exploitation of a successful cyber attack.

The cyber domain has very rapid evolutionary cycles for offence and defense capability. One of the most important elements driving each iteration is the feedback register, which helps refine the fitness function, and triggers the start of a new cycle. Feedback information is a vital part of cyber warfare. Feedback determines how rapidly evolution advances, and which areas are important for selection in the next cycle. Fast reliable accurate feedback is possibly the strongest cyber defense capability (which is a whole other discussion, but seriously— cyber deception, done correctly, is magic.)

The rapid evolutionary cycle of the methods and means of warfare in the cyber domain is driven by information from successful attacks or defence. Clearly the best strategy for a cyber threat actor who wishes to retain a capability for future use is cautious selective utilisation. A rational actor uses tools only when they need them not just because they have them.

A rational actor uses tools only when they need them not just because they have them.

What’s going on? What happened?

The US had planes in the air ready to attack a number of Iranian military targets. The attack was aborted 10 minutes before it executed, and the sites were not bombed. Bizarrely, US CYBERCOM immediately bragged about how they had caused significant operational damaged to the Iranian missile control system. The hack was framed as a retaliation signal to Iran “the US can shut down your systems, let this be a warning to you. This will be expensive to fix so you’re ‘paying’ for your lesson.”

Didn’t we just cover why using cyber capabilities without any follow up exploitation is a waste ? Using cyber tools means accepting the risk of losing those cyber tools.

The clandestine element of cyber operations means that many of the same rules restricting clandestine organisations’ operational capacity apply:

The increasing frequency of British army searches meant that the policy of IRA quartermasters was ‘the more you give, the more you lose.’ Therefore, highly prized weapons, like Armalites, were kept for important operations. — source: Insider, Gerry Bradley’s life in the IRA

I sincerely hope that CYBERCOM is merely making a face-saving false statement, rather than enacting a policy that demonstrates a fundamentally flawed understanding of conflict in the cyber domain.

Assume CYBERCOM is competent, then why?

For the sake of argument let us assume that CYBERCOM is not a clown show cyber warfare unit that believe they are literally “dropping cyber bombs.” What rational reason(s) could there be for the execution of a (probably single use) temporary crippling cyber attack? Here’s one plausible reason: the cyber attack was a preparatory phase of an operation that would center around kinetic attacks on military targets. The preparatory phase was already past the point of no return by the time the operation was aborted.

This can even explain why the damage was more extensive than strictly necessary for the original mission (if indeed that is the case.) If cyber domain operations weren’t aborted in time, since they were already committed they were allowed to finish, or even expanded in scope? Once we assume the hypothesis that CYBERCOM began their mission before the abort, any other similar cyber domain operations around that time can be attributed to them as well because: In for a penny, in for a pound.

ELI5 the damn timetable already

I will create a fake, crude, and clumsy mission plan. with unrealistic times and details so the salient points are easily visible.

Operation Drama Queen

The primary mission objective of this operation is for Orangia to destroy some military targets located inside Iranistan. Orangia has superior technology and air supremacy, but are very casualty sensitive. Iranistan has good technology, particularly for threatening Orangia’s regional allies, Orangia’s economic partners, and Orangia’s air assets.

The Players

Blue Team: Iranistan

Iranistan has an advanced military with large stockpiles of sophisticated ballistic missiles, a powerful anti aircraft defense system of radars and surface to air missile batteries. They’re keyed up for a war and almost any attack, particularly kinetic, will trigger a cascade of escalations which are in nobody’s best interest.

Red Team: Orangia

Orangia has the largest most technologically sophisticated military in the world, comprised of some of the best soldiers in the world. They are have some cultural quirks that impact their war fighting capacity though, for example taking casualties can frequently be enough to trigger political pressure on the leadership to halt or reduce military involvement. Casualty avoidance and military technology tend to push Orangia into air campaigns where air supremacy limits their risk exposure. The Orangia military is composed of several competing services who enjoy fractious political infighting. On the field though, these services operate in concert using “combined arms” doctrine where they all support each other.

The newest member to the military services club is the group tasked with conducting operations in the cyber domain. They have yet to prove themselves in conflict and are eager to do so.

The Orangia political leadership is extremely erratic and unpredictable. It is hard to interpret what signals they are attempting to send (they’re frequently at odds with each other and there is spirited debate about whether they are even literate in state level signalling.) If there’s a coherent doctrine or strategy being pursued by the often confused and confusing leadership no one has been able to articulate it yet. Inconsistent, unpredictable, erratic, and fickle, developing a strategy against Orangia is a challenging task.

Prior performance is no guarantee of future performance.

Operation Drama Queen: Time Table

Iranistan is protected by the credible threat of a large volume of diverse ballistic missiles. A wide radar perimeter allows them to detect incoming flights, and within that space a smaller zone represents the boundary of their anti aircraft missile capability. An air attack on Iranistan requires removing the ballistic missile threat and disabling their air defense systems.

The kinetic strike against the Iranistan military targets is schedule for 2200 (zero hour). Orangia military planners calculate the flight times of their attack air craft:

  • when they must take off,
  • when they must start towards Iranistan and their targets,
  • when they will penetrate the Iranistan radar perimeter, and
  • when they will cross the boundary threshold putting them in range of Iranistan air defense systems.

To strike their targets at 2200, the planes must take off by 2000, leave for their targets by 2030, at 2100 they penetrate the perimeter, at 2130 they reach the boundary, and at 2200 they strike.

Orangia’s doctrine of force protection requires that the military disable the air defense systems before the aircraft reach them, so the AA must be disabled by 2130. However, once the aircraft are inside the perimeter. (2100) the chance that Iranistan will execute on their threat to Orangia’s regional allies starts to rise dramatically. To be safe, Orangia should neutralise the perimeter radar before the aircraft reach it, and they should also disable the AA at the same time to prevent last minute security procedures hardening the AA systems. Really, Orangia needs to launch all of it’s cyber domain operations as close to 2100, as they can get without being premature.

Drama Queen Timeline

  1. 2000 – Orangia aircraft take off
  2. 2030 – Orangia aircraft assemble into flight patterns, depart for their targets
  3. 2050 – Orangia’s cyber operations service disables the perimeter radar and the AA defenses
  4. 2100 – Orangia’s aircraft cross the perimeter, but Iranistan is blind
  5. 2101 – Iranistan is unable to launch missile strikes because nothing works
  6. 2102 – Iranistan sends for Mohammed’s nephew who is pretty good with computers to try to make things work again
  7. 2130 – Orangia aircraft cross the boundary, but Iranistan’s AA is disabled
  8. 2135 – Orangia’s chief kleptocrat realises he’ll miss Matlock if this attack is happening at 2200
  9. 2136 – Orangia issues the abort command and asks someone to find the TV remote
  10. 2140 – Orangia’s airplanes are all heading home
  11. 2245 – Mohammed’s nephew is pretty stumped and asks if he can check it in the morning cause it is way late
  12. 2300 – A heavily sweating Orangia Cyber Commander calls a newspaper to tell them about how long it is gonna take Iranistan to fix their computers because they are really really fucked.

Escalation to something MORE STUPID

That is the only way I can think of to explain the insane behaviour of US CYBERCOM as the behaviour of a rational actor.

thaddeus t. grugq

Written by

Information Security Researcher :: ::