Lessons in Cyber: Influence Operations

Taking home the gold at Olympic IO

thaddeus t. grugq
Comae Technologies
Feb 26, 2018

International, and US, cyber wonks seem to have caught the influence op bug. Starting with the slow dawning awareness that PSYOPS can be conducted using New Media companies (Facebook, Twitter, Instagram, YouTube, etc.) the fascination with information/influence/psychological ops is exploding. Typically this is done with a hyperbolic discussion about the threat to liberal democracy represented by “people lying on the Internet.” Apparently the events in Ukraine (2014–2018) and the 2016 US election have finally reached critical mass and now every newly minted cyber expert is an information warfare specialist. Heads firmly stuck in the last lost war, they have just been caught slipping, again.

Rather than rehash what I wrote about in 2016 and 2017, let’s look at an influence operation that is happening in 2018. Russia, having been caught conducting PSYOPS against the US in 2016, is leaning in and now pushing to establish itself as a recognized cyber superpower. Although there is room for debate about how true that is across all dimensions of cyber power, there is little doubt that they’re firmly the masters of mind games.

With a rich history of flexible approaches to the truth and numerous successful intelligence operations over the last century, their ability to conduct effective information operations should really come as no surprise. The surprise is how fertile the West has become for these games: it has squandered the inherent resistance to info war that sustained it through the Cold War — a virtual monopoly on the truth. The ramifications of the dissolution of the USIA are now apparent. Charles Wick’s understanding of disinformation is sorely missed.

In responding to disinformation, the United States has the tremendous advantage that the truth is inherently more powerful than lies. But if the lies go unchallenged, then they can have a damaging effect.

Charles Wick. Source

[W]ith all disinformation…it is the repetition that creates perceptions that then harden into damaging assessments — Charles Wick. Source

Cyber has become a good domain to demonstrate international prominence. It is no longer feasible to set off a Tsar Bomba or atomize islands in the Pacific, but parading nation state capabilities on the world stage is still possible. The trick is to keep it below the threshold of kinetic retaliation.

International Information Warfare on $10 a Day

The malware used against the 2018 Winter Olympics was poor quality, and badly false flagged. The interruptions to the Games were minimal. The attack was announced beforehand by Russian-linked hackers. There is a reason for this — the operation was not about the actual action, the spoiler effects of the attack, but rather the inevitable discovery and media attention. The objective was not to disrupt the Games, but to amplify the image of Russia as a cyber superpower and provide a future credible belief in false-flag cyber ops. This will likely be used in future information operations to confuse and reduce the belief in the accuracy of attributions. Two very useful objectives that rely entirely on the Intelligence Services and the international media reacting in a particular way.

That gamble has paid off. Something like this just happened.

Cyber Superpower

Establishing a position as a cyber-superpower is costly, resource intensive, and requires some level of public exposure. Of course, public exposure of cyber capability is a great way to lose that capability, so there are risks involved. Israel’s Unit 8200, the UK’s GCHQ, the US NSA, have firmly established themselves as cyber superpowers via publicity (in the latter case, reluctantly, thanks to Stuxnet and Edward Snowden.) China was anointed by the APT1 paper as a cyber power. Russia has long held the role of cybercrime haven, but has only slowly gained recognition for their cyber espionage campaigns. The recent focus on cyber influence ops, fixated on false narratives spread through media channels, in particular the revelation of active — successful — operations against the UK and the US (both recognised cyber superpowers) has greatly improved Russia’s international standing as a dominant cyber power.

It is worth noting that cyber capacity and capability have a huge amount of complexity and many dimensions. There are:

  • passive cyber (monitoring, espionage);
  • active cyber (manipulating data);
  • kinetic cyber (manipulating physical elements);
  • informatic cyber (information manipulating the human consumer, as modeled via reflexive control);
  • and probably other aspects that we don’t know about yet.

Naturally, these can be combined, and typically are. For example, the Stuxnet attack involved a kinetic cyber attack against the Siemens controllers of the Iranian centrifuges, while also presenting an informatic attack by displaying false “normal” status reports to the operators.

There are fundamental reasons why most countries focus on passive or kinetic cyber as the ultimate tier of capability — typically the organizations with authority to engage in cyber are the Intelligence Services and the Military. They are institutionally predisposed to collecting data or conducting “deny, disrupt, destroy, degrade” operations to enable and support their forces. This tunnel vision is a problem, but further hindering them is poor adaptability, slow speed, reduced creativity, and limited agility.

  • Adaptability is the ability to recognize changes in technology and incorporate them into operational doctrine.
  • Speed is the ability to conceive an operation and execute it, perhaps best articulated as “how many meetings before someone can hit Enter?”
  • Creativity is the capacity for innovation and for developing, and/or combining existing, capabilities in new and novel ways.
  • Agility is the capacity to respond to changes in the environment and continue to operate with purpose towards achieving one’s objectives.

These organisations are hierarchical bureaucracies, and achieving tight OODA loops requires pushing authority down to the operational level. This functions best with capable operators and operations managers. As a result, small teams are frequently more capable than large teams, a sort of mashup of Conway’s Law:

organizations which design systems … are constrained to produce designs which are copies of the communication structures of these organizations.

and Brooks’s Law:

adding human resources to a late software project makes it later

Which leads to a significant advantage that Russia has inherited/created for itself in the cyber arena. There are a lot of small groups and the Intelligence Services have deliberately created the bureaucratic space to allow their cyber teams to operate at a high speed (conception to execution), and a high tempo (frequency of operations.)

They have also demonstrated exceptional creativity, which is a result of diversity and competition: numerous small teams (more ideas, less group think); a rich history of information operations (over a century of uninterrupted institutional memory); a deep cultural malleability with the truth (exhibit A, Pravda); and, an environment with the freedom to fail. Failure is an option. This encourages risk taking. As a result, it is possible to use a “spaghetti at the wall” approach — throw a bunch of operations at the wall and see what sticks.

The combination of adaptability, speed, agility, diversity, competition, creativity, and risk tolerance results in an exceptionally vibrant and subtle cyber capacity. Whether it is cohesive enough to conduct the sort of operations that the West thinks about is an open question, but it is undeniably able to conduct operations that the West does not think about — and, possibly, that is more important.

Caught Slipping, Again

In the middle of the Western re-discovery of PSYOPS (they literally wrote the book on this in the 1970s, and updated it a couple times since), Russia has again executed an information warfare attack. They have accepted the (honestly Russophobic) “cyber power” frenzy and are leaning in, pushing it further. They have done this on the cheap, and it is seriously impressive to witness it happening literally in the middle of the “Russia cyber influence” frenzy. As I’ve said before, cyber conflict is like Calvinball, the only rule is that it isn’t played the same way twice.

Olympic Gold Cyber Influence

The start of the 2018 Winter Olympic games in South Korea was marred by some malware-induced problems. The geopolitics at the time involved fear about North Korean cyber capacity (they’re aggressive), sabre rattling about nuclear war, and Russia being banned from participating due to a doping scandal. This latter is what matters in this case as they are essentially the only nation state with a motive for interfering with the Games. They also have a history of provocations around doping and the Olympics, again dating back to 2016 and the WADA hackers who operated under the moniker “Fancy Bear Crew” — itself an info war attack aimed at causing confusion with the CrowdStrike naming convention for the GRU cyber team involved in the 2016 election.

In early 2018 the WADA hacker Twitter became active again, threatening to interfere with the Olympic games. This caused some minor media attention, but was not a particularly big deal. Then the malware and trivial computer problems during the start of the Olympics caught some media attention, but given the minimal disruption and the vague attribution (“was it kiddies for the lulz? DPRK as spoilers? Russia?”) there simply wasn’t that much of a story there. A week later something critical happened. The US came forward and specifically attributed the attacks to Russia, stating that they had conducted a false-flag operation made to appear as North Korea. Now this is a story with legs.

Russia has caused the international media to trumpet its cyber superpower status. Additionally, not only was this an effective influence operation that caused Russia’s cyber power status to grow in stature and mindshare, the use of a false flag operation has laid the groundwork for future information warfare attacks. By acknowledging that a legitimate, serious, for real, false flag cyber operation occurred, the US intelligence community has created fodder for future conspiracy theories and contrarian attributions regarding cyber attacks. When an attack is publicly attributed to Russia, trolls and other info war participants will be able to point at this false flag operation and raise doubts about future attributions.

It’s a Twofer!

In one cheap operation they have amplified the concept of “Russia the cyber superpower”, and established a plausible argument to dispute the credibility of future attributions. The creativity of this operation is not to be denied. Absolutely stellar. For the price of some cheap malware, a few Tweets, some playful shenanigans, and then simply sitting back to wait for the operation to be exposed and covered by the international press, Russia has achieved two important objectives:

  1. They have further cemented their image as a cyber power, and
  2. they have created a narrative useful for undermining future attribution.

Truly impressive PSYOPS. Russia takes home the cyber gold for this Olympics.
