# Cyber War and America’s Response



## TYW27 (Jan 1, 2021)

I wanted to see what your professional thoughts are on state-sponsored hacks and talk a little about what our response as a Nation should be. I’m growing increasingly concerned with state-sponsored attackers and the damage they are doing to this Nation.

I first became aware of how much damage state-sponsored hackers can do when China attacked OPM:

The OPM hack explained: Bad security practices meet China's Captain America

Then Equifax:

Chinese Government Hackers Charged With Massive Equifax Hack

The Marriott:

Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing (Published 2018)

And Anthem:

Member of Sophisticated China-Based Hacking Group Indicted for Series of Computer Intrusions, Including 2015 Data Breach of Health Insurer Anthem Inc. Affecting Over 78 Million People

The scary thing is realizing that China is building a database of government and military personnel with details from an SF-86 form and correlated through credit and travel agencies.


Lately the US Government has been scrambling to control the fallout with the alleged Russian attack on SolarWinds, with specific targets in the National Treasury, Pentagon, and Department of Energy among others.

What We Know About Russia's Alleged Hack Of The U.S. Government And Tech Companies

My question is, when does a cyberattack warrant military action? Or should it? So far we are being reactive (it seems) making movement to contact without any real ability to pro-actively locate and destroy these attackers in the cyber realm.


----------



## frostyred (Jan 1, 2021)

TYW27 said:


> The scary thing is realizing that China is building a data base of government and military personnel with details from an SF-86 form and correlated through credit and travel agencies.


Bud, that's been going on for a VERY long time. A very, very long time. You can look at the instances of espionage that you're trained on that have been discovered (and consider which ones HAVEN'T been).



TYW27 said:


> My question is, when does a cyberattack warrant military action? Or should it? So far we are being reactive (it seems) making movement to contact without any real ability to pro-actively locate and destroy these attackers in the cyber realm.


It already does, and has; the problem that most people have is separation of kinetic and non-kinetic response. As we (and the world) drive more and more into full digitalization and informationalization, actions which attack or use information as the weapon become more common, more effective, and more useful overall. Even China speaks on these types of things in some of their documentation when talking about the Informationalization of War. Now, you have to be able to read/understand it in Mandarin... but the white papers are not difficult to find on the clear web.


----------



## AWP (Jan 2, 2021)

Let's say the US runs a cyber op that is successful...does anyone think we'll announce our success? Sooner or later someone will talk, but our failures are publicized, do we think China and Russia have the same openness as the US?


----------



## TYW27 (Jan 2, 2021)

frostyred said:


> Bud, that's been going on for a VERY long time. A very, very long time. You can look at the instances of espionage that you're trained on that have been discovered (and consider which ones HAVEN'T been).



Absolutely I agree with you that China has been doing this (and I’m sure Russia as well) for a long time. However, the OPM breach was pretty significant in my opinion. If they already had all the information they needed on us why continue to gather more?

Then you have the Russian hack with SolarWinds and the different agencies who were impacted, which we still don’t know how bad this is. I think there is a very big difference between stealing information for reconnaissance purposes and an outright digital attack. In my opinion I believe the SolarWinds attack could be considered an open attack against us in the Cyber realm.

My question is: What should our response be?


----------



## TYW27 (Jan 2, 2021)

AWP said:


> Let's say the US runs a cyber op that is successful...does anyone think we'll announce our success? Sooner or later someone will talk, but our failures are publicized, do we think China and Russia have the same openness as the US?



Hopefully we wouldn’t announce it to avoid retaliation, but I seem to remember that we did just that when we killed UBL with a top secret Tier I unit.

Our own media would out us as it has in the past.


----------



## frostyred (Jan 2, 2021)

AWP said:


> Let's say the US runs a cyber op that is successful...does anyone think we'll announce our success? Sooner or later someone will talk, but our failures are publicized, do we think China and Russia have the same openness as the US?


At some point, perhaps. It depends on the narrative structure and how we intend to use the story. Whether that becomes an avenue to destroy adversary credibility, loosen belief and morale for the military and its constituent personnel in their command structure... or to cause an inflammatory response, in order to goad the first strike, therefore justifying a swift and decisive response.



TYW27 said:


> My question is: What should our response be?


Wholly depends on who's steering the ship, and what the adversary has done recently.

The bigger picture is less that we are shooting little cyber payload bullets at each other, and more that we're literally waging information warfare. Adversaries are stealing data and pushing narratives less to eliminate, and more to subjugate. And that's really how wars are won, sans, ya know, dropping a literal nuke onto small Japanese regions.

If the right people are in charge, our response will be one that probably undermines the belief in whatever capability we degraded, on the red side.


----------



## Kheenbish (Jan 2, 2021)

AWP said:


> Let's say the US runs a cyber op that is successful...does anyone think we'll announce our success? Sooner or later someone will talk, but our failures are publicized, do we think China and Russia have the same openness as the US?


One publicly announced successful cyber op was operation Glowing Symphony with Joint Task Force ARES. 

A great podcast called Darknet Diaries did an interview with one of the Os in charge of the op. 

Article

Podcast


----------



## Gunz (Jan 2, 2021)

Response to any Level 4 or Level 5 cyber attack should be full-spectrum retaliation. Whatever you have that still functions, pull the chain.


----------



## TYW27 (Jan 2, 2021)

Kheenbish said:


> One publicly announced successful cyber op was operation Glowing Symphony with Joint Task Force ARES.
> 
> A great podcast called Darknet Diaries did an interview with one of the Os in charge of the op.
> 
> ...



That makes sense that it was made public since it was a terrorist group (ISIS) and not a near-peer adversary like China or Russia.

I would imagine we could kick off WWIII if it was public that we hacked Russia the way they hit us with SUNBURST.


----------



## frostyred (Jan 2, 2021)

Kheenbish said:


> One publicly announced successful cyber op was operation Glowing Symphony with Joint Task Force ARES.
> 
> A great podcast called Darknet Diaries did an interview with one of the Os in charge of the op.
> 
> ...


Oh, Ares...


----------



## Kheenbish (Jan 2, 2021)

TYW27 said:


> That makes sense that it was made public since it was a terrorist group (ISIS) and not a near-peer adversary like China or Russia.
> 
> I would imagine we could kick off WWIII if it was public that we hacked Russia the way they hit us with SUNBURST.


True, but the reported cyber attack by CYBERCOM against Iranian shipping lanes and the ability to track maritime ships was made public in 2019.

Article

It seems some of these attacks are made public but not picked up by mainstream media, or the general public still hasn't come to full terms with the reality of cyber warfare.


----------



## Teufel (Jan 2, 2021)

There is a big difference between a cyber intrusion and a cyber attack. One is espionage and the other is warfare. It can be difficult sometimes to define the two with widely accepted terms unfortunately.


----------



## BloodStripe (Jan 3, 2021)

US 'launched cyber-attack on Iran weapons systems'

Here's a recent (within last 2 years) publicly announced attack the DoD did. I think cyber, like CLAN, is a fine line on what should be discussed on an open forum.

CSIS is a good resource for public info on recent attacks on both state and non-state actors. 

Significant Cyber Incidents | Center for Strategic and International Studies


----------



## Brill (Jan 3, 2021)

Teufel said:


> There is a big difference between a cyber intrusion and a cyber attack. One is espionage and the other is warfare. It can be difficult sometimes to define the two with widely accepted terms unfortunately.



Has there ever been a large-scale Title 50 “war”?


----------



## GOTWA (Jan 3, 2021)

Teufel said:


> There is a big difference between a cyber intrusion and a cyber attack. One is espionage and the other is warfare. It can be difficult sometimes to define the two with widely accepted terms unfortunately.


Could you say that's by design? Seems that gives one an out when determining the response. The cyber side worries me like nothing else. It's far scarier than anything kinetic in my opinion.


----------



## TYW27 (Jan 3, 2021)

Gunz said:


> Response to any Level 4 or Level 5 cyber attack should be full-spectrum retaliation. Whatever you have that still functions, pull the chain.



I am not even sure what those are - gonna have to do some research!


----------



## Teufel (Jan 3, 2021)

lindy said:


> Has there ever been a large-scale Title 50 “war”?


It depends on how you define large scale but I think US operations in Central America during the Cold War and Afghanistan during the Russian occupation qualify.


----------



## frostyred (Jan 3, 2021)

GOTWA said:


> Could you say that's by design? Seems that gives one an out when determining the response. The cyber side worries me like nothing else. It's far scarier than anything kinetic in my opinion.


I mean, it shouldn't. We have to take the same mentality as big companies such as Microsoft and assume that either networks have already been compromised (which, in most of these instances, is true) and mitigate what we can. Informationalized warfare is a bitch because it's got so, so many more vectors of attack.


----------



## Teufel (Jan 3, 2021)

GOTWA said:


> Could you say that's by design? Seems that gives one an out when determining the response. The cyber side worries me like nothing else. It's far scarier than anything kinetic in my opinion.


Think of it this way. How would you define an operation to steal some classified files on some emerging technology? There are a number of ways you can do this but I think we would all call this an intelligence operation. You can bribe someone to give you the files, sneak into the office, spy on the office with a telephoto lens, etc. It's all espionage. What's the difference between that and a cyber intrusion? Conceptually nothing. The objective is not the problem here but the scale. These hackers aren't just stealing one file, they are stealing thousands of files with one fell swoop. This is what makes it hard to define. You can't call something an attack if the intruder didn't actually attack anything.


----------



## Teufel (Jan 3, 2021)

I think the international community defines a cyber attack as an action in cyberspace that destroys or manipulates something. This can be physical destruction, like when Stuxnet destroyed a centrifuge in an Iranian nuclear facility, or cyber destruction like when the US deleted a Hezbollah database after they took over a British tanker. Denying someone service, like what Russia did to Estonia a few years back, also qualifies. I think that we need to define a third category. Hacking into a military target like the Pentagon is one thing but hacking into our critical infrastructure is another. Where do you put the red lines? What do you do when someone crosses them? Do you respond in kind or with a kinetic attack? No one has good answers to these questions.


----------



## TYW27 (Jan 3, 2021)

GOTWA said:


> Could you say that's by design? Seems that gives one an out when determining the response. The cyber side worries me like nothing else. It's far scarier than anything kinetic in my opinion.



100%. Same here. I believe this will be the next equivalent to a nuclear arms race. And we probably have no idea how bad a cyber attack can be until someone else pulls the cyber trigger.

I read the article NPR put out about fighting ISIS through the Cyber realm. They (ISIS) had their own IT admins and an entire TEAM of IT?! And look how much they could do. Now scale that up to a Cyber army of about 100 people. Scale the technology and capabilities up and....yea that’s a scary picture.


----------



## frostyred (Jan 3, 2021)

Teufel said:


> I think the international community defines a cyber attack as an action in cyberspace that destroys or manipulates something. This can be physical destruction, like when Stuxnet destroyed a centrifuge in an Iranian nuclear facility, or cyber destruction like when the US deleted a Hezbollah database after they took over a British tanker. Denying someone service, like what Russia did to Estonia a few years back, also qualifies. I think that we need to define a third category. Hacking into a military target like the Pentagon is one thing but hacking into our critical infrastructure is another. Where do you put the red lines? What do you do when someone crosses them? Do you respond in kind or with a kinetic attack? No one has good answers to these questions.



I think the argument there is that it depends on who/what body does it, right? At least, from a policy standpoint.

This is part of the reason I'm happy the Pentagon is finally figuring out their shiz re: information warfare, because it should lead to us having a clearer direction on how to respond to things; as the military figures out what its left and right limits are regarding who they're pew-pewing with data guns, the rest of the country will probably follow suit.

How the Defense Department is reorganizing for information warfare

Which is also why I love how ARCYBER is oriented, or at least how Fogerty is pushing.

https://www.c4isrnet.com/smr/inform...tlines-ten-year-plan-for-information-warfare/


----------



## Gunz (Jan 3, 2021)

The attack levels were defined during the Obama administration with Level 5 being a catastrophic cyber attack on military and infrastructure networks, an attack that could likely, directly or indirectly, cause death and destruction.

And as far as response, I suppose it would depend on the amount of damage caused by the attack. A severe cyber attack on critical infrastructure that endangers lives and causes mass chaos ought to warrant full military retaliation. Just my 2c


----------



## frostyred (Jan 3, 2021)

Gunz said:


> The PRC’s invested billions in the technology. No doubt the Russians are engaged in R&D, as are government and private sector entities in the US and elsewhere; Google, IBM and others working on the computers themselves and various research groups working on the antidotal PQC.


Anyone who wants to learn about how China's using data in lots of scary ways should listen/read to AI Superpowers, very interesting for the person who doesn't know much about China and their cyber/data related exploits.


----------



## Kheenbish (Jan 3, 2021)

Teufel said:


> I think the international community defines a cyber attack as an action in cyberspace that destroys or manipulates something.


Having worked in the private and military areas for cybersecurity, each sector seems to define the actions differently for different purposes. 

From what I've experienced, a cyber attack defined in the private sector is an action taken to gain access or disable an operation launched from one computer to another.

This definition falls in line with the attacks mentioned but also phishing attacks where the goal isn't to disable an operation with that action, but to gain further information to potentially breach a network and either gain further access or disable an operation further on. Yes, an intrusion might not hinder an operation, but that information is used as a piece to stop an operation in the future.

I think a major issue is we are tripping over ourselves trying to define what is and isn't an attack. We spend a lot of time categorizing DCO, OCO, CNO, etc.

I think all intrusions should be seen as an attack as most are the first step in the chain to conduct follow on operations, everything starts with reconnaissance.


----------



## frostyred (Jan 3, 2021)

Kheenbish said:


> I think all intrusions should be seen as an attack as most are the first step in the chain to conduct follow on operations, everything starts with reconnaissance.


I think the problem ends up being that we haven't built a dependable structure to whose sandbox is whose; Critical infrastructure should probably fall under the umbrella of State Dept, but the DoD barely has it going, so I'm sure State and every other entity is even FARTHER behind.


----------



## Kheenbish (Jan 3, 2021)

frostyred said:


> I think the problem ends up being that we haven't built a dependable structure to whose sandbox is whose; Critical infrastructure should probably fall under the umbrella of State Dept, but the DoD barely has it going, so I'm sure State and every other entity is even FARTHER behind.


True and if we define intrusions as attacks that opens up a can of worms of setting a standard that could end up going badly for us.


----------



## TYW27 (Jan 3, 2021)

Gunz said:


> The attack levels were defined during the Obama administration with Level 5 being a catastrophic cyber attack on military and infrastructure networks, an attack that could likely, directly or indirectly, cause death and destruction.
> 
> Far scarier are the implications suggested by the development of quantum computerization, so potentially destructive that efforts to counter it—post-quantum cryptography—have been underway since 2016 or so even though quantum computers are maybe 10-15 years away from a fully functioning model.
> 
> ...



Yea, I tried to find what you were referring to on the CISA and NIST websites and couldn’t see anything. Not even with a Google search - nothing close to what you mentioned at least


----------



## GOTWA (Jan 3, 2021)

TYW27 said:


> Yea, I tried to find what you were referring to on the CISA and NIST websites and couldn’t see anything. Not even with a Google search - nothing close to what you mentioned at least



I can only imagine what an RMF package will look like in 10 years.


----------



## frostyred (Jan 3, 2021)

Kheenbish said:


> Yea, I tried to find what you were referring to on the CISA and NIST websites and couldn’t see anything. Not even with a Google search - nothing close to what you mentioned at least


Which part of that were you trying to find?


----------



## Gunz (Jan 4, 2021)

Well, I'm going back to 2013. It was proposed during the Obama Administration after the NSA attack. Now whether or not it was officially adopted by CIST or the Trump Administration, I can't say. I do remember that it came under some criticism at the time and I assumed it was official and still existed. My apologies.


----------



## frostyred (Jan 4, 2021)

Gunz said:


> Well, I'm going back to 2013. It was proposed during the Obama Administration after the NSA attack. Now whether or not it was officially adopted by CIST or the Trump Administration, I can't say. I do remember that it came under some criticism at the time and I assumed it was official and still existed. My apologies.



Obama institutes new directive on cyberattacks


----------



## Locksteady (Jan 4, 2021)

frostyred said:


> I mean, it shouldn't. We have to take the same mentality as big companies such as Microsoft and assume that either networks have already been compromised (which, in most of these instances, is true) and mitigate what we can. Informationalized warfare is a bitch because it's got so, so many more vectors of attack.


Agreed.

To this point, the extent to which information technology is inextricably intertwined with Chinese software and hardware in the supply chain makes an avoidance-based national cybersecurity policy unrealistic. The most feasible security approach seems to be one that recognizes the inevitability of penetration due to that increasingly shared technology environment and, like you said, does its best to mitigate the inevitable without crippling American businesses and the pace of tech innovations in the process.


----------



## frostyred (Jan 4, 2021)

Locksteady said:


> Agreed.
> 
> To this point, the extent to which information technology is inextricably intertwined with Chinese software and hardware in the supply chain makes an avoidance-based national cybersecurity policy unrealistic. The most feasible security approach seems to be one that recognizes the inevitability of penetration due to that increasingly shared technology environment and, like you said, does its best to mitigate the inevitable without crippling American businesses and the pace of tech innovations in the process.


Part of that is changing the common mentality on privacy, and what the basic steps are for achieving that. The U.S. populace en masse has only recently begun accepting the idea of VPN usage; I bet even fewer realize how easy it is to encrypt information; and I doubt that most state and local leadership has any measurable and dependable degree of tech literacy.


----------



## TYW27 (Jan 4, 2021)

Gunz said:


> Well, I'm going back to 2013. It was proposed during the Obama Administration after the NSA attack. Now whether or not it was officially adopted by CIST or the Trump Administration, I can't say. I do remember that it came under some criticism at the time and I assumed it was official and still existed. My apologies.



To clarify I didn’t mean that I thought your information was wrong or inaccurate. I just couldn’t find Level 4 or 5 Cyber Attacks on those websites. I did a brief Google around but the closest I found was a small business Cyber Threat module.

EDIT - see it now. Technically you could classify the SUNBURST attack as at least a level 4. It WILL cause danger to national security.


----------



## TYW27 (Jan 4, 2021)

Just read a ZDNet article that says this SUNBURST cyberattack is the Cyber Pearl Harbor we have been fearing. It does seem like the biggest hack on the US so far. So I guess we’re about to start defining the lines a lot more. I’m hoping (and a little worried) at where that might take us.

Will we retaliate with a counterattack in the cyber world? Will we do a virtual island hopping campaign that ends with a cyber attack warhead?


----------



## Kheenbish (Jan 17, 2021)

Great article from the Center for Strategic and International Studies about how the IC needs to adapt to the growing cyber and technological advances

The actual report is long, but there are a lot of good points made throughout the study.

Report


----------



## Florida173 (Jan 17, 2021)

Kheenbish said:


> Great article from the Center for Strategic and International Studies about how the IC needs to adapt to the growing cyber and technological advances
> 
> The actual report is long, but there are a lot of good points made throughout the study.
> 
> Report



My organization contributed to some of this.. and I have yet to read it in full, but I'm going to manage my expectations on what it says. I'll follow up later.


----------



## Kheenbish (Jan 17, 2021)

Florida173 said:


> My organization contributed to some of this.. and I have yet to read it in full, but I'm going to manage my expectations on what it says. I'll follow up later.


I found some of it to be common sense, but I've learned what is common sense to me is not always clear to those in leadership positions.


----------



## pardus (Nov 14, 2022)

So this seems a tad concerning…


https://twitter.com/i/web/status/1592157286101045248

https://twitter.com/i/web/status/1592157632139493377

https://twitter.com/i/web/status/1592121709443878916


----------

