<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[The Cyber Warfare Blog]]></title><description><![CDATA[Longform thoughts, on many things, from an Irishman who got a sweet domain name]]></description><link>https://blog.cyberwarfa.re/</link><image><url>https://blog.cyberwarfa.re/favicon.png</url><title>The Cyber Warfare Blog</title><link>https://blog.cyberwarfa.re/</link></image><generator>Ghost 4.4</generator><lastBuildDate>Wed, 25 Feb 2026 19:10:24 GMT</lastBuildDate><atom:link href="https://blog.cyberwarfa.re/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[The Pseudo Gang: Disinformation, Misinformation and The Troubles]]></title><description><![CDATA[<p><a href="https://blog.cyberwarfa.re/white-prop/">As I mentioned in my first post on the Cutting Room Floor</a>, I have been working on a piece on Propaganda. One of the sections was on Misinformation and Disinformation, but more importantly, I stumbled on an absolutely incredible story and it&apos;s worth sharing as it shows Disinformation being laundered</p>]]></description><link>https://blog.cyberwarfa.re/pseudo-gangs/</link><guid isPermaLink="false">63d2ab19f85c9ea22a7ba16b</guid><category><![CDATA[Cutting Room Floor]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Thu, 26 Jan 2023 20:29:44 GMT</pubDate><content:encoded><![CDATA[<p><a href="https://blog.cyberwarfa.re/white-prop/">As I mentioned in my first post on the Cutting Room Floor</a>, I have been working on a piece on Propaganda. 
One of the sections was on Misinformation and Disinformation, but more importantly, I stumbled on an absolutely incredible story and it&apos;s worth sharing as it shows Disinformation being laundered into Misinformation, before becoming a widely accepted fact, with decades of ramifications.</p><hr><!--kg-card-begin: markdown--><h1 id="misinformation-vs-disinformation">Misinformation Vs. Disinformation</h1>
<!--kg-card-end: markdown--><p>Before going forward, it&apos;s worth understanding that the propaganda I have mentioned is propaganda that is generally assumed to be truthful. Sure, companies can lie about their products and what they are capable of, as can governments and various organisations for various reasons, but there is a reason I chose to pick the examples I did, which is that while it is propaganda, all of it is backed by fact. We may not be able to see all, if any, of the full context that was used to get to these truths, but they do not contain misinformation, to the best of anyone&apos;s knowledge. This is where Disinformation and Misinformation come into the equation as rather than truth, they are backed by Confirmation Bias, Motivated Reasoning, and/or Conspiracy and built with fabricated or little to no verifiable facts.</p><p>Disinformation is not a word native to the English language. It is borrowed from Russian where it is &#x434;&#x435;&#x437;&#x438;&#x43D;&#x444;&#x43E;&#x440;&#x43C;&#x430;&#x446;&#x438;&#x44F;, or dezinformatsiya, and it is <a href="https://www.merriam-webster.com/dictionary/disinformation">information that is deliberately misleading and spread in a somewhat covert manner</a> such as via rumour, astroturfing or sock puppeting. Disinformation tends to rely on someone being receptive to the information or accepting the credibility of the source as a false authority. Disinformation is what cults rely on as part of their indoctrination processes as they target people who are vulnerable for some reason to a given idea, and this new and important social group in their life is providing</p><p><a href="https://www.merriam-webster.com/dictionary/misinformation">Misinformation on the other hand is information that is misleading, though not deliberately so</a>. 
This can be complicated as technically, <a href="https://www.theonion.com/">The Onion</a> could write a joke about <a href="https://www.theonion.com/pragues-franz-kafka-international-named-worlds-most-ali-1819594798">Prague&apos;s Franz Kafka International Airport being named the world&apos;s most alienating airport</a>; while this is a deeply funny joke, in a very well thought out and executed video, it is not intended to deceive, the aim is satire, and thus it is misinformation. Similarly, our equivalent in Ireland, <a href="https://waterfordwhispersnews.com">Waterford Whispers News</a>, is the same. When they write a <a href="https://waterfordwhispersnews.com/2014/01/21/north-korea-lands-first-ever-man-on-the-sun-confirms-central-news-agency/">story claiming that North Korea has claimed that they have landed a man on the sun</a>, it is intended as a joke, but it is misleading. Stories such as these do get picked up as real news occasionally.</p><!--kg-card-begin: markdown--><h1 id="the-pseudo-gang">The Pseudo Gang</h1>
<!--kg-card-end: markdown--><p>During the Troubles, Frank Kitson was the Brigadier in charge of the 39th Airportable Brigade; prior to this he had put down the Mau Mau Uprising in Kenya, the Malayan National Liberation Army insurgency, the Jebel Akhdar Rebellion in what at the time was known as the Sultanate of Muscat and Oman, then spent some time in Cyprus between 1967 and &apos;68 during inter-communal violence between the Greek and Turkish Cypriots. He built a whole strategy on how to conduct Counter Insurgency Operations that he laid out in a 1969 book called <em><a href="https://libcom.org/library/low-intensity-operations-subversion-insurgency-peacekeeping">Low Intensity Operations</a></em>, which formed the groundwork for a lot of the Intelligence Contest that took place during The Troubles.</p><p>A 1960 book he wrote called <em>Gangs and Counter-gangs</em> would be more influential though for the purposes of telling a wee story about Misinformation and Disinformation, but before that, I want to lay out another idea from the book to come back to later, the Cultivation and Recruitment of Assets. Kitson looked to recruit assets inside the various groups involved in the Mau Mau Uprising so that he would have intelligence of the various operations going on, but to get this intelligence he needed assets inside the various groups of Mau Mau. </p><p>As the British Forces in Kenya regularly arrested and interrogated people, some of them would be sent to a facility Kitson and his team ran called the &apos;<em>Special Methods Training Centre</em>&apos; where they could be interrogated, integrated and become trusted members of a &apos;<em>pseudo gang</em>&apos; or recruited as assets inside various Mau Mau groups. He would look for those disaffected with the group they were in, for those that had joined a group because their friends had or because life was easier in the gang, or for others who joined because there was a sense of adventure in joining one of the Mau Mau groups. 
These recruitment candidates were then put through &apos;<em>taming</em>&apos;;</p><!--kg-card-begin: markdown--><blockquote>
<p>Training&#x2014;or taming as we called it&#x2014;took place in three phases. When a new prisoner first arrived he would be treated harshly. We would chain him up, feed him on posho and little else and make him realize that he was not such a wonderful hero as he supposed. During this stage he would be primarily concerned in telling his story, and we would be involved in seeing whether he was worth trying in the job.<br>
During stage two the candidate would be gradually incorporated into the community as a friend but would not be told much about the business, nor would he be left by himself. To start with he would just be let off his chain and taken under guard to help wash the men&apos;s dishes or dig a slit trench. Gradually he would be allowed more freedom until he could walk around inside the perimeter as he pleased. Eventually if we were sure that he was going to be satisfactory he would start on stage three.<br>
From the beginning of stage three it was essential that the man should feel that he was trusted. Once he had joined us there were no reservations. He could sleep with the others, carry arms, do sentry duty or go out by himself. Frequently on one of his first patrols Eric or I would give him our pistol and carry only a simi to make him realize that he was absolutely one of the team.<br>
<a href="http://www.kalasnyikov.hu/dokumentumok/frank-kitson-gangs-countergangs.pdf">Frank Kitson; Gangs and Counter-gangs; pp 126-127</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>I mentioned &apos;<em>pseudo gang</em>&apos; so I should define that, they are a group of plainclothes military members who could be sent to infiltrate insurgent areas by looking and acting like locals including, if necessary, the requisite racism you would expect of a CIC of the British Army in Kenya;</p><!--kg-card-begin: markdown--><blockquote>
<p>&apos;After all, if they can take me for an Asian without my disguising myself at all, it should be easy enough to get them to accept me as an African if I black my face and wear the right clothes. And another thing, they must have been temporarily surprised at meeting an Asian Mau Mau, as no one has ever heard of such a thing before. As an African I should excite far less attention.&apos;<br>
<a href="http://www.kalasnyikov.hu/dokumentumok/frank-kitson-gangs-countergangs.pdf">Frank Kitson; Gangs and Counter-gangs; pp 84</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>During The Troubles, this tactic was implemented again when Kitson set up the MRF (Mobile Reconnaissance Force/Military Reconnaissance Force/Military Reaction Force. It&apos;s unclear to this day). The goal of these soldiers was to infiltrate West Belfast, an IRA stronghold, posing as road sweepers, bin men, tramps drinking methylated spirits; one woman was even a door-to-door salesperson selling cosmetic products. They would drive around conducting covert surveillance or enter burned out or abandoned shops and houses where they removed a single brick from a wall and used it as an observation post.</p><p>The MRF was more though. It was also a hit squad. Members of the MRF may disagree with this as they called their operations a &apos;<em><a href="https://thebrokenelbow.com/2013/02/23/british-war-diary-suggests-possible-mrf-role-in-effort-to-kill-brendan-hughes-while-london-buries-secret-militar-files-for-100-years/">Snatch Attempt</a></em>&apos;, but you could disagree with that given the fantastic and extensive reporting of Ed Moloney or Patrick Radden Keefe. To make sure this act was subversive and to ensure that only paramilitary groups could be blamed, the MRF used the same weapons as the paramilitaries like the L2 Sterling SMG or the ArmaLite AR-18.</p><!--kg-card-begin: markdown--><blockquote>
<p>&#x2018;We wanted to cause confusion,&#x2019; one MRF member recalled. If people believed the paramilitaries were responsible, it would erode their standing in the community and preserve the image of the army as a law-abiding neutral referee. This was particularly true in those instances where the MRF, seeking to assassinate a target, ended up inadvertently killing an unaffiliated civilian instead.<br>
<a href="https://www.williamcollinsbooks.co.uk/products/say-nothing-a-true-story-of-murder-and-memory-in-northern-ireland-patrick-radden-keefe-9780008159269/">Patrick Radden Keefe; Say Nothing: A True Story of Murder and Memory in Northern Ireland; pp 170</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>But what if the MRF assassinated the wrong person or accidentally killed a bystander? How do you remain the &apos;<em>neutral referee</em>&apos;? Well, this is where disinformation comes into the story. Police would announce that &#x2018;<em>no security forces were involved</em>&#x2019; but that there might be a connection to &#x2018;<em>political bodies</em>&#x2019;, read paramilitaries. After this, Kitson would have the local Guardian reporter, Simon Winchester, summoned for a briefing where he would lay out the incident and refer to the army&apos;s classified files on the subjects of the incident, stating that so and so was a gunman and that this is probably why they were shot.</p><p>Kitson passing this information on to Winchester is textbook disinformation. It is false information that is being spread with the intent to deceive. Winchester was also quite friendly with Kitson and his family, so he was a receptive source who did not believe that he was being influenced, or that Kitson allowing Winchester to get closer to his family reeked of classic intelligence asset cultivation, something Kitson talked about extensively in his books. Winchester didn&apos;t need to be interrogated, but as Kitson said, this step could be eliminated and assets could be quickly incorporated and made to feel like they were one of the team, a trusted person to do their duty and not think all that hard about it. Winchester also believed that the army&apos;s classified documents, the source, were true and credible and that Kitson was sharing this information with him such that the correct information could be in the public domain to preserve peace. </p><p>What makes this story of particular interest in understanding the difference between Disinformation and Misinformation is that this is where the Disinformation part of the story ends. 
When Winchester went on to publish a story that contained the Disinformation, it was no longer Disinformation, it was Misinformation. This is the case because while the information continues to be false, it was not being passed on to deliberately deceive; in fact, Winchester thought he was telling the truth, though he would later go on to realise that he was a &apos;<em>useful mouthpiece</em>&apos; for the Army;</p><!--kg-card-begin: markdown--><blockquote>
<p>I would ring up Frank Kitson and he would see me without demur and would tell me, give me chapter and verse about who the person was and the rank and position within in the IRA and the importance or otherwise of this person to the IRA, and therefore to the army, and I would then go on the &quot;World at One&quot; and seemingly blessed with profound knowledge about the inner workings of the IRA would parrot, it has to be said, parrot what Frank Kitson had told me. So I know in retrospect that I was a useful mouthpiece, which, as I say, surprised me somewhat because of my intimate, relatively intimate knowledge of the IRA from my contacts with them, but that remained true for most of my two and a half years in Northern Ireland.<br>
<a href="https://webarchive.nationalarchives.gov.uk/ukgwa/20101017060841/http://report.bloody-sunday-inquiry.org/transcripts/Archive/Ts116.htm">Simon Winchester&apos;s evidence to the Saville Inquiry on the events of Bloody Sunday; pp 108-109</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>This is a story I probably would have forgotten if not for rereading <em>Say Nothing</em> by Patrick Radden Keefe in preparation for his latest book, <em>Empire of Pain</em>. Chapter 7, The Little Brigadier, covers a number of things I have mentioned here. I dug into a rabbit hole confirming a lot of what he had said and reading some of the stuff Kitson read while trying to confirm a number of things I came across. I do recommend the audiobook read by Matt Blaney though, since he&apos;s a Nordie with a nice thick head on him and it&apos;s great to hear him pronounce words like Stickies correctly as Stick-aay&apos;s.</p>]]></content:encoded></item><item><title><![CDATA[White Propaganda: The Official Line]]></title><description><![CDATA[<p>Propaganda is a fascinating topic but it&apos;s hard to find really good case studies of various elements that are going to be broadly agreeable to a broad swath of readers. I have been working on a post in its totality for many, many years now, like no joke,</p>]]></description><link>https://blog.cyberwarfa.re/white-prop/</link><guid isPermaLink="false">63d2d12df85c9ea22a7ba1ac</guid><category><![CDATA[Cutting Room Floor]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Thu, 26 Jan 2023 20:08:22 GMT</pubDate><content:encoded><![CDATA[<p>Propaganda is a fascinating topic but it&apos;s hard to find really good case studies of various elements that are going to be broadly agreeable to a broad swath of readers. I have been working on a post in its totality for many, many years now, like no joke, 5 years... I don&apos;t think it will ever be done in full and I want to pop a few things out to get this area started since I have several of these kinds of posts. So, with that in mind, what is Propaganda?</p><!--kg-card-begin: markdown--><blockquote>
<p>Propaganda is the more or less <strong>systematic effort to manipulate other people&#x2019;s beliefs, attitudes, or actions by means of symbols</strong> (words, gestures, banners, monuments, music, clothing, insignia, hairstyles, designs on coins and postage stamps, and so forth). Deliberateness and a relatively heavy emphasis on manipulation distinguish propaganda from casual conversation or the free and easy exchange of ideas. Propagandists have a specified goal or set of goals. To achieve these, they deliberately select facts, arguments, and displays of symbols and present them in ways they think will have the most effect. To maximize effect, they may omit or distort pertinent facts or simply lie, and they may try to divert the attention of the reactors (the people they are trying to sway) from everything but their own propaganda.<br>
<a href="https://www.britannica.com/topic/espionage">Bruce Lannes Smith; Propaganda; Encyclopedia Britannica</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Everything is propaganda and propaganda is everything. Advertising is designed to manipulate your attitude toward a product, by means of the symbol that is the brand logo, to influence you to buy it. Religion is designed to manipulate your beliefs and actions so that you live the chosen righteous life according to the beliefs of that religion via symbols such as how you pray, where you pray, who your chosen god or gods are etc. It is an everyday, normal thing that we experience. Sometimes we are skeptical, and it is only that which we see as concerning, wrong, different or manipulative that we take issue with as being propaganda.</p><p>Propaganda is vast, broad and misunderstood and I&apos;m just going to give a few fun little tidbits here rather than dive deep into the whole thing. In this post I&apos;m just going to look at White Propaganda, one of the three major areas. Just for context, Grey Propaganda is Propaganda that appears legitimate, doesn&apos;t appear to have an agenda and the evidence for it is in citations that cite other sources, that cite the original source to launder facts. This is an idea called the Woozle Effect, <a href="https://youtu.be/WWfsz5R6irs?t=725">something LazerPig sums up neatly while discussing the bullshit that is the Fighter Mafia</a>.</p><p>There is also Black Propaganda, which is Propaganda that is disseminated purely for the purpose of subversion and from a source that obscures its origins. A prime example of this is the <a href="https://www.washingtonpost.com/news/worldviews/wp/2016/11/26/before-fake-news-there-was-soviet-disinformation/">Soviet Disinformation operation to influence people&apos;s opinion of the HIV/AIDS epidemic</a> in the 1980s by using an Indian newspaper called <em>Patriot</em>. Patriot was a KGB front set up expressly for disinformation; they spread the story by presenting themselves as journalists quoting scientists and studies. 
Unlike the Woozle Effect, where the citations are self-referential, here the journalists, scientists and studies don&apos;t exist because the goal was not to appear legitimate, appear to have no agenda or to launder facts, it was to foment anti-Americanism internationally, sow distrust in the US Government and potentially also to destabilize the US. Textbook effects of good Subversion.</p><hr><!--kg-card-begin: markdown--><h1 id="white-propaganda">White Propaganda</h1>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p><strong>White Propaganda</strong> &#x2014; Propaganda disseminated and acknowledged by the sponsor or by an accredited agency thereof<br>
<a href="https://www.bits.de/NRANEU/others/jp-doctrine/jp1_02(01).pdf">US Joint Chiefs of Staff; Department of Defense Dictionary of Military and Associated Terms, pp 462</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>White Propaganda is the official statement, from an official who is accredited to be a member of a given organisation. This could be the CEO of a corporation, the Pope or a Government Minister. You are aware of who these people are and what spin they are putting on the information. For example, when AMD releases a new product, you expect to see Dr Lisa Su get up on stage and announce, at least in part, the product or build up to the product before handing it over to someone else to make the announcement, who is introduced as a member of the company working in a given division. </p><p>So in that context, if the pope were to browse Instagram and <a href="https://www.independent.co.uk/news/world/europe/vatican-pope-instagram-model-natalia-garibotto-b1754001.html">like the racy photos of a Brazilian model</a>, and <a href="https://www.independent.co.uk/news/world/europe/pope-francis-likes-bikini-model-instagram-b1778571.html">then do it a second time a month later</a>, one might question whether viewing such racy imagery is now seen as a righteous thing by the Catholic Church. Furthermore, when you see that both models have OnlyFans accounts, a subscription service <a href="https://www.nytimes.com/2019/02/09/style/onlyfans-porn-stars.html">popular with sex workers</a>, but also others too, one might question whether this is a papal endorsement of pornography. Or is it an indication that Pope Francis feels that millennia of Christian Orthodoxy on the role of Mary Magdalene in the life of Jesus Christ are to be reexamined?</p><p>When the Budget is announced for Ireland, you expect to have an extensive statement, from the Minister of Finance and the Minister of Public Expenditure. 
Over the course of their extensive statements, they cover the state&apos;s economic situation, the budgets for different government departments, capital projects, supplementary spending for various things and changes to taxation regimes if needed to pay for all of this or to tax the general public less.</p><p>None of these examples are sinister, suspect or wrong in any way, but this is the point of propaganda. In a way, it is the honest manipulation of you. So with that in mind, let&apos;s take a look at some specific examples;</p><!--kg-card-begin: markdown--><h3 id="white-propaganda-in-the-united-kingdom">White Propaganda in the United Kingdom</h3>
<!--kg-card-end: markdown--><p>My favourite example of White Propaganda is the Official History. While there are many, such as the <a href="https://fas.org/sgp/library/">Gulf War Air Power Survey</a> from the US Air Force to document their performance in the war, the best example you will find is that of intelligence services in the UK.</p><p>Over roughly the past decade, there have been extensive books written by professional historians, with access to a lot of classified and archived materials, covering operations at these intelligence services from their predecessors and beginnings up to a point. The first of these, <em><a href="https://www.penguinrandomhouse.com/books/3754/defend-the-realm-by-christopher-andrew/">The Defence of the Realm: The Authorized History of MI5</a></em> by Christopher Andrew and covers the history of MI5, now known as the Security Service, the domestic intelligence and counter-intelligence service, from 1909 to the near present ending after discussing operations post 9/11. The next is <em><a href="https://www.bloomsbury.com/uk/mi6-9781408810057/">MI6: The history of the Secret Intelligence Service</a></em> by Keith Jeffery which covers the history of MI6, or the Secret Intelligence Service, the foreign intelligence service, from 1909 to 1948. Finally, there is <em><a href="https://www.bloomsbury.com/uk/behind-the-enigma-9781526605467/">Behind the Enigma</a></em> by John Ferris, a history of GCHQ, the UK&apos;s Signals and Cyber intelligence agency, from 1844 to 1992, with some details up to 2020.</p><p>As I noted, it&apos;s not limited to the UK. 
The single greatest example of this may be the absolutely titanic effort over the last 30 years and probably longer, by the German Military History Research Office to write the 12,000 page, 13 volume work, on the official history of the Wehrmacht in World War 2 titled <a href="https://global.oup.com/academic/content/series/g/germany-and-the-second-world-war-gsww/?cc=ie&amp;lang=en&amp;"><em>Germany and the Second World War</em></a>. It begins by examining the Weimar Republic, Hitler&apos;s rise to power, economics, rearmament and Foreign Policy in the build-up to World War 2.</p><!--kg-card-begin: markdown--><h3 id="white-propaganda-in-the-republic-of-ireland">White Propaganda in the Republic of Ireland</h3>
<!--kg-card-end: markdown--><p>While generally when people hear about the concept of a Ministry of Propaganda, they think in terms of Joseph Goebbels and Nazi Germany or papers like <em>Pravda</em> or <em>Izvestia</em> run by people like Stalin or Bukharin, under the auspices of <em>Agitprop</em> in the Soviet Union, it&apos;s easy to forget that propaganda is not something confined to the evils of the Nazis or the western views of the Soviet Union in the Cold War or before, but that a quick look for a <a href="https://en.wikipedia.org/wiki/Ministry_of_propaganda">list of Ministries of Propaganda</a> has some unexpected names on it, such as Ireland.</p><p>On the <a href="https://www.dail100.ie/en/long-reads/the-inaugural-public-meeting-of-dail-eireann/">21st of January 1919</a>, Sinn Fein formed a breakaway Government for Ireland and proclaimed independence from the British Empire. With Censorship still in effect from World War 1, republican ideas were censored in the press. In August 1919, the Censor was abolished, only for the D&#xE1;il to be outlawed in <a href="https://www.dail100.ie/en/long-reads/the-underground-dail/">September 1919</a>. In response to this, in <a href="https://www.dail100.ie/en/long-reads/propaganda-and-publicity/">November of 1919</a>, the D&#xE1;il began to publish the <em>Irish Bulletin</em>, published by the Department of Propaganda, which was set up on the <a href="https://www.dail100.ie/en/debates/1919-04-02/1952">2nd of April 1919</a> under the leadership of an Irish poet, Desmond FitzGerald.</p><p>The Irish Bulletin was a daily publication on Republican successes and condemnation of the British and their actions. It quickly became essential reading for foreign correspondents who wanted a more full picture of goings on in the newly formed state and about what may really be happening in the guerrilla war, even if it had a particular spin on the information. 
It also became essential reading in Westminster, especially among members of the British Labour Party who had some sympathy with the cause of Irish Republicanism. At the end of the Irish War of Independence in July 1921, the Bulletin ceased publication.</p><p>After FitzGerald was arrested, <a href="https://www.oireachtas.ie/en/debates/debate/dail/1919-06-17/14/">Erskine Childers became the Director of Propaganda</a>. He was a former British soldier who fought in the Boer War and World War 1 before becoming a champion of Irish Home Rule. As a former imperialist, he was perfect to combat British Propaganda of the time that described republican guerrilla action as the work of a murder gang, including making sure that it was official policy, from the <a href="https://www.oireachtas.ie/en/debates/debate/dail/1921-03-11/32/">11th of March of 1921</a>, that these were all actions taken as part of a state of war between the independent state of Ireland and the British Empire.</p><p>FitzGerald was released from prison in August 1921 and took his role back, the only change being that the Director of Propaganda became the Minister for Publicity in September of 1921. It is now a former ministry that was never revived, and it appears that in September of 1922 the ministry was dissolved, but I cannot find good sources for this.</p><p>None of this information would have come to light for me if not for an article by Ian Kenneally, a PhD student researching Irish history, who wrote about <a href="https://www.rte.ie/history/hunger-strikes/2020/0325/1126346-irish-media-during-the-war-of-independence/">censorship and propaganda in the Irish War of Independence for RTE</a>, which led me to <a href="https://www.iankenneally.com/">more of his work</a>, and highlighted that I had read some of it previously unknowingly. If you&apos;re interested in seeing the calibre of his research, I highly recommend reading the <a href="https://www.revolutionpapers.com/">Revolution Papers</a>, 
as well as the <a href="https://www.dail100.ie/">official history of the period</a> published as part of commemorations for the 100th Anniversary of D&#xE1;il &#xC9;ireann.</p>]]></content:encoded></item><item><title><![CDATA[Rubber Meets the Information Warfare Road]]></title><description><![CDATA[<p>With the War In Ukraine, we have a unique opportunity to look at Information Warfare happening before our eyes and compare what we saw to some of our past assumptions on what was expected to be seen in such a conflict. As someone who has spoken a lot about this</p>]]></description><link>https://blog.cyberwarfa.re/cmg-csc-22/</link><guid isPermaLink="false">62420107f85c9ea22a7b71d7</guid><category><![CDATA[Cyber & Information Warfare Theory]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Fri, 15 Jul 2022 12:09:16 GMT</pubDate><content:encoded><![CDATA[<p>With the War In Ukraine, we have a unique opportunity to look at Information Warfare happening before our eyes and compare what we saw to some of our past assumptions on what was expected to be seen in such a conflict. As someone who has spoken a lot about this previously, <a href="https://www.cmgevents.ie/">CMG Events</a> asked me to come along and update Ireland on what we have seen and what we can learn from the conflict.</p><!--kg-card-begin: html--><h4>Video of the Talk</h4>
<video width="99%" controls>
  <source src="https://d2e2xs2a2y3u97.cloudfront.net/Rubber+Meets+the+Information+Warfare+Road/Paddy+Kerley.mp4" type="video/mp4">
Your browser does not support the video tag.
</video><!--kg-card-end: html--><p><a href="https://next.cyberwarfa.re/s/GwjFaimdk5kK54G">PDF of the Slides</a></p><p>The talk last year was on the <a href="https://blog.cyberwarfa.re/iw-ie/">Information Warfare threat to Ireland</a> and served as a primer on Information Warfare as well as outlining the limited number of attacks possible in Information terms, as well as what we can see happening here in Ireland. At <a href="https://blog.cyberwarfa.re/iw-bsides-dub-22/">BSides Dublin</a>, I gave a talk which was written in a very short amount of time on what we can see happening now and why it is more boring and mundane than most people had probably expected.</p><!--kg-card-begin: markdown--><h1 id="a-quick-primer">A Quick Primer</h1>
<!--kg-card-end: markdown--><p>Last year I introduced viewers, listeners and readers to <a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.)</a> model of Information Warfare, where using Claude Shannon&apos;s <em>Mathematical Theory of Information</em>, Borden broke down the various attacks using Information Warfare to lay out the four categories of attacks available in the Information dimension of warfare, Deny, Degade, Corrupt and Exploit. He also talked about how Information Warfare would be used in a Combined Arms fashion, where militaries use multiple dimensions of warfare, such as land air and cyber at the same time, to achieve goals. This is something we have already seen in Ukraine;</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/Picture1a.png" class="kg-image" alt loading="lazy" width="1280" height="720" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/Picture1a.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/Picture1a.png 1000w, https://blog.cyberwarfa.re/content/images/2022/07/Picture1a.png 1280w"><figcaption><a href="https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/">Microsoft MSTIC; Defending Ukraine: Early Lessons from the Cyber War; pp 8</a></figcaption></figure><p>In the past, I have given examples of the various kinds of attacks in each case but as this is a quick primer and I have little new on this front, rather than give the same verbose examples, I will rather give brief explanations and only highlight new and interesting examples with context. 
If you are interested in deeper examples, you can reference previous posts and talks <a href="https://blog.cyberwarfa.re/iw-ie/">here</a> and <a href="https://blog.cyberwarfa.re/iw-bsides-dub-22/">here</a>.</p><!--kg-card-begin: markdown--><h3 id="attacks-that-deny-degrade">Attacks that Deny &amp; Degrade</h3>
<!--kg-card-end: markdown--><p>Attacks that Deny are attacks on the information itself. These can be attacks such as Wipers that in some way destroy data, but they can also be attacks that cut off your access to data or slow your access to information. This is best understood in the context of forcing adversaries onto slower connections, such as satellite instead of fibre, or cutting fibre cables so that you no longer have access to data at all.</p><p>Attacks that Deny can be broken down into two different categories. The first is attacks against data collection assets. In military terms, these could be radars or intelligence collection aircraft, but cyber audiences would be more familiar with assets such as those that feed data into SIEMs for analysts to tackle. The other form of Denial is where, rather than going after collection, you go after the analysts or decision makers that use such data. While you might see this as your CEO or CISO, traditionally militaries have seen this as high ranking officers such as generals, or the leaders of particular operations, so as to upset those operations. </p><!--kg-card-begin: markdown--><h3 id="attacks-that-corrupt">Attacks that Corrupt</h3>
<!--kg-card-end: markdown--><p>Attacks that Corrupt are attacks that feed false data into an Information Environment, and they are best exemplified in the everyday world that we all live in by disinformation such as the rubbish spewed by the Anti Vaccine crowd, or as I see them, the Pro Disease crowd. After all, if you are against preventing diseases, you are for disease. It is the flip side of that coin. Russia has a long history of such Disinformation, sometimes spread by propaganda outlets such as RT but also by <a href="https://www.irishtimes.com/news/world/how-clare-daly-and-mick-wallace-became-stars-of-authoritarian-state-media-1.4854028">useful idiots or fellow travellers of Russian ideology</a>. </p><p>In the past, I have shied away from having discussions or talking about Russia like this, as for a lot of people it is too <em>political</em>. In the wake of Russia&apos;s escalation in the War in Ukraine though, I am taking my gloves off. I am not making political statements but statements of fact, and if you disagree with me on these particular issues, that&apos;s fine! But we aren&apos;t having a disagreement about politics but about the nature of reality, because Russian Propaganda and Disinformation are no basis to build your worldview upon, nor worthy of engagement in good faith discussion.</p><p>A prime example of the impact of this Russian Propaganda and Disinformation can be seen inside Russia itself by looking at who is being targeted with it, <a href="https://openfacto.fr/2022/01/27/the-grus-galaxy-of-russian-speaking-websites/">as we saw in a fun article from the OpenFacto Francophone OSINT collective, who tracked down the massive extent of Russian Military Intelligence&apos;s control over Propaganda and Disinformation once the GRU was linked to the InfoRos group of sites</a>. 
The GRU uses InfoRos as a form of population control, limiting and shaping the opinions of ordinary Russians on a daily basis, as the InfoRos sites are among the most popular in Russia.</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/OpenFacto.jpg" class="kg-image" alt loading="lazy" width="1280" height="739" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/OpenFacto.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/OpenFacto.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/07/OpenFacto.jpg 1280w"><figcaption><a href="https://openfacto.fr/2022/01/27/the-grus-galaxy-of-russian-speaking-websites/">OpenFacto; The GRU&#x2019;s galaxy of Russian-speaking websites; pp 8</a></figcaption></figure><p>InfoRos is also cited as a news source by other sites whose content is then shared around the world, such as Infobrics and OneWorld Press, which spread anti-Western and pro-Russian Propaganda and Disinformation. <a href="https://apnews.com/article/virus-outbreak-ap-top-news-health-moscow-ap-fact-check-3acb089e6a333e051dbc4a465cb68ee1">It should also be noted that Denis Tyurin and Aleksandr Starunskiy have both served as directors of InfoRos</a>. Estonian intelligence has identified Starunskiy as commander of, and Tyurin as an officer in, GRU unit 54777 (<a href="https://www.valisluureamet.ee/doc/raport/2021-en.pdf">pp 62</a>). This unit specializes in psychological warfare, informational confrontation, information-technical influencing of foreign countries and protecting Russia against foreign information operations. </p><p>Part of this unit&apos;s operations includes targeting &quot;the civilian population&quot; with psychological warfare. So what impact does all of this have on ordinary Russians? Well, a group of people put together a Google Map of local war dead from the War in Ukraine. 
The map has now been removed for a violation of the Terms of Service, but I took some screenshots of it, and you can see that there is a relationship between the places where InfoRos operates and where Russia&apos;s war dead are from;</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/Picture1c.png" class="kg-image" alt loading="lazy" width="1280" height="590" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/Picture1c.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/Picture1c.png 1000w, https://blog.cyberwarfa.re/content/images/2022/07/Picture1c.png 1280w"><figcaption>Map of Russian war dead on Google Maps. Map now removed for violation of Terms of Service, but the link was available <a href="https://www.google.com/maps/d/u/0/viewer?mid=1TJ8zbdzBV-Q5_WYUEtV13QGOL9LF8nbQ&amp;shorturl=1&amp;ll=52.70054370322457%2C92.91683098543638&amp;z=4">here</a>. Sadly the map was not archived prior to removal by Google.</figcaption></figure><p>I do wish I could overlay the Open Facto map with the one from Google, but they use different projections, and while I have some photoshop skills, I don&apos;t have the ability to curve a Mercator Projection over whatever Open Facto used. The good news is that while I can&apos;t do this, <a href="https://www.bbc.com/russian/features-62087305">BBC Russia did their own dive into Russia&apos;s war dead and created their own maps</a>, though they did so by Oblast rather than at the granular depth Open Facto used, so you can&apos;t see the impact of the Propaganda.</p><p>We can also see a great example of Russia&apos;s process in action: in November, Tim Kirby, an American by birth but a Kremlin sock puppet by profession, began to talk about US funded Biolabs in Ukraine on his English language radio show in Russia. 
Once this is out there before the war starts, it is prepositioned to be amplified by other sock puppet outlets when the time comes that it is needed. </p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/Picture4a-1.png" class="kg-image" alt loading="lazy" width="1280" height="474" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/Picture4a-1.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/Picture4a-1.png 1000w, https://blog.cyberwarfa.re/content/images/2022/07/Picture4a-1.png 1280w"><figcaption><a href="https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/">Microsoft MSTIC; Defending Ukraine: Early Lessons from the Cyber War; pp 14</a></figcaption></figure><p>In some ways, this is a very spaghetti-at-the-wall approach, but all you need is to keep coming up with outlandish ideas and for one to take hold for it to become a whole thing. We see this regularly with conspiracy theories. Once the war began, Russian sock puppet sites amplified the Disinformation, and it eventually took hold. You would expect that any credible journalist would do their due diligence, but journalism is dead and clicks are king, so it became a major news story built on nothing but Kremlin fuelled hot air, sometimes with the Kremlin&apos;s own &quot;Journalists&quot;;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">RT journalist Bryan MacDonald: &#x2018;I called the war wrong. I clearly wasn&#x2019;t as much of an expert as I thought I was&#x2019;  <a href="https://t.co/pW0qTGs65h">https://t.co/pW0qTGs65h</a></p>&#x2014; Kevin Rothrock (@KevinRothrock) <a href="https://twitter.com/KevinRothrock/status/1504064797104615427?ref_src=twsrc%5Etfw">March 16, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>This is a regular problem when dealing with such Kremlin Propaganda and Disinformation. Experts turn out to be not experts at all and are pushing a particular angle that is curiously pro-Russian. And sometimes we disappointingly see that in causes that I for example believe in, such as this comment from the Peace and Neutrality Alliance (PANA);</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Let&apos;s ignore the strategic narcissism for a second, I&apos;ll come back to that...<br><br>Ukraine was attacked by a superpower. Losing ONLY two cities is an achievement especially when you consider that the cities where lost and recovered <a href="https://t.co/bSehbefFDe">https://t.co/bSehbefFDe</a></p>&#x2014; &#x1F595;&#x41F;&#x443;&#x301;&#x442;&#x456;&#x43D; &#x445;&#x443;&#x439;&#x43B;&#x43E;&#x301; &#x1F499;&#x1F49B; &#x421;&#x43B;&#x430;&#x432;&#x430; &#x456; &#x43F;&#x43E;&#x431;&#x435;&#x434;&#x430; &#x423;&#x43A;&#x440;&#x430;&#x457;&#x43D;&#x456; &#x1F1FA;&#x1F1E6;&#x270A; (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1541914929418092548?ref_src=twsrc%5Etfw">June 28, 2022</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p>Now not everything PANA says is pro-Russian but it is worth noting that while they are anti-American, they are also curiously quiet on Russia&apos;s War in Ukraine and then say pro-Russian things on twitter. 
It makes you question how pro peace they are and what they really stand for, if they only want the US to be peaceful but are ok with other, more authoritarian regimes going to war, particularly the brutal war that Russia wages.</p><p>As we have learned time and time again, <a href="https://comp.social.gatech.edu/papers/cscw18-chand-hate.pdf">the most effective way to deal with Disinformation and Propaganda is to deplatform such sock puppets, along with those who spread hate such as Nazis and racists. Not only does it make the world a better place for everyone, but it also makes such people feel unwelcome in regular society, which they should be</a>. To an extent, <a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1490">we have done this in Europe and we are all the better for it</a>.</p><p>Now some people don&apos;t like this as they believe it infringes their Free Speech, but in an <a href="https://www.nytimes.com/2022/02/03/opinion/culture/joe-rogan-spotify-roxane-gay.html">essay in the New York Times</a>, Roxane Gay discusses the idea that this isn&apos;t censorship, where there is an attached punishment, but curation, where we choose not to discuss or engage with such hate or bigotry. In the Marketplace of Ideas that we have today, we nearly universally agree that there are some just bad ideas, like Nazism or Neo-Nazism. By choosing not to engage with these ideas, we are expressing that they are unacceptable. By deplatforming them, we are saying that they are unacceptable in decent society, and the frankly genocidal statements made on &#x420;&#x43E;&#x441;&#x441;&#x438;&#x44F;-1, for example, are totally unacceptable.</p><!--kg-card-begin: markdown--><h3 id="the-other-corruption">The Other Corruption</h3>
<!--kg-card-end: markdown--><p>One of the things that I am becoming increasingly cognizant of is how algorithms tailor a picture of the world. This can be through search results, where we are <em>Filter Bubbled</em> into being a particular person based on the data a search engine has about us. Or how twitter doesn&apos;t show us information as it comes in from those we follow, but what twitter thinks we should see based on what it thinks we want. This can be problematic when a company has a poor picture of who you are. So for example, if you ask twitter for all of your data, which you are entitled to do under GDPR, you can see who twitter&apos;s algorithms think you are, and because I gave literally zero data to twitter, all they know is that I am a male between 13 and 54 and I speak English. That is it;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/Capture-1.PNG" class="kg-image" alt loading="lazy" width="595" height="418"><figcaption>My personal data from twitter</figcaption></figure><p>It should also be noted that this can be used for more nefarious purposes, as we can see with the Great Firewall in China, where data is only allowed in if it passes muster with the censors at the Publicity Department of the Chinese Communist Party. 
Some of these things sometimes bleed out into the rest of the world, as we have seen with <a href="https://twitter.com/AirMovingDevice/status/1195575891146895360?s=20&amp;t=Oju5M2KdYL0fEk4l5o1d_w">TikTok</a>, where keywords in posts trigger a review before the post is publicly visible, or how <a href="https://twitter.com/Osinttechnical/status/1537842621430767617?t=epDXM7ghpRRgbLM4pibEVA&amp;s=19">TikTok</a> has sent data back to China even though they pinky promised not to, or <a href="https://twitter.com/fs0c131y/status/956628910308982785">OnePlus phones</a> sending a file called <code>badtext.txt</code> back to China for some reason. I could go on; I have piles of examples like this where a mix of Governments and Surveillance Capitalism generally are being used to exploit or monitor people in extremely distasteful ways, <a href="https://www.nytimes.com/2022/06/30/business/dealbook/abortion-privacy-risks-data.html">something women, particularly in the US, are coming to terms with very quickly</a>.</p><!--kg-card-begin: markdown--><h3 id="attacks-that-exploit">Attacks that Exploit</h3>
<!--kg-card-end: markdown--><p>Finally, there are attacks that Exploit. Exploitation here means exploitation in the intelligence sense rather than the cyber sense. Rather than infiltrating a system, you are collecting intelligence on adversary actions to build a picture of what is going on. This can be collecting and analysing fresh data as it comes in, or it can be taking previously collected intelligence and reanalysing it in the current context to build a more accurate picture of the threat posed by a particular adversary, a process called Back Bearing. Last year I showcased how you can use Back Bearing to put Russian intelligence operations in Ireland into context, and this year I can do the same by looking at the diplomatic lists that the <a href="https://www.dfa.ie/embassies/embassies-in-ireland/">Department of Foreign Affairs publishes every month</a>, comparing February 2022 to March 2022, when Ireland expelled four Russian diplomats for &quot;<a href="https://www.independent.ie/world-news/ireland-to-expel-four-russian-diplomats-for-security-reasons-in-what-embassy-calls-an-arbitrary-groundless-decision-41499741.html">security reasons</a>&quot; i.e. 
they were spies;</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/Picture6a.jpg" class="kg-image" alt loading="lazy" width="572" height="824"><figcaption><a href="https://www.dfa.ie/embassies/embassies-in-ireland/Diplomatic-List-FEBRUARY-2022.pdf">Accredited Diplomats at the Russian Embassy in Dublin as of February</a> and the same list as of <a href="https://www.dfa.ie/embassies/embassies-in-ireland/Diplomatic-List-MARCH-2022.pdf">March</a></figcaption></figure><p>While I can&apos;t identify all four diplomats that we expelled, as one of them may have been some kind of lower functionary rather than a fully accredited diplomat, we can for example look at Igor Molyanov, who has a <a href="https://www.linkedin.com/in/igor-molyanov-2046b43a">LinkedIn page</a>. Now if you&apos;re expecting these identities to tie back to something major, you&apos;ll be disappointed. Take Vladimir Vasilchik, or in Russian &#x412;&#x43B;&#x430;&#x434;&#x438;&#x43C;&#x438;&#x440; &#x412;&#x430;&#x441;&#x438;&#x43B;&#x44C;&#x447;&#x438;&#x43A;, which you can use to find a completely empty <a href="https://www.facebook.com/vladimir.vasilchik/">facebook</a> profile (archived <a href="https://web.archive.org/web/20220706090958/https://www.facebook.com/vladimir.vasilchik/">here</a>), for example. </p><p>This is because these identities are what are known as Legends. These are credible identities, with backgrounds, that one can use to get by as someone else, for example as a student, <a href="https://www.bellingcat.com/news/americas/2022/06/16/the-brazilian-candidate-the-studious-cover-identity-of-an-alleged-russian-spy/">as we saw with Victor Muller Ferreira a.k.a. Sergey Vladimirovich Cherkasov, a Russian spy who attended Trinity College Dublin between 2014 and 2018 as part of building his legend</a>.</p><!--kg-card-begin: markdown--><h1 id="what-we-can-learn">What We Can Learn</h1>
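<p>The Back Bearing comparison described in the section above, diffing one month&apos;s published diplomatic list against the next to see who has disappeared, as an added example that is not part of the original post. The two lists are constructed sample data with placeholder names in the rough shape of a published list (rank, name, date of accreditation); they are not the real DFA February and March 2022 lists, and the line format is an assumption, so the regular expression would need adjusting for the real PDF text.</p>

```python
"""
Added example, not from the original post: "back bearing" on a published
diplomatic list by diffing two monthly snapshots of it.

FEB_LIST and MAR_LIST are CONSTRUCTED sample data with placeholder names in
an assumed "Rank: Name (date of accreditation)" line format. They are not the
real DFA lists, and a real extraction would need its own line pattern.
"""
import re
import unicodedata
from dataclasses import dataclass

FEB_LIST = """\
Ambassador Extraordinary and Plenipotentiary: Mr A. Ivanov  (12/03/2019)
Counsellor: Mr B. Petrov (01/09/2018)
First Secretary: Mr C. Sidorov (15/02/2020)
Second Secretary: Mr D.   Smirnov (30/06/2021)
Attaché: Mr E. Kuznetsov (05/11/2019)
"""

MAR_LIST = """\
Ambassador Extraordinary and Plenipotentiary: Mr A. Ivanov (12/03/2019)
Counsellor: Mr B. Petrov (01/09/2018)
Second Secretary: Mr D. Smirnov (30/06/2021)
Third Secretary: Mr F. Popov (01/03/2022)
"""

# Assumed line shape: "<rank>: <name> (<date>)". Anything else is skipped.
LINE_RE = re.compile(r"^(?P<rank>[^:]+):\s*(?P<name>.+?)\s*\((?P<date>[^)]*)\)\s*$")


@dataclass(frozen=True)
class Entry:
    rank: str
    name: str
    accredited: str


def normalise_name(raw: str) -> str:
    """Matching key for one person across snapshots: accents stripped,
    whitespace collapsed, lower-cased. Month-to-month copies of the same
    list often differ only in spacing or diacritics, and that must not be
    reported as someone leaving and someone else arriving."""
    ascii_only = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    return " ".join(ascii_only.split()).lower()


def parse_list(text: str) -> dict[str, Entry]:
    """Parse the list into a dict keyed by normalised name."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, unparseable rows: do not guess
        entry = Entry(m["rank"].strip(), " ".join(m["name"].split()), m["date"].strip())
        entries[normalise_name(entry.name)] = entry
    return entries


def diff_lists(old_text: str, new_text: str) -> dict[str, list]:
    """Who disappeared, who arrived, and whose rank changed between two
    snapshots. 'removed' is the set to check against expulsion reporting;
    'added' is the set of new arrivals to start watching."""
    old, new = parse_list(old_text), parse_list(new_text)
    removed = [old[k] for k in old.keys() - new.keys()]
    added = [new[k] for k in new.keys() - old.keys()]
    rank_changed = [(old[k], new[k]) for k in old.keys() & new.keys()
                    if old[k].rank != new[k].rank]
    return {
        "removed": sorted(removed, key=lambda e: e.name),
        "added": sorted(added, key=lambda e: e.name),
        "rank_changed": rank_changed,
    }


if __name__ == "__main__":
    for kind, entries in diff_lists(FEB_LIST, MAR_LIST).items():
        print(kind)
        for entry in entries:
            print("   ", entry)
```

<p>On the constructed data the diff reports two departures and one arrival; the spacing difference in the Smirnov row and the accent in Attaché are deliberately there to show that normalising names before comparing matters, otherwise a re-typeset PDF would produce a page of false churn.</p>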
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h2 id="1-reassess-threat-risk-models-and-your-intelligence-cycle">1. Reassess Threat &amp; Risk Models and Your Intelligence Cycle</h2>
<!--kg-card-end: markdown--><p>In Intelligence, one of the most valuable things you can do is to look at your Intelligence Cycle and look for flaws in your processes. Generally, this is valuable because you always want to be producing your best intelligence, but it&apos;s even more important when you are wrong about something. Some people find being wrong to be a bad thing; they perceive that it makes them a bad person or less worthy. I, on the other hand, LOVE being wrong! Being wrong is the single best way to learn something and to improve whatever you are wrong about. To quote one of my personal heroes, Gene Kranz;</p><!--kg-card-begin: markdown--><blockquote>
<p>Failure is an ingredient in life, it&apos;s an ingredient in growing. Probably the worst failure of my life, and our lives as mission controllers, is when we lost our crew. And we lived with that failure. And what we did about it though, became very important. We sat and established a set of values, a set of standards, that we would all live up to. They were expectations for ourselves and for others. Failure is an incredible, intense, learning process and if you use it as a learning process, it was worthwhile<br>
<a href="https://youtu.be/jwJfIh4Fwmk">Gene Kranz on Failure: My Path; Smithsonian National Air and Space Museum; @ 00:01:15</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>If we apply this to myself and my thinking on Russia, my biggest failing remains my horrendous Russian... Years of trying to learn it have not paid off all that well so I have limited access to some very valuable information. Google Translate can of course help, but if you want to go into a forum used by Russian soldiers posted in one part of Siberia to try and understand how they feel about various things, you are going to be gated off from a lot of the best information about how troops feel about various situations or how they see the world from inside Russia.</p><p>Of the data I do have access to, in English, the small amount of Russian that I can read, Russian via Google Translate or Russian I can have a friend translate, there are two other categories that my failings fall into. The first is my failure to connect the dots between disparate events, and the second is my failure to weigh data properly.</p><!--kg-card-begin: markdown--><h3 id="dots-i-didnt-connect">Dots I Didn&apos;t Connect</h3>
<!--kg-card-end: markdown--><ol><li>I was aware that Russian pilots had lower flight hours per year when compared to other militaries. The International Institute for Strategic Studies, in their 2014 edition of The Military Balance, estimated that Russian combat pilots had approximately 60 to 100 flight hours per year and transport pilots had 120 flight hours per year. For comparison, <a href="https://www.military.com/daily-news/2018/03/14/air-force-sets-goal-20-flight-hours-month-pilots.html">The US Air Force in 2018 had pilots flying 18 flight hours per month</a>, or around 200 per year. While this is lower than what the USAF wants, it is between double and treble what Russian combat pilots get by comparison. Ultimately, flying a plane towards the ground so you can fire off some rockets is an utterly terrifying experience that you can&apos;t just go out and do! You need to train to be able to do things like that. The same goes for a lot of things, and when you are training, you aren&apos;t under fire from a billion stinger missiles with your actual life at stake. So being able to tune out the monkey brain and focus on the mission is hard and requires you to train for these things, repeatedly.</li><li>I was aware that Russia had particularly poor logistics when compared to a western military. Where we would use a Company, a unit with between 80 and 250 people, <a href="https://warontherocks.com/2021/11/feeding-the-bear-a-closer-look-at-russian-army-logistics/">Russia would use a Platoon</a>, a unit with 10 to 100 people. In military terms, this is a unit an order of magnitude smaller. I knew that Russia was tied to railroads and that they just didn&apos;t have enough trucks to supply their troops in an engagement, <a href="https://twitter.com/TrentTelenko/status/1499164245250002944">let alone the state of the trucks</a>. 
What I wasn&apos;t aware of though was that <a href="https://podcasts.apple.com/us/podcast/what-wooden-pallets-have-to-do-with-russias-invasion/id1056200096?i=1000556331039">Russia&apos;s military hasn&apos;t adopted the concept of pallets</a>. When I first heard this, it broke my mind... For me, there are only two lessons worth learning from World War 2, and one of them is that logistics win wars. You can see it in Normandy with the Red Ball Express, on small Pacific islands with the Tokyo Express, and you can see it on the Eastern Front, where fighting happened basically along railroads or to cut rail links. You can even see it in US tank platoons, where the US designed the Platoons around the GMC CCKW 2&#xBD;-ton truck. One truck could carry all the fuel, ammo, spares, food etc. that a platoon of 4 or 5 Shermans would need to operate for a day. Not to mention that the Sherman itself was designed to be highly reliable so that it would need less maintenance and be less of a logistical burden, and that the existing burden led directly to the design of Roll On/Roll Off ships, which are commonplace today in military and civilian logistics.</li><li>There is a lot that could be said on corruption in Russia&apos;s Armed Forces; <a href="https://rusi.org/explore-our-research/publications/commentary/corruption-russian-armed-forces">RUSI has a fantastic blog post</a> linking to just some of the issues that have come to light because of the War in Ukraine. In particular though, I want to focus on the radios that Russian Forces are using. They should be using the R-187 Azart SDR radio, <a href="https://roe.ru/eng/catalog/land-forces/military-communications-equipment-and-automated-control-systems/azart/">which on paper is a modern military tactical radio</a>, but what we really see them using is a bunch of civilian Baofeng UV-82 radios, which you used to be able to buy on Amazon for around 100 quid. 
<a href="https://www.kommersant.ru/doc/4712794">The Azart radio contract was to be 18.5 billion rubles, but 6.7 billion was stolen through bribes and people skimming cash off the top for themselves</a>. In the end, the radios ended up being cheap-ish junk, mostly made in China using off the shelf parts. This is no way to make one of the most mission critical pieces of military hardware.</li><li>The Su-25SM3 upgrade program, which would bring the Su-25 up to early to mid 2000s western standards in Close Air Support aircraft, started in 2014. <a href="https://www.janes.com/defence-news/news-detail/russias-su-25sm3-deep-upgrade-programme-gains-pace-and-scope">By 2019, 25 upgraded aircraft had been delivered</a>, with <a href="https://armstrade.org/includes/periodics/news/2020/0218/142556761/detail.shtml">three more in 2020</a> and <a href="https://armstrade.org/includes/periodics/news/2021/0217/122061696/detail.shtml">what sounds like a single one in 2021</a>. We see similar things with the vaunted T-14 program, where thousands were to be built but to date we have really only seen prototypes, and <a href="https://tass.com/defense/1262637">the first deliveries were to arrive in 2022</a>, but I don&apos;t think that will happen for reasons I can&apos;t quite put my finger on... The delivery was also to be made to the Taman Guards, but <a href="https://twitter.com/mdmitri91/status/1539618506576207874?t=P1uMc5S5vnKytCuR9YjEcA&amp;s=19">to say they have been decimated in Ukraine would be a gross understatement</a>.</li><li>After reading Mark Galeotti&apos;s fantastic book, <em>The Vory</em>, on the history of the Russian Mafia and, to an extent, Russian Organised Crime in general, I was well aware of the depths to which organised crime had permeated Russia, from culture to the government. Even when Putin went into Ukraine first in 2014, some of his vanguard were Russian gangsters along with local Ukrainian mobsters. 
I knew about &#x41A;&#x440;&#x44B;&#x448;&#x430; (Krysha), literally meaning roof or, in context, protection, but I didn&apos;t think that the military would need protection too. <a href="https://twitter.com/ChrisO_wiki/status/1539019236890263552">The story of Misha the Bear and how he extorted three brigades at a base that became known as The Damned Place is worth reading up on</a>.</li><li>Finally, I was aware of &#x434;&#x435;&#x434;&#x43E;&#x432;&#x449;&#x438;&#x43D;&#x430; (Dedovshchina) in the Russian Armed Forces. This is the culture of hazing, as some people call it, but as I see it, it is the bullying of lower ranking soldiers by higher ranking ones. Over time this has led to an internal culture of brutality in the Russian Armed Forces whereby the most brutal rise to the top. This is why so many Russian officers see no issue with indirectly or indiscriminately bombing civilian targets or committing war crimes such as torture and murder in places like Bucha, Borodianka and Makariv. I can hardly imagine the effect that this culture has on a private who may never have seen any active combat at all and has only gotten the most basic of training.</li></ol><p>I can&apos;t even begin to fathom how any of this would impact Russian soldiers&apos; ability to fight or the state of their morale, and I haven&apos;t even mentioned <a href="https://twitter.com/christogrozev/status/1520016749944524800?s=20&amp;t=3MFcVtks3sKqABjyjWqV5A">how behind the times their medical equipment is in the field</a> or <a href="https://twitter.com/LegendaryPatMan/status/1495732065832255489?s=20&amp;t=xOX-zjD4z1uhaz3s_RukxA">how, just prior to the war, some soldiers went days without rations when I could buy them online</a>, and <a href="https://twitter.com/InvestorHumbl/status/1498423097971646464?s=20&amp;t=xOX-zjD4z1uhaz3s_RukxA">in date, when they were getting gone off ones</a>.</p><!--kg-card-begin: markdown--><h3 id="poor-data-weighing">Poor Data Weighing</h3>
<!--kg-card-end: markdown--><ol><li>Estonia&apos;s Foreign Intelligence Service publishes a yearly document, which they call <a href="https://www.valisluureamet.ee/assessment.html">International Security and Estonia</a>. I have been reading them for years at this stage because they are fascinating documents from one of the few countries in Europe willing to call things as they see them. In particular, they see Russia as their largest threat and generally they have a LOT to say about Russian actions in Estonia and the greater Baltic region. In 2021, they specifically said that the Russian Armed Forces&apos; presence in Ukraine &quot;<em>is a clear sign of Russia&#x2019;s unwillingness to renounce aggression.</em>&quot; (<a href="https://www.valisluureamet.ee/doc/raport/2021-en.pdf">pp 18</a>). In the 2022 report, which came out on the 31st of January 2022, the document literally said &quot;<em>In our assessment, the Russian Armed Forces are ready to embark on a full-scale military operation against Ukraine from the second half of February.</em>&quot; (<a href="https://www.valisluureamet.ee/doc/raport/2022-en.pdf">pp 10</a>). While this is all data I was aware of, and by the middle of January I had my mind made up that Russia was going to invade Ukraine, including picking dates, the Estonians were one of the few to make that call, and, before anyone was taking notice, to make it clear that actions such as we saw from March 2021, when the military buildup on Ukraine&apos;s border started, were par for the course for Russia.</li><li>I fell for Disinformation. Lots of it. Even though I should have known better. In particular, I wasn&apos;t as skeptical as I should have been with news sources such as TASS or Pravda. 
When there was a missile test, <a href="https://twitter.com/Archer83Able/status/1516893273482272768?s=20&amp;t=MxbeQIZpW6RGL_ZItFSwKg">such as we saw with Sarmat</a>, I shouldn&apos;t have assumed that this was a <a href="https://tass.ru/armiya-i-opk/4118196">production specimen rather than a unique one-off</a> built to make the troubled program finally seem finished to the world. When I was looking at military exercises like ZAPAD or VOSTOK, I should have assumed that they were more choreographed than I had realized, as I have since been told that in some cases troops trained just for their one bit, to seem powerful to Dear Leader Vladimir Vladimirovich. </li></ol><p>Now this is all stuff I should have known better about. After all, I do spend A LOT of time talking and thinking about Russian Information Operations. But it should also be a lesson in the power of Disinformation, particularly in an area that is known to be particularly hard to analyse, as military power isn&apos;t as simple as comparing numbers and requires expertise well beyond a single area. It also requires that you dig really deep into some very weird details, like how long chromium-lined barrels for artillery cannons can hold up to wear when you are firing hundreds of rounds per day, and what you can do to mitigate the performance degradation that happens over time (<a href="https://www.sto.nato.int/publications/STO%20Meeting%20Proceedings/RTO-MP-AVT-109/MP-AVT-109-16.pdf">pdf download for reference</a>). Though, none of this stopped me from believing <strong>&#x421;&#x43B;&#x430;&#x432;&#x430; &#x43F;&#x43E;&#x431;&#x435;&#x434;&#x430; &#x423;&#x43A;&#x440;&#x430;&#xEF;&#x43D;i </strong>(Glory to Victory of Ukraine)</p><!--kg-card-begin: markdown--><h3 id="with-good-data-comes-good-analysis">With Good Data Comes Good Analysis</h3>
<!--kg-card-end: markdown--><p>In the run-up to the War in Ukraine kicking off again, I was still subject to a lot of these flaws, but there was so much overwhelming data coming in on what was going on that it was very, very easy to discount the disinformation coming from Russia. </p><p>The other thing that is worth noting is that internally, for Wonks doing OSINT, I try to drive the <a href="https://smallwarsjournal.com/jrnl/art/f3ead-opsintel-fusion-%E2%80%9Cfeeds%E2%80%9D-the-sof-targeting-process">F3EAD Cycle</a> (Find, Fix, Finish, Exploit, Analyse, Disseminate). One of the Wonks, who wants to remain anonymous, so let&apos;s call them Horacio, is incredible at using the F3EAD cycle! They use a nearly entirely curiosity-driven approach to understanding what is going on in a given area and do so over time. They fuse GIS with imagery, AIS, ADS-B and documentary evidence from the past and present, along with their thoughts and analysis as their work is ongoing. This continuous process of recombining data based on what is happening, and sharing it openly for criticism and input from the Hivemind of Wonks, allows them to continually refine their understanding of what they are looking at, build signatures and start to make intelligence-driven predictions about what is going on over time.</p><p>That is real intelligence work! Which kinda leads me to my third failing. I do a lot of my thinking by taking notes and saving things, and I do so in a mostly siloed way. I rarely share it or work in a completely open fashion like Horacio, leaving me subject to my own biases. The few times I do come out of this silo are when there are major world events going on and the Hivemind dogpiles into a thread on Slack and brings the app to its knees. 
This is what happened in the lead-up to the war and it brought around some interesting results.</p><p>The <em>Rasputitsa</em> to Russians, or <em>Bezdorizhzhya</em> to Ukrainians, is the rainy season when the unpaved, and sometimes paved, areas of Russia and Eastern Europe become so impassable that even tanks, which should be able to cross all terrain at all times, <a href="https://twitter.com/i_army_org/status/1498210377036881923?s=20&amp;t=tEYVhr8-VbYIwRaFyIrIZA">get literally swallowed up by the mud</a>. Knowing this was coming, that the Winter Olympics were on in China, and that Xi Jinping really enjoys sportswashing things like China&apos;s genocide of the Uyghurs, Putin was unlikely to make enemies on all his flanks by starting a war while the Games were on. We also knew that units were coming from the Eastern Military District, and could estimate the travel time from the East to the West of Russia, the time to unload, make it to jumping-off points, receive plans or objectives and plan for them. </p><p>You could make a pretty good guess that, with Putin&apos;s short-war hypothesis, the war would begin sometime after the 21st of February and before the Rasputitsa, which generally starts at the beginning of March, though exactly when it hits varies. Regardless, it gives a neat little window of two weeks to have a quick 20-minute adventure, in and out. It would also allow Putin two months to attempt to wrap up partisan activities before May 9th, Victory Day.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">A week later in response to an emoji poll I laid out what I believed Russia would do based on their operational tactics. 
I believed that they would bring the God of War to bear on Ukraine followed by an offensive in the current war to take major economic centres off of Ukraine&#x2075; <a href="https://t.co/UtNInLopIB">pic.twitter.com/UtNInLopIB</a></p>&#x2014; &#x1F595;&#x41F;&#x443;&#x301;&#x442;&#x456;&#x43D; &#x445;&#x443;&#x439;&#x43B;&#x43E;&#x301; &#x1F499;&#x1F49B; &#x421;&#x43B;&#x430;&#x432;&#x430; &#x456; &#x43F;&#x43E;&#x431;&#x435;&#x434;&#x430; &#x423;&#x43A;&#x440;&#x430;&#x457;&#x43D;&#x456; &#x1F1FA;&#x1F1E6;&#x270A; (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1495843510603464705?ref_src=twsrc%5Etfw">February 21, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>Using data from studies about Russian combat power and their perceived ability to attack in a given direction, along with my knowledge of how Russia&apos;s Armed Forces are supposed to fight, I made some predictions about what their targets would be. In particular, I laid out some major targets for Russia such as Kharkiv, Kherson, Kyiv, Mariupol, Odesa, Sumy and Zaporizhzhia. This allowed me to draw a map of what I believed Russia&apos;s offensive would look like;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/FMI63IMXsAQezL3.jpg" class="kg-image" alt loading="lazy" width="2000" height="1343" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/FMI63IMXsAQezL3.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/FMI63IMXsAQezL3.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/07/FMI63IMXsAQezL3.jpg 1600w, https://blog.cyberwarfa.re/content/images/size/w2400/2022/07/FMI63IMXsAQezL3.jpg 2400w" sizes="(min-width: 1200px) 1200px"><figcaption>The map comes from my tweet found <a href="https://twitter.com/LegendaryPatMan/status/1495843517557522436?s=20&amp;t=aJwu0skmfHxDdLmVEN-OYA">here</a>.</figcaption></figure><p>For the most part, this is what we saw. The Northern Axis, in red, culminated with the Western Flank stalling in a 40 km convoy to nothing and the Eastern Flank stalling at the Siege of Chernihiv. The Northern Front of the Central Axis was stalled in the Battle of Sumy but did try to go around Sumy and deeper into Ukraine, reaching as far as the area around Brovary on March 31st, while the Southern Front culminated in the Battle of Kharkiv. The Donbas Axis pushed out to take the whole of the Donetsk and Luhansk Oblasts. 
Finally, the Southern Axis would, along with the Donbas Axis, push for Mariupol, where we witnessed the Siege of Mariupol, along with a push for Kherson and Odesa, though Ukraine headed off this push at Mykolaiv.</p><p>Overall, I had quite the high hit rate. I picked the areas Russia would attack, though not exactly the correct methods; I picked the dates that Russia would attack and was off by 24 hours; and I did this over a month in advance. This is the power of intelligence when driven by good data that has been understood, rigorously analysed and critiqued, rather than fitting assumptions and biases to the situation.</p><!--kg-card-begin: markdown--><h3 id="looking-forward">Looking Forward</h3>
<!--kg-card-end: markdown--><p>Back to cyber things. So if we look at Russian cyber activities in Ukraine, can we learn anything from what we see in the data?</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/Capture.PNG" class="kg-image" alt loading="lazy" width="2000" height="1125" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/Capture.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/Capture.PNG 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/07/Capture.PNG 1600w, https://blog.cyberwarfa.re/content/images/size/w2400/2022/07/Capture.PNG 2400w" sizes="(min-width: 1200px) 1200px"><figcaption><a href="https://github.com/curated-intel/Ukraine-Cyber-Operations">Cyber Attacks per week in Ukraine, since January 1st with a 4 week moving average, stopping at June 18th. Data from: Curated Intel&apos;s Ukraine Cyber Operations open source threat intelligence data</a></figcaption></figure><p>If we graph the number of cyber incidents we have seen in Ukraine over time and apply a 4-week moving average to give roughly a monthly trend of attacks, we can also see Russia&apos;s preparation for the short, sharp war that was anticipated. They had a large number of initial attacks that couldn&apos;t be sustained. The attacks didn&apos;t go away, but they started to trend down and this trend has continued. Given Russia&apos;s tendency to pursue options outside of diplomacy, such as cyber, when coercion fails, it&apos;s fair to assume that we will see an uptick in Russian cyber operations at some point in the future. I&apos;m not alone in thinking this either; the US&apos; Deputy National Cyber Director agrees;</p><!--kg-card-begin: markdown--><blockquote>
<p>A slow military progress continues to thwart the Russians on the ground in Ukraine. They may increasingly consider cyber options to divide our allies and to dilute international resolve against its action,<br>
&#x2026;<br>
We have not seen that yet, but we&#x2019;re not out of the woods. We have to keep our shields up, we can&#x2019;t let our guard down.<br>
<a href="https://www.c4isrnet.com/cyber/2022/06/17/prolonged-war-may-make-russia-more-cyber-aggressive-us-official-says/">Neal Higgins, Deputy National Cyber Director, US Office of the National Cyber Director; Prolonged war may make Russia more cyber aggressive, US official says</a></p>
</blockquote>
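<p>The weekly-count graph above is a bucketing and smoothing exercise, and it is worth seeing how little code it takes, because the choice of week boundary and window changes the shape of the curve. The Python below is an added example written for this edit; it is not code from the original post, nor from Curated Intel. It buckets incidents into seven-day windows counted from a fixed start date (1 January, as in the graph), keeps empty weeks as zero so the series has no gaps, and then applies a trailing 4-week moving average, using a shorter window for the first three points rather than dropping them. The dates in <code>SAMPLE_INCIDENTS</code> are constructed for the example and are not the Curated Intel data.</p>

```python
from datetime import date, timedelta

# Constructed sample incident dates (ISO 8601), standing in for a real
# timeline such as the Curated Intel Ukraine Cyber Operations data set.
# These are NOT real incidents; they are shaped to show an initial surge
# followed by a decline.
SAMPLE_INCIDENTS = [
    "2022-01-03", "2022-01-14", "2022-01-14", "2022-01-20",
    "2022-02-15", "2022-02-23", "2022-02-24", "2022-02-24", "2022-02-25",
    "2022-03-01", "2022-03-02", "2022-03-09", "2022-03-17",
    "2022-04-05",
]


def _as_date(value):
    """Accept either a datetime.date or an ISO 8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def weekly_counts(incidents, start, end):
    """Count incidents per seven-day bucket from `start` to `end` (inclusive).

    Bucket i covers the days start + 7*i .. start + 7*i + 6. Weeks with no
    incidents are kept as 0 so the series has no gaps, and incidents outside
    the range are ignored rather than folded into an edge bucket.
    """
    start, end = _as_date(start), _as_date(end)
    n_weeks = (end - start).days // 7 + 1
    counts = [0] * n_weeks
    for raw in incidents:
        day = _as_date(raw)
        if start <= day <= end:
            counts[(day - start).days // 7] += 1
    return counts


def week_labels(start, n_weeks):
    """ISO date of the first day of each bucket, for axis labels."""
    start = _as_date(start)
    return [(start + timedelta(days=7 * i)).isoformat() for i in range(n_weeks)]


def moving_average(series, window=4):
    """Trailing moving average of a numeric series.

    Point i is the mean of series[i-window+1 .. i]. For the first window-1
    points fewer than `window` values exist, so the mean is taken over what
    is available. This keeps the output the same length as the input, at the
    cost of the first few points being noisier than the rest.
    """
    if window < 1:
        raise ValueError("window must be >= 1")
    out = []
    for i in range(len(series)):
        chunk = series[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


def peak_and_tail(series):
    """Index and value of the first maximum, plus the final value.

    Comparing the peak against the tail is the quickest way to state the
    'surge then decline' reading of the graph as a number.
    """
    peak = max(series)
    return series.index(peak), peak, series[-1]


if __name__ == "__main__":
    START, END = "2022-01-01", "2022-04-08"
    counts = weekly_counts(SAMPLE_INCIDENTS, START, END)
    smoothed = moving_average(counts, window=4)
    for label, raw, avg in zip(week_labels(START, len(counts)), counts, smoothed):
        print(f"{label}  {raw:2d}  {'#' * raw:<6} 4wk avg {avg:.2f}")
    idx, peak, tail = peak_and_tail(smoothed)
    print(f"peak 4-week average {peak:.2f} in week {idx}, latest {tail:.2f}")
```

<p>On the constructed sample the 4-week average peaks at 2.0 in week 9 and ends at 0.5, the same shape as the graph above. Two caveats when doing this on real data: a trailing window lags the raw series by roughly half the window, so the smoothed peak lands a week or two after the raw spike, and counting from 1 January rather than ISO weeks means the buckets do not line up with Monday-to-Sunday weeks reported elsewhere.</p>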
<!--kg-card-end: markdown--><p>The question is when. Ukraine&apos;s Major General Kyrylo Budanov has his own opinion, which he doesn&apos;t expand on, that it will be the second part of August;</p><!--kg-card-begin: markdown--><blockquote>
<p>The turning point will be in the second part of August<br>
<a href="https://youtu.be/MZbm5DvMw8w?t=10">Major General Kyrylo Budanov; Chief Directorate of Intelligence of the Ministry of Defence of Ukraine; EXCLUSIVE: Ukraine&apos;s Military Intelligence Chief &apos;optimistic&apos; of Russian defeat &apos;this year&apos;; 00:00:10</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>It is also worth noting that we may be seeing preparations for Ukrainian action in that time period, as Ukraine is using HIMARS to systematically target Russian ammo depots, both in occupied Ukraine and in Russia. <a href="https://www.thetimes.co.uk/article/ukraine-has-one-million-ready-for-fightback-to-recapture-south-3rhkrhstf">Ukraine has also amassed a million soldiers, with the aim of taking back the south of the country</a>. Given the time of year they would be jumping off in, their Western equipment and what one would imagine is the influence of Western training, it would appear that Ukraine is preparing to retake the south along a Mykolaiv to Perekop axis and a Zaporizhzhia to Novooleksiivka via Melitopol axis. The question is what counts as the South, as you could consider Mariupol as the South, even though it has been the Eastern Front of the conflict since 2014, and Crimea is also something Ukraine rightfully considers to be in the south of Ukraine. Mark Galeotti also thinks that this same time period will be of interest, though for some radically different reasons;</p><!--kg-card-begin: markdown--><blockquote>
<p>For me, I think it&#x2019;s September, it&#x2019;s September when a whole collection of chickens come home to roost. And although I&#x2019;m not suggesting for a moment that September, things are going to suddenly going to sort of change, nonetheless I think it&#x2019;s in September that we might see the beginning of the potential for things in Russia to begin to change<br>
<a href="https://inmoscowsshadows.buzzsprout.com/1026985/10638355-in-moscow-s-shadows-67-why-september-is-the-month-to-watch-and-putin-ukraine-and-the-revenge-of-history">Mark Galeotti; In Moscow&apos;s Shadows 67: Why September is the Month to Watch, and &apos;Putin, Ukraine and the Revenge of History&apos;; @ 00:02:25</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Given that Galeotti can talk more openly about his thinking, he greatly expands on his neat little quote, stating that September is important because;</p><ol><li><strong>September is the end of Dacha season.</strong> Dachas are the summer houses or retreats that many Russians, not only wealthy ones, have, with a plot of land or a collective allotment where they grow some vegetables or have a little land to farm. For example, a friend of mine has a Dacha where his whole extended family go and farm strawberries. Come September, Russians will be looking at a long and difficult winter.</li><li><strong>The trajectory of the war is trending downwards.</strong> And it has been doing so for a long period of time; Russia lacks the capacity to continue large-scale operations for extended periods. Primarily, Russia will lack manpower in the long run. The solution, of course, is mobilisation, but this is politically risky for Putin, and the Russian military, due to its structure, would have difficulty training people up to go to war and not immediately die or desert. Not to mention that Russia may not have the functional equipment to equip such a force. Then there is demoralisation at home and on the front lines: Russians will see that they are stuck in a war that has no end, no improvement and only high costs.</li><li><strong>September is when Russia will have local and gubernatorial elections.</strong> There is talk that they may not happen due to the Special Military Operation. The value in the election is that it keeps Political Technologists, the people who choreograph Russian politics, in business, but it also generates economic activity by having these people employed and keeps them around for the next round of Presidential elections in 2024. 
The Siloviki, or securocrats, would rather the elections didn&apos;t happen, because elections can be a proxy for how the general public feel about how things are going, and they involve debate. This would be unwelcome news. There are also questions over whether the Liberal Party and the Communist Party will stay on message with what the Kremlin will allow.</li><li><strong>Economic Warfare takes time to bite and will be visible.</strong> Inflation is rampant, worse than what we are experiencing elsewhere in the world, and this is causing families to burn through their savings. Galeotti expects this to impact most families by then, though <a href="https://twitter.com/navalny/status/1537763580984033281?s=20&amp;t=5wS4fvDdc4HdTRNBTbY6pw">it should be noted that in a poll conducted between May 16th and 25th, posted by Alexey Navalny, 49% of Russians are already there</a>. Companies will be in a similar position. The State&apos;s budget will be squeezed; while for the moment the Kremlin has cut down on energy exports to Europe, it is doing so at record prices and boosting the state&apos;s coffers at a time when other revenues have collapsed. As people and companies are squeezed, less money is spent, unemployment goes up, inflation continues, and Russia cannot spend its considerable currency reserves in the face of this Economic Warfare. All of this will lead to pressure on the Kremlin. </li></ol><p>All of this extra pressure will make the Kremlin less able to respond to various things as they arise, which I will come to in just a moment. But it should be noted, from a recent report from Microsoft&apos;s MSTIC, that these attacks have already gone up and, as MSTIC note, they aren&apos;t on cloud servers but on on-premises servers. While in the report they note they have less visibility into such attacks, they clearly have some signatures or other closed information that they can use to identify them. 
I do wonder, though, how much of this is Russia activating agents inside organisations, as last year I noted that this is a tactic Russian intelligence uses, and tracking down insider threats is an order of magnitude harder than tracking remote attackers, because insiders are, by nature, trusted.</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/Picture1b.png" class="kg-image" alt loading="lazy" width="1280" height="652" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/Picture1b.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/Picture1b.png 1000w, https://blog.cyberwarfa.re/content/images/2022/07/Picture1b.png 1280w"><figcaption><a href="https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/">Microsoft MSTIC; Defending Ukraine: Early Lessons from the Cyber War; pp 11</a></figcaption></figure><!--kg-card-begin: markdown--><h2 id="2-the-importance-of-preparation">2. The Importance of Preparation</h2>
<!--kg-card-end: markdown--><p>One thing that is continually preached by all Cyber Security methodologies is the importance of preparation. Ukraine has dealt with a withering barrage of cyber operations since 2014 and has done an incredible job of either defeating the operations or, when something does go down, restoring service quite quickly. Russia has been the perpetrator of the vast majority of these attacks too. So you would imagine that both sides were equally prepared, particularly in the Cyber Dimension, when the war kicked off again, right?</p><p>Well, not really, no. As we have seen, Russia prepared for a particular type of conflict, one that would be short, sharp and over quickly, with no contingencies for what would happen if this did not work out for them. As we saw in my graph above, Russia had a sharp rise in Cyber Operations before a gradual decline to a steady level. Part of this is because new Cyber Operations take time to create and preposition, but also because it fitted Russia&apos;s plans very neatly. This was what they had prepared for. </p><p>Preparation is about more than having a plan for what should happen, though. Preparation in depth includes having all of the right people, with all of the right training, with a reserve of trained people, who have all done tabletop exercises, wargames etc., ready for when, for example, a cyber incident occurs. This is the difference between preparing so that management can tick a box and being prepared in depth. It means that your staff have the mental bandwidth to deal with the regular day-to-day operations you would normally do and cope with incidents as they arise. </p><p>We can see Russia did the box-ticking exercise, as they lacked the mental bandwidth to quickly pivot to the kind of operations they would have run in the past. We can see this at Eurovision, where Ukraine was clearly going to win and Russia was excluded. 
Normally, when Russia is excluded from cultural or sporting events where it could gain political victories along the lines of Russia Stronk, it lashes out with Cyber Operations. We saw this with the World Anti-Doping Agency hack in 2016. Russia&apos;s state-sponsored doping program was exposed and in response, Russia decided to leak the details of other athletes&apos; tests and Therapeutic Use Exemptions to the public, let them draw their own conclusions about other countries&apos; doping, and make it seem as though Russia was only doing what everyone else does. </p><p>They did this again with the OLYMPICDESTROYER malware after they were not allowed to attend the 2018 Winter Olympics in South Korea. The event was a nearly all-digital affair where your tickets were on your phone and WiFi was provided via the Olympics app; the host broadcaster had their coverage disrupted and the press centre went offline due to the malware. The organisers of the Olympics did an incredible job of restoring service before it became a major problem that would jeopardise the event, and the <a href="https://darknetdiaries.com/episode/77/">Darknet Diaries Podcast did an incredible episode talking about not just the recovery but the psychological operations in the malware</a> if you want to know more. 
</p><p>So, knowing that Russia has a history of lashing out via cyber means when they are excluded, how come Eurovision didn&apos;t look like this;</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/image--9-.png" class="kg-image" alt loading="lazy" width="1920" height="1080" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/image--9-.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/image--9-.png 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/07/image--9-.png 1600w, https://blog.cyberwarfa.re/content/images/2022/07/image--9-.png 1920w"><figcaption>Image thanks to my friend John who made this from the official Eurovision image.</figcaption></figure><p>I mused on twitter that this would have been &quot;<a href="https://twitter.com/LegendaryPatMan/status/1526346221014720512?s=20&amp;t=78FJ8aAKI4glFYj8SgdsmA">chef kiss levels of information operations</a>&quot;. To me, this tells us a lot about the depth of capability of those behind Russian Information Operations. They are struggling to maintain operations at home, in Ukraine and against the West more generally, and are also incapable of pivoting to new situations as they arise, as we can see. This isn&apos;t to say that these hackers aren&apos;t capable, they clearly are, but that there may not be nearly as many of them as we thought, or that they don&apos;t have the capacity to plan these tasks as they arise, or both.</p><p>Now, this isn&apos;t to say that we didn&apos;t see anything at all. A pro-Russian hacktivist group called <a href="https://www.bbc.com/news/entertainment-arts-61463364">Killnet, which very few people I know of, if any, had even heard of, DDoS-ed network infrastructure used for voting and attempted to disrupt performances</a>.</p><p>When you contrast this with Ukraine, though, you see an entirely different picture. 
By the end of 2014, the armed forces, with the exception of a small number of special forces, had failed to do anything about Russia&apos;s annexation of Crimea, the uprising in the Donetsk and Luhansk regions and the blatant manipulation of the presidential election in 2014. These failures, and the successes of Euromaidan and the Revolution of Dignity, showed that Ukraine needed to totally reorganise. I don&apos;t just mean militarily, but really as a country. Ukraine knew that this was just the beginning and, with Russia not achieving its objectives in 2014, a conflict with Russia would come sooner or later.</p><p>The Armed Forces began to change how training was done; other states sent missions to train the Ukrainian Armed Forces in various weapons and tactics so that they became incredibly proficient at combating Russian tactics. They developed a doctrine, a set of tactics and strategies, to combat Russian forces when they would eventually come. They began to gut the law enforcement and intelligence agencies of pro-Russian personnel so that the West would supply intelligence and training without worrying that Russia would learn about the tradecraft used by various intelligence organisations.</p><p>They went much further than totally reorganising the country&apos;s security, though. Ukraine knew that Russia would be likely to target Ukrainian communications infrastructure among other things. Russia would go on to try to knock out power via cyber means twice, in 2015 and again in Kyiv in 2016, so they knew they had to be prepared to fix broken infrastructure during a war. 
<a href="https://www.forbes.com/sites/thomasbrewster/2022/03/15/internet-technicians-are-the-hidden-heroes-of-the-russia-ukraine-war/">This is something they also prepared for, including having telecoms engineers, escorted by troops, repair fibre cables earlier this year</a>.</p><p>More than this, though, regular Ukrainians had played a huge part in alerting regular people like me in the West to what was going on in Ukraine during Euromaidan and the Revolution of Dignity (&#x2764;&#xFE0F;Seb). They knew this would be valuable going forward, so they made sure to have regular people find and amplify pro-Ukrainian symbols from across the world, such as this badass babushka on the Moscow Metro, three days into the war, as protestors were being beaten by riot police;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Moscow underground. Sometimes the act of resistance doesn&#x2019;t have to be loud or bold, it just has to be. <a href="https://twitter.com/hashtag/Ukraine?src=hash&amp;ref_src=twsrc%5Etfw">#Ukraine</a> <a href="https://twitter.com/hashtag/SlavaUkraini?src=hash&amp;ref_src=twsrc%5Etfw">#SlavaUkraini</a> <a href="https://t.co/MvZc9wscUj">pic.twitter.com/MvZc9wscUj</a></p>&#x2014; Belarus Free Theatre (@BFreeTheatre) <a href="https://twitter.com/BFreeTheatre/status/1498029137189036032?ref_src=twsrc%5Etfw">February 27, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>But most of all Ukrainians themselves were individually prepared and were willing to resist. A prime example from the first hours of the war is this video, where a woman in the Kherson region, which had just been captured and may have been a victim of shelling already, confronted armed Russian soldiers. She gave the soldiers sunflower seeds and told the fascist invaders to put them in their pockets so that when they die here in Ukraine, something good will come of their death.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Ukrainian woman confronts Russian soldiers in Henychesk, Kherson region. Asks them why they came to our land and urges to put sunflower seeds in their pockets [so that flowers would grow when they die on the Ukrainian land] <a href="https://t.co/ztTx2qK7kB">pic.twitter.com/ztTx2qK7kB</a></p>&#x2014; UkraineWorld (@ukraine_world) <a href="https://twitter.com/ukraine_world/status/1496866811110834176?ref_src=twsrc%5Etfw">February 24, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>This goes so far that the sentiment of friends I have here in Ireland who are Ukrainian, or half Irish/half Ukrainian, is the ultimate belief in the victory of Ukraine. Even at Dublin Pride, where we had a Ukrainian Grand Marshal and a section with Ukrainians front and foremost. As someone who has put the Pride show on for years, I am immensely proud to have helped give our brothers, our sisters and our they/thems from Ukraine, who fight and die for our freedoms, a platform to be recognised. Nothing says this better than the first tweet I saw when the war began. That Ukraine will win.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">This is it guys.<br>See you in victorious Ukraine.</p>&#x2014; Illia Ponomarenko &#x1F1FA;&#x1F1E6; (@IAPonomarenko) <a href="https://twitter.com/IAPonomarenko/status/1496679105907109894?ref_src=twsrc%5Etfw">February 24, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><!--kg-card-begin: markdown--><h2 id="3-cyber-is-a-management-problem">3. Cyber is a Management Problem</h2>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h4 id="organisational-and-governance-challenges">Organisational and Governance Challenges</h4>
<!--kg-card-end: markdown--><p>While in a lot of ways preparation is a management task, I wanted to make it its own thing. To me, it really shows the importance of having all of the right people in the right place, who are ready to go, with a culture of being ready for incidents as they arise. And I don&apos;t want to say that Cyber isn&apos;t a technical problem. It is. But if we look at a lot of the issues that we have, they aren&apos;t going to be solved with technical fixes or some magic cyber dust.</p><p>Ukraine, between February 24th and April 8th, was targeted with 237 cyber operations, utilising 40 distinct pieces of malware, according to Microsoft&apos;s MSTIC (<a href="https://blogs.microsoft.com/on-the-issues/2022/04/27/hybrid-war-ukraine-russia-cyberattacks/">pp 04</a>), and they had an incredible success rate in defeating such operations. <a href="https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks">The CyberPeace Institute has documented 59 campaigns since 2014</a>, using malware, disinformation, dumping of personal information and election interference, that have caused societal harm, which they view as attacks on infrastructure for civil society such as the water supply or hospitals. Ukraine has had a remarkably strong track record of stopping these attacks before they cause damage, mitigating them entirely or restoring services in record time.</p><p>Yet when Conti went after the HSE, we learned from the report that the HSE was compromised 7 days before the ransomware was triggered, and detected 3 days later (<a href="https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf">pp 3</a>). Active attempts were made to prevent the malware from spreading and the SecOps team was working on something, I don&apos;t know what. Ultimately, it&apos;s not the SecOps team&apos;s fault, as they do incredible work in an organisation where the priority is your health rather than cyber. 
</p><p>For me, though, what it highlights is how we treat these issues. In Ukraine, they follow the Estonia Model for Cyber Security. This isn&apos;t a formal model, more a way of thinking about and addressing cyber. In Estonia, after the Bronze Night incident and the 2007 DDoS attacks that followed it, Estonia reckoned with what had happened. They created one of the first national Cyber Security Strategies, and they gave Cyber a cabinet-level position where it was being accounted for at the highest levels of government. Being seen as weak on cyber is something that loses people seats in elections, and cyber is a major part of daily reporting in regular news for normal people rather than just people like me. </p><p>They have bodies that coordinate policy between various stakeholders, monitor the success of previous plans, implement new ones and update plans as needed. In particular, the goal of the policy coordination is to ensure that Cyber Policy gets as much media attention and funding as is needed to meet its goals. They have an incident management unit, which is tasked with the security of the state&apos;s infrastructure and critical infrastructure. They have legislation to do everything from kicking in doors to ensure compliance to extra-judicial fines. There is a lot more to the model, such as how Estonia organised their military, intelligence and emergency management. <a href="https://ccdcoe.org/uploads/2018/10/CS_organisation_ESTONIA_032015_1.pdf">You can read more about the Estonia Model in this report from the NATO CCDCOE</a>, but that&apos;s all I need to discuss to make my point.</p><p>If you contrast that with Ireland, Ireland doesn&apos;t have a cabinet-level position for Cyber. We have a Minister, whose current title is the Minister for the Environment, Climate and Communications, and even within Communications, cyber is only a small part of this brief. 
Even if I go and take a peek at the DECC&apos;s Gov.ie page, I can&apos;t find a reference to cyber anywhere on the main page, and the only way I can even find a reference to cyber is by going into the profile of Ciar&#xE1;n &#xD3; h&#xD3;b&#xE1;in, <a href="https://www.gov.ie/en/role/70fa48-assistant-secretary-for-communications/">the Assistant Secretary for Communications, and reading their brief</a>. And you know, this isn&apos;t me being a tad tired from writing 10k words. Nope, if you search Google for <code><a href="https://www.google.com/search?hl=en&amp;q=%22cyber%22%20site%3Ahttps%3A%2F%2Fwww.gov.ie%2Fen%2Forganisation%2Fdepartment%2Dof%2Dthe%2Denvironment%2Dclimate%2Dand%2Dcommunications%2F">&quot;cyber&quot; site:https://www.gov.ie/en/organisation/department-of-the-environment-climate-and-communications/</a></code>, you get zero results. The body charged with cyber literally doesn&apos;t mention cyber. </p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Here&apos;s something fun! If you search for &quot;cyber&quot; on the website of the Department of the Environment, Climate and Communications, you get zero hits on DuckDuckGo or Google<br><br>The body tasked with Cyber literally doesn&apos;t mention the word Cyber on its site... <a href="https://t.co/zV9IbLOezc">pic.twitter.com/zV9IbLOezc</a></p>&#x2014; &#x1F595;&#x41F;&#x443;&#x301;&#x442;&#x456;&#x43D; &#x445;&#x443;&#x439;&#x43B;&#x43E;&#x301; &#x1F499;&#x1F49B; &#x421;&#x43B;&#x430;&#x432;&#x430; &#x456; &#x43F;&#x43E;&#x431;&#x435;&#x434;&#x430; &#x423;&#x43A;&#x440;&#x430;&#x457;&#x43D;&#x456; &#x1F1FA;&#x1F1E6;&#x270A; (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1546823820320903169?ref_src=twsrc%5Etfw">July 12, 2022</a></blockquote>
</figure><p>If you look at how cyber policy is created, effectively what happens is that an EU Directive comes out and we wait until the last minute to do anything about it. Outside of the Public Consultations and going to your TD&apos;s surgery, I don&apos;t know of any other way for stakeholders to have their views heard, let alone ensure that there is adequate funding and media attention. The same goes for Incident management. <a href="https://www.ncsc.gov.ie/incidentreporting/">I know how to report an incident to NCSC-IE</a> but I have no idea what happens or would happen if I reported an incident, yet in Estonia, <a href="https://www.ria.ee/en/cyber-security/cert-ee.html">I can see entirely what the process is via their website and gain access to all sorts of cool toys too</a>. Just like with the HSE&apos;s SecOps team, this isn&apos;t the fault of the NCSC, but it&apos;s again the same problem as we just aren&apos;t thinking about or investing in Cyber. You would think that the HSE hack would change this but... <a href="https://twitter.com/LegendaryPatMan/status/1448079287370883077?s=20&amp;t=J1fKT0IeiXksEljZP0dssA">I actually went through the 2022 budget documents in search of more cyber funding, I think it went from 4.5 million to maybe 6 million, which to use a legal term of art, is fuck all</a>.</p><!--kg-card-begin: markdown--><h4 id="poor-investment-choices">Poor Investment Choices</h4>
<!--kg-card-end: markdown--><p>This isn&apos;t just a problem at a state level though. <a href="https://twitter.com/LegendaryPatMan/status/1448079287370883077?s=20&amp;t=J1fKT0IeiXksEljZP0dssA">Cybereason released a survey where they asked IT professionals about what happened after being ransomed</a>. Globally, 80% of those that paid the ransom were attacked again, and of that 80%, 46% believe they were ransomed by the same gang again. Now, it&apos;s one thing to decide to pay criminals, but it&apos;s a whole other level of poor management to get ransomed, know there is a problem, do nothing about the problem and allow yourself to be put in a position where you may have to pay a ransom a second time.</p><p>This survey came out about a month after <a href="https://www.theregister.com/2022/05/13/organizations_pay_ransomware/">another one from Kaspersky</a>, which showed that 9 in 10 organisations who had been hit with ransomware before would just pay if they were hit again. Not just that, these same organisations would rather pay the ransom as early and quickly as possible. This is because the revenue lost while systems are down is so high that it is cheaper to pay the ransom than to lose out on said revenue;</p><!--kg-card-begin: markdown--><blockquote>
<p>This willingness for companies to stump up the cash could be attributed to managers having little awareness of how to respond to such threats, according to Kaspersky. Management may also be unprepared for how long it may take to restore data, with some businesses losing more revenue while their data is being recovered than by just paying the ransom.<br>
<a href="https://www.theregister.com/2022/05/13/organizations_pay_ransomware/">Dan Robinson; Most organizations hit by ransomware would pay up if hit again; The Register</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Though another way to look at it is that rather than sacrifice a tiny proportion of said revenue on an ongoing basis, management would rather ignore the threat until the threat comes for them, then pay off the threat to go away and hope they stay away for extended periods.</p><p>And this is wild to me because of <a href="https://venturebeat.com/2022/07/06/report-95-of-employees-say-it-issues-decrease-workplace-productivity-and-morale/">another recent survey that came out from 1E on how employees feel about all of these IT problems impacting them</a>. 95% of employees found there to be issues in their digital experience and this decreased their productivity and morale. Some of the problems identified as challenges to a better experience are Security and Regulatory policies, IT being overwhelmed, IT&apos;s lack of training, technology not being in place, and there being no management buy-in. Again, the issues aren&apos;t all technical. Sure, security policies are, but IT being overwhelmed or lacking training or having no buy-in are all management problems that are solved by... Investing in IT... And that isn&apos;t just catching up on your tech debt, it&apos;s getting on top of it and continuing to invest. Managing your Cyber is better for your bottom line, better for your reputation, better for your employees, and no downtime, because you&apos;re on top of your tech, is better for your customers. </p><!--kg-card-begin: markdown--><h4 id="bridging-the-gaps-in-staffing">Bridging the Gaps in Staffing</h4>
<!--kg-card-end: markdown--><p>And you know, while I&apos;m talking about staff, a friend of mine, Philipa, wrote an amazing <a href="https://www.echolive.ie/corkviews/arid-40878623.html">article about how we need to break the stereotypes we have of what hackers <em>should</em> look like</a>. I am a very typical looking hacker. I&apos;m a white male with kinda scruffy hair, a budding bald spot, a kinda scraggly beard, I tend to wear printed tees with some sort of message on them, I wear shorts and sandals about 90% of the year, I have way too many hoodies. I dressed down for the day of this talk to make my point;</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/07/unknown-1-.png" class="kg-image" alt loading="lazy" width="1531" height="1063" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/07/unknown-1-.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/07/unknown-1-.png 1000w, https://blog.cyberwarfa.re/content/images/2022/07/unknown-1-.png 1531w" sizes="(min-width: 720px) 720px"><figcaption>A clip of me from my talk</figcaption></figure><p>While Philipa has a BS in Computer Science, she also majored in Psychology and AI, and holds a postgraduate LLB law degree in Intellectual Property Law, Technology Law, and Constitutional (fundamental) Rights Litigation, and a separate Postgraduate Certificate in Education, which you need to be a teacher. She is incredibly accomplished, in multiple fields beyond technology, and she chooses to work in Cyber. </p><p>I have a very good friend who I won&apos;t name, but she is a director of cyber for a multinational here in Ireland and while she only transitioned into Cyber 7 or so years ago after 20 years in a different career, she is already incredibly accomplished, more than most men who fit the job description of hacker are or ever will be. Her degree wasn&apos;t in Cyber or Computer Science when she got it either. 
Yet she has told me about instances where she feels she is visibly treated differently to men in meetings, and not in a way that respects her status. </p><p>Even at this conference, just prior to my talk, <a href="https://www.linkedin.com/in/andreamanning1/">Andrea Manning</a> delivered a talk on understanding Cyber Crime. Andrea doesn&apos;t have a background in Cyber either. She originally studied Hotel Management and worked in a wide variety of industries before moving into data protection and cyber in 2015, when she got a degree in Business Information Systems. She now runs a company, <a href="https://www.cyber-pie.com/">CyberPie</a>, whose goal is to provide cheap and easy access to cyber for microbusinesses here in Ireland. She is also my go-to for cyber crime things because I genuinely don&apos;t know who else I could go to, to ask about the various threats cyber criminals pose to Irish businesses.</p><p>And these are just the women I know personally who came to mind as I wrote the talk. Age is also a factor, as is where we expect hackers to come from. I help put on <a href="https://twitter.com/ZeroDaysCTF">ZeroDays</a> every year and I have done Lockpicking with <a href="https://twitter.com/jayester">Jester</a> for the past 5 years now. This year we had the usual university and industry teams, but we also had school teams with ages ranging from 7 and up. A girl from the Ballymun Coder Dojo team came up near the end of the day wanting to try the Lockpicking challenges. She had never picked a lock before, and the challenges were a cryptex, a biometric lock and a set of handcuffs. </p><p>This little kid obliterated the times of anyone else who even remotely tried these challenges. In the 6 minutes she had to do the challenges, she just asked me to open the biometric lock, she noticed I had a handcuff key on my wrist and asked me if she could use it, and while her mother struggled with the hint for how to open the cryptex, she got it in one. 
In 90 seconds, she had opened more locks than the vast majority of teams who took 5 mins to do the same, some of whom I&apos;ve been teaching lockpicking and physical security bypasses to for years. She had an innate curiosity and drive to just play with and understand challenges, and this is something you can&apos;t teach for all the money in the world.</p><p>And I haven&apos;t even mentioned, for example, the LGBTQA+ community: at Dublin Pride, Indeed and Tenable had HUGE stands in the Pride Village in Merrion Square, and countless technology companies had floats and staff walking in solidarity in the parade. All of these are people who don&apos;t look like me, but are in a lot of ways as capable or more capable of cyber than I am, yet I am the go-to for Cyber because I look the part.</p><p>Overlooking these people is a critical failing in HR and one we need to recognise. The people I have mentioned prove that not only do we need to think more broadly about what we need in cyber, but we need to recognise that not everything we need is Computer Science graduates. Even when we look at larger companies, there are all sorts of basic organisational issues that not only aren&apos;t technical, but that Computer Science graduates will suck at, like governance roles and strategy. For roles where you do need some technical understanding, then it&apos;s time to train people to do those roles, because very few of the people like me that I studied with, for example, are any good at all at teaching others, and teaching people is essential to preparing your teams to deal with incidents. </p><p>Not just that, Cyber people tend to think about Cyber as just computers, to such an extent that if you go and read the National Cyber Security Strategy for Ireland, the word physical is mentioned 4 times and none of those times are in the context of computers existing as physical objects in the real world. 
We have to recognise not just that they exist in the real world but that they can have real-world effects, as factories run on Operational Technology, which is a fancy way of saying computers that manipulate physical processes. What happens if you are able to manipulate a process to blow things up? And that isn&apos;t far fetched, we saw it with the <a href="https://cyberlaw.ccdcoe.org/wiki/Steel_mill_in_Germany_(2014)">German Steel Mill</a> incident in 2014, <a href="https://cyberlaw.ccdcoe.org/wiki/Triton_(2017)">TRITON/TRISIS</a> in 2017, and this year with the attack on a <a href="https://twitter.com/JasonMBrodsky/status/1541365283557974016?s=20&amp;t=VJLKiB3RW1DImslxro8kPQ">Steel Mill in Iran</a>. That kind of outside perspective is something you won&apos;t get if you only have cyber people.</p><!--kg-card-begin: markdown--><h1 id="q-a">Q &amp; A</h1>
<!--kg-card-end: markdown--><p>One of the things I was asked after my talk as part of a Q and A was essentially whether, if the Defence Forces had a Cyber Unit, it would be a silver bullet for cyber in Ireland. I am sorry to say that it will not be a silver bullet. It is something we need but you can&apos;t just magic away problems in cyber. The guards will be part of the solution as they need to be tackling cybercrime. The National Security Analysis Centre will be important in ensuring we have good intelligence coming from partners and also ensuring that we aren&apos;t adopting vulnerable technology. </p><p>But really this is a small part of the overall problem, which is cultural. <a href="https://twitter.com/vanillatary/status/1544690905805983744">I saw a tweet a while ago, that got some traction, which stated that Ireland wouldn&apos;t join NATO because the Irish people value Neutrality, because we won&apos;t spend the money on the military, because we have a low risk of invasion and because the EU, UK and US would step in if we were invaded</a>. I agree with all of this for the most part BUT for me it misses a key point. Conflict is not necessarily bilateral. Countries tend not to agree that they will have a battle at X place at Y time. Conflict can be unilateral and one country can just go to war with another.</p><p>Even outside of states, have you ever just been punched by some drunk eejit for no real reason at all? I have. I didn&apos;t want a fight, I wasn&apos;t trying to start one either. The arsehole just wanted a fight. And it happens between states too. This is effectively what Russia did in the invasion of Ukraine. Basically, no one wanted the war, not even ordinary, everyday Russians. And yet we got a war because Dear Leader Vladimir Vladimirovich wanted one, because he wanted to go from Dear Leader to Vladimir The Great.</p><p>In geopolitical terms, this is called Strategic Narcissism, and Ireland has it in bucketfuls. 
Strategic Narcissism is where you can only view the intentions of others in your own terms. You lack the empathy to see the world through the eyes of another country. I have met people who say that they aren&apos;t bothered with cyber because it&apos;s expensive and &quot;sure who&apos;d hack me?&quot; Well if Cyber Criminals can figure out a way to monetize hacking you, they will just hack you on the off chance you&apos;re worth something valuable. </p><p>This kind of divine faith, for lack of a better term, is not sound ground to build any kind of investment strategy on, be it Ireland&apos;s military or your government&apos;s health service or your company&apos;s next big product.</p><!--kg-card-begin: markdown--><hr>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h2 id="acknowledgements">Acknowledgements</h2>
<!--kg-card-end: markdown--><p>Cheers to members of the Irish Cyber Security and Privacy Discord, in particular Philipa, <a href="https://twitter.com/L2actual">Liam</a> and Owen, for helping me flesh out my thinking on a very small number of the management issues inside Cyber that I covered. And also to Schrodinger for challenging me and in doing so, helping me better display and explain my thinking on what we can learn from the threat intelligence I have available. I look forward to Schrodinger crucifying me after this post.</p><p>As usual, none of this would be possible without the wonks of the ACWP Slack! Cheers to Lima for venting with me on management issues, Bill for the continued AARs which are essential, John for the photoshop of Eurovision, the elusive Horacio for their rad OSINT, and to Toby Tom and Ray for helping me better display the threat intel data because data is not my strong suit. </p>]]></content:encoded></item><item><title><![CDATA[Cyber War is Boring]]></title><description><![CDATA[Cyber still isn’t ✨ magic ✨, it is still limited, it still takes a lot of effort and investment and there are still other weapons available and these weapons can be MUCH more effective. But I left the politics out of my BSides talk. The other takeaway I want to take away is]]></description><link>https://blog.cyberwarfa.re/iw-bsides-dub-22/</link><guid isPermaLink="false">61b8981bf85c9ea22a7b6f64</guid><category><![CDATA[Cyber & Information Warfare Theory]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sat, 30 Apr 2022 13:50:51 GMT</pubDate><content:encoded><![CDATA[<p>UPDATE 02/07/22: Video of the talk added</p><p>The guys from BSides Dublin asked me to talk about the Russian offensive in Ukraine. I use the term offensive because there has been a state of war between Russia and Ukraine since 2014 in my opinion. 
I had a radically different talk planned where I would talk about other things entirely, but I&apos;ll save them for another time since they are pretty rad and shouldn&apos;t be in the dark. </p><figure class="kg-card kg-embed-card"><iframe width="200" height="113" src="https://www.youtube.com/embed/nGDQ4CbaZ3g?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen title="Cyber War Is Boring by Paddy Kerley"></iframe></figure><p><a href="https://next.cyberwarfa.re/s/8jMiktetBLFcop7">PDF of slides and notes for BSides Dublin</a><br><a href="https://next.cyberwarfa.re/s/5GLztbXLQEjqN9Z">PDF of slides and notes for the ICSPC Discord</a></p><p>I would also note that while BSides asked me to talk about all of this, the initial inkling for me was planted several days into the war when a friend of mine asked;</p><!--kg-card-begin: markdown--><blockquote>
<p>So far, I&apos;m hearing lots of concern about the possibility of massive cyber attacks, but very little evidence of any such thing<br>
<a href="https://discord.com/channels/798533956466901012/935571191933075518/946460463502356530">Don Edwards; #world-events; Irish Cyber Security and Privacy Discord</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Finally, apologies for how long this took to write and post... Normally this is out within hours of me giving the talk, and written before the slides are, but I got COVID at BSides and oh boy... It put me down for the count and it took me a long time to get back on my feet... I&apos;m still not 100% over a month later... </p><!--kg-card-begin: markdown--><h1 id="war-is-boring">War Is Boring</h1>
<!--kg-card-end: markdown--><p>The easiest way for me to explain why Cyber War is boring would be to look at why War is boring on its own, which David Axe, like him or not, describes as;</p><!--kg-card-begin: markdown--><blockquote>
<p>&#x2026; that much of warfare is about politics, paperwork and logistics more than it is about actual combat.<br>
<a href="https://smallwarsjournal.com/author/war-is-boring">David Axe; Author Bio; Small Wars Journal</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The way we think about Cyber in a lot of ways is the same. Though rather than politics, paperwork and logistics, Cyber Warfare is more about Politics, Legalities and Perceptions, though logistics and paperwork still matter. You still ultimately need to get implants etc into place, which is a logistical problem and if you joined any military and expected not to be doing paperwork... I have some very bad news for your career prospects.</p><p>Now I do want to note, because I was very lucky to have someone in the audience who had studied under Dr Thomas Rid, is that Cyber War as a concept is dead and gone. War cannot and does not take place in a single domain without spillover to other domains. Cyber War isn&apos;t real, but Cyber Warfare is very real and it is what people are thinking about when they are thinking about operations against computers, networks or systems.</p><!--kg-card-begin: markdown--><h2 id="politics">Politics</h2>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>Cyber war is an extension of policy by actions taken in cyber space by state or nonstate actors that either constitute a serious threat to a nation&#x2019;s security or are conducted in response to a perceived threat against a nation&#x2019;s security.<br>
<a href="https://smallwarsjournal.com/author/war-is-boring">Paulo Shakarian, Jana Shakarian and Andrew Ruef; Introduction to Cyber-Warfare - A Multidisciplinary Approach; pp 2</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Put simply, using cyber warfare to achieve one&apos;s goals is an option that exists because you can&apos;t get what you want through other policy actions such as active diplomacy, sanctions or other compelling behaviours. This is a very Clausewitzian view of the world, where War itself is something that you do as a state when you run out of political runway: you turn to the next tool in the toolbox, which is war. The use of Information Warfare and Computer Network Operations (CNO) opens up an area before war, where Grey Area Operations can take place.</p><!--kg-card-begin: markdown--><h4 id="the-bronze-night">The Bronze Night</h4>
<!--kg-card-end: markdown--><p>The Bronze Nights are a fascinating look at the politics that underlie a lot of Information and Cyber Operations. The story starts in September 1944 when the Wehrmacht had retreated from Tallinn and the citizens of Estonia, knowing what Soviet Occupation was like, proclaimed their independence, only to have the Red Army come in and reoccupy Tallinn. At the site where the Bronze Soldier of Tallinn would eventually stand, the Soviet Union buried two soldiers, buried more there after the war, and renamed the area from T&#xF5;nism&#xE4;gi to Liberators&apos; Square.</p><p>To many Estonians, this was seen as a symbol of Soviet oppression. The original memorial on the site was a smaller one, and it was blown up by teenagers in 1946. The Soviets rebuilt the square as a park and placed the Bronze Soldier of Tallinn there, where it remained until 2007, when a plan was unveiled to move the statue to the Defence Forces Cemetery of Tallinn, which was thought to be a less divisive place to have a memorial to the war dead.</p><p>Russians, though, saw it as a symbol of victory over the Nazis and, more importantly, this was an idea that could be weaponized by the Kremlin, and it was. Russia feels it&apos;s important to protect Russian speakers outside of Russia and sees repression of them as a form of cultural genocide, something Putin has repeatedly stirred up over the years, from Ukraine now, to Estonia in 2007, to Chechnya in 1999.</p><p>When Estonia finally planned to move the statue, Russia began a coordinated campaign of DDoS incidents, website defacements and spamming of comments on news websites with what is most likely the first truly modern Fake News campaign. While the DDoSes and defacements were not that successful beyond the initial shock of sites being down or defaced, the spamming was incredibly effective at mobilizing Russian speakers against the removal of the statue. 
Those that were mobilized, or better radicalized, then began to meet with <em>diplomats</em> about what to do about the removal of the statue, including cash payments to prevent the removal.</p><p>They began protesting the site, camping in cars etc until eventually, Estonia began to dismantle the statue in preparation to move it. This is when a Kremlin-backed stooge assaulted a police officer and the police responded as police do, with massive retaliation, resulting in two days of rioting. Russia was ready for exactly this, immediately deploying stories throughout Russian media, including Fake News with doctored images of what was going on, which mobilized more people to protest.</p><p>Eventually, the statue was moved to the Defence Forces Cemetery of Tallinn, where it stands today, <a href="https://news.err.ee/1608568171/photos-bronze-soldier-monument-in-tallinn-vandalized">vandalized again in the wake of the Russian offensive in Ukraine</a>. These events became the first real deployment of a set of tactics known as Hybrid Warfare. </p><p>Peeter Kaasik of the Estonian Ministry of Foreign Affairs, <a href="https://web.archive.org/web/20070614045450/http://www.valitsus.ee/brf/failid">compiled an amazing report on the background to the Bronze Soldier of Tallinn</a>, for the Estonian Foundation for the Investigation of Crimes Against Humanity, which is well worth a read if you are interested in it. And Ivo Juurvee and Anna-Mariita Mattiisen of The International Centre for Defence and Security <a href="https://icds.ee/en/the-bronze-soldier-crisis-of-2007/">wrote an amazing retrospective of the Bronze Nights titled The Bronze Soldier Crisis of 2007: Revisiting an Early Case of Hybrid Conflict</a>, which is essential reading to understand the events.</p><!--kg-card-begin: markdown--><h4 id="hybrid-warfare">Hybrid Warfare</h4>
<!--kg-card-end: markdown--><p>Hybrid Warfare is a difficult idea to grasp. The idea was coined by Frank G. Hoffman, a Research Fellow at the US Marine Corps Center for Emerging Threats and Opportunities, who defined Hybrid Warfare as;</p><!--kg-card-begin: markdown--><blockquote>
<p>Conflicts are increasingly characterized by a hybrid blend of traditional and irregular tactics, decentralized planning and execution and non-state actors, the strategy states using both simple and sophisticated technologies in innovative ways<br>
<a href="https://www.potomacinstitute.org/images/stories/publications/potomac_hybridwar_0108.pdf">Frank G. Hoffman; Conflict in the 21st Century: The Rise of Hybrid Wars; pp 7</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The EU and NATO have a joint project, the Hybrid CoE, where they describe Hybrid Threats as;</p><!--kg-card-begin: markdown--><blockquote>
<p>Coordinated and synchronized action that deliberately targets democratic states&#x2019; and institutions&#x2019; systemic vulnerabilities through a wide range of means.<br>
Activities that exploit the thresholds of detection and attribution, as well as the different interfaces (war-peace, internal-external security, local-state, and national-international).<br>
Activities aimed at influencing different forms of decision-making at the local (regional), state, or institutional level, and designed to further and/or fulfil the agent&#x2019;s strategic goals while undermining and/or hurting the target.<br>
<a href="https://www.hybridcoe.fi/hybrid-threats-as-a-phenomenon/">Hybrid CoE; Hybrid threats as a concept</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Personally, both of these are terrible ways to define anything... So I think about Hybrid Warfare as strategically targeted Political Warfare against Democracies and Democratic Institutions, that blends conventional and irregular warfare with cyber and influence operations.</p><p>So for example, you could look at the Conventional Warfare as the Russian-backed uprisings in Donetsk and Luhansk in 2014. The Irregular Warfare of the &quot;Little Green Men&quot; in Crimea in 2014. Cyber Operations such as the DNC Hacks in 2015 and 2016, and then the dumping of select data from the DNC hack as part of Influence Operations in 2016.</p><p>These are all targeting Democracies, but Hybrid Warfare has been used against Democratic Institutions, such as the World Anti Doping Agency (WADA) after WADA exposed Russia&apos;s state-sponsored doping programme ahead of the 2016 Olympics, which led Russia to carry out a Cyber Operation on WADA and dump data that made multiple top athletes look like they were also doping, which is an Influence Operation. They did the same to the Organization for the Prohibition of Chemical Weapons (OPCW), where after the Skripal Poisoning, Russia used Influence Operations to say that the poisoners were just tourists, and attempted to hack into the OPCW to see what they had, an attempt that was foiled by Dutch intelligence.</p><p>The idea here is what is known as <a href="https://warontherocks.com/2015/05/fighting-and-winning-in-the-gray-zone/">Grey Area Operations</a>. They are operations that utilize all available techniques, up to the threshold of war, without crossing it. These are what are sometimes called Shadow Wars, where you may not even be able to respond in a conventional sense to the conflict, but you may need to respond to prevent destabilization. 
For example, Russia backs Syria in the Syrian Civil War, which will make the conflict go on for longer, the longer conflict means more refugees to Europe, which fuels far-right politics, which destabilizes Europe.</p><p>The longer war also means that there is a conflict between religious groups such as Iranian backed Hezbollah, a Shia group, which is pitted against Saudi backed groups such as Jaysh al-Islam, who are Sunni. Both Iran and Saudi Arabia are using the conflict as one of several proxy wars they are using to fight each other in this Grey Area. Sticking with Syria, even though we are in theory moving away from oil and gas globally, there are still significant hydrocarbon deposits in the Middle East and attempts to recover these deposits are hampered by the various conflicts in the region, driving up energy prices.</p><p>It should though be noted, that just because I have listed a whole pile of bad things that are contributing to a horrendous humanitarian situation in the Middle East and unnecessary wars, that is only one side of the coin, the threat. As the former C at SIS, Sir Alex Younger notes, there is both a threat and an opportunity and spies love the ambiguity that Grey Area Operations give them access to;</p><!--kg-card-begin: markdown--><blockquote>
<p>&quot;There was a difference, call it prosaic, between peace and war; there was a difference between domestic and international; there was a difference between cyber and real, largely because cyber didn&#x2019;t exist,&#x201D; he explains. &#x201C;That&#x2019;s all blurred now and we&#x2019;ve got hybrid and ambiguity and conflict across the spectrum.&#x201D; Ambiguity is a fascinating concept for a chief spy, he admits with an edgy laugh, because it is both a threat and an opportunity: &#x201C;We are charged with dispelling ambiguity, but we also use ambiguity.&#x201D;<br>
<a href="https://www.ft.com/content/c544d058-6dad-4549-8319-470975281d0a">Roula Khalaf and Sir Alex Younger; &#x2018;The Russians did not create the things that divide us &#x2014; we did that&#x2019;</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>And this opportunity is best exemplified by US Intelligence essentially being dumped, fully analyzed and ready for dissemination, in the run-up to H-Hour in Ukraine. Just skimming my notes for the month of February, <a href="https://twitter.com/ralee85/status/1489767023060127744?s=21">the US began releasing troop estimates on the border with Ukraine</a>, dropping information about some of those units, <a href="https://twitter.com/michaeldweiss/status/1493278163455168512?t=FLChjv24TCfERyTUsPEwdQ&amp;s=19">such as that the mercenary group known as Wagner was deploying to Ukraine</a>, finally dropping what we all knew to be true, <a href="https://news.yahoo.com/us-intelligence-report-details-indirect-russian-government-support-for-western-neo-fascist-groups-233831082.html">that Russia was funding Neo Nazi and &apos;<em>Neo Fascist</em>&apos; groups around the world</a>, and <a href="https://www.cbsnews.com/news/russia-ukraine-invasion-us-intelligence-orders/">that Russian commanders were given the order to invade Ukraine</a>. All of this was done with the aim of preventing or, more likely, postponing the invasion, something that was likely effective, but we will have to wait a long time to learn this for sure.</p><!--kg-card-begin: markdown--><h2 id="legalities">Legalities</h2>
<!--kg-card-end: markdown--><p>I could spend forever on the legal issues around just the two words <em>&quot;Cyber Attack&quot;</em>, but I will spare you the details as that is my secret bore-you-to-death weapon. Ultimately, in legal terms, the relevant branch of law for all wars is International Law. Within International Law there is a branch that, depending on your perspective, you know as the Rules of War or the Law of Armed Conflict (LOAC); the other term for it is International Humanitarian Law (IHL).</p><p>Now a lot of people think that having Laws of War is dumb because we just shouldn&apos;t have war... And like... I would also like to live in the Land of Milk and Honey but... I know that realistically, war is something that will happen and, like many things in life, you buy insurance against the great evils we have seen in the past. And if any recent war Russia has been involved in is anything to go by, if you don&apos;t think we should have IHL, what I am hearing is that you are ok with absolutely grotesque War Crimes such as we have seen in Aleppo and Mariupol. </p><p>To understand simply why CNO opens the door to Grey Area Operations, you need to understand what it means to cross the Threshold of Armed Conflict. There is a whole process in the UN Charter about how states can legally enter a state of war, as generally speaking there is a prohibition on the threat or use of force, or <em>&quot;Uses of Force&quot;</em>;</p><!--kg-card-begin: markdown--><blockquote>
<p><strong>Article 2</strong><br>
4. All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.<br>
<a href="https://www.un.org/en/sections/un-charter/chapter-i/index.html">The UN Charter; Chapter I: Purposes and Principles</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Now Uses of Force are a complicated and vigorously debated topic, so in short, Using Force is to use military power: something that damages or destroys property or injures or kills people. I won&apos;t get into <em>Threats of Force</em> though. So if there is a general prohibition on war, you have very limited options for going to war. Firstly your aim must be consistent with the principles of the UN, so when Putin says that he is going to kill Nazis in Ukraine, what he is saying is not just an inspiring message to the homefront; Putin is also telling the world, in carefully crafted legalese, that they are going in to prevent humanitarian tragedies and/or Human Rights Violations. Now, this is preposterous, which is why Russia didn&apos;t take the first path to war;</p><!--kg-card-begin: markdown--><blockquote>
<p><strong>Article 41</strong><br>
The Security Council may decide what measures not involving the use of armed force are to be employed to give effect to its decisions, and it may call upon the Members of the United Nations to apply such measures. These may include complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations.</p>
</blockquote>
<blockquote>
<p><strong>Article 42</strong><br>
Should the Security Council consider that measures provided for in Article 41 would be inadequate or have proved to be inadequate, it may take such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security. Such action may include demonstrations, blockade, and other operations by air, sea, or land forces of Members of the United Nations.<br>
<a href="https://www.un.org/en/sections/un-charter/chapter-vii/index.html">The UN Charter; Chapter 7: Action with Respect to Threats to the Peace, Breaches of the Peace, And Acts of Aggression</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The other option available is the Article 51 minefield;</p><!--kg-card-begin: markdown--><blockquote>
<p><strong>Article 51</strong><br>
Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.<br>
<a href="https://www.un.org/en/sections/un-charter/chapter-vii/index.html">The UN Charter; Chapter 7: Action with Respect to Threats to the Peace, Breaches of the Peace, And Acts of Aggression</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Long story short, it states that you can go to war if you are attacked, or that you can be called into war because you are part of a collective defence agreement. Article 5 of NATO is generally the go-to for people, but there are also the signatories of the Common Security and Defence Policy in the European Union. There is also Article 107 of the UN Charter, or as I like to think of it, the &apos;Fuck the Axis&apos; clause, but that&apos;s not really relevant unless you want to dig really deep into the weeds. And from this, you should also note that what Putin is doing is an Illegal War.</p><p>If we go back to Clausewitz again, we can see that he defined one of the preeminent legal criteria for war, which he called Violence;</p><!--kg-card-begin: markdown--><blockquote>
<p>&#x2026;there is no known cyber attack that unequivocally meets Clausewitz&#x2019;s first criterion: violence. No cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building.<br>
<a href="https://doi.org/10.1080%2F01402390.2011.608939">Thomas Rid; Cyber War Will Not Take Place</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>We can get into arguments about TRITON/TRISIS being used to kill people, and that IF, and that is a BIG IF, it had worked, it would absolutely have been a Violent act. Or you could look at Stuxnet, where according to Kim Zetter, in her book Countdown to Zero Day, President Obama was shown pieces of a destroyed centrifuge, though while we know centrifuges were being replaced at Natanz thanks to the IAEA, we don&apos;t know if they were destroyed or damaged, or if removal was part of malware eradication. You could even look at the <a href="https://cyberlaw.ccdcoe.org/wiki/Steel_mill_in_Germany_(2014)">German Steel Mill incident in 2014</a> where apparently cyber warfare was used to destroy a Blast Furnace, but little is known about this incident in open sources. Ultimately, in open sources, we are unaware of cyber causing such effects.</p><p>This understanding that cyber has yet to have such an effect is so clear that even here in Ireland, where we are so far behind the times, Irish law recognises that Violence isn&apos;t something cyber is being used for, as in Irish law, Violence implies that an attack took place and caused some harm to someone or something. The Criminal Justice Act covering computer things only mentions the word Attack a single time, in the preamble, where it quotes the EU Directive that was the basis for the law;</p><!--kg-card-begin: markdown--><blockquote>
<p>An Act to give effect to certain provisions of Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on <strong>attacks</strong> against information systems and replacing Council Framework Decision 2005/222/JHA; for those and other purposes to amend the Criminal Damage Act 1991, the Bail Act 1997 and the Criminal Justice Act 2011; and to provide for related matters.<br>
<a href="https://www.irishstatutebook.ie/eli/2017/act/11/enacted/en/print.html">Tithe an Oireachtas; Criminal Justice (Offences Relating to Information Systems) Act 2017</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>If you take the time to read the law, you will also notice that all of the sections are related to how a hacker accessed data, such as access without authority, interception, or using passwords or tools to access the data without lawful authority. These complexities have led me to carry around a fun bit of text to deploy where needed, including sources;</p><!--kg-card-begin: markdown--><blockquote>
<p>Cyber Attacks are an internationally defined legal concept, whereby a Cyber Operation [1] is carried out by a Subject of International Law that is reasonably expected to cause injury or death to persons or damage or destruction to objects [2] [3].</p>
<p>A Cyber Operation is the use of cyber capabilities to totally or partially destroy, capture, or neutralize tangible objects such as computers, networks, and other infrastructure in cyberspace, which make an effective contribution to military action by their nature, location, purpose, or use [4]. This effort is made to link the attacks to existing Humanitarian Law, but also because existing law expects that the use of such a capability should have the same impacts and characteristics as a kinetic weapon [5]. This Cyber Operation must also be carried out by someone subject to international law, as not everyone is; these people are called Subjects of International Law. Subjects are limited to States, Entities Legally Proximate to States, Entities Recognized as Belligerents, International Administration of Territories Prior to Independence, and International Organizations [4]. Beyond this, Individuals, Corporations, Non-Self-Governing Peoples, and Entities Sui Generis can be Subjects in specific situations, such as Human Rights, Trade Law, National Liberation Movements, and the Roman Catholic Church respectively [6].</p>
<p>The criteria one should be looking for to identify a cyber intrusion as a Cyber Attack are;</p>
<p>&#x2753; Was there a Cyber Operation?<br>
&#x2753; Was such an intrusion reasonably expected to cause injury or death to persons or damage or destruction to objects?<br>
&#x2753; Was the intrusion carried out by an actor Subject to International Law?</p>
<ol>
<li>Schmitt, et al, 2018. Tallinn Manual 2.0. On the International Law Applicable to Cyber Operations. 1st ed. Cambridge: Cambridge University Press, pp.521.</li>
<li>Schmitt, M., 2013. Tallinn Manual on the International Law Applicable to Cyber Warfare. 1st ed. Cambridge: Cambridge University Press, pp.106-110.</li>
<li>Schmitt, et al, 2018. Tallinn Manual 2.0. On the International Law Applicable to Cyber Operations. 1st ed. Cambridge: Cambridge University Press, pp.415-420.</li>
<li>Schmitt, et al, 2018. Tallinn Manual 2.0. On the International Law Applicable to Cyber Operations. 1st ed. Cambridge: Cambridge University Press, pp.435-445.</li>
<li>Brown, G. and Metcalf, A., 2014. Easier Said Than Done: Legal Reviews of Cyber Weapons. Journal of National Security Law &amp; Policy, Vol 7(No 1).</li>
<li>Crawford, J. R., 2012. Brownlie&apos;s Principles of Public International Law. 8th ed. Oxford: Oxford University Press, pp.115-126.</li>
</ol>
</blockquote>
<!--kg-card-end: markdown--><p>Now we can quibble about whether taking an understanding of Cyber Law from the Tallinn Manual is an appropriate approach, but ultimately, under current legal understandings, Cyber, in the realm of military uses, is a deeply legal topic. The ultimate impact of these legalities has even led Thomas Rid to proclaim that Cyber War has not happened, isn&apos;t happening now and won&apos;t happen in the future;</p><!--kg-card-begin: markdown--><blockquote>
<p>Cyber war has never happened in the past. Cyber war does not take place in the present. And it is highly unlikely that cyber war will occur in the future. Instead, all past and present political cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage. That is improbable to change in the years ahead.<br>
<a href="https://doi.org/10.1080%2F01402390.2011.608939">Thomas Rid; Cyber War Will Not Take Place</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>What is also particularly prescient about this observation is that War is not a thing that takes place in a single domain of battle. Cyber is a form of warfare that can be utilized as seen fit by a military. In the Fifth Domain, the Information Domain, you can use Cyber to have impacts beyond the Information Domain, in Land, Sea, Air and Space, making it just one of a number of tools in a toolbox rather than the tool you use to fight a war.</p><!--kg-card-begin: markdown--><h4 id="the-subversive-trilemma">The Subversive Trilemma</h4>
<!--kg-card-end: markdown--><p>Rid talking about Cyber as a sophisticated version of Subversion is also worth examining, as <a href="https://direct.mit.edu/isec/article/46/2/51/107693/The-Subversive-Trilemma-Why-Cyber-Operations-Fall">a recent paper by Lennart Maschmeyer</a> makes clear that there are limiting factors that constrain not just the usefulness of Cyber, but also what Cyber is capable of. Maschmeyer defines the three variables as;</p><p><strong>Speed </strong>- The time taken from the start of the operation to the intended effect. Effective and secret reconnaissance takes time, as does the development of exploits for use against system vulnerabilities; using exploits at scale can take time if detection is to be avoided, and learning the systems and networks post-exploit takes time.</p><p><strong>Intensity </strong>- The severity of effects. Minimal system effects are relatively easy to attain, though they may not have the intended effect. Larger effects are another matter, such as what we could have seen with TRITON/TRISIS, <a href="https://subscriber.politicopro.com/article/eenews/1060123327">which could have caused the release of hydrogen sulfide gas that could have caused death or injury to people, or caused a failure of plant systems resulting in an explosion</a>.</p><p><strong>Control </strong>- The amount of control you have over a given system. Put simply, the more control you have over a system, the more commands you have to run on it, which in turn generates noise that can be detected, and alerts to analysts have a tendency to be acted upon.</p><p>These factors are negatively correlated, so if you prioritize one, the others are sacrificed, as can be seen from this diagram from Maschmeyer&apos;s paper;</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/04/isec_a_00418.figure.1.jpeg" class="kg-image" alt loading="lazy" width="1439" height="278" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/isec_a_00418.figure.1.jpeg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/isec_a_00418.figure.1.jpeg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/isec_a_00418.figure.1.jpeg 1439w"><figcaption><a href="https://direct.mit.edu/isec/article/46/2/51/107693/The-Subversive-Trilemma-Why-Cyber-Operations-Fall">NOTE: In each diagram, the dotted triangle shows how increasing one of these three variables tends to decrease the others compared with a given state in which all are balanced, which is represented by the solid triangle. Lennart Maschmeyer; The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations&#xA0;</a></figcaption></figure><p>If we were to compare, for example, the OLYMPIC GAMES program as a whole to recent events, we can learn a lot about how this pans out in practice. OLYMPIC GAMES was a project spanning 5 years, maybe more, and costing approximately a billion US Dollars, and over that time produced two pieces of malware, possibly three. The third is Stuxnet for North Korea, about which very little is known.
The two main pieces are Stuxnet 0.500 and Stuxnet 1.001, and the subsequent patches, 1.100 and 1.101.</p><p>Stuxnet 0.500 was developed using a replica of the Natanz Enrichment Facility at the Y-12 National Security Facility, where the aim was to create malware that lived on the PLCs that controlled the centrifuges&apos; feed and dump systems rather than the centrifuges themselves. It would feed excess gas into the systems, which caused excess pressure and forced the system to dump the gas to be enriched into a waste tank, leading to next to no enrichment taking place. Development started in 2005 and it was deployed in approximately 2007, where it ran for a period of time, <a href="https://foreignpolicy.com/2013/11/19/stuxnets-secret-twin/">lying undiscovered until 2013</a>. It ran without any C2 whatsoever, which limited control and had the ultimate effect of just slowing the enrichment process. Stuxnet 0.500 had a slow operational speed with limited control, but massive effects.</p><p>Stuxnet 1.001 is the version of Stuxnet that everyone is familiar with. Development started in approximately 2007 with the aim of having more control over the virus, so that the US could react to Iranian actions rather than deploying the malware and then not having malware present when systems were replaced. 1.001 was also intended to have larger effects, something the replica facility was used to test, where Kim Zetter in her book Countdown to Zero Day mentions that President Obama was shown pieces of a destroyed centrifuge.</p><p>Initially, 1.001 was slower moving than expected, and with the progress being made deemed unsatisfactory, the C2 that was in place was used to patch Stuxnet to the 1.100 variant, which is the variant most people are familiar with. This patch is the one that sent Stuxnet into overdrive and turned it into a massive news story that scared people.
It was quickly patched to the 1.101 variant, which was more controlled and careful, but it was too late at that stage and the cat was out of the bag. In attempting to have more control and more intense effects for the same operational speed, Stuxnet made too much noise and was detected. Most likely it was deemed to be an operational failure, though probably a strategic victory, as it did lead Iran to come to the negotiating table to discuss what became the JCPOA.</p><p>If we look at Russia and their offensive in Ukraine, the offensive operation was approved on the 18th of January, to take place on the 20th of February. This was likely delayed several days to allow units to arrive from the Eastern Military District, and also at the behest of China, to allow the Winter Olympics to finish and for China to have their propaganda victory. US influence operations dumping details of Russian plans, as covered previously, along with Ukrainian Intelligence publishing intercepts on YouTube, probably also delayed the operation until the 24th. Given the defensive efforts, which I will come back to later, this gave Russia a month to prepare not just operational plans for Land, Sea and Air attacks, but also for Cyber Attacks too. This is likely why we see the use of low-effort techniques such as website defacements, DDoS or Wipers in use.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Leaked document from Russian troops showing war against Ukraine was approved on 18th January, and initial plan to seize Ukraine starting 20th Feb to 06th March <a href="https://t.co/KG2j0Pwqat">https://t.co/KG2j0Pwqat</a>  <a href="https://twitter.com/hashtag/Ukraine?src=hash&amp;ref_src=twsrc%5Etfw">#Ukraine</a> <a href="https://t.co/NlhnyBTJCv">pic.twitter.com/NlhnyBTJCv</a></p>&#x2014; Liveuamap (@Liveuamap) <a href="https://twitter.com/Liveuamap/status/1499052878954172418?ref_src=twsrc%5Etfw">March 2, 2022</a></blockquote>
</figure><!--kg-card-begin: markdown--><h4 id="war-criming">War Criming</h4>
<!--kg-card-end: markdown--><p>Now, this is complicated, and I have tried to get in contact with Ms Oonah McCrann SC, who is the JAG for Ireland, and I have also tried to consult with James Creedon CJA, who is the Wonk&apos;s go-to lawyer for Military Justice issues, but sadly, I have not gotten a definitive answer. Yet!</p><p>When I was delivering my version of this talk to the ICSPD Community, I wanted to discuss the fun little element of the possibility of War Crimes being committed by hacktivists. As I mentioned previously, International Law is the relevant law in the conflict between states, not local criminal law, so the presence of an IT Army for Ukraine in a Telegram group could be problematic.</p><p>Initially, I was under the impression that Article 43 of Protocol 1 of the Protocol Additional to the Geneva Conventions would matter a lot here, as the IT Army could easily meet the criteria laid out in the law;</p><!--kg-card-begin: markdown--><blockquote>
<p>The armed forces of a Party to a conflict consist of all organized armed forces, groups and units which are under a command responsible to that Party for the conduct of its subordinates, even if that Party is represented by a government or an authority not recognized by an adverse Party. Such armed forces shall be subject to an internal disciplinary system which, &apos; inter alia &apos;, shall enforce compliance with the rules of international law applicable in armed conflict.<br>
<a href="https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Article.xsp?action=openDocument&amp;documentId=AF64638EB5530E58C12563CD0051DB93">ICRC; Treaties, States Parties and Commentaries; Armed Forces</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>My assumption was that, while the IT Army is recruited via Twitter and targeting data is given out via Telegram, it would be considered an Organized Unit (The IT Army) that is Subordinate to a Command of a Party to the Conflict (Government of Ukraine via Telegram), and that there is a disciplinary system in place (The Judiciary of Ukraine). This would allow them Prisoner of War status in the conflict. Though a recent paper from the CCDCOE states otherwise;</p><!--kg-card-begin: markdown--><blockquote>
<p>... the IT Army will not be viewed as an organised armed group to determine combatant status, and so many of the questions relating to combat and the different forms of civilian participation matter greatly. For instance, although the privilege of being treated as a POW might not hold much significance for a cyber fighter, other aspects such as becoming a legitimate military target and having limited legal immunity from criminal prosecution might become very important.<br>
<a href="https://ccdcoe.org/library/publications/cyber-vigilantism-in-support-of-ukraine-a-legal-analysis/">Ann V&#xE4;ljataga; Cyber vigilantism in support of Ukraine: a legal analysis; CCDCOE Law Library</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Now this throws my entire argument into jeopardy, but I didn&apos;t want to talk about the IT Army. I think it&apos;s pretty boring and really just an outlet for the Script Kiddies out there and maybe a few solid hackers, <a href="https://twitter.com/KyivIndependent/status/1514710774710779914?s=20&amp;t=-2zII1fLnF02EX1V8eHzpg">but they can join the SBU in wartime</a>, so that is probably a better outlet as that&apos;s a place to accomplish real goals.</p><p>What I did want to talk about was Conti though! Conti made a really interesting post, which you can view here via <a href="https://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion.ly/uImgrfqk_WARNING">onion.ly</a>. Essentially, Conti made a statement that they &quot;condemn the ongoing war&quot;, but that if they see the US participating in &quot;Cyber Warfare&quot; against Russian critical infrastructure, they will be unilaterally entering the war and will &quot;deliver retaliatory measures&quot;. This would firmly place them outside Article 43 of Protocol 1 of the Protocol Additional to the Geneva Conventions, but since that isn&apos;t relevant anymore, it would fully render them Unlawful Combatants, a nasty status to have bestowed upon one;</p><!--kg-card-begin: markdown--><blockquote>
<p>Unlawful combatants are subject to capture and detention, but in addition they can be tried and punished in a trial of the capturing party&apos;s choice, including Military Tribunal to render judgement on their belligerency<br>
<a href="https://www.uio.no/studier/emner/jus/humanrights/HUMR5503/h09/undervisningsmateriale/ingrid_detter.pdf">Ingrid Detter; The Law of War and Illegal Combatants; pp 1063</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>So... If Conti were to unilaterally enter the conflict, could they be treated as Unlawful Combatants, have a Military Tribunal in absentia, and have punishment rendered? Where the punishment could be a death penalty and have Conti be... Say... Drone strike-ed? I would love to know and if possible, have this taken care of quickly!</p><!--kg-card-begin: markdown--><h2 id="perceptions">Perceptions</h2>
<!--kg-card-end: markdown--><p>Once preparations for the offensive became crystal clear, we started to see the use of Cyber in Ukrainian Government websites being defaced and Belarusian Cyber Partisans ransoming ticket machines. Adam Boileau remarked on Risky Biz that;</p><!--kg-card-begin: markdown--><blockquote>
<p>&#x2026; it&#x2019;s not the cyber war we were promised.<br>
<a href="https://doi.org/10.1080%2F01402390.2011.608939">Patrick Gray and Adam Boileau; Risky Biz 652; 00:05:10</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>And I think this is where the real problem comes in for understanding the use of Cyber during wars. People have a certain picture of what the <em>Cyber Warrior</em> should look like and that they should run around firing cyber bullets, all pew pew pew! They imagine something like this;</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/04/1500x500-1-.jpg" class="kg-image" alt loading="lazy" width="1500" height="500" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/1500x500-1-.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/1500x500-1-.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/1500x500-1-.jpg 1500w"><figcaption><a href="https://twitter.com/780thC">Twitter background image for the US Army&apos;s 780th Military Intelligence Brigade</a></figcaption></figure><p>These are a pile of people in camo, resting trigger fingers on the finger guards of their rifles, I mean keyboards. They hold the keyboards like rifles; one dude even has the keyboard on a USB cable sling around his neck. The problem with this is that new forms of warfare just don&apos;t pop into existence; they tend to have long lineages, where you can look back at the history of a given form of warfare and learn a lot about today from how these forms of warfare evolved.</p><p>If we were to look at Naval Warfare, for example, most people have in their mind&apos;s eye something like an Iowa class Battleship firing shells that weigh as much as a Volkswagen Golf 30 nautical miles, with explosives that weigh as much as a grand piano.
Or they imagine a more modern guided missile destroyer, such as an Arleigh Burke class Destroyer, firing piles of missiles off over the horizon to hit stuff they can only see on radar, or know is there because they have other sensors informing them that there is stuff there to blow up.</p><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture1-2.jpg" width="2000" height="1573" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture1-2.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture1-2.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/Picture1-2.jpg 1600w, https://blog.cyberwarfa.re/content/images/2022/04/Picture1-2.jpg 2098w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture2-4.jpg" width="1081" height="721" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture2-4.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture2-4.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture2-4.jpg 1081w" sizes="(min-width: 720px) 720px"></div></div></div></figure><p>But if you look back at the history of naval warfare, you don&apos;t really get this long range fire concept we have today. Naval Warfare originated in Ancient Egypt, where 4000 years ago someone had the bright idea that if you couldn&apos;t win on the land, you could cause havoc by going around your adversary and attacking or raiding their rear, by building ships to carry troops down waterways. The result of this is what we know today as Galleys, or more popularly the type of Galley known as a Trireme.
These vessels were basically ships propelled by oars with a platform on top of them where you could have soldiers. In effect what was created was land, on a boat, so you could have a land battle at sea. You ram your adversary so that you can board their ship and have a battle for control of their ship.</p><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture3.jpg" class="kg-image" alt loading="lazy" width="790" height="540" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture3.jpg 600w, https://blog.cyberwarfa.re/content/images/2022/04/Picture3.jpg 790w"></figure><p>We see a similar problem with how people think about modern Aerial Warfare where people think about big expensive projects like modern stealth aircraft such as this F-22 with an unusual camouflage scheme made of metallic plates or aircraft such as the unbelievably gorgeous F-117 Nighthawk.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture4-1.jpg" width="1280" height="720" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture4-1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture4-1.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture4-1.jpg 1280w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/f-117.jpg" width="1500" height="1000" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/f-117.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/f-117.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/f-117.jpg 1500w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>F-22 image from <a 
href="https://www.thedrive.com/the-war-zone/43228/f-22-raptor-covered-in-mirror-like-coating-photographed-flying-out-of-nellis-afb">here</a> and F-117 image from <a href="https://www.thedrive.com/the-war-zone/41642/f-117-aggressors-photographed-low-over-the-nevada-desert-during-red-flag-war-games">here</a></figcaption></figure><p>Aerial Warfare experiments started before World War 1 to see what was and was not possible, and ultimately resulted in a lot of ideas that have stuck around until today, the best example of which is bombing. Though unlike what people think of when they see World War 2 bombers carpet bombing cities using the Norden Bombsight, you have some guy, in a flimsy cloth and balsa wood plane, aiming with the Mk 1 Human Eyeball and basically chucking modified hand grenades out of the plane, such as this example of a 20 lb Hales Bomb;</p><figure class="kg-card kg-image-card kg-width-wide"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture5.jpg" class="kg-image" alt loading="lazy" width="1082" height="720" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture5.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture5.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture5.jpg 1082w"></figure><p>Even though Clausewitz was long dead by World War 1, this kind of creation and change in warfare throughout history is what led him to claim that;</p><!--kg-card-begin: markdown--><blockquote>
<p>Every age has its own kind of war, its own limiting conditions, and its own peculiar preconceptions.<br>
<a href="https://doi.org/10.1080%2F01402390.2011.608939">Carl von Clausewitz; On War; pp 593</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The finest modern example we have today is that of the French Cuirassier. These were a type of highly mobile light Cavalry unit that was intended to fight with sabre and firearm, either on horseback or dismounted as needs be, and were famous for having not just horsehair helmets but also breastplates like knights of old. At the start of World War 1, they rode into battle in not just their shiny armour, but their brightly coloured uniforms, like a unit from a bygone era, and in the face of machine gun fire, they didn&apos;t fare well.</p><figure class="kg-card kg-image-card kg-width-wide"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture8.jpg" class="kg-image" alt loading="lazy" width="1136" height="720" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture8.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture8.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture8.jpg 1136w"></figure><p>But the idea of having a unit that can fight both mounted and dismounted with a range of weapons is not an idea that is dead and gone, and not just that, the unit still exists today as the 12e R&#xE9;giment de Cuirassiers. They have been Peace Keeping and performing Counter Insurgency Operations in Mali, as well as training with NATO allies in recent years, having exchanged their horses for Steel Beasts.
The mode of warfare changed drastically, but the concept of Cuirassier, infantry that fights mounted and dismounted, has arguably become modern infantry tactics.</p><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture6.jpg" width="1080" height="720" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture6.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture6.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture6.jpg 1080w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture7-1.jpg" width="1080" height="718" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture7-1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture7-1.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture7-1.jpg 1080w" sizes="(min-width: 720px) 720px"></div></div></div></figure><!--kg-card-begin: markdown--><h1 id="the-preconceptions-limitations-of-information-warfare">The Preconceptions &amp; Limitations of Information Warfare</h1>
<!--kg-card-end: markdown--><p>If we then want to think as militaries do about how they intend to use Cyber, what we need to do is look to the past and see what Information Warfare was before computers or Cyber and then see how these preconceptions limit what Information Warfare can be used to accomplish.</p><!--kg-card-begin: markdown--><h2 id="preconceptions">Preconceptions</h2>
<!--kg-card-end: markdown--><p>When most people think of Sun Tzu and his book The Art of War, they think that he was a strategic genius. Though to me, he is the first information warrior. His book is broken into 13 chapters, which are then subdivided into skills or <em>arts</em> one must learn to master that area of warfare. In a little bit, I will be discussing WayPoint 2028, which is how the US Army intends to fight wars from 2028 onwards. As part of this, one of the new units they will be deploying is the Theater Information Advantage Element, whose goal is to;</p><!--kg-card-begin: markdown--><blockquote>
<p>... provide enhanced non lethal capabilities, conduct information warfare protect friendly information and inform and influence activities ... though forward postured persistently engaged ...<br>
<a href="https://youtu.be/OUZp01CjdiI?t=315">Army University Press; WayPoint in 2028 &#x2013; Multidomain Operations</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>What the US is saying is that they will be protecting friendly information, or Operational Security (OPSEC), and they will be performing influence activities, which could be any number of things from Deception Operations to Psychological Operations (PSYOPS). And these are things Sun Tzu has ideas about, from 2500 years ago, that are still relevant today. For example on OPSEC;</p><!--kg-card-begin: markdown--><blockquote>
<p>Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.<br>
<a href="http://classics.mit.edu/Tzu/artwar.html">Sun Tzu; Art of War; Ch 1 Art 19</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>On Deception Operations;</p><!--kg-card-begin: markdown--><blockquote>
<p>Hold out baits to entice the enemy. Feign disorder, and crush him.<br>
<a href="http://classics.mit.edu/Tzu/artwar.html">Sun Tzu; Art of War; Ch 1 Art 20</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>On PSYOPS;</p><!--kg-card-begin: markdown--><blockquote>
<p>If your opponent is of choleric temper, seek to irritate him. Pretend to be weak, that he may grow arrogant.<br>
<a href="http://classics.mit.edu/Tzu/artwar.html">Sun Tzu; Art of War; Ch 1 Art 22</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>These are only from the first chapter of the Lionel Giles translation from 1910 and may be out of date, but what I want to get across is that, for such generic examples, Sun Tzu was thinking about the major problems of today 2500 years ago. And I do mean generic; these could be applied prior to Information Warfare as we know it today, but Sun Tzu was just the seed that grew a tree.</p><p>Between Sun Tzu and our next character, the Islamic polymath Abu Y&#x16B;suf Ya&#x2BB;q&#x16B;b ibn &#x2BC;Is&#x1E25;&#x101;q a&#x1E63;-&#x1E62;abb&#x101;&#x1E25; al-Kind&#x12B;, or just Al-Kindi, all sorts of things were tried that birthed Encryption. We saw the first substitution cipher, the Atbash cipher, which replaced the first letter of the alphabet with the last, the second with the second last and so on, and we saw the first transposition cipher, where parchment was wrapped around a Scytale. When the parchment is read normally it is a garbled mess, but when wrapped around a Scytale the message can easily be read off it. Al-Kindi&apos;s contemporary, Al-Khalil, who introduced Algebra to the world, created polyalphabetic ciphers.</p><p>Up to this point, the only way to break encryption was to get at the plain text one way or another, such as learning the keying used in the Atbash cipher, or recovering the right Scytale to wrap the parchment around. Al-Kindi understood that some letters are used more than others, and that this could be used to break ciphers: replace the most common letter in the ciphertext with the most common letter of the alphabet, or the most common words in a language, and see whether a plain text emerges. This was something he was able to do thanks to Al-Khalil.</p><p>This was the creation of cryptanalysis, and it wasn&apos;t just frequency analysis that Al-Kindi discovered. 
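</p><p>As an added illustration of the substitution, transposition and frequency-analysis ideas above (example code written for this post, not from the original), the Python below applies Al-Kindi&apos;s method to the Sun Tzu passage quoted earlier: a substitution cipher (Atbash) keeps the skewed letter frequencies of English, so its most common ciphertext letter can be guessed to be &apos;e&apos;, while a transposition cipher (the Scytale) leaves the frequency profile untouched, which itself tells the analyst which kind of cipher they are looking at. The English frequency ordering used is a textbook one and is an assumption, not part of the original.</p>

```python
from collections import Counter
import string

# Textbook ordering of English letters from most to least common (assumed;
# the exact order varies by corpus, but 'e' is reliably first).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Sample plaintext: the Sun Tzu passage quoted in the post (constructed input).
SAMPLE = ("hence, when able to attack, we must seem unable; when using our forces, "
          "we must seem inactive; when we are near, we must make the enemy believe "
          "we are far away; when far away, we must make him believe we are near.")


def atbash(text):
    """Substitution cipher: a<->z, b<->y, ... (it is its own inverse)."""
    table = str.maketrans(string.ascii_lowercase, string.ascii_lowercase[::-1])
    return text.lower().translate(table)


def scytale_encrypt(text, faces):
    """Transposition cipher: write the text around a rod with `faces` sides
    (one character per side per turn) and read it off side by side."""
    return "".join(text[i::faces] for i in range(faces))


def scytale_decrypt(ciphertext, faces):
    """Invert scytale_encrypt for a rod with the same number of faces."""
    n = len(ciphertext)
    lengths = [len(range(i, n, faces)) for i in range(faces)]
    columns, pos = [], 0
    for length in lengths:
        columns.append(ciphertext[pos:pos + length])
        pos += length
    plain = []
    for turn in range(lengths[0]):
        for column in columns:
            if turn < len(column):
                plain.append(column[turn])
    return "".join(plain)


def letter_frequencies(text):
    """Count only letters, ignoring case, spaces and punctuation."""
    return Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)


def frequency_guess(ciphertext, reference=ENGLISH_ORDER):
    """Al-Kindi's first step: rank ciphertext letters by frequency and pair
    them with the reference ranking. Returns {cipher_letter: plaintext_guess}."""
    counts = letter_frequencies(ciphertext)
    ranked = sorted(counts, key=lambda c: (-counts[c], c))
    return {cipher: reference[i] for i, cipher in enumerate(ranked)}


def apply_guess(ciphertext, guess):
    """Rewrite the ciphertext with the guessed mapping; other characters stay."""
    return "".join(guess.get(ch, ch) for ch in ciphertext.lower())


def likely_transposition(ciphertext, reference=ENGLISH_ORDER, top=1):
    """If the most common ciphertext letters are exactly the most common English
    letters, the letters were probably moved around rather than replaced."""
    guess = frequency_guess(ciphertext, reference)
    return all(guess.get(letter) == letter for letter in reference[:top])


def correct_letters(guess, true_key):
    """How many guessed substitutions match the real key (scoring only)."""
    return sum(1 for c, p in guess.items() if true_key.get(c) == p)


if __name__ == "__main__":
    substituted = atbash(SAMPLE)
    transposed = scytale_encrypt(SAMPLE, 5)
    guess = frequency_guess(substituted)
    true_key = {atbash(c): c for c in string.ascii_lowercase}
    print("atbash ciphertext :", substituted[:40], "...")
    print("first guess       :", apply_guess(substituted, guess)[:40], "...")
    print("letters right     :", correct_letters(guess, true_key), "of 26")
    print("scytale looks transposed:", likely_transposition(transposed))
```

Only the most frequent letter or two come out right from frequency counts alone; the rest is the word-level guessing the paragraph above describes.
<p>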
He came up with techniques to break some kinds of polyalphabetic ciphers and ways to classify ciphers, not to mention being a foundational scholar of Islamic Philosophy, being one of the first, if not the first, to understand light and optics, and popularizing the Indian Numerals we use today.</p><p>Between Al-Khalil and the next cast of characters at Room 40, lots of things of note happened, such as cryptography making it to Japan in the 1500s and the French creating le Grand Chiffre, a substitution cipher that, rather than substituting letters for other letters, substituted French syllables for numbers, which could be referenced in a table. It was thought to be uncrackable after the tables were lost, until &#xC9;tienne Bazeries broke it in 1893. And now you know that Mads Mikkelsen&apos;s rad character in Casino Royale, le Chiffre, was called the Cipher...</p><p>Anyway, Room 40 is an interesting bunch. <a href="https://youtu.be/z84AwLIfqAI">Naval historiographer Drachinifel described them as a headteacher, a book publisher, a translator of theological works, a naval instructor, a barrister and a scientist</a>. These people were so much more than that though! Room 40 isn&apos;t responsible for the birth of Signals Intelligence; after all, the British had been using their near monopoly on cables and radio stations to transmit telegrams and diplomatic cables for decades at this point. What they did that was important was that they <em>fused</em> data. They brought together intercepted signals and cryptanalysis, and this was the real magic.</p><p>Room 40 was set up just after the start of World War I with the specific intent of cracking German ciphers, and by the end of 1914 they had all three of Germany&apos;s major codebooks: the SKM, the HVB and the VB. These codebooks were all used for naval communications and worked by having lists of possible orders or words that could be used to create a message to send. 
Each order or word would be given a numeric or alphanumeric code, which is what was transmitted via Morse Code.</p><p>These cracked codes allowed the British to achieve two major events in Information Warfare. The first was at the Battle of Jutland, where early warning of a massive German deployment of ships from Wilhelmshaven allowed the Royal Navy to position their ships so that they could bring all their guns to bear on the German ships with withering fire, and with the setting sun behind them so that they were black dots that were hard to see and gather gunnery data on. While this seems like a sure victory, the Battle of Jutland was ultimately inconclusive, as the British had a fatal flaw in their ammunition handling procedures that led to multiple ships completely exploding, as well as poor shell design that didn&apos;t penetrate targets but exploded on the armour belt.</p><p>The other major event was the Zimmermann Telegram. Germany was sending some diplomatic traffic over US cables, as their own cables were cut on day one of the war. But the cable from Europe to the US went via the UK, at a site today known as GCHQ Bude, where the UK was able to intercept this traffic. The German State Secretary for Foreign Affairs, Arthur Zimmermann, sent a cable to Mexico informing them of Germany&apos;s intent to start <em>Unrestricted Submarine Warfare</em>. At the time it was a huge deal, less so today, but the US had drawn a hard red line under Unrestricted Submarine Warfare and would get involved on the side of the Entente in WWI if Germany chose to pursue this idea. 
To throw a spanner in the works, Zimmermann was inviting Mexico to join the war on the side of the Central Powers, and promised Mexico territory lost to the US in the preceding decades, such as Texas, New Mexico and Arizona.</p><p>Mexico declined this offer, as by the time they had the opportunity to reply the British had publicized the story, though their story was that British agents in Mexico had stolen the telegram, when in fact they had cracked the diplomatic codes being used and decrypted the intercept. This kept Mexico out of the war, Germany isolated and the world&apos;s largest economy on the side of the Entente. It should be noted though that it&apos;s not crazy to think that Mexico could have entered the war. After all, just 3 years prior the US had invaded Veracruz, the US was funding arms sales to anyone who rivalled Francisco &quot;Pancho&quot; Villa, and on the subject of Villa, the US had a decade long <em>Expedition</em> to capture Villa that included totally not invading Mexico and going at least 500 miles South of the US border.</p><p>This wasn&apos;t the only major breakthrough that Room 40 gave us. They also hit upon the idea of Radio Direction Finding, whereby, by turning the island of Great Britain into effectively a giant antenna, they were able to detect and locate transmissions made by German ships. You see, long distance radio transmission is a matter of power. The more power your transmitter uses, the further it can send signals. And the Germans only operated at full power. They could easily be heard from the UK. With the aid of spherical trigonometry, using the Spherical Cosine Law, you can pretty accurately locate where a signal emanates from. 
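</p><p>As an added worked example of the cross-bearing fix just described (my own code for this post&apos;s topic, not from the original), two direction-finding stations each report a great-circle bearing to a transmitter; the fix is the intersection of the two great circles, and the Spherical Cosine Law gives the distance between the fix and the true position. It goes one step beyond the text by showing how a one degree bearing error at one station moves the fix. Station and transmitter coordinates are constructed test values, not historical station positions.</p>

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius, adequate for a DF fix


def to_vec(lat_deg, lon_deg):
    """Unit vector on the sphere for a latitude/longitude in degrees."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    return (math.cos(lat) * math.cos(lon), math.cos(lat) * math.sin(lon), math.sin(lat))


def to_latlon(v):
    x, y, z = v
    return math.degrees(math.atan2(z, math.hypot(x, y))), math.degrees(math.atan2(y, x))


def cross(a, b):
    return (a[1] * b[2] - a[2] * b[1], a[2] * b[0] - a[0] * b[2], a[0] * b[1] - a[1] * b[0])


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2]


def unit(v):
    n = math.sqrt(dot(v, v))
    return (v[0] / n, v[1] / n, v[2] / n)


def initial_bearing(lat1, lon1, lat2, lon2):
    """Great-circle bearing from point 1 towards point 2, degrees clockwise from north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(y, x)) % 360.0


def line_of_bearing(lat, lon, bearing_deg):
    """Return (normal, direction): the normal of the great circle leaving the
    station along the bearing, and the unit tangent pointing along it."""
    p = to_vec(lat, lon)
    la, lo, b = math.radians(lat), math.radians(lon), math.radians(bearing_deg)
    east = (-math.sin(lo), math.cos(lo), 0.0)
    north = (-math.sin(la) * math.cos(lo), -math.sin(la) * math.sin(lo), math.cos(la))
    d = tuple(north[i] * math.cos(b) + east[i] * math.sin(b) for i in range(3))
    return unit(cross(p, d)), d


def cross_bearing_fix(station_a, bearing_a, station_b, bearing_b):
    """Intersect two lines of bearing. Great circles meet at two antipodal
    points; keep the one that lies ahead of both stations along their bearings.
    Returns (lat, lon), or None when the bearings do not converge on a point."""
    na, da = line_of_bearing(*station_a, bearing_a)
    nb, db = line_of_bearing(*station_b, bearing_b)
    c = cross(na, nb)
    if dot(c, c) < 1e-12:
        return None  # both stations and the target lie on one great circle
    for candidate in (unit(c), tuple(-x for x in unit(c))):
        if dot(candidate, da) > 0 and dot(candidate, db) > 0:
            return to_latlon(candidate)
    return None  # the two bearings diverge: nothing in front of both stations


def spherical_cosine_distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance via the spherical law of cosines."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    c = math.sin(p1) * math.sin(p2) + math.cos(p1) * math.cos(p2) * math.cos(dl)
    return EARTH_RADIUS_KM * math.acos(max(-1.0, min(1.0, c)))


# Constructed scenario: two stations on the British east coast and one
# transmitter out in the North Sea. These are test values, not historical ones.
STATION_A = (58.0, -3.0)
STATION_B = (51.0, 1.0)
TRANSMITTER = (55.0, 5.0)


def fix_error_km(bearing_error_a_deg=0.0):
    """Take exact bearings from both stations, optionally corrupt station A's
    bearing, run the fix and return its distance from the true transmitter."""
    ba = initial_bearing(*STATION_A, *TRANSMITTER) + bearing_error_a_deg
    bb = initial_bearing(*STATION_B, *TRANSMITTER)
    fix = cross_bearing_fix(STATION_A, ba, STATION_B, bb)
    return spherical_cosine_distance_km(*fix, *TRANSMITTER)


if __name__ == "__main__":
    print("exact bearings: fix error %.4f km" % fix_error_km())
    print("1 degree error at station A: fix error %.1f km" % fix_error_km(1.0))
```
<p>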
Room 40 got so good at this that they stopped decrypting certain transmissions, as they knew they related to minefields and could plot the locations of German minefields with great accuracy from direction finding alone.</p><p>Room 40 ultimately became the Government Code and Cypher School, or GC&amp;CS, and was based at a little place you may have heard of called Bletchley Park, ultimately becoming an organisation you also may have heard of called GCHQ.</p><p>Post World War I there was a nearly unbelievable run of inventions and discoveries that led to mechanical encryption, mechanical cryptanalysis, the massive proliferation of signal generating equipment like telephones, all sorts of wireless communication for the everyday person in the street and the birth of digital computing, but to just skim how we got to today, there are really only two things left on the list of preconceptions in Information Warfare: the work of Claude Shannon and the idea of communication as a mathematical concept, and how this allows not just the entire concept of Electronic Warfare (EW) but, more importantly for how people think about Cyber Warfare, the birth of Electronic Attack.</p><p>While you could argue that the Royal Navy getting a warning that the German Navy had left port, and attacking them on that basis, is an Electronic Attack, it isn&apos;t really, as the platform, such as Admiral Jellicoe&apos;s flagship HMS Iron Duke at Jutland, isn&apos;t collecting data on the Electromagnetic (EM) Spectrum and then attacking based on that. In World War 2, the UK would widely deploy their ASDIC system, which today we know as sonar, in combination with the Radio Direction Finding that Room 40 developed, to allow the Royal Navy to locate and home in on Nazi U-Boats and drop depth charges or early forms of acoustic homing torpedoes. 
This concept of allowing platforms to gather data on, and deploy weapons against, targets that are only detected in the EM Spectrum opens up a whole new world to fight in.</p><p>The UK was not the only side playing around in these early stages of Electronic Warfare; in fact, all the major powers in World War 2 were playing with EW. The one to watch though, that&apos;s gotta be Japan! During the Battle of Singapore, several Hawker Hurricane fighters were ditched, but in good shape, and were later captured, <a href="https://j-aircraft.com/captured/capturedby/hurricane/captured_hurricane.htm">specifically that of Squadron Leader Richard &quot;Ricky&quot; Brooker, whose Hurricane, BE 208, was later restored and flown by Japan in 1943</a>. These Hurricanes had a feature called Identify Friend or Foe (IFF), which allowed radar operators to distinguish friendly aircraft from enemy aircraft. This system went on to be used on ships as well as on aircraft so that the Allies could detect friendlies across the board.</p><p>Japan had an air search radar that on the ground was called a Type 12 and aboard ships was called a Type 21, and it operated in the range that the IFF system would respond to radar pulses in. This response to pinging from enemy sources would make this maybe the first case in history of <a href="https://cwe.mitre.org/data/definitions/284.html">CWE-284: Improper Access Control</a>. If you believe this, as I do, it would also make this maybe the first instance of Cyber Warfare in history! And not just that, it would also be using what are undeniably modern attacker techniques.</p><p>Now, the scuttlebutt here is a little speculative, I don&apos;t have all the links in the chain, but it&apos;s a great story if it&apos;s true! 
Japan also operated the Tachi 35 Height Finding Radar, and with a bearing and range from the Air Search Radar, Japan could figure out if something was a ship, or if it was a plane and by tracking movements and watching changes over time, you could build patterns and use those patterns to say, identify an Aircraft Carrier, in 3D space and <a href="https://maritime.org/doc/radar/part2.htm#pg9">do it to within as small a window as 1 mile</a>.</p><p>I say 1 mile because the ping you get back isn&apos;t a little tiny response, it&apos;s a large wideband signal you get back, and because this is the case, you potentially can hide in this band, which is how I believe that Japan targeted the USS Bunker Hill, by utilizing the US&apos; inability to see his plane in the natural camouflage of clouds and the concealment on the EM Spectrum provided by friendly US Aircraft;</p><!--kg-card-begin: markdown--><blockquote>
<p>Japanese Sub Lt. (j.g.) Yasunori Seiz&#x14D; piloted a Zero that went undetected by radar and emerged from the low broken clouds on Bunker Hill&#x2019;s starboard quarter.<br>
<a href="https://www.history.navy.mil/research/histories/ship-histories/danfs/b/bunker-hill-i.html">Naval History and Heritage Command; Bunker Hill I (CV-17)</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Now, one kamikaze getting in would be a fluke, but 30 seconds later there was a second undetected kamikaze, and then a little later there was a third. In maybe as little as a minute, there were three kamikaze attacks on Bunker Hill. I am a firm believer that coincidences don&apos;t just happen, and while this was on the 11th of May 1945, I can see this as being a test of Japan&apos;s ability to perform kamikaze attacks on US carriers.</p><p>This isn&apos;t the only thing Japan was working on along these lines. They were developing something called a <a href="https://apps.dtic.mil/sti/pdfs/AD0895893.pdf">HAMA 63 Foe Aircraft Locator, which the US Army Air Force described as an Interception Computer (pdf pages 90-92)</a>, and which was effectively a new type of entirely electronic and automated Ground-Controlled Interception (GCI) system, radically different from what the British, for example, were operating. It is also possible that it was a very early form of Airborne Warning and Control System (AWACS), where an airborne radar plane could be used to identify Allied aircraft and have other aircraft in its formation target them.</p><p>Finally, if we look forward to the near future, I mentioned the <a href="https://youtu.be/OUZp01CjdiI?t=263">US Army&apos;s WayPoint 2028 doctrine</a>. This is generally interesting to me for a lot of reasons, but on the Information Warfare aspects of it I want to point out a few things. First is that in the Perceptions section I mentioned that you can use Cyber to have impacts beyond the Information Domain, in Land, Sea, Air and in Space. This is how militaries think about weapons systems. You don&apos;t have a missile that you can only use to blow up a Frigate, or a shell you can only use to blow up a tank. The missile is an Anti Ship Missile and can target all ships and maybe more. 
Tank shells can blow up helicopters and armoured personnel carriers as well as tanks.</p><p>This thinking has led the US Army to set up what they call the TFC, or Theater Fires Command, which will be used to provide fires to support missions, and crucially, they show tube and rocket artillery in the video, but also some people with a pile of antennae all over the place. This is the big hint that they are meshing the old school fires that one expects with new capabilities. The other interesting unit is the Cyber Warrior, or the TIAE, Theater Information Advantage Element, which will;</p><!--kg-card-begin: markdown--><blockquote>
<p>... provide enhanced non lethal capabilities, conduct information warfare protect friendly information and inform and influence activities ... though forward postured persistently engaged ...<br>
<a href="https://youtu.be/OUZp01CjdiI?t=315">Army University Press; WayPoint in 2028 &#x2013; Multidomain Operations</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Now, it is pretty clear that these people should be Information Warriors rather than Cyber Warriors, right? Well, if you are familiar with the US Department of Defense&apos;s 2018 Cyber Strategy, you will be aware that <em>Persistent Engagement</em> and <em>Defend Forward</em> are what the DoD is calling Cyber. In effect, cyber is sexy with policymakers, but they don&apos;t understand it, so the DoD is telling policymakers that this is the cyber magic. But the boots on the ground, who know the details of their roles inside and out and have spent years training, know it as Information Warfare, and know that Cyber is just one of the tools available, as they also have PSYOPS and OPSEC, which can easily be done without computers and are essential, as we learned from Sun Tzu.</p><!--kg-card-begin: markdown--><h2 id="limitations">Limitations</h2>
<!--kg-card-end: markdown--><p>I did say I wanted to talk about the work of Claude Shannon and his groundbreaking paper <a href="https://people.math.harvard.edu/~ctm/home/text/others/shannon/entropy/entropy.pdf"><em>A Mathematical Theory of Communication</em></a>, but there&apos;s a new heading? Well, Shannon&apos;s work is both a blessing and a curse. While it opens up an entirely new dimension for battle, it also imposes a single massive limitation on what is possible in this dimension. Shannon defines a generalized communications system that looks like this;</p><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/infomation-1.png" class="kg-image" alt loading="lazy" width="1643" height="542" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/infomation-1.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/infomation-1.png 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/infomation-1.png 1600w, https://blog.cyberwarfa.re/content/images/2022/04/infomation-1.png 1643w"></figure><p>Here the Information Source is the system that generates a message to be communicated, and he defines the generation as a function. So when I speak, there is a function for speaking, f, and my speech happens over time, so the generation is f(t). Much like any function, you can add as many parameters as this function needs. The Transmitter takes the generated message and produces a signal for transmission. This isn&apos;t like the OSI 7 Layer model, where a series of processes happen to send data; this is more like the Data Link Layer, where data is put into Frames that can be transmitted.</p><p>Then there is the Medium, as I call it, or as Shannon calls it, the Channel. This is simply the medium that the transmission can pass through, such as air or a wire. The Receiver is the inverse of the transmitter, taking the signal and turning it back into a message. 
Finally, there is the Destination, which is the system that the message is intended for. In my example of me speaking and you listening, that makes you the intended person, or system, the message is for.</p><p>The curse is that if this entire dimension of warfare is defined by sources, transmitters, mediums, receivers and destinations, then you have a massively limited set of targets to attack. So when people are expecting a <em>Cyber War</em> and the massive power of cyber, they are aware that the potential of cyber is everywhere, but not necessarily aware that cyber cannot do everything you imagine it can.</p><p>So when we see malware that targets Industrial Control Systems, such as TRITON (aka TRISIS), people see that the malware targeted Safety Instrumented Systems (SIS), and yes, this is scary and dangerous and something that could legitimately kill people, but if you look at what an SIS does, <a href="https://www.cyberark.com/resources/threat-research-blog/anatomy-of-the-triton-malware-attack">it is simply a sensor, a logic solver and a final control element</a>. The sensor monitors variables in an environment, the logic solver determines if these variables are within safe parameters for a process, and if they are outside the safe area, the final control element is an off switch that turns the process off.</p><p>So while this seems simple in theory, it ignores the hoops you have to jump through to get to an SIS and how the Subversive Trilemma impacts your actions, but most of all, it limits how you can actually use Cyber capabilities against the SIS. Though it should be noted that hackers have an advantage that militaries to date haven&apos;t had. 
Systems from SIS to Supervisory Control and Data Acquisition (SCADA), which allows humans to interact with the machinery of a process, are connected not just by cables, wirelessly or some other medium; they interact via protocols that abstract the physical operations taking place into something that not just computers can understand, but that hackers can natively interact with.</p><!--kg-card-begin: markdown--><h1 id="so-what-cyberz-pew-pew-do-we-see-in-ukraine">So What Cyberz Pew Pew do we See In Ukraine?</h1>
<!--kg-card-end: markdown--><p>When it comes to Information Warfare, there are two models that you can use to look at it. The first is the <a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Borden Model</a>, which breaks Information Warfare into 4 categories;</p><ol><li>Degrade</li><li>Corrupt</li><li>Deny</li><li>Exploit</li></ol><p>And the second is the <a href="https://users.monash.edu/~ckopp/InfoWar/Lectures/_JIW-2002-2-CK-BIM.pdf">Kopp model</a>, which breaks things down to;</p><ol><li>Denial of Information</li><li>Deception and Mimicry</li><li>Disruption and Destruction</li><li>Subversion / Denial</li></ol><p>There is nothing wrong with the Kopp Model, and it is still based off of the work of Claude Shannon, but I just have a preference for the Borden Model as, for me, it is just easier to understand, so I will be looking at things through Borden&apos;s lens. And going forward from here, as in the talk, to give background to the various categories of attacks, I give events from outside the current war and then what we see currently, so that you have the opportunity to fully understand the categories in the Borden Model.</p><!--kg-card-begin: markdown--><h2 id="attacks-that-degrade">Attacks that Degrade</h2>
<!--kg-card-end: markdown--><p>Shannon defined Information as the reduction of uncertainty, better known as noise, in data transmissions. So for attacks that Degrade information, you have attacks that do useful work on the information itself. Borden saw this as attacks that introduce malicious noise into a system such that the level of uncertainty remains high, but beyond the examples he gives in his paper, it&apos;s not a useful way to look at the problem. I see attacks that degrade as ways of attacking the information itself, rendering the data useless or creating a delay such that the information is useless by the time it is available to be processed.</p><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/degrade-2.PNG" class="kg-image" alt loading="lazy" width="1557" height="513" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/degrade-2.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/degrade-2.PNG 1000w, https://blog.cyberwarfa.re/content/images/2022/04/degrade-2.PNG 1557w"></figure><!--kg-card-begin: markdown--><h3 id="wipers">Wipers</h3>
<!--kg-card-end: markdown--><p>Something that we have seen before and during the War in Ukraine is Wipers; some have even been directed at Ukraine previously, like NotPetya, but there have been others such as Shamoon. There are more interesting attacks that degrade information in the War in Ukraine currently, so for background I have discussions to follow on Shamoon and NotPetya, and I will skip over discussing the likes of WhisperGate, HermeticWiper, CaddyWiper etc. and discuss what I see as more interesting forms of attacks that degrade information in the War in Ukraine.</p><!--kg-card-begin: markdown--><h4 id="shamoon">Shamoon</h4>
<!--kg-card-end: markdown--><p>Shamoon is a Logic Bomb, released by &quot;<em>The Cutting Sword of Justice</em>&quot;. This group is widely believed to be Iran but there is no substantive evidence in open sources to say that this is the case. The bomb was set to detonate on the 15th of August, 2012, in the middle of the Muslim holy month of Ramadan, across the whole company of Saudi Aramco, and potentially also RasGas, the Qatari national petrochemical company, though this has never been publicly confirmed. The choice of timing would ensure maximum damage with minimal chance to stop the bomb as the company would be operating on a skeleton staff of western, non-Muslim staff.</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture1.png" class="kg-image" alt loading="lazy" width="1229" height="720" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture1.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture1.png 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture1.png 1229w" sizes="(min-width: 1200px) 1200px"><figcaption><a href="https://commons.wikimedia.org/wiki/File:Pastie_Cutting_Sword_of_Justice.png">A Paste of the <em>Cutting Sword of Justice&apos;s</em> message to the world</a></figcaption></figure><p>The Attack is believed to have begun in April or May of 2012 via a phishing attack, potentially taking advantage of a vulnerability in Word or Adobe Acrobat which gave the attackers a reverse shell into the network. This computer was potentially a <a href="https://web.archive.org/web/20120820024808/http://blog.seculert.com/2012/08/shamoon-two-stage-targeted-attack.html">proxy for the rest of the network to a C2 server</a>. Due to the flat nature of the IT Network, the attackers gained control of the Domain Administrator account and essentially had total control over the business functions of Aramco. 
They used this to deploy Shamoon on the network. Shamoon used a dropper to install 32 or 64-bit versions on devices, along with a reporting component to communicate with the proxy or the C2 directly and, when the time came, a wiper built on <a href="https://attack.mitre.org/software/S0364/">RawDisk, a commercial disk wiping program that can, in usermode, without using Windows API&apos;s, directly modify the disk, circumventing Windows security features.</a> In total, the bomb hit 35k systems, about 85% of IT infrastructure, and took about 3.5 months to recover.</p><p>Aramco had a separate Operational Technology network, made of ICS, SCADA and SIS systems, that was able to keep functioning, though to prevent the risk of this becoming infected, Aramco chose to disconnect from the internet, something they did a total of three times throughout the infection. Which, for the world, was a lucky thing. Aramco provides 25% of the world&apos;s energy needs. If RasGas was also hit, that&apos;s 14% of the world&apos;s energy needs. In total, nearly 40% of the world&apos;s production of energy could have vanished in minutes. Would that have been sufficient &quot;<em>scale and effects</em>&quot; to be considered an Armed Attack if it had happened? Hard to say, but <a href="https://cyberlaw.ccdcoe.org/wiki/Shamoon_(2012)">NATO&apos;s CCDCOE has it as a real world example of a state or state sponsored hacking campaign, </a>on its <a href="https://cyberlaw.ccdcoe.org/wiki/List_of_articles#Real-world_examples">short list of 51 such articles</a>.</p><p>It&apos;s also worth noting that Shamoon may not be dead. It has made two comebacks: <a href="https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/">Shamoon 2</a>, which had similar targeting to the Aramco attack and timing in accordance with a time when people would be out of the office, though this was a weekend rather than a holy holiday. 
And <a href="https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/">Shamoon 3</a>, which attacked an Italian petrochemical company, <a href="https://www.reuters.com/article/us-cyber-shamoon/saipem-says-shamoon-variant-crippled-hundreds-of-computers-idUSKBN1OB2FA">Saipem</a>, but operated with a different modus operandi to previous versions and had some previous functionality removed.</p><p><a href="https://darknetdiaries.com/episode/30/">Jack Rhysider has an amazing episode of Darknet Diaries on Shamoon</a>, and it&apos;s not just amazing because of the background it gives you on Shamoon, but also the recovery process for Saudi Aramco, with the woman who led the recovery.</p><!--kg-card-begin: markdown--><h4 id="notpetya">NotPetya</h4>
<!--kg-card-end: markdown--><p>NotPetya is a fascinating piece of malware. Essentially it is a data wiper, but not like any you had seen until recently with Russia&apos;s offensive in Ukraine. It masqueraded as ransomware, it even told you how you could pay to recover your system, but no key ever existed to decrypt your device, even if you paid. This may have been the first case of deliberately dysfunctional malware, which had the absolutely intended consequence of destroying systems and making them unrecoverable. Not only did it have EternalBlue two months after it dropped, but it also had ways to get on to systems that were patched against this vulnerability.</p><p>The attack was simple. In Ukraine, basically anyone who files taxes or does business in the country uses a piece of software called <a href="https://medoc.ua/">M.E.Doc</a> to do and file those taxes. The update servers for M.E.Doc were hijacked by Sandworm, which essentially gave them a backdoor into thousands of computers on thousands of LANs, and with EternalBlue it gave them the potential to access millions of devices. To ensure it could spread with incredible speed, Mimikatz was also used to harvest users&apos; credentials and use them to access other machines on the network. The combination of both is brilliant: if there is a single unpatched device on the network, EternalBlue can get you in, and Mimikatz can use the credentials it finds to log into devices that are patched. </p><p>Once it was on a system, it worked to encrypt the Master Boot Record, or MBR, which had two major impacts on a system. The first is that with the MBR encrypted, the system didn&apos;t know how to find the operating system. The second is that the Partition Table was encrypted, so that the location of all your files is essentially lost forever&#x2020;. 
With the MBR encrypted, <a href="https://legendary.industries/p/c7b4f89a-cc26-40e0-8844-b097384f7dae/theregister.com/2017/06/28/petya_notpetya_ransomware/">the malware would set itself as bootable media in the MBR</a> and boot to the error message you see below.</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://www.bleepstatic.com/content/posts/2018/02/14/NotPetya.png" class="kg-image" alt="Catalin Cimpanu, UK Formally Accuses Russian Military of NotPetya Ransomware Outbreak" loading="lazy"><figcaption><a href="https://www.bleepingcomputer.com/news/security/uk-formally-accuses-russian-military-of-notpetya-ransomware-outbreak/">Catalin Cimpanu; UK Formally Accuses Russian Military of NotPetya Ransomware Outbreak</a></figcaption></figure><p><a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">Wired</a> has a breakdown of the cost of the damage caused by NotPetya that includes the $10 Billion in damages and the untold destruction of computers, in what the Ukrainian Minister of Infrastructure summarised as &quot;<em>The government was dead</em>&quot;, as an estimated 10% of all computers in the country were dead. All of this was done in about 45 seconds, in what has been called the &quot;<em>fastest-propagating piece of malware we&#x2019;ve ever seen</em>&quot;.</p><p>If you want to learn more, there are tons of great sources on this! Andy Greenberg&apos;s fantastic <a href="https://www.penguinrandomhouse.com/books/597684/sandworm-by-andy-greenberg/">book Sandworm</a>, where chapter 24 is dedicated just to NotPetya. 
There&apos;s <a href="https://darknetdiaries.com/episode/54/">a great episode of Darknet Diaries on it</a> and unusually, we have an inside account from the Identity &amp; Access Management Subject Matter Expert, and later IAM Service Owner at <a href="https://gvnshtn.com/maersk-me-notpetya/">Maersk who was on the front line of dealing with the impacts of NotPetya</a>.</p><!--kg-card-begin: markdown--><h3 id="http-418">HTTP 418</h3>
<!--kg-card-end: markdown--><p>This is hands down my favourite attack: it&apos;s simple, there&apos;s not much to say, but it&apos;s wonderful! Someone hacked the Russian Ministry of Defence&apos;s website to respond with HTTP error 418, informing the world that it was no longer a webserver but was now a teapot, when queried with the Hyper Text Coffee Pot Control Protocol (HTCPCP). Effectively it&apos;s a very simple DDoS.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Russia&apos;s military website (<a href="https://t.co/FZOqrzvQ8R">https://t.co/FZOqrzvQ8R</a>) is currently down, returning HTTP 418 (I&apos;m a teapot) &#x1F480;&#x1F480;&#x1F480; <a href="https://t.co/s7QYbz0Y01">pic.twitter.com/s7QYbz0Y01</a></p>&#x2014; dangered wolf &#x1F499;&#x1F49B; (@dangeredwolf) <a href="https://twitter.com/dangeredwolf/status/1497053080755580928?ref_src=twsrc%5Etfw">February 25, 2022</a></blockquote>
</figure><!--kg-card-begin: markdown--><h3 id="painting-the-electromagnetic-spectrum">Painting the Electromagnetic Spectrum</h3>
<!--kg-card-end: markdown--><p>Today in Ukraine we see some different things going on that are interesting. Russia operates a Numbers Station known to the world as <a href="https://priyom.org/military-stations/russia/the-buzzer/">The Buzzer or UVB-76</a>. One of the things we have seen happen on the chunk of spectrum that UVB-76 usually operates on is <em>pirates</em> drawing pictures in the waterfall of the spectrum by injecting bits of noise onto it. Each bit of noise forms a pixel on the waterfall. Of course, you can use pixels to make images, and this is what the pirates have been doing. These pictures range from <em>My Little Pony</em> characters to a cute little bee and various other objects.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture2.png" width="741" height="538" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture2.png 600w, https://blog.cyberwarfa.re/content/images/2022/04/Picture2.png 741w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture3.png" width="391" height="538" loading="lazy" alt></div></div></div><figcaption><a href="https://twitter.com/RedFox0x20/status/1485237440080191490?s=20&amp;t=gfwCSBCa2X8n364R_oN53A">Images from @RedFox0x20&apos;s Twitter thread on some of the painting of the EM spectrum</a></figcaption></figure><!--kg-card-begin: markdown--><h3 id="jamming-gps-andor-glonass">Jamming GPS and/or GLONASS</h3>
<!--kg-card-end: markdown--><p>Ukraine, being a post-Soviet state, has access to all of the toys that were left behind, and some of these systems were Electronic Warfare (EW) systems. One of the things you can do with EW systems is jam a radio frequency. While the concept of jamming can get very complex, so complex that I need help from a friend to explain it to me like I was a 4 year old, in its simplest form jamming is just raising the noise relative to the signal (that is, lowering the signal-to-noise ratio) at the device to be jammed.</p><p>When we look at GPS, for Civilian or Military use, the signal that arrives at your device arrives at a precise frequency with very precise timing data attached to it. If you were to increase the noise around a given location, you would end up in a situation where the timing signature could be slightly manipulated, by making it so that part of the signal was unintelligible or error correction changed the timing signature to something else.</p><p>Since we are dealing with things moving at the speed of light, and light travels one foot in a nanosecond, if you were to make even slight changes to the timing data, you could massively impact where things appear to be compared to where they actually are in the real world. 
Realistically you can only offset things by tens of feet, but that is more than enough to defend locations, and we have seen exactly this in Ukraine recently, where Ukraine has protected at least some of its air defences with this technique and there is little Russia can do about it.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">This lost Russian UAV may be due to Ukrainian jamming of Global Navigation Satellite Systems (GNSS) around their SAM sites.<br><br>There has been some evidence of this going on circulating on various Discord server forums from the beginning of the war.<br><br>The Russians are aware by now<br>1/ <a href="https://t.co/1q9x10LTI2">https://t.co/1q9x10LTI2</a> <a href="https://t.co/aeheIiUqFj">pic.twitter.com/aeheIiUqFj</a></p>&#x2014; Trent Telenko (@TrentTelenko) <a href="https://twitter.com/TrentTelenko/status/1503452423557423110?ref_src=twsrc%5Etfw">March 14, 2022</a></blockquote>
</figure><!--kg-card-begin: markdown--><h3 id="the-ka-sat-kerfuffle">The KA SAT Kerfuffle</h3>
<!--kg-card-end: markdown--><p>I brought this up with the ICSPC Discord, but I chose not to use it at BSides as the information had yet to firm up and I didn&apos;t want to make unfounded statements to such a large and public audience based on what I had inferred rather than on what there was evidence for. Since then Viasat has released a statement and more data has come to light, so I can talk about what I know, sans speculation.</p><p>To understand this whole thing, you need to understand that KA-SAT is a satellite operated by Viasat. Bandwidth on this network is resold to others, and what is relevant in this case is that it is resold to Skylogic, a subsidiary of Eutelsat, where the satellite internet service is called Tooway. Viasat has made a statement where they effectively threw Skylogic and Eutelsat under the bus;</p><!--kg-card-begin: markdown--><blockquote>
<p>This incident was localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat&#x2019;s behalf by a Eutelsat subsidiary, Skylogic, under a transition agreement Viasat signed with Eutelsat following Viasat&#x2019;s purchase of Euro Broadband Infrastructure S&#xE0;rl (&quot;EBI&quot;), the wholesale broadband services business created as part of Viasat&apos;s former partnering arrangement with Eutelsat. The residential broadband modems affected use the &#x201C;Tooway&#x201D; service brand. This cyber-attack did not impact Viasat&#x2019;s directly managed mobility or government users on the KA-SAT satellite. Similarly, the cyber-attack did not affect users on other Viasat networks worldwide.<br>
<a href="https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/">Viasat; KA-SAT Network cyber attack overview</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>In effect, Skylogic&apos;s Tooway network was compromised and, as the attack went on, there was also a decline in the number of modems connected to the satellite. Ruben Santamarta, known for his Reversemode blog, released a post where he looked at the ASNs that Skylogic has and noticed that they use FortiGate appliances, which had some pretty major issues in 2021 with <a href="https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/">a leak of user passwords</a> that led to a spate of hacks on Fortinet big iron. Once inside the VPN network, the attackers were able to access the management API, which Ruben also found and posted in his blog. Through this, he concludes that the TR-069 protocol was being used to install something on the modems, which was the AcidRain wiper, taking them offline.</p><!--kg-card-begin: markdown--><h3 id="rubber-hose-cryptanalysis">Rubber-Hose Cryptanalysis</h3>
<!--kg-card-end: markdown--><p>Finally, we have the attack that I predict most often: the attack where a provider is taken offline. Normally this is something that I would expect to see via a cable cut, particularly one on the seabed, as the lead times to fix such an issue are in years rather than days, but in Ukraine we have seen an example of a provider going down due to what I have seen described on the grapevine as <em>coercion</em>.</p><p>The employee who was <em>coerced</em> is now safe, which is good news, but we know very little else beyond that this person was <em>coerced</em> into giving up credentials and these credentials were subsequently used to take down Ukrtelecom. I&apos;m sure you can imagine what I believe to be the series of events that took place, given the heading I chose to use and Russia&apos;s recent history in places like Mariupol, Bucha or Borodianka.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">&#x1F4F0; Hackers took down <a href="https://twitter.com/hashtag/Ukraine?src=hash&amp;ref_src=twsrc%5Etfw">#Ukraine</a>&apos;s national internet provider Ukrtelecom by stealing credentials from an employee in a territory recently occupied by Russia, then compromising and gaining access to the ISP&apos;s network.<br><br>&#x1F58B; <a href="https://twitter.com/SebMoss?ref_src=twsrc%5Etfw">@SebMoss</a> writes for <a href="https://twitter.com/dcdnews?ref_src=twsrc%5Etfw">@dcdnews</a><a href="https://t.co/n2YV74v9ep">https://t.co/n2YV74v9ep</a></p>&#x2014; NetBlocks (@netblocks) <a href="https://twitter.com/netblocks/status/1511720444105310221?ref_src=twsrc%5Etfw">April 6, 2022</a></blockquote>
</figure><!--kg-card-begin: markdown--><h2 id="attacks-that-deny">Attacks that Deny</h2>
<!--kg-card-end: markdown--><p>Attacks that Deny are attacks that attempt to render the assets that collect and process data useless. Traditionally, these have been attacks on the receivers that collect information.</p><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/deny1.PNG" class="kg-image" alt loading="lazy" width="1555" height="512" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/deny1.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/deny1.PNG 1000w, https://blog.cyberwarfa.re/content/images/2022/04/deny1.PNG 1555w"></figure><!--kg-card-begin: markdown--><h3 id="suppression-of-enemy-air-defenses-sead">Suppression of Enemy Air Defenses (SEAD)</h3>
<!--kg-card-end: markdown--><p>On the 20th of June 2019, the IRGC shot down an American RQ-4 Global Hawk drone that Iran contends violated Iranian airspace in the Strait of Hormuz. Iran used a &#x633;&#x648;&#x645; &#x62E;&#x631;&#x62F;&#x627;&#x62F; or 3rd Khordad, sometimes called a Sevom Khordad, air defence missile system.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">&#xAB;<a href="https://twitter.com/hashtag/%D9%BE%D9%87%D9%BE%D8%A7%D8%AF_%D8%A2%D9%85%D8%B1%DB%8C%DA%A9%D8%A7%DB%8C%DB%8C?src=hash&amp;ref_src=twsrc%5Etfw">#&#x67E;&#x647;&#x67E;&#x627;&#x62F;_&#x622;&#x645;&#x631;&#x6CC;&#x6A9;&#x627;&#x6CC;&#x6CC;</a> (American drone) in the trap of the Iranian air defence system; the first kill on the record of &quot;Sevom Khordad&quot;&#xBB;  <br><br>The American RQ-4 drone has been shot down by the Sevom Khordad air defence system; the Sevom Khordad air defence system is a fully indigenous air defence system designed by the country&apos;s defence industry specialists <a href="https://t.co/wOY25bsiPB">https://t.co/wOY25bsiPB</a> <a href="https://t.co/vMuSoR4U2z">pic.twitter.com/vMuSoR4U2z</a></p>&#x2014; Tasnim News Agency &#x1F1EE;&#x1F1F7; (@Tasnimnews_Fa) <a href="https://twitter.com/Tasnimnews_Fa/status/1141626897383743489?ref_src=twsrc%5Etfw">June 20, 2019</a></blockquote>
</figure><p>In response to this, POTUS ordered a mix of kinetic and non-kinetic fires against these systems, <a href="https://news.yahoo.com/us-launched-cyber-attacks-iran-drone-shootdown-reports-232123877.html">but called off the kinetic ones</a> to keep things <a href="https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html">below the threshold of armed attack</a>. The <a href="https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html">New York Times reported</a> that multiple systems were targeted, and they mention an additional attack;</p><!--kg-card-begin: markdown--><blockquote>
<p>An additional breach, according to one person briefed on the operations, targeted other computer systems that control Iranian missile launches.<br>
<a href="https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html">Julian E. Barnes and Thomas Gibbons-Neff; U.S. Carried Out Cyberattacks on Iran</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>It would appear that <a href="https://sg.news.yahoo.com/2019-06-22-us-cyberattack-reportedly-knocked-out-iran-missile-control-syste.html">US Cyber Command carried out this attack, and it was their first since they became a full combatant command</a>. Given that they were able to attack what appears to be the command and control computers of a battery, this is effectively the suppression of enemy air defences, done in a way that doesn&apos;t put Wild Weasel crews or aircraft at risk. It is unclear if the attack was against a single battery, multiple independent batteries or a battalion of batteries, though, which could have wide-ranging consequences if the battalion command and control vehicle&apos;s systems were targeted;</p><!--kg-card-begin: markdown--><blockquote>
<p>The C2 unit provides communication between Sevom Khordad batteries. Furthermore, the C2 unit can connect other air defense systems of the Raad family, including Raad and Tabas, into a single air defense network. This allows it to cover a large area, and targets can be engaged with a wide range of missiles from the cheapest Taer-1 missiles to the most capable Taer-2s. This adds the capability of facing different types of threats with different types of interceptors. In case of heavy jamming when even the X-band engagement radar can&#x2019;t handle its duty, the C2 unit can provide an additional data link, connecting the system to electro-optical engagement systems of Raad batteries, in order to guide missiles toward targets.<br>
<a href="http://www.military-today.com/missiles/sevom_khordad.htm">Ehsan Ostadrahimi; Sevom Khordad - Medium-range air defense missile system</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h3 id="sead-in-ukraine">SEAD in Ukraine</h3>
<!--kg-card-end: markdown--><p>By comparison, Russia has an option that the US didn&apos;t have when the US went after Iranian air defences. Russia can use things that go bang and boom.</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture14.jpg" class="kg-image" alt loading="lazy" width="1279" height="720" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Picture14.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Picture14.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Picture14.jpg 1279w"><figcaption><a href="https://www.euronews.com/video/2022/02/24/russia-attack-aftermath-at-ukraine-military-site">Screen capture from a news bulletin on the destruction of Ukrainian air defences</a></figcaption></figure><p>If you compare these two events, you end up in a situation where, when a commander is presented with options to strike air defences, you have a Cyber team of at least 4, with a SIGDEV, SIGOPS, Signals Analyst, and Signals Exploitation, working on the project over months, and they can&apos;t guarantee with certainty that their operation will go to plan. Or you can turn to the fighter jock, who can basically guarantee that he will blow up the air defences with a 99% chance of success within the next 24 hours.</p><!--kg-card-begin: markdown--><h2 id="the-other-form-of-denial">The Other Form of Denial</h2>
<!--kg-card-end: markdown--><p>As I mentioned previously, Information Warfare is a very old idea, but after Claude Shannon and before the invention of modern computing that gave us Cyber, the US was experimenting with traditional Information Warfare techniques such as Electronic Warfare and Psychological Operations. They didn&apos;t stop there; they were also trying to apply the same techniques in a more general sense.</p><p>One of the ideas they had was that rather than go after the systems that gathered or processed data, they would go after the endpoints that analysed the data to form intelligence, or the endpoints that acted on this intelligence, so that there would be more opportunities to break the intelligence cycle, in the same way you can potentially stop cyber intrusions by breaking the Cyber Kill Chain. This idea was something the US called Command and Control Warfare, or C2W.</p><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/deny2.PNG" class="kg-image" alt loading="lazy" width="1550" height="508" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/deny2.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/deny2.PNG 1000w, https://blog.cyberwarfa.re/content/images/2022/04/deny2.PNG 1550w"></figure><!--kg-card-begin: markdown--><h3 id="command-and-control-warfare">Command and Control Warfare</h3>
<!--kg-card-end: markdown--><p>In the sense that most engineers and analysts in the Cyber Realm would be used to looking at the world, a perfect example of C2W would be where DNS requests are blackholed such that the C2 Server never gets to act upon infected machines, or where a new piece of malware is analysed and Yara rules are distributed which can prevent a system from being compromised or detect an existing compromise.</p><p>While this is entirely possible in the military realm, there is more you can do. For example, if a state were to run a malware campaign, one could go after those that planned and ordered the campaign, and the same goes for those that plan and order military operations.</p><p>During the Air Campaign of the First Gulf War, the Coalition Forces went after the C2 Systems of Iraq. This is something I previously wrote about in my first post on Information Warfare, but the cliff notes are that the Coalition Forces, particularly the US, started with the KARI fibre optic network and then the POTS network, leaving only insecure microwave links for Iraqi Armed Forces comms. While they could have stopped there, they also targeted the literal command and control systems of the Iraqi regime. They went after Saddam&apos;s generals.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture10.jpg" width="481" height="360" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture11.jpg" width="481" height="360" loading="lazy" alt></div></div></div><figcaption><a href="https://nsarchive2.gwu.edu/NSAEBB/NSAEBB88/">George Washington University&apos;s National Security Archive; Eyes on Saddam: U.S. Overhead Imagery of Iraq</a>. On the left is the pre-strike image of the site and on the right is the post-strike image.</figcaption></figure><!--kg-card-begin: markdown--><h3 id="c2w-in-ukraine">C2W in Ukraine</h3>
<!--kg-card-end: markdown--><p>Today, Ukraine is doing the same thing. They are using drones. First, they are using modified commercial drones to find Russian positions and forward coordinates to artillery units so that fire can be directed, possibly using the indigenously designed <a href="https://ukroboronprom.com.ua/en/product/kvitnik">Kvitnyk</a> laser designated artillery shell, as can be seen here, directing fire at a Russian anti-air system;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Amazing footage! An <a href="https://twitter.com/hashtag/UkrainianArmy?src=hash&amp;ref_src=twsrc%5Etfw">#UkrainianArmy</a> drone detects a Buk M1-2 air defense system of <a href="https://twitter.com/hashtag/RussianArmy?src=hash&amp;ref_src=twsrc%5Etfw">#RussianArmy</a>, its crew report its position to an artillery unit and they target it immediately using precision-guided artillery shells! <a href="https://t.co/WRZLKmAtU9">pic.twitter.com/WRZLKmAtU9</a></p>&#x2014; Babak Taghvaee - &#x39C;&#x3C0;&#x3AC;&#x3C0;&#x3B1;&#x3BA; &#x3A4;&#x3B1;&#x3BA;&#x3B2;&#x3B1;&#x3AF;&#x3B5; - &#x628;&#x627;&#x628;&#x6A9; &#x62A;&#x642;&#x648;&#x627;&#x6CC;&#x6CC; (@BabakTaghvaee) <a href="https://twitter.com/BabakTaghvaee/status/1504189806011731969?ref_src=twsrc%5Etfw">March 16, 2022</a></blockquote>
</figure><p>They are using similar techniques to go after forward units rather than just sticking to rear-area units, as can be seen here, where a drone is used as part of an attack on a Russian formation;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">UAV footage showing Ukrainian attacks on a Russian armored column in Brovary, including that captured T-72A tank. According to the audio, the regimental commander was killed. It appears it was a mix of Ukrainian artillery and tank strikes on the column.<a href="https://t.co/LemIgjQiOZ">https://t.co/LemIgjQiOZ</a> <a href="https://t.co/x2tVSHPENa">pic.twitter.com/x2tVSHPENa</a></p>&#x2014; Rob Lee (@RALee85) <a href="https://twitter.com/RALee85/status/1501873146818969610?ref_src=twsrc%5Etfw">March 10, 2022</a></blockquote>
</figure><p>They are also not limited to commercial drones; they have also purchased the Turkish Bayraktar TB2, used to great effect to fire and direct laser-guided weapons. The TB2 has specifically been used to target the command posts of Russian troops, in classic C2W fashion;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Last couple TB2 vids have looked like Ukraine has started hunting down Russian army command post. Possibly where the last couple generals and high ranking officers were killed  <a href="https://t.co/m5vl9DXzG2">pic.twitter.com/m5vl9DXzG2</a></p>&#x2014; Lost Weapons (@LostWeapons) <a href="https://twitter.com/LostWeapons/status/1502414061010522112?ref_src=twsrc%5Etfw">March 11, 2022</a></blockquote>
</figure><p>Ukraine hasn&apos;t been solely relying on drones though; they have also had significant help from the <a href="https://twitter.com/CameraJones/status/961675818333327360?s=20&amp;t=H44zucKnoMno4CzigvUsxQ">US as part of the JMTGU and Canada as part of Operation Unifier</a> where, among other items of training, they have been teaching Ukraine the finer art of Marksmanship. This isn&apos;t all the help they have been receiving on Marksmanship though, as it appears that the CIA has opened <a href="https://news.yahoo.com/exclusive-secret-cia-training-program-in-ukraine-helped-kyiv-prepare-for-russian-invasion-090052743.html">the School of the Americas</a> to Ukraine rather than just fascist dictators in South America, though I am significantly less fond of this kind of support given the history of the School of the Americas... So what has the impact of all of this been?</p><!--kg-card-begin: markdown--><h4 id="generals">Generals</h4>
<!--kg-card-end: markdown--><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture4.png" width="182" height="182" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture3-1.png" width="182" height="182" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture5.png" width="182" height="182" loading="lazy" alt></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Capture-1.png" width="662" height="662" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Capture-1.png 600w, https://blog.cyberwarfa.re/content/images/2022/04/Capture-1.png 662w"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture6.png" width="182" height="182" loading="lazy" alt></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/newFile.jpeg" width="683" height="683" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/newFile.jpeg 600w, https://blog.cyberwarfa.re/content/images/2022/04/newFile.jpeg 683w"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/765b6e960daf10ee6218766c9163168b23fe8b18c_2000_1331.jpg" width="350" height="350" loading="lazy" alt></div></div></div></figure><!--kg-card-begin: markdown--><p>Confirmed dead from top left to bottom right;</p>
<ol>
<li><a href="https://gur.gov.ua/content/pid-kharkovom-likvidovano-heneralmaiora-rosiiskoi-armii.html">Major General Vitaly Gerasimov - Chief of Staff and First Deputy Commander of the 41st Combined Arms Army</a></li>
<li><a href="https://twitter.com/RALee85/status/1500815613882683392?s=20&amp;t=qHL_5qPW27ePaFZUeQwblA">Major General Andrei Sukhovetsky - Deputy Commander of the 41st Combined Arms Army</a></li>
<li><a href="https://twitter.com/ArmedForcesUkr/status/1502294425992585225?s=20&amp;t=lY-hW8XXCqtriqwVE6ebXQ">Major General Andriy Kolesnikov - Commander of the Eastern Military District</a></li>
<li><a href="https://twitter.com/ArmedForcesUkr/status/1504001946323243008?s=20&amp;t=_xWC-lB_ybqNmon_fZbO5w">Major General Oleg Mityaev, Commander 150th Motor Rifle Division</a></li>
<li><a href="https://twitter.com/RALee85/status/1505094666684882944?s=20&amp;t=kVQ-EeSgexqfNsUrskR2-g">Lieutenant General Andrey Nikolaevich Mordvichev, Commander 8th Combined Arms Army</a></li>
<li><a href="https://twitter.com/MrKovalenko/status/1507193029064593409?t=_rzViXueolxCc1vNE2EUwA&amp;s=19">Lieutenant General Yakov Vladimirovich Rezantsev, Commander 49th Combined Arms Army</a></li>
<li><a href="https://www.wsj.com/livecoverage/russia-ukraine-latest-news-2022-04-15/card/russia-loses-another-major-general-in-ukraine-fighting-7bHXbR97hCy4IBVxJsjL">Major General Vladimir Petrovich Frolov, Commander 8th Guards Combined Arms Army</a></li>
</ol>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h4 id="colonels-and-equivalents">Colonels and Equivalents</h4>
<!--kg-card-end: markdown--><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture7-2.jpg" width="182" height="182" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture8.png" width="182" height="182" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture10.png" width="182" height="182" loading="lazy" alt></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Capture.png" width="1017" height="1017" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Capture.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Capture.png 1000w, https://blog.cyberwarfa.re/content/images/2022/04/Capture.png 1017w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Capture-1.PNG" width="960" height="960" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Capture-1.PNG 600w, https://blog.cyberwarfa.re/content/images/2022/04/Capture-1.PNG 960w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/FOhSU69XIAgDGTV.jpg" width="576" height="576" loading="lazy" alt></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/FOiHWfpWUAALTmM.jpg" width="514" height="514" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/download.jpg" width="279" height="279" loading="lazy" alt></div><div class="kg-gallery-image"><img 
src="https://blog.cyberwarfa.re/content/images/2022/04/FOTf7X3XEAIrb7b.png" width="450" height="450" loading="lazy" alt></div></div></div></figure><!--kg-card-begin: markdown--><p>Confirmed dead from top left to bottom right;</p>
<ol>
<li><a href="https://www.instagram.com/p/Cat6IYVqteF/">Colonel Konstantin Zizevsky, Commander 247th Guards Airborne Assault Regiment</a></li>
<li><a href="https://twitter.com/DI_Ukraine/status/1501849922206937090?s=20&amp;t=FL-Z3SX2QmYjaylf1pOL4w">Colonel Andrei Zakharov, Commander 6th Guards Tank Regiment of the 90th Guards Tank Division</a></li>
<li><a href="https://twitter.com/666_mancer/status/1503398662302584838">Colonel Sergei Ivanovich Porokhnya, Commander of the 12th engineering brigade</a></li>
<li><a href="https://twitter.com/IAPonomarenko/status/1504706312667643931?s=20&amp;t=WsL89-lUAr3zL9yFaZlL4Q">Colonel Sergey Sukharev, Commander 331st Airborne Regiment</a></li>
<li><a href="https://twitter.com/JackDetsch/status/1505587605500575744?s=20&amp;t=vo2lJa4FTvX59uvaDoUxnQ">Captain First Rank Andrey Nikolaevich Paliy, Deputy Commander Black Sea Fleet</a></li>
<li><a href="https://twitter.com/nexta_tv/status/1506544661304905739?t=2yYHf8ivnF4q1Z1R3qUAgA&amp;s=19">Colonel Alexei Sharov, commander of the 810th Marine Brigade</a></li>
<li><a href="https://www.gov.spb.ru/press/telegrams/233776/">Colonel Nikolai Ovcharenko, Western Military District&apos;s Deputy Commander of Engineer Troops</a></li>
<li><a href="https://twitter.com/EerikNKross/status/1508909973585149959?s=20&amp;t=GeFb8gu6jS7wOho8q9qyBg">Colonel Denis Kurilo, Commander 200th Separate Motor Rifle Brigade</a></li>
<li><a href="https://www.facebook.com/GeneralStaff.ua/posts/274663761513376">Colonel Igor Evgenievich Nikolaev, Commander 252nd Motor Rifle Regiment of the 3rd Motor Rifle Division</a></li>
</ol>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h5 id="lieutenant-colonels">Lieutenant Colonels</h5>
<!--kg-card-end: markdown--><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture12.png" width="182" height="182" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Picture13.png" width="183" height="182" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/FOTGxGMX0AAO-pe.jpg" width="690" height="690" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/FOTGxGMX0AAO-pe.jpg 600w, https://blog.cyberwarfa.re/content/images/2022/04/FOTGxGMX0AAO-pe.jpg 690w"></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/FOOrYlfXEAYCDoK.jpg" width="420" height="420" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/SgtQNeGHdIo.jpg" width="854" height="854" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/SgtQNeGHdIo.jpg 600w, https://blog.cyberwarfa.re/content/images/2022/04/SgtQNeGHdIo.jpg 854w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/BiVnUjgt_v0.jpg" width="1063" height="1063" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/BiVnUjgt_v0.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/BiVnUjgt_v0.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/BiVnUjgt_v0.jpg 1063w" sizes="(min-width: 720px) 720px"></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/FNhiuQiX0AElC4Y.jpg" width="525" height="525" loading="lazy" alt></div><div 
class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/FOfd7ItXsAgbwn-.jpg" width="570" height="570" loading="lazy" alt></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/FPuqM6gakAEy_Ez.jpg" width="300" height="300" loading="lazy" alt></div></div></div></figure><!--kg-card-begin: markdown--><p>List</p>
<ol>
<li><a href="https://twitter.com/RALee85/status/1500797331255570438?s=20&amp;t=qHL_5qPW27ePaFZUeQwblA">Lieutenant Colonel Denis Glebov, Deputy Commander 11th Air Assault Brigade</a></li>
<li><a href="https://twitter.com/666_mancer/status/1501300152518074375?t=2uImga6IJYOmSHhonrXm9Q&amp;s=19">Lieutenant Colonel Yuriy Agarkov, Commander 33rd Motor Rifle Regiment of the 20th Guards Motor Rifle Division</a></li>
<li><a href="https://twitter.com/666_mancer/status/1505547850188472320?s=20&amp;t=n_fUDq0kDb6fXvmsfwv7Gg">Lieutenant Colonel Ilya Yuryevich Pyatkin, Special Rapid Response Unit</a></li>
<li><a href="https://twitter.com/666_mancer/status/1505236040428228622?s=20&amp;t=d9XaeGhIaUZNbijjcMAIVw">Lieutenant Colonel Sergey Savateev, Special Rapid Response Unit</a></li>
<li><a href="https://vk.com/rvvdku1918?w=wall-26673779_81795">Lieutenant Colonel Aleksey Sharshavov, Commander of 171st Independent Air Assault Battalion of the 7th Air Assault Division</a></li>
<li><a href="https://vk.com/rvvdku1918?w=wall-26673779_83307">Lieutenant Colonel Igor Zharov, Regimental commander of an unknown airborne unit</a></li>
<li><a href="https://twitter.com/MrKovalenko/status/1502059521774333954?s=20&amp;t=puAFDXHJMuPNfyypQi4Kxw">Lieutenant Colonel Alexey Narzullaevich Khasanov, Deputy Commander 31st Guards Fighter Aviation Regiment</a></li>
<li><a href="https://twitter.com/666_mancer/status/1507373191743815683">Lieutenant Colonel Viktor Kuzmin, Political Officer 234th Guards Air Assault Regiment</a></li>
<li><a href="https://eadaily.com/ru/news/2022/03/06/spartu-vozglavil-artem-zhoga-otec-ubitogo-nacistami-geroya-dnr">Warlord Vladimir Zhoga, neo-Nazi piece of shit, self-professed war criminal and commander of the Sparta Battalion</a></li>
</ol>
<!--kg-card-end: markdown--><p>And this is only me skimming over the ones I can find good pictures of. As of April 28th, I have possibly another General killed, 19 Colonels and 33 Lieutenant Colonels. Astonishing numbers for any war since 1900, and that is before you consider the 46 Majors, 87 Captains and 147 Lieutenants, or the officers captured, wounded, missing or arrested. I can&apos;t imagine how many Senior NCOs, the backbone of any military, are dead, or what the true scale of death is, given that some of the best numbers we have come from leaks like this one, via Meduza;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">In a now deleted VK post, the pro-Kremlin media outlet Readovka claims that Russia&#x2019;s Defense Ministry stated at a &#x201C;closed briefing&#x201D; that it&#x2019;s lost 13,414 soldiers in Ukraine *plus* another 7,000 who are missing. 116 sailors killed aboard the Moskva, with 100+ still missing. <a href="https://t.co/jHx7lZi9WA">pic.twitter.com/jHx7lZi9WA</a></p>&#x2014; Kevin Rothrock (@KevinRothrock) <a href="https://twitter.com/KevinRothrock/status/1517387374115926017?ref_src=twsrc%5Etfw">April 22, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>What is important to take away from this is that Ukraine is systematically destroying Russia&apos;s capability to make and carry out strategic and operational plans. Ultimately we can&apos;t know the full impact of these deaths on Russia&apos;s fighting capabilities, probably not until long after the war is over, but given how the war has progressed, it is clear not only that the offensive has not gone to plan, but that it has deteriorated as the war has dragged on, and not only because of the poor logistics.</p><!--kg-card-begin: markdown--><h2 id="attacks-that-corrupt">Attacks that Corrupt</h2>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/corrupt.PNG" class="kg-image" alt loading="lazy" width="1555" height="514" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/corrupt.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/corrupt.PNG 1000w, https://blog.cyberwarfa.re/content/images/2022/04/corrupt.PNG 1555w"></figure><!--kg-card-begin: markdown--><h4 id="operation-outside-the-box">Operation Outside the Box</h4>
<!--kg-card-end: markdown--><p>Operation Outside the Box was a 2007 Israeli raid on an <a href="https://www.reuters.com/article/idUSTRE51I45R20090219">undocumented nuclear facility in Syria, possibly a covert graphite reactor</a>. The raid is interesting for many reasons, such as <a href="https://web.archive.org/web/20101105130625/http://www.haaretz.com/news/how-idf-troops-infiltrated-alleged-syria-nuke-site-1.272512">the Iranian financing of the reactor</a>, <a href="https://www.nytimes.com/2007/10/14/washington/14weapons.html?hp">the deaths of multiple North Korean nuclear technicians or scientists in the raid</a> or, above all, <a href="https://web.archive.org/web/20071010175618/http://www.timesonline.co.uk/tol/news/world/middle_east/article2461421.ece">the nuclear material for the reactor coming from North Korea</a>, but to me the most interesting part is how Israel used electronic warfare, and possibly cyber warfare, as part of the raid.</p><p>The raid required several Israeli aircraft to penetrate Syrian airspace undetected to attack the facility. This was 2007, when the only nation in the world operating stealth aircraft was the US, with the F-117 and F-22 fighters and the B-2 bomber. Israel used what it had, F-15s and F-16s, along with electronic warfare aircraft. The attack took place in four major stages.</p><p>The first stage was to take off from Ramat David Airbase and fly up the Syrian coast to the Turkish-Syrian border, where they attacked a radar site at Tall al-Abuad in Syria. It was attacked with electronic warfare techniques, most likely jamming, and then bombed with precision-guided bombs to take out the site. This created an entry point in Syrian air defence for the planes to penetrate the airspace. 
Once in the airspace, the really interesting part of the attack could begin.</p><blockquote>Almost immediately, the entire Syrian radar system went off the air for a period of time that included the raid, say U.S. intelligence analysts.<br><a href="https://aviationweek.com/israel-shows-electronic-prowess">David A. Fulghum, Robert Wall and Amy Butler; Israel Shows Electronic Prowess</a></blockquote><p>Through a combination of jamming the HF and VHF communication links used for the command and control of air defences, other unknown forms of electronic attack from the electronic warfare support aircraft, and &quot;<em>penetration through computer-to-computer links</em>&quot;, the aircraft were able to transit the airspace undetected and bomb the suspected nuclear reactor. It is unknown whether the &quot;<em>penetration through computer-to-computer links</em>&quot; was a form of cyber warfare, or whether the computers were linked over the HF/VHF network and were simply vulnerable to jamming or electronic attack.</p><p>It is believed that the electronic warfare support aircraft were able to create a spoofed image of the skies above Syria, a &quot;<em>false sky picture</em>&quot;, so that even though the Israeli aircraft were transiting the airspace, all the radar operators saw was the electronically manipulated picture the Israelis broadcast, which was what they wanted the Syrians to see.</p><blockquote>U.S. aerospace industry and retired military officials indicated today that a technology like the U.S. developed &quot;Suter&quot; airborne network attack system</blockquote><blockquote>...<br>The technology allows users to invade communications networks, see what enemy sensors see and even take over as systems administrator so sensors can be manipulated into positions so that approaching aircraft can&apos;t be seen, they say. 
The process involves locating enemy emitters with great precision and then directing data streams into them that can include false targets and misleading messages algorithms that allow a number of activities including control.<br><a href="http://www.aviationweek.com/Blogs.aspx?plckBlogId=Blog%3A27ec4a53-dcc8-42d0-bd3a-01329aef79a7&amp;plckPostId=Blog%3A27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3A2710d024-5eda-416c-b117-ae6d649146cd">David A. Fulghum; Why Syria&apos;s Air Defenses Failed to Detect Israelis</a><br></blockquote><p>Essentially invisible to air defences, the Israeli aircraft proceeded to the target where commandos used laser designators to illuminate the target to be destroyed. With the facility bombed and destroyed, it was time for the aircraft to head home via the route they came, <a href="https://abcnews.go.com/Technology/story?id=3702807">still undetected</a>.</p><p>The vast majority of useful reporting on this comes from a fascinating article by <a href="https://aviationweek.com/israel-shows-electronic-prowess">David A. Fulghum, Robert Wall and Amy Butler called &quot;<em>Israel Shows Electronic Prowess</em>&quot; in Aviation Week</a> which gives an account of the attack through the lens of electronic warfare.</p><!--kg-card-begin: markdown--><h4 id="the-ghost-of-hostomel">The Ghost of Hostomel</h4>
<!--kg-card-end: markdown--><p>Normally when people think about the Ghost of Somewhere in Ukraine at the moment, they think of the <a href="https://www.thedrive.com/the-war-zone/44453/the-ghost-of-kyiv-is-the-mythical-hero-ukraine-needs-right-now">Ghost of Kyiv</a>, the badass but unfortunately fictional story of the first fighter ace of the 21st century. For me though, Russia&apos;s destruction of the An-225 &#x41C;&#x440;&#x456;&#x44F;, one of the greatest pieces of humanitarian equipment on Earth, was a real gut punch. The &#x41C;&#x440;&#x456;&#x44F; could be used to transport a lot of things, but when you needed oversize cargo delivered somewhere in the world in an emergency, it was the only platform that could be relied on, and sometimes the only platform you could use at all.</p><p>After its destruction was confirmed, there were some incredible and heartwarming memes about how much it meant, not just to international nerds like me who think planes are cool, but to regular Ukrainians who knew it as a one-of-a-kind gentle giant that helped the world, painted in a beautiful livery that screamed Ukraine. It has even become <a href="https://toys-kopitsa.com.ua/uk/vse-bude-ukrayina/mriya">a symbol you can buy a plushie of</a>. 
But for me, the best example I have seen of its value is when someone spoofed false data into flight tracking sites so that the &#x41C;&#x440;&#x456;&#x44F; appeared to be flying racetracks around Kyiv under the callsign FCKPUTIN.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Just because it shows up on flight tracking sites, doesn&apos;t mean it&apos;s real: Destroyed An-225, formerly the world&apos;s largest cargo plane, is showing on <a href="https://twitter.com/flightradar24?ref_src=twsrc%5Etfw">@flightradar24</a>, callsign FCKPUTIN, circling Kyiv at 4,500ft.<a href="https://t.co/DGHdaexIZs">https://t.co/DGHdaexIZs</a> <a href="https://t.co/GZanwMnukm">pic.twitter.com/GZanwMnukm</a></p>&#x2014; Peter Aldhous (@paldhous) <a href="https://twitter.com/paldhous/status/1502211101802610689?ref_src=twsrc%5Etfw">March 11, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><!--kg-card-begin: markdown--><h4 id="the-scale-of-propaganda">The Scale of Propaganda</h4>
<!--kg-card-end: markdown--><p>Just under a month before the Russian offensive started, OpenFacto, a French-language collective of OSINT investigators, published an absolutely incredible article, summarised in English on their Twitter. OpenFacto had started looking into a collective of sites called InfoRos. InfoRos is a major Russian news portal, and it wasn&apos;t until 2021 that it came under serious scrutiny.</p><p>2021 was a bad year for InfoRos. <a href="https://sgp.fas.org/crs/intel/R46616.pdf">The US Congressional Research Service released a report on the unit behind InfoRos, GRU Unit 54777</a>, and there was a flurry of reporting by major American news organisations, some of it focusing on Alexander Starunsky, <a href="https://meduza.io/en/feature/2021/05/17/psy-ops-in-high-places">which Meduza covered in detail here</a>. But the really good stuff came from the Estonian Foreign Intelligence Service, which in its 2021 public security environment assessment dedicated nearly 5% of the report to the work of Unit 54777.</p><p>OpenFacto saw all of this and decided to poke around at InfoRos with some pointy sticks and see what fell out. Looking at the source of the pages, they found a distinctive snippet of code, and a reverse nameserver lookup against the InfoRos server hosting the first sites they found turned up not the 276 registered sites InfoRos claimed to operate, but 1,341;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">We identified a distinctive snippet of its source code and performed a reverse nameserver lookup via the InfoRos server that hosted the first discovered sites. We found a total of 1,341 InfoRos linked-websites. Most redirected to a Russian city news portal controlled by InfoRos.</p>&#x2014; OpenFacto (@openfacto) <a href="https://twitter.com/openfacto/status/1486829297889333260?ref_src=twsrc%5Etfw">January 27, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
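<!--kg-card-begin: markdown--><p>The pivot OpenFacto describes (fingerprint a snippet shared by the first sites, find the nameserver behind the host that serves it, then enumerate every other domain on that nameserver) is worth seeing in code. The following is an added example, not OpenFacto&apos;s tooling and not from the original post; the domains, page sources and nameserver records are constructed stand-ins so it runs offline, where a real run would pull the NS data from passive DNS or bulk zone data rather than from live queries against the target. It also adds the check a practitioner wants before trusting the result: if the nameserver serves thousands of tenants it is a shared hoster, not a dedicated server, and the reverse lookup tells you nothing.</p>

```python
import re
from collections import defaultdict

# Constructed fingerprint: a script include that the first discovered sites all
# carry. Real fingerprints are whatever is unusual and shared (a tracker ID, an
# odd path, an inline snippet). We capture the host that serves it.
FINGERPRINT_RE = re.compile(r'src="https?://([^/"]+)/[^"]*counter\.js"', re.IGNORECASE)

# Constructed sample page sources, domain -> HTML, standing in for fetched pages.
PAGES = {
    "news-city-a.example": '<html><head><script src="https://static.infra-a.example/js/counter.js"></script></head></html>',
    "news-city-b.example": '<html><head><script src="https://static.infra-a.example/js/counter.js"></script></head></html>',
    "unrelated.example": '<html><head><script src="https://cdn.other.example/app.js"></script></head></html>',
}

# Constructed nameserver records, domain -> set of NS hosts. news-city-c and
# news-region-d carry no fingerprint we have seen; they are only reachable by
# the nameserver pivot, which is the whole point of the technique.
NS_RECORDS = {
    "static.infra-a.example": {"ns1.infra-a.example", "ns2.infra-a.example"},
    "news-city-a.example": {"ns1.infra-a.example", "ns2.infra-a.example"},
    "news-city-b.example": {"ns1.infra-a.example", "ns2.infra-a.example"},
    "news-city-c.example": {"ns1.infra-a.example", "ns2.infra-a.example"},
    "news-region-d.example": {"ns2.infra-a.example"},
    "unrelated.example": {"ns1.other.example"},
    "cdn.other.example": {"ns1.other.example"},
}

# Above this many tenants a nameserver is shared infrastructure (a registrar or
# hoster default NS) and a reverse lookup on it just returns everyone.
MAX_TENANTS = 50


def fingerprint_hosts(pages):
    """Hosts serving the fingerprinted script, pulled from page source."""
    hosts = set()
    for html in pages.values():
        hosts.update(m.group(1).lower() for m in FINGERPRINT_RE.finditer(html))
    return hosts


def reverse_ns_index(ns_records):
    """Invert domain -> nameservers into nameserver -> domains (the reverse lookup)."""
    index = defaultdict(set)
    for domain, servers in ns_records.items():
        for ns in servers:
            index[ns.lower()].add(domain.lower())
    return index


def expand_from_fingerprint(pages, ns_records, max_tenants=MAX_TENANTS):
    """Fingerprint -> serving host -> its nameservers -> every domain they serve."""
    seeds = fingerprint_hosts(pages)
    index = reverse_ns_index(ns_records)
    nameservers, domains = set(), set()
    for host in seeds:
        for ns in ns_records.get(host, ()):
            tenants = index[ns.lower()]
            if len(tenants) > max_tenants:
                continue  # shared hoster: not a usable pivot, would drown us in noise
            nameservers.add(ns.lower())
            domains |= tenants
    # Domains we only learned about through the nameserver, not the fingerprint.
    ns_only = domains - set(pages) - seeds
    return {"seeds": seeds, "nameservers": nameservers, "domains": domains, "ns_only": ns_only}


if __name__ == "__main__":
    result = expand_from_fingerprint(PAGES, NS_RECORDS)
    for key in ("seeds", "nameservers", "domains", "ns_only"):
        print(key, sorted(result[key]))
```

<p>The <code>max_tenants</code> cut-off is the difference between a finding and a false lead: OpenFacto&apos;s lookup worked because the server was InfoRos&apos;s own, and the same query against a nameserver shared with thousands of unrelated customers would have produced a list that proves nothing. Domains that come back only via the nameserver (<code>ns_only</code>) still need a second signal, the redirect behaviour OpenFacto noted for instance, before they are attributed.</p><!--kg-card-end: markdown-->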
</figure><p>When they started looking at the sites, they noticed that 75% of them either didn&apos;t exist before 2019 or were existing local sites for a city or region that InfoRos had <em>acquired</em>, effectively buying fronts to distribute propaganda. It&apos;s also interesting that while the sites are spread across the whole of Russia, the vast majority are in the European part of the country.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">We have identified a network of more than 1300 websites run by the GRU, targeting Russian speakers including domestic audiences. A thread &#x1F9F5;...<br><br>And read our full report here <a href="https://t.co/UArqBocSb3">https://t.co/UArqBocSb3</a> <a href="https://twitter.com/hashtag/Russia?src=hash&amp;ref_src=twsrc%5Etfw">#Russia</a> <a href="https://twitter.com/hashtag/Disinfo?src=hash&amp;ref_src=twsrc%5Etfw">#Disinfo</a>  <a href="https://twitter.com/hashtag/OSINT?src=hash&amp;ref_src=twsrc%5Etfw">#OSINT</a> <a href="https://t.co/u2LZJOMJmY">pic.twitter.com/u2LZJOMJmY</a></p>&#x2014; OpenFacto (@openfacto) <a href="https://twitter.com/openfacto/status/1486829290301931525?ref_src=twsrc%5Etfw">January 27, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>The other major concentration of InfoRos sites is in places Russia considers problem areas: Ciscaucasia, where Russia has internal republics such as Chechnya and Dagestan, or neighbouring states like Georgia, where Russia has fought wars to keep Georgia a divided state, with autonomous regions like Adjara and breakaway territories such as Abkhazia and South Ossetia. Not to mention Armenia and Azerbaijan, which fought a war over Nagorno-Karabakh in 2020, or Turkey, a NATO state fighting the Kurds inside Turkey but also beyond its borders in northern Syria and northern Iraq.</p><!--kg-card-begin: markdown--><h2 id="the-quiet-corruption">The Quiet Corruption</h2>
<!--kg-card-end: markdown--><p>While neither Borden nor Kopp discusses this form of information corruption, I believe that professionals who work in cyber should be aware that algorithms can be used to create a tailored view of what the world looks like. This doesn&apos;t have to be malicious; Twitter, for example, changed how it displayed tweets a while ago. Originally Twitter showed users tweets in the order they came in, but over time it changed this to show you popular tweets from the accounts you follow.</p><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/corrupt2.PNG" class="kg-image" alt loading="lazy" width="1550" height="511" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/corrupt2.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/corrupt2.PNG 1000w, https://blog.cyberwarfa.re/content/images/2022/04/corrupt2.PNG 1550w"></figure><p>A less tasteful version of this tailored view is the controlled implosion of the Evergrande company in China. While the implosion was under way it was huge news here in the West, with regular articles in various papers and segments on TV news shows. But inside China, behind the Great Firewall, it was a very different story;</p><!--kg-card-begin: markdown--><blockquote>
<p>There are also kinda basic things, about you know, media, there was a New York Times piece, I think last week, about how Evergrande is everywhere in the foreign news and is nowhere in Chinese news and that means that, you know, Chinese people aren&apos;t maybe informed about what is happening. Obviously they know something about what is happening, but not to the extent, as they could if it was an open media.<br>
<a href="https://www.lawfareblog.com/lawfare-podcast-katrina-northrop-evergrande-debt-crisis">Jen Patja Howell, Jacob Schulz and Katrina Northrop; The Lawfare Podcast: Katrina Northrop on the Evergrande Debt Crisis; 00:13:45</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>You can argue the merits and failings of limiting the reach of the story inside China, and the ultimate purpose of doing so, but the censors at the Publicity Department of the Chinese Communist Party, or should I say the Propaganda Department of the CCP, are making the active choice not to allow the media to report on the issues around Evergrande. You could also look at how <a href="https://twitter.com/AirMovingDevice/status/1195575891146895360?s=20&amp;t=Oju5M2KdYL0fEk4l5o1d_w">Air-Moving Device checked TikTok&apos;s API to see whether certain words or phrases in a user&apos;s posts would trigger a manual review</a>, <a href="https://twitter.com/AirMovingDevice/status/1196835009442615296?s=20&amp;t=Oju5M2KdYL0fEk4l5o1d_w">and how things differ on Douyin</a>, which is TikTok in China.</p><p>It should be noted, though, that this isn&apos;t limited to China. <a href="https://www.theguardian.com/world/2020/aug/16/facebook-algorithm-found-to-actively-promote-holocaust-denial">Facebook, for example, has been shown to actively promote Holocaust denial</a>, and it is not alone in having these problems. Reddit has repeatedly had similar issues, and more recently Spotify has had the same problem after throwing money at a moron who has had one too many head injuries and spends too much time JAQing off; writer Roxane Gay made a salient point;</p><!--kg-card-begin: markdown--><blockquote>
<p>I would never support censorship. And because I am a writer, I know that language matters. There&#x2019;s a difference between censorship and curation. When we are not free to express ourselves, when we can be thrown in jail or even lose our lives for speaking freely, that is censorship. When we say, as a society, that bigotry and misinformation are unacceptable, and that people who espouse those ideas don&#x2019;t deserve access to significant platforms, that&#x2019;s curation. We are expressing our taste and moral discernment, and saying what we find acceptable and what we do not.<br>
<a href="https://www.nytimes.com/2022/02/03/opinion/culture/joe-rogan-spotify-roxane-gay.html">Roxane Gay; Why I&#x2019;ve Decided to Take My Podcast Off Spotify</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>We can use algorithms for good and for bad; we just have to make hard choices about what they should be used for, as they can spread vile hatred or promote the good in the world.</p><!--kg-card-begin: markdown--><h2 id="attacks-that-exploit">Attacks that Exploit</h2>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/exploit.PNG" class="kg-image" alt loading="lazy" width="1552" height="507" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/exploit.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/exploit.PNG 1000w, https://blog.cyberwarfa.re/content/images/2022/04/exploit.PNG 1552w"></figure><!--kg-card-begin: markdown--><h4 id="spot-the-army">Spot The Army</h4>
<!--kg-card-end: markdown--><p>During the talk, I needed a moment to grab a drink before my voice fell apart, and rather than leave people watching me take a swig of water, I gave them something to do. I already wanted to talk about electronic exploitation and I had the perfect example, because as a nerd who keeps an eye on the future of warfare, there are only two units worth watching: the <a href="https://www.inscom.army.mil/msc/780mib/index.html">US 780th MIB</a> and the <a href="https://home.army.mil/irwin/index.php/units-tenants/11th-armored-cavalry-regiment">US 11th ACR</a>.</p><p>Colonel Scott Woodward, who used to command the US 11th ACR, is active on Twitter, posts some really cool things there and actively engages with people. He was asked about the efficacy of modern visible camouflage and shared an incredible picture from a concealment exercise in which up to 1,000 troops of the 11th ACR took part;</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/04/EXdJBOJU4AAOWBa.png" class="kg-image" alt loading="lazy" width="2000" height="1333" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/EXdJBOJU4AAOWBa.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/EXdJBOJU4AAOWBa.png 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/EXdJBOJU4AAOWBa.png 1600w, https://blog.cyberwarfa.re/content/images/size/w2400/2022/04/EXdJBOJU4AAOWBa.png 2400w"><figcaption><a href="https://twitter.com/theRealBH6/status/1258554927648931840?s=20&amp;t=p8yifeLs-hj0-tCDRsSbAA">The source tweet is here</a></figcaption></figure><p>This image is 2400x1600, so you can have fun downloading the PNG and pixel-peeping in your own time to find the whole battalion, if you even can. 
But Colonel Woodward was using it to make a different point: on a modern battlefield it doesn&apos;t matter how good your concealment is if all your fancy wireless electronics, the radio in the Humvee, the smartphone on that guy over there, the data-linked computer in the tank and so on, are continually broadcasting and making noise that can be detected. Add the growth of active radar emitters on the battlefield, for active protection systems or for reconnaissance of your forward area, and the whole formation stands out as a large electronic signature;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">These were taken at the National Training Center, in California. Concealment will help you stay alive a little longer in the close fight. <br><br>What does your EW footprint look like is the larger question. If I can see you like this, it doesn&apos;t matter how much camo you have <a href="https://t.co/EihBe4nEG3">pic.twitter.com/EihBe4nEG3</a></p>&#x2014; LXVIII RCO (@theRealBH6) <a href="https://twitter.com/theRealBH6/status/1258556133037363200?ref_src=twsrc%5Etfw">May 8, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p>The 11th ACR thought they were safe because at 2300 it was dark, they were spread out over 6 sq km and they had taken the opportunity to resupply with their <em>trains</em>, but even with the best concealment efforts, the battalion was detected by its electronic signature at 12 km;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">That&#x2019;s exactly what it is. BN with trains hiding behind MG at about 2300. Thought they were safe cause it was dark. Picked me up at about 12 K with EW</p>&#x2014; LXVIII RCO (@theRealBH6) <a href="https://twitter.com/theRealBH6/status/1258558040376094720?ref_src=twsrc%5Etfw">May 8, 2020</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><!--kg-card-begin: markdown--><h4 id="why-communication-networks-stayed-online">Why Communication Networks Stayed Online</h4>
<!--kg-card-end: markdown--><p>One thing that I, and nearly everyone I know who looks at how information warfare impacts the battlespace, will tell you is that the big lesson of the First Gulf War is that if you want to decapitate a military&apos;s ability to fight, you have to crush its ability to command and communicate. Naturally, this leads one to wonder why the networks in Ukraine are still up, and I think the best reason is that the intelligence on them can be exploited, as seen in this video released by Ukrainian intelligence;</p><!--kg-card-begin: html--><video width="99%" controls>
  <source src="https://d2e2xs2a2y3u97.cloudfront.net/Cyber%20War%20Is%20Boring/SBU-Intercept.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>

<p>
    <a href="https://youtu.be/LYumd3pt9F8?start=166&amp;end=227">Ukrainian intelligence published phone conversations intercepted from LNR and DNR militants who had recently shelled civilians in Eastern Ukraine; SBU</a>
</p><!--kg-card-end: html--><p>This is a minute-long intercept, one of several in that video, and the SBU has been publishing more like it on its YouTube channel. Exploiting intercepts isn&apos;t the only reason networks remain up, though. Both sides are using them to monitor each other&apos;s activity, and both sides have limited methods for C2, so they rely on Telegram channels, for example, to conduct operations at the tactical level.</p><p>Ukraine is not alone in doing this. Russia appears to be using similar techniques to target foreign volunteers. The story goes that Russia is using surveillance equipment to find +44 numbers, but while phone surveillance isn&apos;t my area of expertise, that doesn&apos;t seem like the smartest approach to me, as electronic warfare suites have included IMSI catcher-like systems for a long time and it would be easier to <a href="https://imei.org/blog/imsi-number">interrogate a handset for its SIM&apos;s IMSI, which begins with a three-digit Mobile Country Code, or MCC, identifying the home country of that subscription</a></p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">And that is why these amateur fighters do not help anyone<br><br>British volunteer fighters may have triggered deadly strike on Ukrainian base after their phones were detected <a href="https://t.co/42afRMblxe">https://t.co/42afRMblxe</a></p>&#x2014; Carlo &quot;Realism, Gedankenfetzen, and Rants&quot; Masala (@CarloMasala1) <a href="https://twitter.com/CarloMasala1/status/1505252971185065991?ref_src=twsrc%5Etfw">March 19, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>Even if you change your SIM card to a Ukrainian one on entering the country, you aren&apos;t safe, as every handset also has an IMEI that the same equipment can collect. The IMEI does not encode a network or a country, but its Type Allocation Code identifies the make and model of the handset, and it stays the same when the SIM changes, so the device can still be singled out and tracked. In theory a device can also be identified over Wi-Fi, though what leaks there is its MAC address rather than the IMEI, and that is a more complex proposition with several nuances. Ultimately it&apos;s a failure in operational security that comes not from the stupidity of a soldier, but from a lack of understanding of the underlying technology and how it works, and normally one that western soldiers need not worry about as they have secure radios rather than phones. Any combination of these could have been used to identify the Ukrainian Foreign Legion members at Yavoriv above or at Kharkiv below;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Kharkiv: Russian Iskander missile targeting a Ukr base which housed infantry according to the Russian MoD. <a href="https://t.co/UREpNUA1Dl">pic.twitter.com/UREpNUA1Dl</a></p>&#x2014; OsintTv&#x1F4FA; (@OsintTv) <a href="https://twitter.com/OsintTv/status/1510317499371372548?ref_src=twsrc%5Etfw">April 2, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>Russia was also caught in the act by Ukrainian Intelligence relaying voice and SMS messages to high ranking Russian officers and other individuals in Ukraine. It&apos;s quite the find, as it shows that Russia is targeting Ukraine across its entire spectrum of communications infrastructure. </p><!--kg-card-begin: html--><blockquote class="twitter-tweet"><p lang="en" dir="ltr">1/5 Another significant capture in <a href="https://twitter.com/hashtag/Ukraine?src=hash&amp;ref_src=twsrc%5Etfw">#Ukraine</a>. Reported discovery today of a <a href="https://twitter.com/hashtag/SIMBox?src=hash&amp;ref_src=twsrc%5Etfw">#SIMBox</a> being used to relay Voice calls &amp; SMS and other info to Russian forces (including top leadership of Russian army) &amp; other individuals in <a href="https://twitter.com/hashtag/Ukraine?src=hash&amp;ref_src=twsrc%5Etfw">#Ukraine</a>. I will explain what this is and how it works. <a href="https://t.co/6MQAghOFqF">https://t.co/6MQAghOFqF</a></p>&#x2014; Cathal Mc Daid (@mcdaidc) <a href="https://twitter.com/mcdaidc/status/1503697414301044739?ref_src=twsrc%5Etfw">March 15, 2022</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p>Now, none of this is to say that networks haven&apos;t gone down. Networks have physical points of presence in the real world while sending data around the cyberz, and while there is a degree of self-healing in BGP for fibre networks, on mobile networks only 5G can self-heal, so if a GSM tower is hit or has a cable cut or antenna damaged, it is down and needs an engineer to go out and fix it.
NetBlocks has done an amazing job of keeping track of these outages, in areas around the world, such as this drop in connectivity in Kharkiv on the first day of the war;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">&#x26A0;&#xFE0F; Update: <a href="https://twitter.com/hashtag/Ukraine?src=hash&amp;ref_src=twsrc%5Etfw">#Ukraine</a>&apos;s second-largest city <a href="https://twitter.com/hashtag/Kharkiv?src=hash&amp;ref_src=twsrc%5Etfw">#Kharkiv</a> continues to take the brunt of network and telecoms disruptions, leaving many users cut off amid scenes of destruction as Russia targets the region. Kyiv is currently less impacted by outages.<br><br>&#x1F4F0; Report: <a href="https://t.co/S0qJQ7CJD3">https://t.co/S0qJQ7CJD3</a> <a href="https://t.co/FxgN1bHV3m">pic.twitter.com/FxgN1bHV3m</a></p>&#x2014; NetBlocks (@netblocks) <a href="https://twitter.com/netblocks/status/1496832598764834824?ref_src=twsrc%5Etfw">February 24, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><!--kg-card-begin: markdown--><h4 id="the-other-reason-why-communication-networks-stayed-online">The Other Reason Why Communication Networks Stayed Online</h4>
<!--kg-card-end: markdown--><p><a href="https://www.forbes.com/sites/thomasbrewster/2022/03/15/internet-technicians-are-the-hidden-heroes-of-the-russia-ukraine-war/">There has been an absolutely gargantuan effort by engineers at telecom companies, including putting their own lives at risk to maintain network connectivity</a>. When Ukrainians say &#x413;&#x435;&#x440;&#x43E;&#x44F;&#x43C; &#x441;&#x43B;&#x430;&#x432;&#x430; or Glory to Heroes, I know they mean the soldiers on the front line and the EOD techs who make places safe by removing unexploded ordnance, but I can&apos;t help but think about the Heroes who keep the state&apos;s phone and broadband networks up. They allow us to document Russia&apos;s barbarism in Mariupol and their atrocities in Bucha, but also to see all that is good in the world, like those rescuing people&apos;s pets from near the front lines or people being helped to safety and families being reunited. </p><!--kg-card-begin: markdown--><h4 id="radio-use-and-intercepts">Radio Use And Intercepts</h4>
<!--kg-card-end: markdown--><p>In western militaries, all communication is done via secure radio that handles voice, video, data, and satcoms. <a href="https://www.c4isrnet.com/cyber/2020/10/19/us-army-looks-to-use-soldiers-biometric-data-to-secure-wearable-tech/">These systems are also moving towards integrating AR/VR and biometric data, which is just wild</a>. Generally, these are systems like the <a href="https://www.l3harris.com/all-capabilities/falcon-radio-product-line">L3 Harris Falcon family</a> of radios or something wild like a <a href="https://www.persistentsystems.com/mpu5/">Persistent Systems MPU5</a>, which are do-everything systems.</p><p>Russia was supposed to be moving in this direction with the <a href="https://roe.ru/eng/catalog/land-forces/military-communications-equipment-and-automated-control-systems/azart/">R-187 Azart SDR radio, which on paper looks pretty cool</a>! Though they have been <a href="https://www.kommersant.ru/doc/4712794">mired in a long running corruption scandal where 6.7 billion rubles were stolen</a>. The gist of the story is that the radios were to be manufactured in Russia, using Russian sourced components, which makes a lot of sense, but somewhere along the way, they were sold to the Russian military as overpriced junk, with 60 suppliers from European countries as well as China, Malaysia and Taiwan. Not to mention that the final assembly allegedly took place in China and the software comes from an unknown company, known just as <em>Elvis</em>.</p><p>It is at this point that my new favourite Twitter account, <a href="https://twitter.com/radio_research">The Radio Research Group</a>, comes into the story! 
These people have basically been looking at radios for the whole conflict and identifying them, such as some below;</p><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/1.png" width="762" height="650" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/1.png 600w, https://blog.cyberwarfa.re/content/images/2022/04/1.png 762w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/2.jpg" width="1528" height="1100" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/2.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/2.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/2.jpg 1528w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/3.jpg" width="966" height="818" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/3.jpg 600w, https://blog.cyberwarfa.re/content/images/2022/04/3.jpg 966w" sizes="(min-width: 720px) 720px"></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/4.jpg" width="2000" height="1142" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/4.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/4.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/4.jpg 1600w, https://blog.cyberwarfa.re/content/images/size/w2400/2022/04/4.jpg 2400w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/5.jpg" width="1170" height="1445" loading="lazy" alt 
srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/5.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/5.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/5.jpg 1170w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/6.jpg" width="1918" height="1152" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/6.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/6.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/6.jpg 1600w, https://blog.cyberwarfa.re/content/images/2022/04/6.jpg 1918w" sizes="(min-width: 720px) 720px"></div></div></div></figure><!--kg-card-begin: markdown--><p>Some examples of The Radio Research Group&apos;s work on Russian forces includes;</p>
<ol>
<li><a href="https://twitter.com/radio_research/status/1511792904355807233?s=20&amp;t=ZZJZsIMIXhxPXADXfBEoXA">Never before seen radios</a></li>
<li><a href="https://twitter.com/radio_research/status/1509626068696592385?s=20&amp;t=ZZJZsIMIXhxPXADXfBEoXA">The aforementioned R-187 Azart</a></li>
<li><a href="https://twitter.com/radio_research/status/1507853189818863625?s=20&amp;t=ZZJZsIMIXhxPXADXfBEoXA">Baofeng civilian radios which you can buy for 100 bucks on Amazon</a></li>
<li><a href="https://twitter.com/radio_research/status/1502846649189642245?s=20&amp;t=ZZJZsIMIXhxPXADXfBEoXA">SATCOM devices among others</a></li>
<li><a href="https://twitter.com/radio_research/status/1500847259948236802?s=20&amp;t=ZZJZsIMIXhxPXADXfBEoXA">A Chechen soldier with a pile of radios</a></li>
<li><a href="https://twitter.com/radio_research/status/1500969197316153345?s=20&amp;t=ZZJZsIMIXhxPXADXfBEoXA">And they identify all of them</a></li>
</ol>
<!--kg-card-end: markdown--><p>They also have identified Ukrainian radio systems, though to a lesser extent as one would imagine they care a hell of a lot more about Ukrainian operational security than Russian operational security.</p><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/1.jpg" width="1170" height="848" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/1.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/1.jpg 1170w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/2-1.jpg" width="1170" height="935" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/2-1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/2-1.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/2-1.jpg 1170w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/3-1.jpg" width="1987" height="1095" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/3-1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/3-1.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/3-1.jpg 1600w, https://blog.cyberwarfa.re/content/images/2022/04/3-1.jpg 1987w" sizes="(min-width: 720px) 720px"></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/4-1.jpg" width="2000" height="1259" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/4-1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/4-1.jpg 1000w, 
https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/4-1.jpg 1600w, https://blog.cyberwarfa.re/content/images/2022/04/4-1.jpg 2142w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/5-1.jpg" width="1170" height="1562" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/5-1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/5-1.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/5-1.jpg 1170w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/6-1.jpg" width="1170" height="1158" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/6-1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/6-1.jpg 1000w, https://blog.cyberwarfa.re/content/images/2022/04/6-1.jpg 1170w" sizes="(min-width: 720px) 720px"></div></div></div></figure><!--kg-card-begin: markdown--><p>Some examples of The Radio Research Group&apos;s work on Ukrainian radios include;</p>
<ol>
<li><a href="https://twitter.com/radio_research/status/1496281995160309767">Some US made Hytera radios</a></li>
<li><a href="https://twitter.com/radio_research/status/1492530406381350916">Motorola XPR radio with an interesting antenna</a></li>
<li><a href="https://twitter.com/radio_research/status/1507865184047611911">Motorola FRS walkie talkie</a></li>
<li><a href="https://twitter.com/radio_research/status/1496961272562458625">Ukrainians also using Baofeng radios</a></li>
<li><a href="https://twitter.com/radio_research/status/1500153429271797762">Capturing Russian Azart radios</a></li>
<li><a href="https://twitter.com/radio_research/status/1497224543529619458">And my personal favourite, using Anti Drone Weapons, which are basically fancy handheld radios</a></li>
</ol>
<!--kg-card-end: markdown--><p>The big thing I love, though, that The Radio Research Group did is identify all of the unencrypted comms that Ukraine and Russia were using. This gave David, my Signals Officer, an idea! So he went looking for, and found, Russian tactical communications and recorded them, which my Cryptographic Linguist Victor translated, and which I can now present to you;</p><!--kg-card-begin: html--><h4>Intercept 1</h4>
<video width="99%" controls>
  <source src="https://d2e2xs2a2y3u97.cloudfront.net/Cyber%20War%20Is%20Boring/Intercept1.mp4" type="video/mp4">
Your browser does not support the video tag.
</video><!--kg-card-end: html--><!--kg-card-begin: markdown--><p>Translation:<br>
A: Yes, I can ??? you, ???<br>
B: Ryazan I&#x2019;m ??? (portrait?), over<br>
A: ??? (Portrait?), I&#x2019;m Ryazan, over<br>
B: Ryazan, [we are] working on the 16th ???<br>
A: Continue to work on this route, everyone stay alert [via radio], I&#x2019;m Ryazan<br>
B: Roger that, over</p>
<!--kg-card-end: markdown--><!--kg-card-begin: html--><h4>Intercept 2</h4>
<video width="99%" controls>
  <source src="https://d2e2xs2a2y3u97.cloudfront.net/Cyber%20War%20Is%20Boring/Intercept2.mp4" type="video/mp4">
Your browser does not support the video tag.
</video><!--kg-card-end: html--><!--kg-card-begin: markdown--><p>Translation:<br>
A: I&#x2019;m Ryazan, over<br>
B: I&#x2019;m Uragan, over<br>
A: Uragan, I&#x2019;m Ryazan, over<br>
B: How&#x2026; can we&#x2026; transmit data, or receive it? over<br>
(bleeping)<br>
C: Ryazan, I&#x2019;m Geyzer, ???<br>
A: Geyzer, Geyzer, I&#x2019;m Ryazan, over<br>
C: I&#x2019;m Geyzer, will clarify how Uragan can pass data and receive it, over</p>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h1 id="battlefield-shaping">Battlefield Shaping</h1>
<!--kg-card-end: markdown--><p>Battlefield Shaping is the process of preparing the terrain for war. When people generally think about that, they think about the Gulf War in 1991, when Coalition Forces destroyed important targets in Iraq and ensured they owned the skies before commencing ground offensives. When we look at Information Warfare, and in particular Cyber Warfare, we see a similar thing. We can exploit intelligence gathered and launch attacks so that advances can be made, but people tend to forget about the other aspect: defence. </p><figure class="kg-card kg-image-card kg-width-full"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Capture-2.jpg" class="kg-image" alt loading="lazy" width="1684" height="817" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Capture-2.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Capture-2.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/Capture-2.jpg 1600w, https://blog.cyberwarfa.re/content/images/2022/04/Capture-2.jpg 1684w"></figure><p>In the run up to the Russian offensive in Ukraine, there is an incredible, largely untold story, of which we have only gotten little glimmers, about the defensive efforts to protect Ukraine&apos;s cyber infrastructure from Russia. <a href="https://www.ft.com/content/1fb2f592-4806-42fd-a6d5-735578651471">It started, as best I can tell, in November of 2021 when US Cyber Command deployed Cyber Mission Teams (CMT) to Ukraine</a>. CMTs are combinations of troops and specialist contractors who can go forward into the field and perform operations from those forward locations. </p><p>These CMTs systematically performed a statewide Threat Hunt, going through the cyber infrastructure of Ukraine and removing malware left, right and centre from various state bodies such as Ukrainian Railways and the Border Police. These CMTs also worked on a small budget of just 60 million dollars. 
This effort in destroying the prepositioning Russia had spent so long building up meant, in terms of the Subversive Trilemma, that Russia&apos;s capacity was reduced. This could be one reason why we have seen so many DDoS attacks and Wipers, though that could also be because they are effective, particularly Wipers.</p><p>The linked article also mentions that Ukraine&apos;s police were the victim of a DDoS and that one of the CMT partner companies, Fortinet, was able to have the US Department of Commerce clear the funding of a &quot;virtual machine&quot; that is used to counter DDoS&apos;. </p><p>Next, in January, <a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2910409/nsa-issues-recommendations-to-protect-vsat-communications/">we saw a little advisory from the NSA titled NSA Issues Recommendations to Protect VSAT Communications</a>. VSATs or Very Small Aperture Terminals are small satellite dishes, such as those that give you satellite TV or satellite broadband. The NSA advisory doesn&apos;t say much about what exactly the threat is, just that if you use one, you need to up your security game as there are threats to the terminals. In retrospect, it is clear that the NSA was aware that something like the Viasat Kerfuffle could happen, or that they knew directly that it would happen, but were unwilling to divulge this information lest it burn Sources and Methods. </p><p>Also in January, <a href="https://www.dragos.com/blog/new-knowledge-pack-released-kp-2022-002-j/">Dragos dropped a regular Knowledge Pack, which included a detection/detections of INDUSTROYER/CRASHOVERRIDE malware</a>, which was used <a href="https://cyberlaw.ccdcoe.org/wiki/Industroyer_%E2%80%93_Crash_Override_(2016)">to take down one fifth of the power grid in Kyiv for a period of an hour in 2016</a>. 
As well as this, the <a href="https://www.dragos.com/blog/new-knowledge-pack-released-kp-2022-003-a/">March Knowledge Pack included detections in February for INDUSTROYER/CRASHOVERRIDE and BlackEnergy</a>, which was used <a href="https://cyberlaw.ccdcoe.org/wiki/Power_grid_cyberattack_in_Ukraine_(2015)">to take down parts of the power grid in western Ukraine in 2015</a>, affecting 225,000 customers for a period of 3 to 6 hours.</p><p>This variant of INDUSTROYER/CRASHOVERRIDE is being dubbed by <a href="https://cert.gov.ua/article/39518">CERT-UA as INDUSTROYER2</a>. It&apos;s unknown how different it is from the original; for example, I have heard from some sources that they are radically different and should be called different names entirely, and from another set of sources that there are a lot of similarities. I do know for sure that the wiper is different in operation and thus has been dubbed CADDYWIPER, and that the payloads that execute on ICS systems were compiled on the 23rd of February 2022, hours before Russia began offensive operations in the early morning of the 24th of February. Though note that information on the campaign is still limited. The CERT-UA alert discusses that 9 substations did go down and that there is a set of Linux components which have not been recovered.</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">Here is the alert, authored by Ukraine&apos;s Computer Emergency Response Team, that had previously been shared with international partners about Russians &quot;successfully&quot; hacking Ukraine&apos;s power grid. 
<a href="https://t.co/8CNfwFhD9z">https://t.co/8CNfwFhD9z</a> <a href="https://t.co/32ISNqqc3n">pic.twitter.com/32ISNqqc3n</a></p>&#x2014; Patrick Howell O&apos;Neill (@HowellONeill) <a href="https://twitter.com/HowellONeill/status/1513912065236377602?ref_src=twsrc%5Etfw">April 12, 2022</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p>In April, Mandiant, <a href="https://media.defense.gov/2022/Apr/20/2002980529/-1/-1/0/JOINT_CSA_RUSSIAN_STATE-SPONSORED_AND_CRIMINAL_CYBER_THREATS_TO_CRITICAL_INFRASTRUCTURE_20220420.PDF">along with FVEY making a rare joint statement</a>, publicised the discovery of INCONTROLLER, malware that targets Industrial Control Systems (ICS). While attribution isn&apos;t specifically given, between the targeting profile of the malware in North America, Europe and particularly Ukraine, the malware taking pointers from previous experiments like TRITON/TRISIS, and Russia&apos;s history with ICS malware (HAVEX, BlackEnergy3, INDUSTROYER and VPNFILTER), it&apos;s reasonable to assume that the malware came from Russia, something that Mandiant highlight with their graph of the <em>nexus</em> of Russian malware targeting ICS systems. </p><p>INCONTROLLER is comprised of 3 parts: TAGRUN, CODECALL and OMSHELL. TAGRUN scans for OPC Servers, enumerates them, brute forces credentials and allows the malware to read and write OPC Tag Values. <a href="https://www.automation.com/en-us/articles/2010-1/what-is-opc-it-is-all-about-the-tag">OPC Tags are stores of data values like Data Access, which provide real time data on a sensor, such as the specific rate at which a motor is turning, or Alarms and Conditions, such as a boolean value to check if a condition has been reached. There is also an extension for it called Historical Data Access, which as you can imagine provides historical, rather than real time, data</a>. 
While the majority of what TAGRUN does suggests reconnaissance, it should be noted that manipulation of OPC Tags could mask changes made by other pieces of the malware.</p><p>CODECALL is a framework that operates over the Modbus protocol to directly communicate with Programmable Logic Controllers (PLCs) and contains modules that can identify Schneider Electric systems, connect to them, load and execute files and execute commands that can, for example, crash systems. OMSHELL is a modular framework used to identify and connect to Omron PLCs; it can enable telnet and use that access, or a backdoor it connects to, to execute arbitrary files or commands.</p><p>Mandiant list three attack scenarios. In Scenario 1, OMSHELL and/or CODECALL are used to crash PLCs to shut down operations. Scenario 2 uses all of the modules to reprogram controllers to sabotage a process. And Scenario 3 has the capability to disable PLCs, such as the Omron NX-SL3300 Safety Instrumented System (SIS), as TRITON/TRISIS did for the Schneider Electric Triconex, to cause physical destruction of industrial machinery.</p><p>And then we really started to see the Wipers... Ohh god did we see the wipers... <a href="https://blogs.microsoft.com/on-the-issues/2022/04/27/hybrid-war-ukraine-russia-cyberattacks/">Microsoft released a report on the number of engagements they had taken part in: from February 23rd until the 8th of April, they had 237 separate cyber operations against organisations in Ukraine, only two of which were INDUSTROYER2 with CADDYWIPER</a>...</p><p>In January <a href="https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/">Microsoft MSTIC discovered WhisperGate/WhisperKill</a>, which was a wiper that overwrote the Master Boot Record (MBR), leaving a message to pay the <em>ransom</em>. 
</p><p><a href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/">Then ESET found HermeticWiper/FoxBlade and IsaacWiper/Lasainraw in February</a>. HermeticWiper does the same overwriting of the MBR, but it also has a worm component to spread across the networks it is on and a ransom component to <em>hide</em> its activities, though <a href="https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/">SentinelOne notes that the malware is poorly written and not only loudly generates events in the Windows event log, but probably also slows down the wiper component</a>. </p><p>IsaacWiper is significantly less sophisticated and just overwrites the first 0x10000 bytes of a disk and then attempts to wipe all files on a given disk by writing random bytes over them, but does this in a single program thread, so it would take basically until the sun engulfed the earth to erase a disk. I know that&apos;s a little over exaggerated, but it&apos;s really poor form from the Russians. </p><p>This is just scratching the surface of the offensive operations and defensive efforts that are ongoing, as I haven&apos;t, for example, even talked about all of the wipers, such as SonicVote/HermeticRansom, DesertBlade, FiberLake/DoubleZero, or all of the other operations such as <a href="https://cert.gov.ua/article/37626">MicroBackdoor</a> or Armageddon, <a href="https://cert.gov.ua/search/Armageddon">which is responsible for 4 separate campaigns in 2022 alone</a>. But at some point, I have to stop collecting information and call a post done.</p><p>The other thing to note, beyond how small an effect offensive operations have had, is something I want to dig into a lot more: why did the defensive efforts work so well? 
Yes, Ukraine has a well resourced and trained pool of defenders at the SBU, CERT-UA and the State Service of Special Communication and Information Protection of Ukraine (SSSCIP), but lots of states have similar things and that doesn&apos;t stop, for example, <a href="https://twitter.com/KyivPost/status/1518966901065539584?t=mc-CGagF5TmeloEAJ4gvKg&amp;s=19">the UK getting Army recruits</a>. Maybe the existential threat that Russia poses to Ukraine is one hell of a motivator when it comes to winning the war in the 5th Domain?</p><p>I do though wonder, what if Ukraine did what Estonia did? After the Bronze Night, Estonia really reckoned with what did happen and what could have happened if things had gone worse. The Ministry of Defence drafted one of the first National Cyber Security Strategies, anywhere in the world, in 2008. In 2011 this was handed over to the Ministry of Economic Affairs and Communications, making it a Cabinet Level responsibility with major top level buy in from the Government. Estonia also has the Cyber Security Council of the Security Committee of the Government, which is a separate body spread across the Government and government organisations, whose sole task is to implement the strategy and gauge its successes and failures. </p><p>Successive governments have also made sure that Cyber Policy gets all of the attention and funding that is needed, which has resulted in the creation of bodies like the Estonian Information Systems Authority to <a href="https://www.ria.ee/en/cyber-security/supervision.html"><em>supervise</em></a><em> </em>compliance with cyber security standards, including, if necessary, using door kickers to gain entry to facilities to ensure that critical infrastructure is defended correctly. 
It also houses bodies like CERT-EE, which along with CERT services also provides some rad tools like <a href="https://www.ria.ee/en/cyber-security/it-baseline-security-system-iske.html">baseline security profiles for information systems</a>, <a href="https://x-road.global/">X-Road</a> and easily found <a href="https://www.eesti.ee/en/security-and-defense/safety-and-security/computer-security">education on Cyber Security for citizens</a>. And this is just the civilian cyber defence too. I haven&apos;t talked about the role the military plays nor the work of Estonian Intelligence, who are some of the best in the world, not to mention that the <a href="https://www.valisluureamet.ee/assessment.html">Estonian Foreign Intelligence Service provides yearly Security Situation Reports that are packed with things happening in Cyber Space and essential reading in my humble opinion</a>. NATO&apos;s CCDCOE <a href="https://ccdcoe.org/library/publications/national-cyber-security-organisation-estonia/">has a fun write up on the detail if you&apos;re interested in it</a>.</p><p>Ukraine has followed this with the SSSCIP reporting directly to the President. SSSCIP has CERT-UA there, which does incredible work protecting the information infrastructure of Ukraine. Ukraine and its policymakers are also acutely aware of the dangers posed by Cyber, as they have been a bit of a Cyber Testing Range for Russia over the last decade, not to mention 8 years of war, and as this is the case, Ukraine provides all of the publicity needed to keep mind share with the general public, as well as mountains of funding. All this stands in stark contrast with Ireland where... Well, let&apos;s say I follow this kinda stuff closely and I have no fucking idea what&apos;s going on...</p><!--kg-card-begin: markdown--><h1 id="where-is-the-cyber-pew-pew">Where Is The Cyber Pew Pew!?</h1>
<!--kg-card-end: markdown--><p>As a wrap up slide, I had a conclusion thing at the end with what I wanted people to take away, and nothing really has changed since then;</p><figure class="kg-card kg-image-card kg-width-full kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/04/spongebob-cyber-rainbow-1.gif" class="kg-image" alt loading="lazy" width="480" height="354"><figcaption>Cyber still isn&#x2019;t &#x2728; magic &#x2728;</figcaption></figure><p>Cyber is still limited, it still takes a lot of effort and investment, and there are still other weapons available, and these weapons can be MUCH more effective. But I left the politics out of my BSides talk. The other takeaway I want people to leave with is; </p><ul><li>&#x41F;&#x443;&#x442;&#x438;&#x43D; &#x2014; &#x445;&#x443;&#x439;&#x43B;&#x43E; (Putin huul-yo) Putin is a dickhead &#x1F595; and; </li><li>&#x41F;&#x435;&#x440;&#x435;&#x43C;&#x43E;&#x433;&#x430; &#x423;&#x43A;&#x440;&#x430;&#x457;&#x43D;&#x456; (Per-em-ohh-a uu-cry-een-a) Victory to Ukraine &#x270A;</li></ul><!--kg-card-begin: markdown--><hr>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h2 id="acknowledgements">Acknowledgements</h2>
<!--kg-card-end: markdown--><p>Cheers to members of the Irish Cyber Security and Privacy Discord for giving me the chance to do a trial run of the talk before BSides, in particular, <a href="https://linkedin.com/in/dmedwards">Don</a> for the idea, <a href="https://twitter.com/ardamgrey">Michael</a> and Philipa for organising the talk and <a href="https://twitter.com/L2actual">Liam</a> for helping me get the flow of the talk just right with amazing feedback! To <a href="https://www.linkedin.com/in/ronan-donohue-76a31a146">Ronan</a> for being a sounding board to bounce ideas off of over the last year plus, to Owen for the seed of the idea on Ukraine following Estonia on strategy and finally to Schrodinger for keeping me up to date with the latest threat intel on the situation in Ukraine.</p><p>To the Wonks in the ACWP Slack generally, because they are rad and savage craic, but particularly <a href="https://twitter.com/tinfoil_globe">Tinfoil</a> for helping me test the video streaming and remembering stuff I had forgotten, <a href="https://www.middlebury.edu/office/cookie-monster">aminal</a> for patiently explaining EW like I&apos;m a 4 year old because it&apos;s witchcraft, Jack for help with stuff that didn&apos;t end up in this post but was invaluable to my thinking, Microbiote for some graphics, David for his signals intercepts, Sinan for helping with Turkish linguistics and details on the TB2 system as well as video of it in action from Ukraine, and <a href="https://youtu.be/dQw4w9WgXcQ">Bill</a> for being a treasure throughout by organising the invaluable debriefs we&apos;re having to hone our skills. Finally to dman for being an invaluable stream of OSINT that keeps me in the loop.</p><p>Finally, thanks to <a href="https://wftc.xyz/">Victor</a> for translating some Russian for me as my Cryptologic Linguist. 
To the guys from BSides, particularly <a href="https://twitter.com/Securityblog">Antonio</a> for saying I should do a talk on this kinda stuff when we met at IRISSCON21, and <a href="https://twitter.com/theOtherGirl_75">Anne-Marie</a> and Kim for pushing me to talk to Antonio! And <a href="https://twitter.com/0xAC1D1C">Paul</a>, because while my initial talk didn&apos;t make it past the CFP, Paul wanted me to talk about the Cyber War, so I wrote a whole new talk in a few weeks, based on the ideas Don gave me and fueled by the opportunity Paul gave me.</p>]]></content:encoded></item><item><title><![CDATA[I was in the journal.ie talking about OSINT things in Ukraine and elsewhere]]></title><description><![CDATA[<figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">I had a really fun chat with <a href="https://twitter.com/parkinsbrea?ref_src=twsrc%5Etfw">@parkinsbrea</a> over an hour last week on doing OSINT on data coming in from a warzone as well as my own personal war stories in the trenches of OSINT and only a few slivers made it into a nice piece just published <a href="https://t.co/ZW3sKdEsNa">https:</a></p></blockquote></figure>]]></description><link>https://blog.cyberwarfa.re/i-was-in-the-journal-ie-talking-about-osint-things-in-ukraine/</link><guid isPermaLink="false">626aeafff85c9ea22a7b87e7</guid><category><![CDATA[Updates from the Author]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Thu, 28 Apr 2022 19:30:06 GMT</pubDate><content:encoded><![CDATA[<figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">I had a really fun chat with <a href="https://twitter.com/parkinsbrea?ref_src=twsrc%5Etfw">@parkinsbrea</a> over an hour last week on doing OSINT on data coming in from a warzone as well as my own personal war stories in the trenches of OSINT and only a few slivers made it into a nice piece just published <a 
href="https://t.co/ZW3sKdEsNa">https://t.co/ZW3sKdEsNa</a></p>&#x2014; &#x1F595;&#x41F;&#x443;&#x301;&#x442;&#x456;&#x43D; &#x445;&#x443;&#x439;&#x43B;&#x43E;&#x301; &#x1F499;&#x1F49B; &#x421;&#x43B;&#x430;&#x432;&#x430; &#x456; &#x43F;&#x43E;&#x431;&#x435;&#x434;&#x430; &#x423;&#x43A;&#x440;&#x430;&#x457;&#x43D;&#x456; &#x1F1FA;&#x1F1E6;&#x270A; (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1519758679519772672?ref_src=twsrc%5Etfw">April 28, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure>]]></content:encoded></item><item><title><![CDATA[So How Bad Is It For The Russian Soldiers Who Went To Chernobyl?]]></title><description><![CDATA[<p>At the start of Russia&apos;s offensive in Ukraine, they drove through Chernobyl and set up defensive positions within the Exclusion Zone. <a href="https://www.reuters.com/world/europe/unprotected-russian-soldiers-disturbed-radioactive-dust-chernobyls-red-forest-2022-03-28/">Then we got reports from Reuters that the soldiers in the Exclusion Zone had disturbed some of the radioactive dust there</a>. At the time, myself and the</p>]]></description><link>https://blog.cyberwarfa.re/russia-in-chernobyl-22/</link><guid isPermaLink="false">62543bbaf85c9ea22a7b7d36</guid><category><![CDATA[OSINT]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Tue, 12 Apr 2022 10:04:16 GMT</pubDate><content:encoded><![CDATA[<p>At the start of Russia&apos;s offensive in Ukraine, they drove through Chernobyl and set up defensive positions within the Exclusion Zone. <a href="https://www.reuters.com/world/europe/unprotected-russian-soldiers-disturbed-radioactive-dust-chernobyls-red-forest-2022-03-28/">Then we got reports from Reuters that the soldiers in the Exclusion Zone had disturbed some of the radioactive dust there</a>. At the time, myself and the Wonk&apos;s had a bit of a discussion about this where we were all unable to make heads or tails of the news stories.</p><p>Like Russia is hardly stupid enough to send soldiers into the Exclusion Zone without any intelligence of what they were doing. And even if they did the soldiers would hardly be stupid enough to dig up radioactive dirt in the Red Forest of all places! And yet as it turns out... This is exactly what they did... 
We first got news that there were possible ARS cases among the Russian soldiers.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">7 busses with Russian soldiers suffering from Acute Radiation Syndrome have arrived to a hospital in Belarus from the Chernobyl Exclusion Zone in Ukraine.<br><br>They allegedly dug trenches in the highly radioactive Red Forest - UNIAN News Agency <a href="https://t.co/3ZcqoF6c9I">pic.twitter.com/3ZcqoF6c9I</a></p>&#x2014; Visegr&#xE1;d 24 (@visegrad24) <a href="https://twitter.com/visegrad24/status/1509287796065845250?ref_src=twsrc%5Etfw">March 30, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>Again, this remained unfathomable... <a href="https://twitter.com/CherylRofer/status/1509328182331248649?s=20&amp;t=9_nH6zUjy4ENzrg43BDoJQ">Experts like Cheryl Rofer were extremely doubtful of this story</a>, and she was not alone; I know a ton of people who know a lot more than I do about this, who work day to day in nuclear physics, nuclear medicine and dosimetry, who found this unfathomable! But then, once the Russians had left, we started to get imagery from on the ground and it didn&apos;t look good; </p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/C.jpeg" width="1000" height="750" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/C.jpeg 600w, https://blog.cyberwarfa.re/content/images/2022/04/C.jpeg 1000w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/B.jpeg" width="1000" height="1333" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/B.jpeg 600w, https://blog.cyberwarfa.re/content/images/2022/04/B.jpeg 1000w" sizes="(min-width: 720px) 720px"></div></div><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/A.jpeg" width="1000" height="750" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/A.jpeg 600w, https://blog.cyberwarfa.re/content/images/2022/04/A.jpeg 1000w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://blog.cyberwarfa.re/content/images/2022/04/D-1.jpeg" width="1000" height="750" loading="lazy" alt srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/D-1.jpeg 600w, https://blog.cyberwarfa.re/content/images/2022/04/D-1.jpeg 1000w" sizes="(min-width: 
720px) 720px"></div></div></div><figcaption><a href="https://contamination.zone/2022/04/06/photos-of-russian-trenches-in-red-forest-and-further-destruction/">Images thanks to Contamination Zone</a></figcaption></figure><p>The nearest site to this location with a permanent dosimeter is Yanov Station, which went down on March 1st 2022, <a href="https://www.saveecobot.com/en/radiation-maps#16/51.3970/30.0552/gamma/">but its last recorded measurement was 618 nSv/h</a>. To put that into context, according to the <a href="https://www.nrc.gov/about-nrc/radiation/around-us/doses-daily-lives.html">US Nuclear Regulatory Commission, the average American receives 620 millirem per year</a>, or in metric, 6200 &#x3BC;Sv. So at 618 nSv/h, if you hung around for a month, you would absorb 445 &#x3BC;Sv. It&apos;s not nothing, but it&apos;s an order of magnitude off the threshold to cause cancer, for example. It&apos;s less than a month of extra radiation per year. But then we started to get dosimetric data...</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">We went to the edge of the Red Forest and found a Russian military food ration laying on the side of the road. This is right at the edge of that zone. The radiation levels at the packaging massively shot up. 6/8 <a href="https://t.co/6TLjDrHs3v">pic.twitter.com/6TLjDrHs3v</a></p>&#x2014; Frederik Pleitgen (@fpleitgenCNN) <a href="https://twitter.com/fpleitgenCNN/status/1512328089480667136?ref_src=twsrc%5Etfw">April 8, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>That 618 nSv/h is equivalent to 0.618 &#x3BC;Sv/h, so that counter at 11.32 &#x3BC;Sv/h is measuring 18 times more radiation there than at Yanov Station, and that sensor in Yanov Station is approximately 1200m from where the Russian soldiers dug their trenches. Since those soldiers were there for 30 days, or 720 hours, their total dose was 8150 &#x3BC;Sv, or 1.37 times the yearly average dose, in a single month. It gets worse though... OSINT Technical upped the contrast in a video to see that some areas had an even higher rate;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Someone cranked up the contrast to read the meter about 30 seconds in, when it is at the outside of the camp. 71 &#x3BC;Sv/h. About 3-4 chest x-rays an hour. <a href="https://t.co/LE70kjtTAt">https://t.co/LE70kjtTAt</a> <a href="https://t.co/dLehktfy1p">pic.twitter.com/dLehktfy1p</a></p>&#x2014; OSINTtechnical (@Osinttechnical) <a href="https://twitter.com/Osinttechnical/status/1512230103278837763?ref_src=twsrc%5Etfw">April 8, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>At 71 &#x3BC;Sv/h, for 720 hours, that is 51,120 &#x3BC;Sv. To put that into perspective, the maximum dose permitted in the US for people who work with radioactive materials, such as plant workers at nuclear power plants or doctors and radiologists who do things like Radiation Therapy to kill cancer cells, is 50,000 &#x3BC;Sv. Now this might seem like a lot, but there is no connection between radiation exposure and cancer below a total dose of 100,000 &#xB5;Sv. Not to mention that you wouldn&apos;t start to consider Acute Radiation Syndrome until the dose had surpassed at least 1 Gray, and this is only 0.05 Gray.</p><!--kg-card-begin: markdown--><h1 id="is-there-a-way-this-could-be-true">Is There A Way This Could Be True?</h1>
<!--kg-card-end: markdown--><p>Sadly yes... </p><!--kg-card-begin: markdown--><blockquote>
<p>In a particularly ill-advised action, a Russian soldier from a chemical, biological and nuclear protection unit picked up a source of cobalt-60 at one waste storage site with his bare hands, exposing himself to so much radiation in a few seconds that it went off the scales of a Geiger counter, Mr. Simyonov said. It was not clear what happened to the man, he said.<br>
<a href="https://www.nytimes.com/2022/04/08/world/europe/ukraine-chernobyl.html">Andrew E. Kramer and Ivor Prickett; Russian Blunders in Chernobyl: &#x2018;They Came and Did Whatever They Wanted.&#x2019;; The New York Times</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Cobalt-60 is an immensely valuable isotope in the modern world. It is used to ensure that medical equipment is perfectly sterile, blood irradiation is used to ensure that blood is safe for transfusion and long term storage and a lot of radiotherapies use Cobalt-60 as a source for radiation to treat cancer.</p><p>The thing is though... While Cobalt-60 is immensely valuable for these use cases when it is used it is stored in safe containers where it is intentionally hard to get the material out of the case such as in this international standard case;</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2022/04/Teletherapy_Capsule-1-.jpg" class="kg-image" alt loading="lazy" width="2000" height="1945" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2022/04/Teletherapy_Capsule-1-.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2022/04/Teletherapy_Capsule-1-.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2022/04/Teletherapy_Capsule-1-.jpg 1600w, https://blog.cyberwarfa.re/content/images/size/w2400/2022/04/Teletherapy_Capsule-1-.jpg 2400w" sizes="(min-width: 720px) 720px"><figcaption>A diagram of a typical teletherapy radiation capsule comprised of the following: A.) an international standard source holder (usually lead), B.) a retaining ring, and C.) a teletherapy &quot;source&quot; composed of D.) two nested stainless steel canisters welded to two E.) stainless steel lids surrounding an F.) internal shield (usually uranium metal or a tungsten alloy) that protects a G.) cylinder of radioactive source material, often but not always cobalt-60. The diameter of the &quot;source&quot; is 30mm. 
<a href="https://commons.wikimedia.org/wiki/File:Teletherapy_Capsule.jpg">Source: KDS444; File:Teletherapy Capsule.jpg; Wikimedia Commons</a></figcaption></figure><p>Depending on the size of the container and the amount of Cobalt-60 inside, handling the Cobalt-60 can be fatal. Plainly Difficult has made some videos on Cobalt-60 exposure, based on the IAEA reports, where operator error, safety violations, the dismantling of medical equipment at scrap yards, and Orphan Sources have led to fatalities;<br><a href="https://youtu.be/vDGN_Q_0jWI">The San Salvador Radiation Event</a><br><a href="https://youtu.be/jzdOujFCB7g">The Soreq Radiation Accident</a><br><a href="https://youtu.be/hxktLtVEH7U">The Samut Prakan Radiation Accident</a><br><a href="https://youtu.be/ODuNiA3TC1s">The Mayapuri Radiological Incident</a></p><p>All that said... Until we get a report from the IAEA or the State Nuclear Regulatory Inspectorate of Ukraine that there is indeed an Orphan Source, that it was stolen by Russian soldiers, and that the Orphan Source is large enough, or was handled for long enough, to cause Acute Radiation Sickness, I will remain immensely skeptical that there are any cases of Acute Radiation Sickness.</p>]]></content:encoded></item><item><title><![CDATA[ZeroDays 2022]]></title><description><![CDATA[<p>I&apos;m no longer competing at ZeroDays, but I&apos;m helping the Marks run it and organise challenges, as well as expanding the challenges we have for ZD. We had 4 Lockpicking Challs this year, which I put together with Martin. 
We had a lock to</p>]]></description><link>https://blog.cyberwarfa.re/zd-22/</link><guid isPermaLink="false">62542f84f85c9ea22a7b7d01</guid><category><![CDATA[Updates from the Author]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Mon, 11 Apr 2022 14:26:58 GMT</pubDate><content:encoded><![CDATA[<p>I&apos;m no longer competing at ZeroDays, but I&apos;m helping the Marks run it and organise challenges, as well as expanding the challenges we have for ZD. We had 4 Lockpicking Challs this year, which I put together with Martin. We had a lock to pick, handcuffs to open, a biometric lock to bypass and finally, a Cryptex to unlock! We&apos;re also working with @Brains933, who had a rad RF Village at BSides Dublin, to start making some hardware challenges, so we&apos;ll be able to further extend the range of challs we have available and to whom the CTF might appeal.</p><p>The highlight though was by far and away when two people I taught Lockpicking to at the old ITB Cyber Summer Camps in 2018 and 2019 told me that they were now in college, I don&apos;t recall where, but it was absolutely incredible to see a little game I play have such a large influence on people that it changed the course of their lives.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">A few years ago at <a href="https://twitter.com/CyberDublin?ref_src=twsrc%5Etfw">@CyberDublin</a>, we put on a Cyber Summer Camp and I taught lock picking at it. 
Today at <a href="https://twitter.com/ZeroDaysCTF?ref_src=twsrc%5Etfw">@ZeroDaysCTF</a> two people who I taught came up to me to say thanks for getting them into cyber and they are doing it in Uni<br><br>This is by far my greatest achievement in life</p>&#x2014; &#x1F595;&#x41F;&#x443;&#x301;&#x442;&#x456;&#x43D; &#x445;&#x443;&#x439;&#x43B;&#x43E;&#x301; &#x1F499;&#x1F49B; &#x421;&#x43B;&#x430;&#x432;&#x430; &#x456; &#x43F;&#x43E;&#x431;&#x435;&#x434;&#x430; &#x423;&#x43A;&#x440;&#x430;&#x457;&#x43D;&#x456; &#x1F1FA;&#x1F1E6;&#x270A; (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1512909924053012509?ref_src=twsrc%5Etfw">April 9, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure>]]></content:encoded></item><item><title><![CDATA[BSides Dublin 2022]]></title><description><![CDATA[<p>I gave a talk called <em>Cyber War is Boring</em> at BSides Dublin 2022 on some of my weird research into Information Warfare. I&apos;m working on a blog post related to the talk and it will be out shortly, as will the video of the talk.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Cheers for coming</p></blockquote></figure>]]></description><link>https://blog.cyberwarfa.re/bsides-dublin-2022/</link><guid isPermaLink="false">62542ec0f85c9ea22a7b7cec</guid><category><![CDATA[Updates from the Author]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sun, 20 Mar 2022 13:37:00 GMT</pubDate><content:encoded><![CDATA[<p>I gave a talk called <em>Cyber War is Boring</em> at BSides Dublin 2022 on some of my weird research into Information Warfare. I&apos;m working on a blog post related to the talk and it will be out shortly, as will the video of the talk.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Cheers for coming to my <a href="https://twitter.com/hashtag/BSidesDublin2022?src=hash&amp;ref_src=twsrc%5Etfw">#BSidesDublin2022</a> talk! 
I&apos;m glad y&apos;all enjoyed it + expressed that in such kind terms<br><br>I always publish the slides of my talks + I also have a doc with my notes  <a href="https://t.co/MWa75nMGLw">https://t.co/MWa75nMGLw</a><br><br>And there will be a blog to follow soon here <a href="https://t.co/G9EF2OPnsr">https://t.co/G9EF2OPnsr</a></p>&#x2014; &#x1F595;&#x41F;&#x443;&#x301;&#x442;&#x456;&#x43D; &#x445;&#x443;&#x439;&#x43B;&#x43E;&#x301; &#x1F499;&#x1F49B; &#x421;&#x43B;&#x430;&#x432;&#x430; &#x456; &#x43F;&#x43E;&#x431;&#x435;&#x434;&#x430; &#x423;&#x43A;&#x440;&#x430;&#x457;&#x43D;&#x456; &#x1F1FA;&#x1F1E6;&#x270A; (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1505255531639889922?ref_src=twsrc%5Etfw">March 19, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>And I also did the usual thing of teaching Lockpicking, though I kinda left Martin high and dry as after the talk... Everyone kinda wanted to talk to me</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/LegendaryPatMan?ref_src=twsrc%5Etfw">@LegendaryPatMan</a> the lock picking table getting the attention it needs <a href="https://twitter.com/hashtag/unlocked?src=hash&amp;ref_src=twsrc%5Etfw">#unlocked</a> <a href="https://twitter.com/hashtag/bsides2022?src=hash&amp;ref_src=twsrc%5Etfw">#bsides2022</a> <a href="https://twitter.com/hashtag/lockpicking?src=hash&amp;ref_src=twsrc%5Etfw">#lockpicking</a> <a href="https://t.co/4qrTFlAnoL">pic.twitter.com/4qrTFlAnoL</a></p>&#x2014; Security BSides Dublin (@BSidesDublin) <a href="https://twitter.com/BSidesDublin/status/1505148567006109696?ref_src=twsrc%5Etfw">March 19, 2022</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure>]]></content:encoded></item><item><title><![CDATA[The Information Threat To Ireland]]></title><description><![CDATA[<p>Update 02/07/22: Video source updated</p><p>The post I published on <a href="https://blog.cyberwarfa.re/iw/">Information Warfare</a> is going to be the subject of a talk at Ireland&apos;s National Cyber Security Conference on October 7th, 2021. As this is the case, I would like to tailor a little of that talk</p>]]></description><link>https://blog.cyberwarfa.re/iw-ie/</link><guid isPermaLink="false">60d5dccef85c9ea22a7b5639</guid><category><![CDATA[Cyber & Information Warfare Theory]]></category><category><![CDATA[Ireland]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Fri, 08 Oct 2021 16:18:13 GMT</pubDate><content:encoded><![CDATA[<p>Update 02/07/22: Video source updated</p><p>The post I published on <a href="https://blog.cyberwarfa.re/iw/">Information Warfare</a> is going to be the subject of a talk at Ireland&apos;s National Cyber Security Conference on October 7th, 2021. As this is the case, I would like to tailor a little of that talk to some of the threats and risks to Ireland and our information environment. It&apos;s a shame that I only had 30 mins to lay out the issues as this post will probably end up taking longer to read than to watch the video because of the scale of the topic, but this is the nature of conference talks.</p><!--kg-card-begin: html--><h4>Video of the Talk</h4>
<video width="99%" controls>
  <source src="https://d2e2xs2a2y3u97.cloudfront.net/IW-IE/Paddy+Kerley+version+2.mp4" type="video/mp4">
Your browser does not support the video tag.
</video><!--kg-card-end: html--><p><a href="https://next.cyberwarfa.re/s/qLBnQe8qG9HQZo7">Video of the talk</a></p><p><a href="https://next.cyberwarfa.re/s/Hicp3SBeJzLXiHe">PDF of the slides</a></p><p>Some of the aspects that I discuss in the talk are slightly different, as talks come across better with pictures, so I may in future talk about The Gulf War in more picturesque terms, as I found a bunch of cool information in both text and picture form that wasn&apos;t included in the previous post and that does a really good job of getting across how some aspects of the attacks worked.</p><p>Finally, I used the Degrade, Deny, Corrupt and Exploit framework of <a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.)</a> to look at threats and risks to Ireland, so instead of giving the background to this framework, I will just jump in, assuming that you have seen the talk or read the previous post, and discuss. But first, I want to mention one of the major points I try to make: The Cyber-Physical Impact.</p><!--kg-card-begin: markdown--><h1 id="the-cyber-physical-impact">The Cyber-Physical Impact</h1>
<!--kg-card-end: markdown--><p>The thing to understand about Information Warfare is that an idea like hacking, or the concept of Cyber, limits one&apos;s thinking to digital systems, rather than the broader spectrum of systems that computers interact with, such as Operational Technology or the RF Spectrum. Computers control and interact with systems that do much more than the computer itself. As Bruce Schneier once pointed out;</p><!--kg-card-begin: markdown--><blockquote>
<p>As the chairman pointed out, there are now computers in everything. But I want to suggest another way of thinking about it in that everything is now a computer: This is not a phone. It&#x2019;s a computer that makes phone calls. A refrigerator is a computer that keeps things cold. ATM machine is a computer with money inside. Your car is not a mechanical device with a computer. It&#x2019;s a computer with four wheels and an engine&#x2026;<br>
<a href="https://docs.house.gov/meetings/IF/IF17/20161116/105418/HHRG-114-IF17-Transcript-20161116.pdf">Part of Bruce Schneier&apos;s testimony to the House of Representatives, Subcommittee on Communications and Technology, Joint with Subcommittee on Commerce, Manufacturing, and Trade, Committee on Energy and Commerce; Understanding the Role of Connected Devices in Recent Cyber Attacks, pp 27</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>In every aspect that I can conceive of, or that has occurred previously, an Information Warfare technique has involved some form of manipulating the inputs and outputs of a computer to achieve an objective. This could be the returns of a radar, the varying levels of Chlorine used to make clean drinking water, or listening to the RF outputs of systems to locate them in a physical place. This is where, at least in part, the future of combat lies, because when everything became computers, so computers became everything.</p><p>The merging of the physical and digital realms opened up several threats, and we have not fully comprehended the damage that could be done at this crossroads. In medical devices alone, in 2019, there were two advisories from CISA, in the US, whereby the sniffing of, and sending of, data over RF would allow attackers to send commands to the medical devices. <a href="https://www.fda.gov/medical-devices/safety-communications/certain-medtronic-minimed-insulin-pumps-have-potential-cybersecurity-risks-fda-safety-communication">One was in insulin pumps</a> and <a href="https://us-cert.cisa.gov/ics/advisories/ICSMA-19-080-01">the other was in pacemakers</a>, and while these would require an attacker to be roughly within Bluetooth range of a given medical device, if this unlikely scenario were to unfold, an attack could put either system into a state such that its use could be life-threatening.</p><p>Fundamentally, the concept of networking is about connecting two different systems in different geographic locations. This could be as simple as two computers right next to each other, all the way up to how Ireland has various networks, linked together, that are connected to various countries all over the world, creating a network of networks. These disparate systems all require physical infrastructure to link them together. Even wireless technologies have associated microwave towers. Even space-based systems require physical infrastructure on the ground to function, be they ground stations or launch pads to get into space in the first place. </p><p>I worry that this fundamental fact is something that has not entirely sunk into the minds of professionals and policymakers. For example, if you were to read the National Cyber Security Strategy, there are exactly four mentions of the word physical;</p><!--kg-card-begin: markdown--><blockquote>
<p>... These compromises can take the form of theft or destruction of data or money and the <strong>physical</strong> disruption or destruction of services or infrastructure. ... (pp 3)<br>
... Recent years have seen the development and regular use of very advanced tools for cyber enabled attacks and espionage, and, likely for the first time, the <strong>physical</strong> destruction of Critical National Infrastructure by cyber enabled means. ... (pp 13)<br>
... Lastly, at the top of this pyramid, are those State sponsored entities, usually military or security organisations, seeking to use network and information systems to conduct operations ranging from the exfiltration of data to the destruction of <strong>physical</strong> infrastructure. ... (pp 16)<br>
... They could make laws to prohibit parties using their territories for illicit purposes or activities, and they could use <strong>physical</strong> borders as a means of defending against external threats. ... (pp 16)<br>
<a href="https://www.ncsc.gov.ie/pdfs/National_Cyber_Security_Strategy.pdf">National Cyber Security Strategy 2019-2024</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>While in this limited context these seem like reasonable statements to make, and the fourth is a simple statement of fact, in that the internet has no borders, in the full context of the quotes things are a little less reasonable. The first is a statement from the Executive Summary. The second is the context for the first and, while it is in a section about the Strategic Risks that Ireland faces, it calls the internet &apos;<em>a-spatial</em>&apos;, which is a patently false statement, and goes on further to mention that there is an &apos;<em>arms race</em>&apos; between Great Powers and that they have destroyed physical infrastructure, as best seen by <a href="https://cyberlaw.ccdcoe.org/wiki/Stuxnet_(2010)">Stuxnet</a> and the <a href="https://cyberlaw.ccdcoe.org/wiki/Steel_mill_in_Germany_(2014)">German Steel Mill</a> attacks. The second point is a contradiction in terms. </p><p>The third point, about risks to Critical National Infrastructure, is about the skilled and resourceful nature of APTs and references the previous work of APT groups against physical infrastructure; hardly an in-depth understanding of the two realms. To be honest, this makes a lot of sense: security is an intangible idea after all, and arguably one that the public has a certain apathy for.</p><!--kg-card-begin: markdown--><h1 id="degrade">Degrade</h1>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>Data can be degraded either by delaying it until its usefulness is reduced or by destroying it in full or part. For example, the use of concealment is an Attack measure (degradation) against the collection task. The use of jamming to reduce the Capacity of a communications channel (thereby delaying transmission) is another example.<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>It should be noted, though, that according to Claude Shannon&apos;s <em><a href="https://web.archive.org/web/19980715013250/http://cm.bell-labs.com/cm/ms/what/shannonday/shannon1948.pdf">Mathematical Theory of Communication</a></em>, Information is not collected, stored, moved or used to reduce uncertainty; Information is generated in the course of reducing uncertainty, and this reduction in uncertainty is measured in bits. As this is the case, information cannot be destroyed; rather, since information is transmitted at a rate measured in bits per second, noise can be introduced to degrade the rate at which the bits of a transmission are received. Shannon also developed a diagram that can be used to visualise this process;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-4.PNG" class="kg-image" alt loading="lazy" width="1099" height="486" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-4.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-4.PNG 1000w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-4.PNG 1099w"><figcaption><a href="https://web.archive.org/web/19980715013250/http://cm.bell-labs.com/cm/ms/what/shannonday/shannon1948.pdf">Claude Shannon; A Mathematical Theory of Communication</a></figcaption></figure><p>Something that I discovered along the way is that two professors wrote a paper on the nature of Information Warfare in evolutionary terms and came up with a set of diagrams to visualise Information Attacks, which I will include;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-5.PNG" class="kg-image" alt loading="lazy" width="1367" height="657" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-5.PNG 600w, 
https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-5.PNG 1000w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-5.PNG 1367w" sizes="(min-width: 1200px) 1200px"><figcaption><a href="https://users.monash.edu/~carlo/InfoWar/Lectures/_JIW-2002-2-CK-BIM.pdf">Dr Carlo Kopp &amp; Dr Bruce Mills; Information Warfare and Evolution</a></figcaption></figure><!--kg-card-begin: markdown--><h3 id="sea-lines-of-communication-sloc%E2%80%99s">Sea Lines of Communication (SLOC&#x2019;s)</h3>
<!--kg-card-end: markdown--><p>SLOC&apos;s are the primary maritime economic routes between ports; basically, they are the highways of the sea. Throughout history they have been essential in peacetime as part of commerce: for example, the vast majority of products coming from China to Ireland come via container ships that make multiple stops along the way, dropping off and taking on cargo before heading to the next port, finally arriving at Dublin Port with products to be sold here in Ireland.</p><p>In times of war they have been particularly important too. In the post-classical era, we saw privateers attempt to capture prize ships or loot them of their goods so that the economy of an adversary would be hurt. In World War I, the UK used the Grand Fleet based at Scapa Flow to blockade the German state and attempt to starve it, leading to things like the Turnip Winter. By the time of World War II, Germany had learned from this and took its Unrestricted Submarine Warfare concept from WWI to the next level by beginning the Battle of the Atlantic to starve the British, which turned into a decisive battle for the Allies to secure their SLOC&apos;s in the North Atlantic and the North Sea.</p><p>By the time of the Cold War, NATO forces expected to be pushed back from the Fulda Gap towards the Franco-German border, something that the Warsaw Pact forces expected to take approximately 7 days.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/09/1437px-Probable_Axes_of_Attack.svg-1-.png" class="kg-image" alt loading="lazy" width="1437" height="2047" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/09/1437px-Probable_Axes_of_Attack.svg-1-.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/09/1437px-Probable_Axes_of_Attack.svg-1-.png 1000w, https://blog.cyberwarfa.re/content/images/2021/09/1437px-Probable_Axes_of_Attack.svg-1-.png 1437w" sizes="(min-width: 720px) 720px"><figcaption><a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/1978_Vol29_No1-6/1978_Vol30_No1.pdf">Col Robert D. Rasmussen; The A-10 in Central Europe: A Concept of Deployment-Employment; pp 26-44</a></figcaption></figure><p>In this timeframe, NATO forces would be expected to hold out for as long as possible for the US to mobilize and arrive in Europe via massive sealift and airlift operations. The Warsaw Pact naval forces, particularly those of the Soviet Navy and its massive submarine arm, would spend most of the first 7 days of this conflict attempting to disrupt the sealift operation and, to an extent, the airlift operation. One of the main plot points in Tom Clancy&apos;s Red Storm Rising, beyond <a href="https://youtu.be/MhQ5678cJU8">AMERICA, FUCK YEAH!</a>, is the US and Soviet operations in the North Atlantic to resupply and disrupt, respectively, operations there.</p><p>The thing I want to get across though is that in 1992, when VADM John McConnell became the Director of the NSA, he was shown a map of SLOC&apos;s and a map of Submarine Fibre Optic Cables. Over the course of his tenure between 1992 and 96, he effectively revolutionized the NSA, taking it from an organisation working on intercepting, decrypting and analysing microwave signals to one working not just on Submarine Fibre Optic Cables, or even fibre optic cables in general, but more generally in the space of Information Warfare, particularly via Cyber means.</p><!--kg-card-begin: markdown--><h4 id="looking-at-ireland">Looking at Ireland</h4>
<!--kg-card-end: markdown--><p>Ireland is a uniquely interesting case to look at, not just because I am Irish and live in Ireland, but because Geography is Destiny: we are at the crossroads between the US, Europe and the UK, and because of that a lot of subsea maritime infrastructure exists here, <a href="https://ieeexplore.ieee.org/document/6775351">a recognised fact going back to 1858 when the first transatlantic cable was laid from Kerry to Newfoundland</a>. And because of our past, we are a state that speaks English, and now also the only one in the European Union. At Slandail 2020, I took note of what the then CEO, and now Chairman, of IBM UK and Ireland said Ireland&apos;s economic success is built on: Ireland being a &apos;<em>stable, democratic, safe and secure, rules based society</em>&apos;.</p><p>We have leveraged our geography and our past to create a so-called Knowledge Economy that is an appealing investment proposition for foreign direct investment. The Government&apos;s strategy across my entire life, and for a long time before that, going back as far as that of T. K. Whitaker, has been to use this platform to attract multinational technology, pharmaceutical and financial companies to come to Ireland and to invest in Ireland, backed up by our dubious corporate taxation policy.</p><p>The subsea maritime infrastructure I mentioned is, today, Transatlantic Submarine Fibre Optic Cables. There are 18 Transatlantic Submarine Fibre Optic Cables in total that cross the North Atlantic. Five of them make landings in Ireland but, more importantly, 17 of them transit our Exclusive Economic Zone or EEZ. Exclusive Economic Zones are defined by the United Nations Convention on the Law of the Sea as follows;</p><!--kg-card-begin: markdown--><blockquote>
<p><em>Article 55</em><br>
<em>Specific legal regime of the exclusive economic zone</em><br>
The exclusive economic zone is an area beyond and adjacent to the territorial sea, subject to the specific legal regime established in this Part, under which the rights and jurisdiction of the coastal State and the rights and freedoms of other States are governed by the relevant provisions of this Convention.</p>
</blockquote>
<blockquote>
<p><em>Article 57</em><br>
<em>Breadth of the exclusive economic zone</em><br>
The exclusive economic zone shall not extend beyond 200 nautical miles from the baselines from which the breadth of the territorial sea is measured.<br>
<a href="https://www.un.org/Depts/los/convention_agreements/texts/unclos/unclos_e.pdf">Article 55 &amp; 57; United Nations Convention on the Law of the Sea</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Essentially it creates an area, beyond our 12 nautical mile territorial waters, out to 200 nautical miles, where Ireland has sovereign rights over, for example, all economic activities in the area or the conservation of marine wildlife in the area. This means that we have privileges as a state to conduct activity in that area that no other state has without our permission. So what does this picture of an EEZ covered in Submarine Fibre Optic Cables look like? Well, I created a composite image of our EEZ from Irish Government data and Submarine Fibre Optic Cable data from TeleGeography;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/09/image--1-.png" class="kg-image" alt loading="lazy" width="2000" height="1552" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/09/image--1-.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/09/image--1-.png 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2021/09/image--1-.png 1600w, https://blog.cyberwarfa.re/content/images/size/w2400/2021/09/image--1-.png 2400w" sizes="(min-width: 1200px) 1200px"><figcaption>Composite image I created with data from <a href="https://www.infomar.ie/index.php/about-us">Infomar</a> and <a href="https://www.submarinecablemap.com/#/country/ireland">Submarine Cable Map</a></figcaption></figure><p>Normally, this is the part where I would state that we have some duties, as we do with our Neutral Status where we have to enforce our Neutrality. We do have duties, but those duties are not to protect these cables from physical attack or to deter the cables from being tapped by various means on land at landing points, and this is where the major risk opens up for us.</p><p>If we think in the traditional threat modelling methodology used in Cyber Security, of identifying assets, identifying vulnerabilities in the assets, identifying the threats to those assets, the risk being the non-zero chance that something bad will happen and a threat will succeed in its attack, and the mitigations that can be applied to these assets, how do we look at these SLOC&apos;s?</p><p>Lt. Shane Mulcahy, a Staff Officer of the Naval Operations Command Centre, wrote maybe the most important paper in the history of the Defence Forces Review. In his paper, he gives a brief history of the importance of Submarine Fibre Optic Cables, as well as some of the issues and risks associated with them, before going on to forge a strategy based on political efforts to update the United Nations Convention on the Law of the Sea to better reflect the importance of these cables and to ingrain protections for them in International Law. He also, in two paragraphs, lays out the major risk that Ireland faces as a state;</p><!--kg-card-begin: markdown--><blockquote>
<p>Some will argue that given the international effort required to secure the vast North Atlantic maritime domain in which we reside, our part as a small, &#x2018;neutral&#x2019; nation, should neither be significant nor central. It is worth remembering however that as an Island that has successfully grown a digital economy on a fragile maritime infrastructure, Ireland may have the most to lose.</p>
<p>Considering western preoccupation with weapons of mass destruction in previous decades, it seems almost comical to find that a ship&#x2019;s anchor could now be described as an &#x2018;existential threat&#x2019; to national security and prosperity. With no alternative to using these undersea cables, Ireland must become proactive towards securing the maritime domain on which our contemporary, digital society depends.<br>
<a href="https://www.military.ie/en/public-information/publications/defence-forces-review/df-review-2019.pdf">Lt. Shane Mulcahy; Patrolling Below the Horizon: Addressing Ireland&#x2019;s Awareness of our Maritime Geospatial Domain; Defence Forces Review 2019</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Not only is Lt. Mulcahy succinct, but he also lays out the key importance of Submarine Fibre Optic Cables to the state, in that we have grown a &apos;<em>digital economy</em>&apos; off of them and that our &apos;<em>digital society depends</em>&apos; on them. I am not doing Lt. Mulcahy&apos;s article justice though, as he talks about other issues beyond human damage, such as earthquakes, subsurface landslides and &apos;<em>curious sea-life</em>&apos;. It&apos;s worth reading in full.</p><p>This sentiment is also something that Dr. Cathal Berry, a TD for Kildare North and former Army Ranger Wing intelligence officer and 2IC, is acutely aware of, but lays out in much better terms;</p><!--kg-card-begin: markdown--><blockquote>
<p>Tens of thousands of financial transactions are sent on these cables every hour along with communications. People think &#x2018;the cloud&#x2019; is in the sky but it&#x2019;s really in the bottom of the sea,<br>
<a href="https://www.thetimes.co.uk/article/navy-called-in-as-russians-suspected-of-targeting-undersea-internet-cable-jztg8t6lx">John Mooney quoting Dr. Cathal Berry (TD); Navy called in as Russians suspected of targeting undersea internet cable</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Before looking at mitigations: we understand the asset and the breadth of the risks, from small to existential and accidental to deliberate, but what is the threat here?</p><p>The first is relatively simple: espionage. The tapping of the cables is not covered by the United Nations Convention on the Law of the Sea, but it is something that occurs, and just as I was working on this talk, GUGI Yantar showed up off of the Irish coast. Yantar is a vessel of the Russian Navy&apos;s Main Directorate of Underwater Research, where it is titled an &apos;<em>oceanic research vessel</em>&apos;, a naval euphemism for a spy ship.</p><p>Traditionally these ships are effectively the mothership of a submersible, or a number of submersibles, to which they provide a lifeline as missions are conducted in the deep sea. This is the same idea as RV Knorr deploying DSV Argo to discover RMS Titanic in 1985. It should be noted that the mothership does not have to be a vessel like Yantar or Knorr, as you can deploy submersibles from submarines too, as best seen in Tom Clancy&apos;s <em>The Hunt for Red October</em> where USS Dallas deploys the DSRV, or the <a href="http://www.hisutton.com/Spy%20Sub%20-%20Project%2010831%20Losharik.html">Losharik</a> that is deployed from the <a href="http://www.hisutton.com/BS-64_Podmoskovye.html">Delta Stretch</a>. These submersibles can be used to put things on, or retrieve things from, the seabed.
These things include equipment such as fibre optic cable taps or passive sonar arrays such as the SOSUS network, but the submersibles can do whatever work is needed on the seabed, as this artwork from H I Sutton shows;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/09/Yantar_4000-1-.jpg" class="kg-image" alt loading="lazy" width="2000" height="1695" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/09/Yantar_4000-1-.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/09/Yantar_4000-1-.jpg 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2021/09/Yantar_4000-1-.jpg 1600w, https://blog.cyberwarfa.re/content/images/size/w2400/2021/09/Yantar_4000-1-.jpg 2400w" sizes="(min-width: 1200px) 1200px"><figcaption>Image is 4000x3391 so don&apos;t be afraid to open it in full. <a href="http://www.hisutton.com/Yantar.html">H I Sutton; Yantar</a></figcaption></figure><p>In the talk, I referenced a tweet from <a href="https://twitter.com/The_Lookout_N/status/1428108664943136775?s=20">@The_Lookout_N</a>, but I want to highlight the work of a fellow Wonk, <a href="https://twitter.com/dbmee/status/1428174937303523332?s=20">@dbmee</a>, who was tracking Yantar well in advance of most others in the OSINT community. He tweeted a gif that included the track the ship had taken before The_Lookout_N&apos;s tweet and, with knowledge of where she anchored and did <em>stuff</em>, he looked at it in relation to the nearby Submarine communication cables that leave from somewhere near Ballina in Co.
Mayo;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/09/ezgif.com-gif-maker--1-.gif" class="kg-image" alt loading="lazy" width="600" height="538"><figcaption><a href="https://twitter.com/dbmee/status/1428174937303523332?s=20">@dbmee&apos;s animation</a></figcaption></figure><p>These types of activities can pose an unusual problem, as espionage under International Law is generally a bit of a grey area that remains mostly unregulated, and the practices of espionage, most of the time anyway, are dealt with by the principle of Consent by Silence. Under the United Nations Convention on the Law of the Sea, as long as they are in compliance with Articles 88 through to 115 and remain outside of Irish Territorial Waters, they have total freedom of action and navigation within the law, as long as there is no evidence of illegal activities. And since espionage is not economic activity, the Russian Government does not have to notify the Irish Government of the ship&apos;s arrival or activities in the area.</p><p>Yantar is not alone: other oceanic research vessels include the French ship <em>Dupuy de L&#xF4;me</em>, or my personal favourite, the USNS Waters (T-AGS-45), which does &apos;<em>ocean engineering</em>&apos; and is rumoured to be used for work such as that undertaken by the <a href="https://www.cia.gov/legacy/museum/exhibit/project-azorian/">Hughes Glomar Explorer of Project Azorian fame</a>. These types of ships are not the only threat though; submarines are a larger issue.</p><p>Between 2016 and early 2020, there were persistent rumours that Russian submarines were operating off of the coast of Ireland; sometimes the rumour was of an Akula class nuclear powered attack submarine, and other times it was of a Kilo class diesel electric attack submarine, doing <em>stuff</em> off of the coast of Ireland.
This <em>stuff</em> was always in relation to Submarine Fibre Optic Cables, with the narrative being either working on taps of these cables or, worse, severing these cables in the event of war. Beyond rumours, in open sources there was very little concrete to be said until one day, Russia made one of its regular penetrations of Irish airspace but left its transponders on, and we got a track of their activity;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Now according to <a href="https://twitter.com/MIL_Radar?ref_src=twsrc%5Etfw">@MIL_Radar</a>, the TU-142MR broke away from the patrol at the West coast of Ireland, the TU-142MK continued on towards to the South West of Ireland. Loitering just above where transatlantic subsea fiber optic cables route to and past Ireland. <a href="https://t.co/he9kATf2yr">pic.twitter.com/he9kATf2yr</a></p>&#x2014; Robert Gilbey (@RobGilbey) <a href="https://twitter.com/RobGilbey/status/1237144211062956038?ref_src=twsrc%5Etfw">March 9, 2020</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>In the tweet, you can see the map shows that the aircraft took an unusual circular flight path while it was off the coast and, as Rob notes, it is associated with its Trailing Wire Antenna used for VLF, but also ELF, communications with submarines below the surface, and this was in one of the most densely populated regions of the world for Submarine Fibre Optic Cables.</p><p>Mitigating this could be difficult for us for a number of reasons. First of all, the tactics traditionally used to deter these kinds of activities could be unpalatable to the Irish public, for reasons that will become clear, but also because a lot of these tactics would be extremely difficult, or in one case impossible, for us to accomplish.</p><p>Starting with the impossible, the most common technique is Herding. Herding is where you have advance intelligence that such an operation is going ahead by an adversary submarine. Knowing that this is the case, you send out your own submarine to patrol the area and attempt to locate the adversary submarine. When you have it located, tailed and identified as an adversary submarine, you place a call to a nearby Anti Submarine Warfare ship to close the range and have that ship begin to hound the adversary with sonar and perhaps weapons. Once a submarine knows it has been found it will get out of there quickly. <a href="https://www.youtube.com/watch?v=4hw8dLsFtxI">You can see this process done quite well, in an overdramatized fashion, in this YouTube video</a>.</p><p>This is clearly impossible because we don&apos;t have a submarine to herd with, but also for a second reason, which is that only one ship in the entire fleet of the Naval Service is equipped with a sonar system to detect anything below the surface of the sea, the flagship L&#xC9; Eithne.
<a href="https://www.navalanalyses.com/2017/06/the-irish-naval-service-fleet-today.html">She is equipped with the Plessey PMS-26 sonar system</a>, which was <a href="https://www.liquisearch.com/thales_underwater_systems/tus_ltd/templecombe">designed by a company that hasn&apos;t existed since 1989</a>. Beyond L&#xC9; Eithne, the most recent records of this system&apos;s use that I can find are of its use in a <a href="https://en.wikipedia.org/wiki/Niels_Juel-class_corvette">Danish corvette class built between 1978 and 1980</a> and a <a href="https://en.wikipedia.org/wiki/Vosper_Thornycroft_MK9">Nigerian corvette built between 1977 and 1980</a>, both of which have been out of service for nearly 20 years. In 1984, when L&#xC9; Eithne went into service, it wasn&apos;t that out of date. She would be the only ship in the world currently operating such a system, <a href="https://forum.irishmilitaryonline.com/forum/defence-forces/navy-naval-reserve/11406-irish-naval-asw-capability?p=254982#post254982">if it was fitted, of course</a>.</p><p>Given that we lack sonar systems generally in the Naval Service, you can imagine that another option would be to install sonar systems on existing and future ships, and you would be right, though a number of issues present themselves, primarily the chronic underfunding of the Defence Forces in general.
Given that none of our modern ships have sonar, it clearly isn&apos;t a priority for the Dept of Defence, and even if it was, and we could get the sonar systems, <a href="https://www.rte.ie/news/2021/0716/1235611-coveney-defence-forces/">we can&apos;t put ships to sea because we lack the personnel to do so</a>, which is part of a larger issue around pay and retention generally in the DF, but acutely in the Naval Service, where <a href="https://www.irishexaminer.com/news/arid-40713842.html">the Government can&apos;t even be bothered to pay bonuses for ships going to sea short staffed</a>.</p><p>To better detect and surveil surface vessels such as Yantar would require more patrols from the Naval Service, which runs into the same issues as before. The gap could be partly filled by the Air Corps running patrols in the CN-235s or the C295s which will replace them, but the fleet is stretched with two CN-235s, so running regular patrols with just two C295s would also be a stretch. There are also staffing issues in the Air Corps, so running these planes in high tempo operations with multiple crews may also lead to issues.</p><!--kg-card-begin: markdown--><h1 id="deny">Deny</h1>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>To Deny means to deny completely by a direct attack on the means of accomplishment. The use of a High Energy Laser to blind or destroy an electro-optic sensor is an example of denial by direct attack. Another example is a virus that destroys operating systems in a computer used to do Situation Assessment.<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-6.PNG" class="kg-image" alt loading="lazy" width="1027" height="999" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-6.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-6.PNG 1000w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-6.PNG 1027w"><figcaption><a href="https://users.monash.edu/~carlo/InfoWar/Lectures/_JIW-2002-2-CK-BIM.pdf">Dr Carlo Kopp &amp; Dr Bruce Mills; Information Warfare and Evolution</a></figcaption></figure><!--kg-card-begin: markdown--><h3 id="air-control">Air Control</h3>
<!--kg-card-end: markdown--><p>Normally when someone considers the concept of Information Denial, we look at how an adversary denies you access to your Information Environment, but Ireland has placed itself in the interesting and somewhat curious position of denying itself information.</p><p>Ireland has a HUGE area of airspace to monitor. If you look at the below image of the Shannon Flight Information Region, or Shannon FIR for short, you will see most of the area of responsibility of Irish Air Traffic Control, where you will be in direct contact with the Traffic Controllers and will be vectored onto the waypoint or route you need to take towards your destination.</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Picture1-1.png" class="kg-image" alt loading="lazy" width="1391" height="1055" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Picture1-1.png 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Picture1-1.png 1000w, https://blog.cyberwarfa.re/content/images/2021/10/Picture1-1.png 1391w" sizes="(min-width: 1200px) 1200px"><figcaption><a href="https://skyvector.com/?ll=53.26521293375089,-9.198303228733073&amp;chart=302&amp;zoom=6">Area of a Shannon FIR&#xA0;</a></figcaption></figure><p>While this is a rather large area, it does not tell the whole story. Ireland and the UK also operate a second region called the Shanwick Oceanic Control Region, or Shanwick OCR for short, which is a gigantic tract of airspace covering 2.3 million square kilometres that goes from the north of Spain out to the Molson-Guinness line, which it follows north to the south of Iceland, back towards just west of the Faroe Islands, down towards and around Shannon FIR and back to its starting point.</p><p>Somewhere between 1000 and 1500 flights per day use this airspace, primarily on a set of routes called the North Atlantic Organised Track System.
There are four westbound routes, Alpha to Delta, and five eastbound routes, Uniform to Zulu, which you can see in the below image as green and blue respectively.</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Picture2-1.png" class="kg-image" alt loading="lazy" width="559" height="610"><figcaption><a href="https://skyvector.com/?ll=54.099348641558976,-15.387451177735146&amp;chart=302&amp;zoom=10">Shanwick OCR with the transatlantic routes&#xA0;</a></figcaption></figure><p>So one would imagine that an area of this size, with this many flights traversing through it, would be very heavily surveilled, and to an extent you would be right. The thing is that there are two different types of aircraft surveillance. The first is what you find in apps like Flightradar24 or FlightAware, or websites like ADS-B Exchange, where the aircraft broadcasts data or Air Traffic Control interrogates the transponder for data. When the aircraft is broadcasting data, it is doing so using a technology called ADS-B, which can be detected using ground-based sensors or, if the aircraft is equipped with satellite communications, using space-based sensors.</p><p>When Air Traffic Control interrogates the transponder for data, the transponder will broadcast certain data depending on its operating mode. Mode A transmits its ICAO code, such as <a href="https://twitter.com/search?q=%22AE01D8%22&amp;src=typed_query&amp;f=live">AE01D8 for Cobra Ball 1</a>; Mode C transmits the ICAO code and the altitude of the aircraft back; and finally, Mode S transmits the ICAO code and altitude and can allow for data exchange with Air Traffic Control. Mode S also has an &apos;<em>Enhanced Surveillance</em>&apos; variant which allows the track of the flight, ground speed, indicated airspeed, vertical rate etc. to be transmitted for more accurate tracking.
This is what you see in things like Flightradar24.</p><p>And if you look at the Shanwick OCR coverage from Eurocontrol, you&apos;ll see this amazing map of the area, where there is huge coverage by both ground and space-based sensors;</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Picture4.png" class="kg-image" alt loading="lazy" width="472" height="606"><figcaption><a href="https://www.eurocontrol.int/service/automatic-dependent-surveillance-broadcast">Shanwick OCR ground (dark green) and space-based (light green) ADS-B coverage. Yellow is for proposed coverage areas</a></figcaption></figure><p>The problem with ADS-B is that for many reasons <a href="https://aviation.stackexchange.com/questions/2266/why-do-pilots-have-the-ability-to-turn-off-the-transponder-in-flight">pilots can turn it off as they choose</a>, and because it is dependent on the internal navigational systems of the aircraft, if it goes off, Air Traffic Control loses all positional information about that aircraft. This is why you might sometimes see it called Secondary Surveillance Radar. The secondary part is because Air Traffic Control is unable to interrogate the aircraft when the transponder is turned off. They can of course use Primary Radar, or what people think of with radar, the spinning thing on top of structures, rather than the homemade antenna that I made out of plumber&apos;s pipe and have hanging off of my dad&apos;s shed.</p><p>As well as there being legitimate reasons for you to need to turn off the transponder, there are also illegitimate reasons, such as we saw during 9/11 where hijackers turned off the transponders as part of their hijackings. As well as this, a large chunk of military aircraft, for obvious reasons, don&apos;t come with transponders or by default have them off.
This means that Air Traffic Control is dependent on being able to interrogate these aircraft by Primary Radar to gather track, altitude and identification data. Ireland has a minor issue though: while we do have Primary Radars, we only have terminal radars, which are used on approach to airports. Also, we only have them at three airports; Dublin, Shannon and Cork, even though we have 10 airports across the country, and these Primary Radars don&apos;t even cover the entire island, so airports such as Donegal Airport aren&apos;t covered either.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Picture5.png" class="kg-image" alt loading="lazy" width="494" height="606"><figcaption><a href="http://iaip.iaa.ie/iaip/Published%20Files/AIP%20Files/ENR/EI_ENR_1_6_EN.pdf">The Irish Aviation Authority&apos;s primary radar coverage</a></figcaption></figure><p><a href="https://www.thetimes.co.uk/article/euro10m-radar-goes-to-the-front-line-of-military-shopping-list-xfbvzt7bv0b">We have for years talked about rectifying this situation by getting a long-range radar</a> to better cover Shannon FIR and parts of Shanwick OCR, as well as to interrogate military aircraft, particularly Russian aircraft, as they make regular penetrations into Irish airspace, but as of yet, we still do not have this radar.
Fear not though, <a href="https://www.independent.ie/irish-news/secret-defence-pact-allowing-raf-jets-inirish-airspace-undermines-our-neutrality-says-td-berry-40526069.html">we have a not so secret defence pact with the British to defend our airspace</a>, and if you want to see how regularly these penetrations occur, a wonderful OSINT nerd has a <a href="http://www.egxwinfogroup.co.uk/?page_id=4424">webpage to keep track of RAF QRAs</a>, or Quick Reaction Alerts, so you can track these things after the fact, or <a href="http://www.egxwinfogroup.co.uk/?page_id=2261">follow his twitter accounts</a> and get the news as it comes in.</p><p>When these QRAs are launched, generally you will find that the RAF will send out two Typhoons and also launch a Voyager A330 MRTT Tanker for support, and occasionally an E-3 Sentry AEW.1, though these are going out of service fast, being old since they are based on the Boeing 707, and are soon to be replaced with the <a href="https://www.raf.mod.uk/news/articles/wedgetail-to-be-rafs-new-early-warning-radar-aircraft/">E-7 Wedgetail</a> based on the 737NG.
The Tanker and AWACS aircraft will sit in what are called Orbits, pre-mapped circles on a flight chart, where they can sit and wait for the Typhoons to refuel or where the AWACS can scan a large area of the sky with its massive radar; so much so that, if you look at the area around Ireland, there are so many orbits that it accounts for 22% of all of these orbits in the UK.</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-1.PNG" class="kg-image" alt loading="lazy" width="1469" height="1089" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-1.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-1.PNG 1000w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-1.PNG 1469w" sizes="(min-width: 1200px) 1200px"><figcaption><a href="https://skyvector.com/?ll=58.446583007655036,-10.721557614906171&amp;chart=304&amp;zoom=6&amp;fpl=4500N00800W%204500N03000W%206100N03000W%20DOGAL%20DINIM%20LESLU%204500N00800W">UK AWACS and Tanker Orbits north of Ireland, covering the approaches to Shanwick OCR</a></figcaption></figure><p><a href="https://www.independent.ie/irish-news/secret-defence-pact-allowing-raf-jets-inirish-airspace-undermines-our-neutrality-says-td-berry-40526069.html">Effectively, we are compromising our neutrality and offloading this burden to the UK</a> so that we don&apos;t have to think about or do anything about this issue. It doesn&apos;t have to be this way though; we could build and operate the long-range radar system, and when I was a teenager there was news about the US offering Ireland some F-15s on the cheap to protect our airspace from what the US probably feared was our own 9/11 happening here.
Though bear in mind that while I vividly remember this story, and so does my dad, I haven&apos;t actually tracked down the source of this news or rumour.</p><p>It doesn&apos;t have to be F-15s or even NATO aircraft though. Sweden&apos;s Saab makes the JAS 39 Gripen C/D and E/F, which would do a fantastic job with a <a href="https://nationalinterest.org/blog/reboot/dont-overlook-saab-gripen-serious-export-fighter-193298">low flyaway cost</a> and <a href="https://stratpost.com/gripen-operational-cost-lowest-of-all-western-fighters-janes/">the lowest operational costs of any Western fighter by some margin to boot</a>, but buying fighters also raises other issues, such as the retention crisis in the Air Corps. There have also been comments made about there not being parking spots for aircraft, so infrastructure would have to be expanded, and we would need extra expertise to deal with the Gripen&apos;s engine, so things would not be as simple as just purchasing the aircraft.</p><p>Overall this has put Ireland in the precarious position of not knowing what is under the sea, because our ships lack sonar; not knowing what is on the sea, because we can&apos;t put our ships to sea; and not knowing what is in our skies, because we can&apos;t see what is there if someone chooses not to be seen. Our overreliance on the RAF and the Royal Navy to protect our territory is, and should be seen as, a national disgrace. As Dr Cathal Berry said:</p><!--kg-card-begin: markdown--><blockquote>
<p>&quot;It completely undermines our status as a militarily neutral state that we have to rely on the RAF,&quot;<br>
<a href="https://www.independent.ie/irish-news/secret-defence-pact-allowing-raf-jets-inirish-airspace-undermines-our-neutrality-says-td-berry-40526069.html">Paul Williams quoting Dr Cathal Berry TD; Secret defence pact allowing RAF jets in Irish airspace &#x2018;undermines our neutrality&#x2019;, says TD Berry</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h1 id="corrupt">Corrupt</h1>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>To Corrupt is to insert false data. For example, the use of dummies on the battlefield is an Attack Measure against the Collection function. Intrusion into a communications channel and spoofing is another example. Psychological Operations (Psyops) is an example of Corrupting information being Stored in the protein processor (the human mind).<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-7.PNG" class="kg-image" alt loading="lazy" width="1027" height="499" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-7.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-7.PNG 1000w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-7.PNG 1027w"><figcaption><a href="https://users.monash.edu/~carlo/InfoWar/Lectures/_JIW-2002-2-CK-BIM.pdf">Dr Carlo Kopp &amp; Dr Bruce Mills; Information Warfare and Evolution</a></figcaption></figure><p>Information corruption is a broad topic that I have a lot to say on, so much so that I have several addendum posts in the works on topics inside it, such as a breakdown of what propaganda is, the various types of it and examples from history. That piece will also cover ideas that have come into vogue such as Fake News and Misinformation, the actions of states, companies and individuals, and some of the tactics and techniques used as part of propaganda such as the Official History, Astroturfing and Political Warfare.</p><p>That is for another time though, when I have significantly more research done on the topic and when I am prepared to treat the complex and charged topic that it is with the level of nuance required to approach the subject.</p><p>It&apos;s wider than this though. You could look towards <a href="https://edition.cnn.com/2018/05/23/europe/ireland-abortion-referendum-american-campaigners-intl/index.html">the illegal entry into Ireland of US campaigners during the Abortion Referendum, where they tried to illegally influence the choices of Irish voters</a>, or towards the <a href="https://securingdemocracy.gmfus.org/hamilton-dashboard/">Hamilton 2.0 dashboard (the successor to Hamilton 68) by the Alliance for Securing Democracy, which tracks the output of state-backed news sources in Russia, China and Iran across various platforms</a>, or towards <a href="https://twitter.com/AirMovingDevice/status/1195575891146895360?s=20">Air-Moving Device, who among other things occasionally talks about platforms like TikTok being used to expand and normalize the Great Firewall beyond the borders of China</a>.</p><!--kg-card-begin: markdown--><h3 id="%D0%B4%D0%B5%D0%B7%D0%B8%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D1%8F">&#x434;&#x435;&#x437;&#x438;&#x43D;&#x444;&#x43E;&#x440;&#x43C;&#x430;&#x446;&#x438;&#x44F;</h3>
<!--kg-card-end: markdown--><p>Or more simply Dezinformatsiya, <a href="https://www.merriam-webster.com/dictionary/disinformation">a Russian word that didn&apos;t appear in English until 1939</a>, is the covert spreading of deliberately false information for the purpose of influencing public opinion or obscuring the truth. This is something we have come to live with on a day to day basis, whether we realise it or not. A prime example of the corrupted information environment we live in is the modern Vaccine Denial or Pro Disease movement. I know in my talk I called them the Anti Vaccine movement, but they aren&apos;t against vaccines, they are in denial about the facts of vaccines because of the disinformation charlatans have peddled for so long.</p><p>Robert Evans on his incredible <a href="https://www.iheart.com/podcast/105-behind-the-bastards-29236323/">Behind the Bastards</a> podcast did a <a href="https://www.iheart.com/podcast/105-behind-the-bastards-29236323/episode/part-one-the-birth-of-the-30580537/">two-part episode on the history of the movement</a> and begins by talking about early attempts at a vaccine for Smallpox, an unimaginably bad disease to contract. The practice descends from a 10th century Chinese technique, variolation, in which scabs from a smallpox sufferer were ground into a powder or infusion and blown into the nose or placed into cuts in the skin, in the hope of producing a mild infection that the patient would survive; the later cowpox method did much the same with material taken from infected calves. </p><p>This wasn&apos;t as stupid an idea as it sounds; it&apos;s the basis on which a lot of vaccines are developed today. We use live-attenuated or inactivated pathogens to develop vaccines, and even some of the SARS-CoV-2 vaccines people are receiving around the world today are based on this method. 
This method worked; the downside is that this cowpox-based vaccine was what we call a first-generation vaccine, where one could get really ill and sometimes die from the vaccination process. While today this sounds horrific, Smallpox killed more people between 1900 and 1999 than all the wars of that century combined, even with a vaccine available, which shows that the public benefit of the vaccine far outweighed the occasional death it caused.</p><p>Then the second generation of vaccines came around with the most important man you have never heard of, <a href="https://www.wnycstudios.org/podcasts/radiolab/articles/great_vaccinator">Maurice Hilleman, The Great Vaccinator</a>, on whose work Radiolab did an incredible episode. In 40 years he developed over 40 vaccines, including 8 of the 14 that are regularly given to children, and by some estimates his work saves <a href="https://www.nature.com/articles/nm1223">8 million lives a year</a>. These types of vaccines were developed to reduce the risks associated with earlier vaccines because, let&apos;s face it, getting vaccinated, unless you hate the needle, should be a pleasant-<em>ish</em> process rather than a scary one. Finally, today we have vaccines for things like SARS-CoV-2 based on mRNA, which are incredible and leading to huge breakthroughs in vaccine development.</p><p>Now, your mom or whoever sharing this vaccine denial rubbish on Facebook isn&apos;t partaking in the act of Disinformation. They are doing Misinformation: they are sharing what they believe to be true because they have fallen for Disinformation. 
The people who actually matter are the ones the Center for Countering Digital Hate called <a href="https://www.counterhate.com/pandemicprofiteers">The Disinformation Dozen</a>.</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-2.PNG" class="kg-image" alt loading="lazy" width="1155" height="1224" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-2.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-2.PNG 1000w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-2.PNG 1155w"><figcaption><a href="https://www.counterhate.com/pandemicprofiteers">The cover page of the report from the Center for Countering Digital Hate</a></figcaption></figure><p><em>The Disinformation Dozen</em> tells the story of the business model of the Vaccine Denial, Pro Disease movement. It details the income these individuals receive through their organisations, with links to their tax returns, the loans they received to protect employees&apos; paychecks, the salaries they earn from sitting on the boards of organisations, the wages of the 266 employees those organisations have working on this disinformation, and the income they earn from speaking at and promoting each other&apos;s events: a combined $36 million, which the CCDH break down per disinformer.</p><p>The report also analysed the spread of this disinformation, tagging 483 pieces of content posted between February and March 2021 in 10 private and 20 public Facebook groups. That content went on to be posted or shared 484,876 times out of the 689,404 pieces of Vaccine Denial content in the sample, that is, 70.3% of it. 
They were also able to show that just three of the disinformers are responsible for over half of all the disinformation.</p><p>The report also highlights the clear link between the disinformers, the platforms they use and the income both earn. It examines a number of legal filings made by the disinformers or their organisations about how the removal or fact-checking of their content severely hurts their income, while at the same time Facebook stands to earn up to $1.1 billion from the 37.8 million followers the Vaccine Denial audience has on Facebook and Instagram, at an average revenue per person of $29.23. </p><p>The sampled content on YouTube earned $707,222 in ad revenue, which YouTube splits 45:55 with the creator: $318,250 to YouTube and $388,972 to the creator. Advertising on YouTube is more complex, as a channel may not be eligible for ads or may have them turned off, and YouTube may have earned more from viewers of this content through ads placed on other videos outside the study&apos;s sample. 
Finally, the report looked at the followers of various accounts on Twitter, estimating that 392,575 of them are monetizable by having ads served, and that $7.6 million was earned from them.</p><p>If you have ever wondered how these people make their money and continue to contribute verbal, textual and audiovisual diarrhoea to discussions of public health, now you know.</p><p>Realistically speaking, this isn&apos;t a particularly big issue in Ireland, as <a href="https://covid19ireland-geohive.hub.arcgis.com/pages/vaccinations">87.42% of the eligible population was fully vaccinated as of 4 October 2021</a>, but it is worth looking at the graph of Government data below, which shows plateaus in several age groups: some people are not, and have not been, getting vaccinated while they have the opportunity to do so, which shows there is hesitancy out there. </p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-3.PNG" class="kg-image" alt loading="lazy" width="1770" height="1241" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-3.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-3.PNG 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2021/10/Capture-3.PNG 1600w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-3.PNG 1770w" sizes="(min-width: 1200px) 1200px"><figcaption><a href="https://covid19ireland-geohive.hub.arcgis.com/pages/vaccinations">Data from the Irish Government on SARS-CoV-2 vaccination percentages per age group as of October 4th 2021</a></figcaption></figure><p>I cannot link these two things together and say that there is a causal relationship between the Vaccine Denial Disinformation and people choosing to not get vaccinated. 
I know from personal experience that some people cannot get vaccinated, so 100% is not possible, but the plateaus among people between 20 and 40 are unrelated to those who cannot get vaccinated, as that is generally only a single-digit share of the population, so there is <em>hesitancy</em> for reasons I can only speculate on. The 10 to 19 age group shouldn&apos;t be considered yet, as they have only recently been approved in part for vaccination, first for over-16s and recently for 12 and up, and the nightmarish process of going back to school would clearly impact this.</p><!--kg-card-begin: markdown--><h1 id="exploit">Exploit</h1>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>To Exploit is to Collect against the adversary&#x2019;s Movement of Data. This increases the data available for friendly Situation Assessment and makes the generation of friendly Information more efficient.<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>While Col. Borden has a definition of Exploitation in the context of Information Warfare and it makes sense to me, it may not be clear what exactly is intended by this. For me, the diagrams of Kopp and Mills do a much better job of describing what Exploitation looks like;</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-8.PNG" class="kg-image" alt loading="lazy" width="963" height="465" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-8.PNG 600w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-8.PNG 963w"><figcaption><a href="https://users.monash.edu/~carlo/InfoWar/Lectures/_JIW-2002-2-CK-BIM.pdf">Dr Carlo Kopp &amp; Dr Bruce Mills; Information Warfare and Evolution</a></figcaption></figure><p>This idea can best be summed up as Exploitation being about collecting data on what the adversary is doing so that you have a better picture of their activities. This is best seen through the classic counterintelligence technique of Backbearing.</p><!--kg-card-begin: markdown--><h3 id="backbearing">Backbearing</h3>
<!--kg-card-end: markdown--><p>While I did just say that Backbearing is the classic counterintelligence technique, its use goes back a lot further than that. In land navigation or orienteering, a back bearing is the reciprocal of the bearing you walked on (the bearing plus or minus 180 degrees), and a record of them lets you work backwards along a path you have travelled, so that even if you get lost trying to get from A to Z, you can safely work back from P to A and get un-lost. <a href="https://youtu.be/ht1zeh0E77Y">A great demonstration of the idea is seen in this tutorial for those interested</a>.</p><p>In the world of intelligence it has a similar meaning, though you don&apos;t know where A is: you eventually realise, based on the information you have, that you are at P and that you need to work backwards using the snippets of data, or indirect data, that you have to form a larger picture of what is going on. You can form that picture by looking for things your adversary doesn&apos;t know and is attempting to find out, for anywhere in particular they are interested in and what you can infer from that, and for any new or unusual action the adversary is taking that hints towards something.</p><p>A brilliant literary example is John le Carr&#xE9;&apos;s <em>The Honourable Schoolboy</em>, the second book in the <em>Karla Trilogy</em>. While not all of the book is about Backbearing, a significant part of the first third of it tells the story of the impact of <em>The Fall</em>, that is, the events of <em>Tinker, Tailor, Soldier, Spy</em>. 
In it, Smiley, Guillam, Connie Sachs and di Salis spend their time between the archives and the meeting room working out the damage that Bill Haydon did, and whether he, during his time as a mole, through his recruitment and promotion of officers, cultivated a second-generation agent to take his place and ensure a continued flow of intelligence in the event of anything happening to him.</p><p>Doing Backbearing on issues like this through open sources is quite difficult, as these are intelligence matters discussed in the shadows or behind closed doors, but news does occasionally make its way to journalists who have their ear to the ground on such matters. Since 1974 the Government has had the National Security Committee, or NSC, to brief the Taoiseach and the Government of Ireland on matters of national security. More recently, in 2017, Cabinet Committee F was established, apparently modelled on the British Government&apos;s COBR (sometimes seen as COBRA and pronounced that way), <a href="https://www.merrionstreet.ie/en/news-room/releases/taoiseach_convenes_first_meeting_of_government_security_committee.html">to bring together more cabinet ministers and have An Garda S&#xED;och&#xE1;na and the Defence Forces brief them on matters of state security.</a></p><p>In 2010, before Cabinet Committee F was formed, <a href="https://www.justice.gov/opa/pr/ten-alleged-secret-agents-arrested-united-states">the FBI</a> tipped off An Garda S&#xED;och&#xE1;na that six stolen Irish identities were being used by <em>illegals</em> in the US. <a href="https://www.irishtimes.com/news/russian-diplomat-expelled-over-forged-irish-passports-1.560546">A Garda enquiry concluded that Russian intelligence had stolen six Irish identities and used them to produce fake Irish passports for cover, which led in 2011 to the Department of Foreign Affairs expelling a Russian diplomat</a>. 
Illegals are intelligence officers operating without the immunity provided by diplomatic cover, and as such they are taking a huge risk. Diplomatic cover means that if your cover is blown, the worst that can happen is that you are sent home. Illegals, on the other hand, are open to serious criminal charges.</p><p>In recent years Russia has been quite active in Ireland. In 2015 the FSB, Russia&apos;s domestic intelligence agency (think MI5), <a href="https://www.thetimes.co.uk/article/russian-spies-targeting-irish-tech-companies-l2dvpwrjw">applied to have an officer placed in the embassy in Dublin, which the Department of Foreign Affairs declined</a>, though Russia probably sent the officer under diplomatic cover regardless.</p><p><a href="https://www.independent.ie/irish-news/state-sponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html">In 2017, Russian state-sponsored actors were inside EirGrid</a>. Details of the attack are limited: a router used by EirGrid was compromised, and data transmitted through a GRE tunnel over it was visible, unencrypted, to a man-in-the-middle at that router. Nothing else is known. That is exactly what you would expect from GRE, which only encapsulates traffic and offers no confidentiality unless the tunnel is itself carried inside IPsec or the applications encrypt end to end. Given previous attacks such as the <a href="https://cyberlaw.ccdcoe.org/wiki/Power_grid_cyberattack_in_Ukraine_(2015)">2015</a> and <a href="https://cyberlaw.ccdcoe.org/wiki/Industroyer_%E2%80%93_Crash_Override_(2016)">2016</a> attacks on power grids in Ukraine, which resulted in power being lost for some time, <a href="https://www.independent.ie/irish-news/news/exclusive-eirgrid-targeted-by-state-sponsored-hackers-leaving-networks-exposed-to-devious-attack-36003502.html">it&apos;s possible that the intrusion was a similar attempt to turn off the power on the island</a>. 
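</p><p>The EirGrid detail above, a compromised router and a GRE tunnel whose contents were readable in the clear, is the one technical point in this story, so here is an added worked example of why a bare GRE tunnel hands an on-path attacker everything. This is my own illustration, not code from the original post or from any reporting on the incident. GRE (RFC 2784, with the key extension from RFC 2890) is encapsulation only: the header has flags, a version and the inner protocol type, and no field for any cryptographic protection, so whoever controls a router between the tunnel endpoints can strip the outer IP and GRE headers and read the inner packet. The addresses, the payload and the helper names below are constructed for the example.</p>

```python
import socket
import struct

# GRE header layout from RFC 2784 (base) and RFC 2890 (key and sequence
# extensions). The header carries flags, a version and the inner protocol
# type; there is no field for any cryptographic protection.
GRE_PROTO_IPV4 = 0x0800
GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present
IPPROTO_GRE = 47

# Constructed sample traffic for the example; not taken from any real incident.
SAMPLE_PAYLOAD = b"READ telemetry site=substation-A1 breaker=CLOSED"


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with no options. The header checksum is
    left at zero because nothing here hands the packet to a real stack."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_encapsulate(inner_packet, key=None):
    """Wrap an inner IPv4 packet in GRE. The optional key (RFC 2890) only
    identifies the tunnel; it is sent in the clear and protects nothing."""
    flags = 0
    optional = b""
    if key is not None:
        flags |= GRE_FLAG_K
        optional = struct.pack("!I", key)
    return struct.pack("!HH", flags, GRE_PROTO_IPV4) + optional + inner_packet


def build_tunnel_packet(outer_src, outer_dst, inner_src, inner_dst, payload, key=None):
    """Outer IPv4 (router to router) carrying GRE carrying inner IPv4 (host to host)."""
    # 0xFD is an experimental IP protocol number, used here so no real transport is implied.
    inner = ipv4_header(inner_src, inner_dst, 0xFD, len(payload)) + payload
    gre = gre_encapsulate(inner, key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


def parse_ipv4(pkt):
    """Return (header fields, payload) for an IPv4 packet, honouring the IHL field."""
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt) or ihl > total_len:
        raise ValueError("malformed IPv4 header")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    return fields, pkt[ihl:total_len]


def parse_gre(pkt):
    """Return (header fields, encapsulated packet). Optional fields are skipped
    in the order the RFCs fix them: checksum+reserved1, key, sequence number."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007:  # version bits; only version 0 is plain GRE
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_C:
        offset += 4
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        offset += 4
    return {"proto": proto, "key": key}, pkt[offset:]


def tap_tunnel(wire):
    """What an on-path observer, such as someone controlling the router that
    terminates the tunnel, recovers from one GRE packet: every address plus the
    inner payload, byte for byte."""
    outer, gre_bytes = parse_ipv4(wire)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    gre, inner_bytes = parse_gre(gre_bytes)
    if gre["proto"] != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    inner, payload = parse_ipv4(inner_bytes)
    return {"outer": outer, "gre_key": gre["key"], "inner": inner, "payload": payload}


def build_sample():
    """One keyed GRE packet between two tunnel routers carrying a constructed
    host-to-host message (RFC 5737 and RFC 1918 addresses chosen for the example)."""
    return build_tunnel_packet("198.51.100.1", "198.51.100.2",
                               "10.0.1.10", "10.0.2.20", SAMPLE_PAYLOAD, key=0x1234)


if __name__ == "__main__":
    seen = tap_tunnel(build_sample())
    print(seen["inner"]["src"], "->", seen["inner"]["dst"], seen["payload"].decode())
```

<p>Running it prints the inner addresses and the payload exactly as an observer sitting on the compromised router would see them, and the sample payload can be found verbatim in the bytes on the wire. The fix is not a GRE setting: the tunnel has to be carried inside IPsec, or the application traffic has to be encrypted end to end, so that what crosses the compromised hop is ciphertext.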
</p><p>2018 stands out as a particular year to look at because a fantastic series of articles broke from <a href="https://twitter.com/JohnMooneyIRL">John Mooney</a> in the Sunday Times. <a href="https://www.thetimes.co.uk/article/russian-spies-targeting-irish-tech-companies-l2dvpwrjw">The first</a>, whose title is a contender for understatement of the year, implies one thing, that Russia is spying on tech companies here in Ireland, but the article has a lot more to say than that, starting with the fact that it&apos;s not just the tech sector but the engineering and science sectors too, as well as Irish companies generally, Critical National Infrastructure projects and research at the European Space Agency Space Solutions centre in Cork, and I suspect those are not the full set of targets given the amount of R&amp;D going on here in Ireland.</p><p>The article goes on to state that illegals have also possibly been operating here: Garda&#xED; approached a Russian couple who had &apos;<em>befriended</em>&apos; a man working in the tech sector whom Garda&#xED; believe was the target of an espionage operation. This could have been the cultivation of an agent, or an attempt to get access to technology. The couple were subsequently withdrawn when their legend fell apart. Along with this, Garda&#xED; believe that the SVR, Russia&apos;s foreign intelligence agency (think SIS/MI6), is recruiting sources in political, technology and business circles as well as helping to spread propaganda.</p><p>That article isn&apos;t done yet though. It goes on to state that Garda&#xED; and Defence Forces staff believe Russia is operating a number of signals officers, who specialise in intercepting and transmitting information, and cipher clerks, who specialise in encrypting and decrypting it, out of the embassy in Dublin. 
This is believed because they only ever leave the embassy in the company of others believed to be intelligence officers operating under diplomatic cover. The threat is real enough that the Defence Forces are believed to have conducted sweeps of the area to identify unusual signals.</p><p><a href="https://www.thetimes.co.uk/article/behind-the-iron-curtain-of-the-russian-embassy-in-dublin-f999sjfcr">The second article in the series also covers a lot</a>, ranging from denials from the Kremlin to further details on Russian operations in Ireland, such as Ireland being used as a back door into the UK, but the two major items in the story are the not exactly surprising news that Russia is using Ireland&apos;s financial system to launder the proceeds of corruption, and the bombshell that Russia attempted to use cut-outs here in Ireland to purchase &apos;<em>controlled technologies</em>&apos;, an attempt the Garda&#xED; thwarted. Controlled technologies, as I read it, are two things: technology subject to sanctions, where any company selling it should have checked that the buyer is not a sanctioned entity, and dual-use technologies that can serve both peaceful and military ends, such as missile and nuclear technology.</p><p><a href="https://www.thetimes.co.uk/article/russia-uses-firm-with-spy-links-for-dublin-embassy-job-nvg5qqvxf">The third article in the series deals with the expansion of the embassy in Dublin</a>. The project was overseen by Zarubegproekt, the prime contractor for the FSB and SVR in Russia, which made the application for planning permission via a now defunct but unnamed Dublin architectural firm. 
This could be an attempt to hint that it was done in a possibly illegal manner, but without evidence to back up such a claim it stays a hint, as the Sword of Damocles that is Irish libel law hangs over such statements in the press.</p><p>The proposed development would expand the embassy from a <a href="https://www.thetimes.co.uk/article/russian-spies-targeting-irish-tech-companies-l2dvpwrjw">2,000 sq ft facility into a 10,000 sq ft facility</a>, a fivefold expansion. More importantly, the expansion would also include a number of underground rooms to house &apos;<em>ventilation, storage and heating equipment</em>&apos;, which unnamed experts say are in unusual locations for such equipment, raising the spectre that the embassy is being used as a base for espionage and military operations in Ireland.</p><p>Further to this, Zarubegproekt insisted that the construction was to be carried out by builders flown in from Russia. Given the skill and expertise of the builders and developers available in Ireland, that is a highly unusual request, and could be read as classified equipment being installed that no foreign nationals, including Irish ones, should see, since the architectural drawings, materials on site or the installation of equipment might raise eyebrows and hint at the true use of the expansion. 
<a href="https://www.thetimes.co.uk/article/taoiseach-leo-varadkar-told-to-halt-russian-embassy-expansion-jk8mf5q00">Eventually, legislation was drawn up to halt the expansion of the Russian embassy</a>.</p><p><a href="https://www.thetimes.co.uk/article/russia-smuggling-in-spy-cars-to-ireland-under-diplomatic-cover-zhqt9rv37">Finally, the fourth major article of 2018</a> was about Russia smuggling so-called &apos;<em>Spy Cars</em>&apos; into Ireland under diplomatic plates, which would mean that the security services could not inspect the vehicles, as they are protected under the Vienna Convention on Consular Relations;</p><!--kg-card-begin: markdown--><blockquote>
<p><strong>Article 31</strong><br>
4. The consular premises, their furnishings, the property of the consular post and its means of transport shall be immune from any form of requisition for purposes of national defence or public utility. ...<br>
<a href="https://legal.un.org/ilc/texts/instruments/english/conventions/9_2_1963.pdf">Article 31.4 of the Vienna Convention on Consular Relations</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Strictly, the article quoted deals with requisition; the immunity from search that keeps an embassy&apos;s vehicles off-limits is Article 22(3) of the Vienna Convention on Diplomatic Relations, which makes the means of transport of the mission immune from search, requisition, attachment or execution. Either way, this is a very smart approach, as these &apos;<em>Spy Cars</em>&apos; are suspected of housing communications and signals equipment in the wheel wells and boots, and possibly elsewhere. This gives the occupant, a signals officer, near-complete freedom to travel around Ireland and, at a previously arranged time and place, drive past or stop at a location while receiving or transmitting information to and from agents in the field or sources they have cultivated. This can then be handed to a cipher clerk for retransmission to Moscow for analysis or further instruction.</p><p>While we don&apos;t know exactly what is inside one of these &apos;<em>Spy Cars</em>&apos;, we got a pretty good glimpse at what the innards might look like <a href="https://english.defensie.nl/latest/news/2018/10/04/netherlands-defence-intelligence-and-security-service-disrupts-russian-cyber-operation-targeting-opcw">when the Netherlands Defence Intelligence and Security Service disrupted an active attempt to hack into the Organisation for the Prohibition of Chemical Weapons (OPCW) in Den Haag in 2018</a>, in the wake of the attempted assassination of Sergei and Yulia Skripal in Salisbury, UK, <a href="https://www.theguardian.com/uk-news/2018/sep/13/russian-television-channel-rt-says-it-is-to-air-interview-with-skripal-salisbury-attack-suspects">home of a famous 123-metre spire and clock</a>.</p><p>The GRU officers hired a rental car at Schiphol Airport, kitted it out with what they needed and went to their hotel, the Marriott in Den Haag. This is a curious choice of hotel for four GRU officers, as it is right next door to the headquarters of the OPCW, and the car was found parked directly beside the fence that separates the two properties. The equipment in the car was being used to attack the OPCW&apos;s Wi-Fi as a way into the network. 
</p><figure class="kg-card kg-image-card kg-width-wide kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2021/10/Capture-9.PNG" class="kg-image" alt loading="lazy" width="1648" height="1231" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/10/Capture-9.PNG 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/10/Capture-9.PNG 1000w, https://blog.cyberwarfa.re/content/images/size/w1600/2021/10/Capture-9.PNG 1600w, https://blog.cyberwarfa.re/content/images/2021/10/Capture-9.PNG 1648w" sizes="(min-width: 1200px) 1200px"><figcaption><a href="https://english.defensie.nl/latest/news/2018/10/04/netherlands-defence-intelligence-and-security-service-disrupts-russian-cyber-operation-targeting-opcw">An image from a slide made by the Dutch Ministry of Defence showing the contents of a Russian Spy Car made in a rental vehicle to hack into the offices of the OPCW</a></figcaption></figure><p>The ultimate aim of this operation is unknown, but since the weapon used in the attempted assassination, Novichok, is a fourth-generation chemical weapon developed in complete secrecy in the USSR and not well known outside some very small and niche circles, Russia was probably very interested in where the OPCW got its reference samples and how many it had, and may also have been attempting to sabotage the investigation.</p><p>I could go on talking about these issues, but there is a story on this kind of thing every other month or so. What I want to get across is the mountain of evidence showing that Russia is targeting Ireland across the spectrum, under the sea, on the sea, in the air and on land, with a mix of civil, military, diplomatic and whatever other methods they can muster to conduct operations on Irish territory, and that they are doing so for a wide variety of reasons. 
<a href="https://www.thetimes.co.uk/article/russian-agents-plunge-to-new-ocean-depths-in-ireland-to-crack-transatlantic-cables-fnqsmgncz">There is one last story I want to highlight, from 2020</a>.</p><p>The smaller part of the story was that Russian agents were monitored while mapping Dublin Port, something that would be quite handy if you know your Red Storm Rising. The major story though related to the submarine fibre optic cables I mentioned earlier in this piece: Russia was attempting to map the precise locations of the landing points of these cables by looking for weak points in the physical infrastructure on land, and the article included a quote that I fully believe to be the case;</p><!--kg-card-begin: markdown--><blockquote>
<p>... the Russian service most likely had two intentions: spying, and cutting communications in time of conflict.<br>
<a href="https://www.thetimes.co.uk/article/russian-agents-plunge-to-new-ocean-depths-in-ireland-to-crack-transatlantic-cables-fnqsmgncz">John Mooney quoting John Sipher, former Moscow based CIA officer; Russian agents plunge to new ocean depths in Ireland to crack transatlantic cables</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>This was also a very timely story to come out as it was out only a month before the inaugural Sl&#xE1;nd&#xE1;il, the National Security Summit and it formed the backbone of a question, along with the paper from Lt. Shane Mulcahy, that I asked the authors of the National Cyber Security Strategy on why the Physical aspect of Cyber was so overlooked in the strategy.</p><!--kg-card-begin: markdown--><h1 id="doing-our-own-backbearing">Doing Our Own Backbearing</h1>
<!--kg-card-end: markdown--><p>Rather than a conclusion as such, I would rather do some backbearing of my own and look at why I have talked so extensively about Russia. There are three main reasons. <a href="https://www.patreon.com/posts/enemy-of-state-46258121">The first is that Russia sees us as an EU aligned state</a>; generally, when the EU does something, Ireland follows, <a href="https://www.patreon.com/posts/enemy-of-state-46258121">but also because we are a Western aligned state</a>. This isn&apos;t to say that we are a puppet of the US or anything, but when Russia does something that is seen as unacceptable, such as attempting assassinations with chemical weapons, we, like most Western states, expelled diplomats; actually Austria was the only state who didn&apos;t expel anyone.</p><p>The second is because we are a neutral state, not in the technical sense as defined by Hague Convention (V) from the Second Hague Convention, but because we believe we are one, and this is seen by Russia as a weakness that can be exploited. As I have mentioned, Ireland is used as a backdoor into other states such as the UK, but also because Neutrality tends to lead states to believe they are immune or to warp the perception of what things mean on the world stage. Sweden and Austria have been on the wrong side of this in the past, where <a href="https://en.wikipedia.org/wiki/Swedish_submarine_incidents">Sweden has a history of dropping depth charges on Soviet and Russian submarines</a> entering its territory, <a href="https://en.wikipedia.org/wiki/H%C3%A5rsfj%C3%A4rden_incident">setting traps for Soviet submarines</a> and <a href="https://www.svd.se/skadad-rysk-ubat-soks-i-skargarden">as recently as 2014 there was an incident where a Russian Lada class submarine made an emergency call from inside Swedish waters</a>. 
</p><p>Austria though has had a much more troubled recent history where <a href="https://www.politico.eu/article/austrian-colonel-spied-for-moscow-for-decades-says-vienna/">in 2018 an Austrian Colonel was a spy for Russia giving away details on the Austrian Air Force and Army artillery systems as well as information on the immigration situation in Austria</a> and had been doing this for 30 years, and in 2020 <a href="https://www.aljazeera.com/news/2020/8/24/austria-expels-russian-diplomat-moscow-hits-back-in-kind">there was another spy scandal where a diplomat was engaged in Industrial Espionage</a>, much like we see here. Vienna, and to an extent cities like Stockholm and Dublin, as capital cities in neutral states, as well as elsewhere like Geneva, are hubs for diplomatic activity and thus are homes for spies. </p><p>While he is best known for his past at 73 Easting and more recently being a bit of a clown, <a href="https://www.harpercollins.com/products/battlegrounds-h-r-mcmaster?variant=33082432159778">Gen. H. R. McMaster wrote a book recently</a> on some of the things he tried to accomplish when he was Donald Trump&apos;s National Security Advisor, and one of them was the concept of &apos;<em>Strategic Narcissism</em>&apos;; he gave a lot of time on the Lawfare Podcast a while ago to discuss the concept;</p><!--kg-card-begin: markdown--><blockquote>
<p>Jordan, I think this has been a lodestone around our neck, is this tendency to define the world only in relation to us and then to assume therefore that what we decide to do or decide not to do, will be decisive in achieving a favourable outcome. This is problematic because it is self referential and it doesn&apos;t acknowledge the degree to which the other, especially adversaries, enemies, rivals, competitors, have over the future course of events.<br>
<a href="https://www.lawfareblog.com/lawfare-podcast-h-r-mcmaster-china">H. R. McMaster discussing Strategic Narcissism on Lawfare&apos;s ChinaTalk Podcast @ 00:02:40</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>This for me at least sums up the last two points neatly. We don&apos;t, at a government level, view Russia as an enemy, but we aren&apos;t friends either, yet we try to get along nicely. The &apos;<em>Strategic Narcissism</em>&apos; is that we ignore how Russia feels about us: to an extent, we are a threat to them, but they don&apos;t want to make us an enemy because we are a useful place to be acquainted with, and if conflict were to break out, Ireland would be a useful place for Russia to operate in and around, which presents them with a number of advantages. If you don&apos;t like the idea of &apos;<em>Strategic Narcissism</em>&apos;, Gen McMaster also has another term, which is to say that we lack &apos;<em>Strategic Empathy</em>&apos;.</p><p>The third issue is that we lack capability on a number of fronts in both military and intelligence matters, even in basic and simple terms. I mentioned the lack of sonar in the Naval Service, the lack of ability to view the airspace and for the Air Corps to control this airspace, but the problem to an extent is more fundamental than that. Logistics is the backbone of a military. Napoleon is said to have remarked that &apos;<em>An army marches on its stomach</em>&apos; and this is a reference to the importance of logistics, <a href="https://www.rte.ie/news/2021/1002/1250201-military-plane/">something we are having a discussion about right now, and for the most part we are not talking about the logistics</a>. As well as this, as Mark Galeotti points out, we don&apos;t even have the basics of counterintelligence;</p><!--kg-card-begin: markdown--><blockquote>
<p>Ireland doesn&#x2019;t have a counter-intelligence capability. It&#x2019;s a relatively soft target. Ireland is a major node for the global internet. It has a large concentration of tech companies. This is the new battle space of the future.<br>
<a href="https://www.thetimes.co.uk/article/russian-agents-plunge-to-new-ocean-depths-in-ireland-to-crack-transatlantic-cables-fnqsmgncz">Mark Galeotti; Russian agents plunge to new ocean depths in Ireland to crack transatlantic cables</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Security is an intangible idea that Ireland has a certain apathy for. There are a lot of people who do care about securing the state and I don&apos;t mean to disparage them and say that they have zero interest, but they are occupied with other things like making sure their kids get a good education or that they can get a doctor when they need it or whatever is on their mind at work. This is a generalisation of affairs in Ireland; we tend not to have major discussions on matters of national security or defence strategy. We tend to assume that sure, no one would attack us, that it will <em>be grand</em> so to speak, and this impacts our strategic vision for what the current threats are in the world to a great extent, imagining that we are living in a time just after the end of the Cold War, at the End of History, and in how we choose to invest to deal with such threats. As such we don&apos;t have a National Security Strategy, <a href="https://www.gov.ie/en/consultation/8b3a62-public-consultation-on-the-development-of-a-national-security-strate/">there are ongoing consultations for it</a>, but we should be clear that we need a strategy and an honest look at the threats we face, because as I previously quoted the CEO of IBM UK &amp; Ireland, security is key to our prosperity, and Gen McMaster agrees;</p><!--kg-card-begin: markdown--><blockquote>
<p>So I think that, especially with involving these important issues, that involve security, that involve our prosperity, that involve building a better future for generations to come, we must be clear eyed about the nature of that challenge and we have to establish objectives ...<br>
<a href="https://www.lawfareblog.com/lawfare-podcast-h-r-mcmaster-china">H. R. McMaster on Lawfare&apos;s ChinaTalk Podcast @ 00:10:30</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Really what we need is to come together, admit that while all of these are intangible ideas, there are threats out there and that we need to protect ourselves from these threats, understand them and build a strategy around them. One that will include not just solving funding issues at the HSE, the unhoused crisis, the cost of buying homes etc, but also wider topics like protecting our waters and our airspace from intrusions, such that if a conflict were to begin we would be prepared to deal with it.</p><!--kg-card-begin: markdown--><blockquote>
<p>I think that the approach is really important. The approach of first understanding problems on our own terms, then inventorying our vital interests, viewing whatever the challenge is that you&apos;re facing through the lens of your vital interest and crafting an overarching goal with specific objectives.<br>
<a href="https://www.lawfareblog.com/lawfare-podcast-h-r-mcmaster-china">H. R. McMaster discussing shifting the overall strategic policy of a nation on Lawfare&apos;s ChinaTalk Podcast @ 00:10:00</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Finally, I want to mention Blowback. This is the intelligence concept of the impact of the unintended consequences of intelligence operations. If one of the above scenarios were to occur, such as damage done to Submarine Fibre Optic Cables, what would that do to a state like Ireland?</p><!--kg-card-begin: markdown--><blockquote>
<p>... the technological base of the Irish economy has developed significantly in recent years; the State is now home to a large proportion of Europe&#x2019;s data (upwards of 30% according to some industry assessments) and the European headquarters of a number of the world&#x2019;s largest technology firms. Critically also, the conceptual evolution of cloud computing has had profound implications for Ireland. In many cases, rather than being passive repositories of data, these centres are now home to live operational software environments; an outage or incident affecting one of those facilities could therefore have immediate disruptive effects on infrastructure or business across the EU or globally.<br>
<a href="https://www.ncsc.gov.ie/pdfs/National_Cyber_Security_Strategy.pdf">National Cyber Security Strategy 2019-2024; p. 13</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>What is the reputational damage to a state when we have great difficulties in communicating with the outside world and companies need their data that is stored in Ireland? Or all of a sudden a huge chunk of the world&apos;s compute power dropped off? Or if huge toolchains in the cloud that companies rely on vanished? What if financial transactions couldn&apos;t be sent? Taxes collected? The list goes on and on.</p><!--kg-card-begin: markdown--><blockquote>
<p>Tens of thousands of financial transactions are sent on these cables every hour along with communications. People think &#x2018;the cloud&#x2019; is in the sky but it&#x2019;s really in the bottom of the sea,<br>
<a href="https://www.thetimes.co.uk/article/navy-called-in-as-russians-suspected-of-targeting-undersea-internet-cable-jztg8t6lx">John Mooney quoting Dr. Cathal Berry (TD); Navy called in as Russians suspected of targeting undersea internet cable</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h1 id="what-was-left-out">What Was Left Out?</h1>
<!--kg-card-end: markdown--><p>Probably a lot, probably more than I am capable of knowing without being in a room of experts from every department in the government, but I do want to highlight two areas and explain why they were left out.</p><!--kg-card-begin: markdown--><h3 id="the-ransomware-compromise-of-the-hse">The Ransomware Compromise of the HSE</h3>
<!--kg-card-end: markdown--><p>The ransomware compromise of the HSE is in a lot of ways a coming of age story for Ireland as it exposed a fundamental flaw in the security culture of the state. A prime example of this was when Paul Reid, Director General of the HSE, said that <a href="https://www.irishtimes.com/news/health/hse-cyberattack-has-led-to-trail-of-devastation-says-reid-1.4584228">some services had been set back some 30 to 40 years</a>. If malicious software is setting something back 30 to 40 years, it is indicative of out of date systems that are running software older than I am and maybe hardware that is just as old. The last time I was in A&amp;E, earlier this year, there were computers running Windows 7 that were clearly networked systems. This massive tech debt is a problem.</p><p>We assume that investing once, or in several smaller investments over a period of time, is all that is needed to provide a service, but we do not think about the recurring costs of things like IT or Information Security. As well as this, the HSE is a complex beast where healthcare comes rightfully first. If healthcare is to come first, sacrifices come from elsewhere and while I can imagine there are a number of areas, in a number of state bodies, where this is the case, there appears to be a fundamental mismatch between priorities and needs at a high level in the Government;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Honestly, I&apos;m quite happy to blame the government over the HSE cyber attack. If your balance sheet looks like this, it&apos;s likely you&apos;re not prioritising the right things... <a href="https://t.co/4vaIkSgNtE">pic.twitter.com/4vaIkSgNtE</a></p>&#x2014; Gareth Go Tobann (@Gwareth) <a href="https://twitter.com/Gwareth/status/1394227965278490625?ref_src=twsrc%5Etfw">May 17, 2021</a></blockquote>
</figure><p>The other thing about the compromise is that the gang behind it are known as <a href="https://attack.mitre.org/groups/G0102/">Wizard Spider</a> and they are a financially motivated cyber crime gang. While you could look at their actions as degrading the ability of the HSE to deliver healthcare, something I found when I had an ultrasound on the day of the attack and had to give the radiologist all of the information about where she needed to scan and what for (luckily I knew exactly what I was there for; not everyone would be as lucky), or the compromise could be looked at through the lens of Denying healthcare to some, the motivation was not one of an Information Attack, but was a financially motivated crime.</p><p>And just for reference, I call it a compromise and not an attack because attacks indicate that violence was used in the commission of an offence and this clearly is not the case. It&apos;s something I want to discuss more, but that will take some time as books like the Tallinn Manuals are hefty and dense volumes.</p><!--kg-card-begin: markdown--><h3 id="the-electrical-grid">The Electrical Grid</h3>
<!--kg-card-end: markdown--><p>I briefly mentioned that there was a man in the middle attack on a compromised router operated by Vodafone for Eirgrid, so why not have that as a major talking point, since it could be seen as Denial given what denying access to the electrical grid means in this day and age? Or what about if the attack on Eirgrid had succeeded and some generation capacity was Degraded?</p><p>Well, I did initially look into Degrade and Deny scenarios given that I have been working on a <em>Malware Zoo</em> of various pieces of malware which could be seen as something you could classify as a <em>Cyber Weapon</em>, so I am acutely aware of malware that has not just attacked Industrial Control Systems, but also of attacks on electrical grids such as those seen in Ukraine in <a href="https://cyberlaw.ccdcoe.org/wiki/Power_grid_cyberattack_in_Ukraine_(2015)">2015</a> and <a href="https://cyberlaw.ccdcoe.org/wiki/Industroyer_%E2%80%93_Crash_Override_(2016)">2016</a>. Or research that was conducted such as the <a href="https://www.youtube.com/watch?v=LM8kLaJ2NDU">Aurora Test</a> by the US Department of Energy and Department of Homeland Security, <a href="https://www.muckrock.com/news/archives/2016/nov/14/aurora-generator-test-homeland-security/">where they used software to physically destroy power generating infrastructure via frequency excursion</a>. </p><p>I also wanted to look at <a href="https://unresolved.me/metcalf">The Metcalf Sniper Attack</a> which is a fascinating attempt to take down grid infrastructure by cutting control cables to prevent warnings that there were issues with the infrastructure. Then over the course of 19 minutes, the attackers shot over 120 rounds of ammunition from what appears to be several guns at a series of transformers, not at the transforming circuitry itself but at the cooling fins on the transformers. This caused roughly 240,000 litres of cooling oil to leak from them and allowed temperatures to rise. 
As heat impacts the performance of electronics, overheating leads to systems shutting down and this is what happened, but it wasn&apos;t clear that this had happened as the communications links had been cut.</p><p>Ultimately though, I chose to not concentrate on the grid, not because the link to Russia may be seen as more tenuous by some, but because anyone who has kept an eye on the grid for any amount of time knows that <a href="https://www.businesspost.ie/energy/eirgrid-and-cru-warn-of-rolling-blackouts-if-action-is-not-taken-on-data-centre-growth-7f484021">the current issues in the news about Data Centers are not news and this has been warned about for years</a>. The narrow generation margins that have been run on the grid for the longest time have left us vulnerable to unreliable power delivery if an incident were to occur, or if a compromise of the grid infrastructure were to occur as we saw here in 2018 or in Ukraine, and an unreliable grid would make Ireland seem unreliable and could damage the reputation of the state in the eyes of foreign direct investors.</p><p>Plus, events that could cause the kinds of damage seen in the Aurora Test, frequency excursions, though not nearly as extreme, happen on a fairly regular basis and engineers at EirGrid make sure the grid is safe, online and functional so that you never notice. You can see some events from the past 3 years below;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Woops, someone&apos;s just had a clanger! <a href="https://t.co/45IxynE5qP">pic.twitter.com/45IxynE5qP</a></p>&#x2014; Mark Coleman (@Spark_ie) <a href="https://twitter.com/Spark_ie/status/1181123381174910977?ref_src=twsrc%5Etfw">October 7, 2019</a></blockquote>
</figure><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Oops!    Someone dropped a spanner into the drive train somewhere &#x1F62C;<br><br>Two frequency events within 20 mins, very unusual, but no bothers to <a href="https://twitter.com/EirGrid?ref_src=twsrc%5Etfw">@EirGrid</a> <a href="https://t.co/1vpdZ4mAvm">pic.twitter.com/1vpdZ4mAvm</a></p>&#x2014; Mark Coleman (@Spark_ie) <a href="https://twitter.com/Spark_ie/status/1278337347923382279?ref_src=twsrc%5Etfw">July 1, 2020</a></blockquote>
</figure><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">There&apos;s just been an absolute whopper of a grid event on the Irish electricity system.  Grid frequency floated around 49.75Hz for ~15 minutes! Back @ 50Hz now..<br><br>(I now see Coolkeeragh CCGT 425MW was the cause)<br><br>Never seen this (the duration of dip) in my 11yrs of working on grid <a href="https://t.co/NjwVse1la1">pic.twitter.com/NjwVse1la1</a></p>&#x2014; Mark Coleman (@Spark_ie) <a href="https://twitter.com/Spark_ie/status/1389663283544838149?ref_src=twsrc%5Etfw">May 4, 2021</a></blockquote>
</figure><p>And for context of what those frequencies mean, you can see the below tweet. For reference, the context of the tweet is after the 2021 event directly above where the Coolkeeragh gas power plant went offline suddenly and 425MW of generating capacity vanished from the network.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Well, as per Grid Code, the system can (and did) operate fine at that frequency.<br><br>BUT, the risk is if another large unit was to trip while being at 49.75Hz that&apos;s absolutely [certainly] blackout territory. <a href="https://t.co/qswK62xiDp">pic.twitter.com/qswK62xiDp</a></p>&#x2014; Mark Coleman (@Spark_ie) <a href="https://twitter.com/Spark_ie/status/1389680408149823490?ref_src=twsrc%5Etfw">May 4, 2021</a></blockquote>
</figure><p>If such an event as we saw at Coolkeeragh were to happen again, or if malware was nicely placed to wait for such an event, we would be on the brink of blackouts. If things got really bad and grid infrastructure started to need to be disconnected or turned off, starting again from scratch is called a <a href="https://www.drax.com/power-generation/black-start-important-back-plan-youve-never-heard/">Black Start</a> and it is complex and risky.</p><!--kg-card-begin: markdown--><hr>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h3 id="acknowledgments">Acknowledgments</h3>
<!--kg-card-end: markdown--><p>Cheers to <a href="https://twitter.com/madwonk">Ben</a>, the editor &#x1F633;. I can&apos;t thank <a href="https://twitter.com/dbmee">David</a> enough for his amazing ability to watch and dig up things related to the mostly unseen and uncared for elements of National Security in Ireland like the power grid, and the naval and air space around Ireland. Journalist <a href="https://twitter.com/JohnMooneyIRL">John Mooney</a>, for his articles and <a href="https://www.patreon.com/TheDarkState/posts">podcast</a>, his generous time, huge patience and tips on various goings on. And finally, a thanks to the many, many more <a href="https://twitter.com/ACWPodcast">Wonks</a> for the discussions on the various cyber and information warfare aspects.</p>]]></content:encoded></item><item><title><![CDATA[I was in the Economist Magazine talking about OSINT]]></title><description><![CDATA[<p>I contributed to an essay on OSINT, mostly as background, by Shashank Joshi, which is the Cover Story of the August 7th 2021 edition of the Economist. It&apos;s a fun and engaging read about the weird and important things people like me are doing either professionally or in</p>]]></description><link>https://blog.cyberwarfa.re/i-was-in-the-economist-magazine-talking-about-osint/</link><guid isPermaLink="false">610c074ef85c9ea22a7b5c06</guid><category><![CDATA[Updates from the Author]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Thu, 05 Aug 2021 17:15:02 GMT</pubDate><content:encoded><![CDATA[<p>I contributed to an essay on OSINT, mostly as background, by Shashank Joshi, which is the Cover Story of the August 7th 2021 edition of the Economist. 
It&apos;s a fun and engaging read about the weird and important things people like me are doing either professionally or in my case, in my spare time, with OSINT to break the state monopoly on intelligence.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">So uhh... I&apos;m quoted in the Economist this week... Mostly from talking on background about OSINT, the <a href="https://twitter.com/ACWPodcast?ref_src=twsrc%5Etfw">@ACWPodcast</a>, the <a href="https://twitter.com/hashtag/PS752?src=hash&amp;ref_src=twsrc%5Etfw">#PS752</a> shootdown and how <a href="https://twitter.com/Ascii211?ref_src=twsrc%5Etfw">@Ascii211</a> plays with Sidewinders <a href="https://t.co/iajCQHeDTV">https://t.co/iajCQHeDTV</a> <a href="https://t.co/SuelcbRwYH">pic.twitter.com/SuelcbRwYH</a></p>&#x2014; Paddy Kerley (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1423282542724087812?ref_src=twsrc%5Etfw">August 5, 2021</a></blockquote>
</figure><p>If you know me well enough, you&apos;ll see the throughline of how overhead imagery analysis got started by the allies being confused by reconnaissance imagery of Auschwitz, thinking it to be an industrial complex and concentration camp rather than all of the above and an extermination camp and how I think this kind of faulty intelligence exists, in an era where we can, and should do better. Also that I don&apos;t like to not know what something is and that I have a drive to know and understand things.</p>]]></content:encoded></item><item><title><![CDATA[Information Warfare]]></title><description><![CDATA[<p>A number of years ago at TU Dublin I overheard several students discussing a map they were looking at that visualized DDoS attacks <a href="https://www.digitalattackmap.com/">such as Digital Attack Map</a> and commenting about how it visualised Cyber War before their very eyes. This didn&apos;t exactly seem right to me, but</p>]]></description><link>https://blog.cyberwarfa.re/iw/</link><guid isPermaLink="false">60834946a1ddcd53430870d4</guid><category><![CDATA[Cyber & Information Warfare Theory]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Fri, 25 Jun 2021 14:07:36 GMT</pubDate><content:encoded><![CDATA[<p>A number of years ago at TU Dublin I overheard several students discussing a map they were looking at that visualized DDoS attacks <a href="https://www.digitalattackmap.com/">such as Digital Attack Map</a> and commenting about how it visualised Cyber War before their very eyes. This didn&apos;t exactly seem right to me, but I couldn&apos;t exactly put my finger on why it wasn&apos;t right. 
It did start me on a journey though, and this post is the first in what will probably be many, many more from that journey.</p><p>War is a legal concept from the field of International Law and while I feel like it is important to understanding this topic, there has been so much change over the last year or so that I haven&apos;t been able to keep up with it all and I need to re-analyse my thinking on several aspects. Tallinn 1.0 and 2.0 are still great, but this change has <a href="https://ccdcoe.org/news/2021/the-ccdcoe-invites-experts-to-contribute-to-the-tallinn-manual-3-0/">prompted Tallinn 3.0 to be written</a>, to look at the issues in 1.0 and 2.0 through the recent statements of various states. I have heard rumor of another such book coming out from the <a href="https://ccdcoe.org/">NATO CCDCOE</a> which is an Operator&apos;s Manual, which I think may be similar to the <a href="https://www.loc.gov/rr/frd/Military_Law/pdf/LOAC-Deskbook-2015.pdf">US DoD&apos;s Law of Armed Conflict Deskbook</a>. So looking at the legal aspects of such a conflict in cyberspace may have to wait for me to re-analyse my thinking or for a more complete expert opinion to come out in the field.</p><p>The next best thing to talk about, if you can&apos;t talk about whether something is or is not <em>&apos;Cyber War&apos;,</em> would be to assume that such a state exists and to look at what such a conflict may look like. I was thinking about saving this for a talk at something like <a href="https://www.bsidesdub.ie/">BSides Dublin</a> or <a href="https://bsidesbelfast.org/">BSides Belfast</a> or maybe something more towards this niche like <a href="https://www.nssi.ie/">Sl&#xE1;nd&#xE1;il</a> but the Human Malware situation has gotten in the way of this so... A blog post it is!</p><!--kg-card-begin: markdown--><h1 id="understandingmodernwarfare">Understanding Modern Warfare</h1>
<!--kg-card-end: markdown--><p>To understand how Cyber fits into modern warfare first, you must understand what warfare is, how it can be viewed, a little on the history of how we got to where we are in warfare and where wars are fought. First warfare is;</p><!--kg-card-begin: markdown--><blockquote>
<p>the activity of fighting a war or strongly competing, esp. with reference to the type of weapons used or to the way the fighting is done:<br>
<a href="https://dictionary.cambridge.org/us/dictionary/english/warfare">Definition of warfare from the Cambridge Academic Content Dictionary &#xA9; Cambridge University Press</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>As I see things, warfare is best described though by looking at things as you would a tree. Each branch off the trunk is a Domain or Dimension of warfare and each branch off of a Domain is a Subdomain that encompasses a way of using a given type of warfare. There are generally said to be five Domains. Land, Sea, Air, Space, and finally, Information. It should though be noted that things are not limited to just those 5 domains. War can be fought Asymmetrically, can also involve the use of Chemical and Nuclear weapons, and can be about how much of your state&apos;s economy and populace you use to fight a war, so considering those areas is also important. This is a simple breakdown of the various domains of warfare;</p><!--kg-card-begin: markdown--><ul>
<li><strong>Land Warfare</strong>
<ul>
<li>Maneuver Warfare</li>
<li>Mountain Warfare</li>
</ul>
</li>
<li><strong>Sea or Naval Warfare</strong>
<ul>
<li>Commerce Raiding</li>
<li>Mine warfare</li>
</ul>
</li>
<li><strong>Aerial Warfare</strong>
<ul>
<li>Air Superiority</li>
<li>Aerial Bombing</li>
</ul>
</li>
<li><strong>Space Warfare</strong>
<ul>
<li>Anti-Satellite Weaponry</li>
<li>Kinetic Bombardment</li>
</ul>
</li>
<li><strong>Information Warfare</strong>
<ul>
<li>Computer Network Attack</li>
<li>Electronic Attack</li>
</ul>
</li>
<li><strong>Asymmetric Warfare</strong>
<ul>
<li>Hybrid Warfare</li>
<li>Guerrilla Warfare</li>
</ul>
</li>
<li><strong>CBRNe Warfare</strong>
<ul>
<li>Chemical Warfare</li>
<li>Nuclear Warfare</li>
</ul>
</li>
<li><strong>Level of Integration In War</strong>
<ul>
<li>Limited War</li>
<li>Total War</li>
</ul>
</li>
</ul>
<!--kg-card-end: markdown--><p>Finally, a very, very brief history of warfare. Since essentially the stone age, when people figured out that a force could have a unit with pointy sticks and primitive shields to defend another unit with stones to sling, we have lived in an era of Combined Arms Warfare. Combined Arms Warfare has come in many forms through many generations. In the Bronze Age, the Chariot was king of the killing zone, expensive to field and run but potentially lethal when used correctly in conjunction with a well-arranged array of units of spearmen. In the Middle Ages, we all know stories of a few Knights on horseback who would fight alongside Archers and Foot Soldiers, and in the Renaissance Era, Artillery, Cavalry, and Soldiers armed with muskets would make up armies.</p><p>Granted this is a very western perspective, but Persian armies against Alexander the Great were composed of Infantry, Archers, Cavalry, Chariots, and War Elephants. The Mongolian forces in the era of Genghis Khan, while mostly cavalry to prioritize mobility, broke their cavalry into light cavalry who were horse archers and heavy cavalry who were lancers, as well as using Foot Soldiers as needed. Aztec forces against Spanish Invaders were comprised of multiple kinds of ranged and close-quarters weapons designed for use in jungles, such as blowguns and small daggers, as well as more conventional equipment such as bows, spears, and clubs. When Japan invaded Korea in 1592, they arrived with a force of Samurai, Arquebusiers, Archers, and Spearmen. The Ashanti Empire, where Ghana is today, was mostly infantry and archers and in later years were infantry with firearms and artillery.</p><p>In the 16th century, things changed somewhat. The colonization of various parts of the world to draw the wealth of those regions meant that in times of war, you could destabilize your opponent by interfering with their ability to pay for troops or mercenaries. 
This spawned a growth in the use of Privateers and, to combat Privateers, most navies began to greatly expand in size and capability. This brought on the era of Multi-Domain Battle. Understanding that war can be waged not just on Land, but at Sea, in the Air, in Space, or in Cyberspace is crucial to understanding how it will be used going forward.</p><p>The era we currently live in is that of Joint Operations or Joint All Domain Operations. The idea is that sure, there are different military branches, with different specialties and goals in combat, but the overall military strategy relies on a single, unified combat command based on a geographic area or a specific function that a command has. For example, the US military has a geographic command in USAFRICOM, or Africa Command, which is in charge of operations on most of the continent of Africa except Egypt. An example of a Functional Command is that of USTRANSCOM, Transportation Command, which unifies the various resources of the Army, the Air Force, and the Navy to supply and transport needed materials.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">The DoD Data strategy has been released: <a href="https://t.co/OVDkZ2rada">https://t.co/OVDkZ2rada</a> <a href="https://t.co/ttbnpEwleZ">pic.twitter.com/ttbnpEwleZ</a></p>&#x2014; Maaike Verbruggen (@M__Verbruggen) <a href="https://twitter.com/M__Verbruggen/status/1314458124452016128?ref_src=twsrc%5Etfw">October 9, 2020</a></blockquote>
</figure><p>Cyber is a Unified Functional Command in the US and the US DoD is quite clear about how they intend to use Cyber, as part of Joint All Domain Operations. It does not matter to the US DoD if you are in the Army, the Air Force, the Navy, or the Marines; the service you are in will be working as a team on operations to achieve its goals.</p><p>Finally, we must understand where battles are fought. In the past we had Battlefields, and this is a simple idea. You have a place where both forces meet for an encounter, or where one force uses its speed to dictate to an opposing force where a battle should happen and how it should happen. In the 20th century, though, with the rise of aircraft, battles were no longer two-dimensional areas where you fought, they were three-dimensional spaces. This was still a battlefield though, and even the arrival of space-based assets didn&apos;t change that.</p><p>The arrival of the 5th Domain though, Cyber or sometimes Information, changed how militaries see the battlefield. It is now more than just a three or four-dimensional environment; it now includes an information component and an awareness of the electromagnetic spectrum, which cyber or other means could be used to exploit or through which a form of warfare could be applied. This thinking, combined with Joint All Domain Operations, turned combat domains from places where only specific forms of warfare applied into communication mediums for forms of warfare.</p><!--kg-card-begin: markdown--><h2 id="networkcentricwarfare">Network Centric Warfare</h2>
<!--kg-card-end: markdown--><p>To understand Information Warfare, you need to put aside the idea of Cyber as its own Domain of Warfare and see <a href="https://web.archive.org/web/20210214141915/http://www.iwar.org.uk/iwar/resources/5th-dimension/iw.htm">Information</a> as the real 5th Domain. You need to do this for the same reason that Cyber isn&apos;t the best term for all the things that someone in Cyber Security may be charged with protecting. Ultimately what they are doing is Information Security as it encompasses a broader set of issues beyond that of just digital systems, but includes physical devices, processes, and a general broader outlook towards securing systems and data. With that in mind, what is Information Warfare;</p><!--kg-card-begin: markdown--><blockquote>
<p>&quot;... is any action to Deny, Exploit, Corrupt or Destroy the enemy&#x2019;s information and its functions; protecting ourselves against those actions and exploiting our own military information functions&quot;.<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.), quoting Vice Admiral Arthur Karl Cebrowski; What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>This definition is quite clear, but it may not relate directly to how Cyber is involved. Information Warfare once had a different name, Command and Control Warfare, where the goal was the use of whatever means to Deny, Exploit, Corrupt or Destroy an opponent&apos;s methods for commanding their units, by denying them the ability to get orders out or understand the situation their units were in. With the advent of Cyber Operations, the name changed again from Information Warfare to Network Centric Warfare, as networks became a lot more important in everyday life as well as military life. As a general term, Network Centric Warfare and Information Warfare are interchangeable, but the use of Command and Control Warfare has diminished somewhat.</p><p>Since Information Warfare is not limited to just cyber, it has a wide range of attack modes that a commander can utilize, which were laid out in 1999 before Cyber had become a major focus for military operations;</p><!--kg-card-begin: markdown--><blockquote>
<p>Operations Security (OPSEC)<br>
Concealment, Cover and Deception (CCD)<br>
Psychological Operations (PSYOPS)<br>
Destruction (Hard Kill)<br>
Electronic Warfare (EW)<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Information Warfare is the jamming of, intrusion into, spoofing of, or exploitation of an opponent&apos;s communications channels. Not just that, if your opponent is using some of these attack modes to their advantage, you can implement better OPSEC or CCD, or reduce your electronic signature. All this is done to improve your decision-making while degrading your opponent&apos;s.</p><p>While there is no particular issue with this approach, Col. Borden notes that information is generated in bits per second, which is not something you can destroy, just degrade, so he updates VADM Cebrowski&apos;s definition to be;</p><!--kg-card-begin: markdown--><blockquote>
<p>Degrade<br>
Corrupt<br>
Deny<br>
Exploit<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Network Centric Warfare aims to create an Information Advantage, a scenario where the networks embedded in your weapons systems are such that you generate and process information more quickly and resiliently than your adversary, while degrading their information generation and processing capabilities, to create a state such that;</p><!--kg-card-begin: markdown--><blockquote>
<p>... a commander can sense, understand, decide and act faster and more effectively than an adversary,<br>
<a href="https://www.c4isrnet.com/information-warfare/2020/09/29/out-information-warfare-in-information-advantage/">Lt. Gen. Stephen Fogarty, Commander of U.S. Army Cyber Command; speaking at CEMAlite Conference 2020</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>To understand how this looks in action, it&apos;s best to look at a case study. One of the best examples of how Information Warfare is used is the Air Campaign of the First Gulf War, where the US utilized many aspects of Information Warfare.</p><!--kg-card-begin: markdown--><h4 id="firstgulfwaraircampaign">First Gulf War Air Campaign</h4>
<!--kg-card-end: markdown--><p>In the 70&apos;s the Iraqis hired a French company, Thomson-CSF, to build a fiber optic network to link its various command and control systems, which was completed in 1986. Along with the building of a series of hardened bunkers deep underground, the overall command and control system would be quite difficult to eliminate with conventional means. The bunkers could communicate using a fiber optic network called KARI, with redundant microwave radio links as well as landline links where there were existing telecoms trunks.</p><p>For Coalition Forces to achieve Air Supremacy for Operation Desert Storm, they needed to attack KARI to disrupt centralized anti-air command and control and interceptor command and control, and to suppress enemy air defences. Within two days KARI had been so effectively suppressed by the use of precision-guided weapons that they had switched to dumb bombs and gun strafing runs. Knowing that knocking out KARI was priority number one, the NSA had positioned a Rhyolite/Aquacade Signals Intelligence satellite over Iraq so that when the Iraqis moved from the KARI network to microwave links, the NSA was able to listen in on the communications and exploit this, as they knew exactly what the Iraqis were going to do as soon as they did, allowing Coalition Forces to counter these moves.</p><p>An exploit such as this, used so abundantly, couldn&apos;t last forever and eventually Iraqi intelligence figured out what was going on, but by now they were reduced to motorbike couriers. While effective, they are a slow method of transport in a vast country with a fast-moving battlespace. 
Effectively this degraded the Iraqis&apos; Command and Control of their air defences by destroying their best communication links and forcing them to use less operationally secure and slower methods to communicate, as well as allowing their communications to be exploited to provide that vital Information Advantage.</p><p>While this eliminates the Command and Control network, individual missile batteries could still fire at aircraft. To deal with this, suppression of enemy air defences, or SEAD, was employed. Coalition Forces flew sorties of Wild Weasels to attack batteries that dared to turn on their radars, flew Electronic Warfare aircraft to jam, and used drones to emit signatures that matched other aircraft. This part of the mission corrupted the Information that battery commanders had through Electronic Warfare, and the worry of Wild Weasel aircraft being around, real or spoofed, is Psychological Warfare, as you never know if you will be killed by attempting to acquire a target with your radar.</p><p>If you want to know more about the operation, Chapter 3 of Part 2 of the Gulf War Air Power Survey, published by the <a href="https://apps.dtic.mil/dtic/tr/fulltext/u2/a279742.pdf">US DoD, covers the topic nicely, with the good stuff starting on page 130 of Part 2. Information on spoofing is found on page 91 of Part 2</a>. And Fred Kaplan discusses the impact of downgrading from fibre optic communication to microwave communication in Chapter 2 of his book <a href="http://www.fredkaplan.info/dark-territory.htm">Dark Territory</a>.</p><!--kg-card-begin: markdown--><h2 id="thegodofwar">The God of War</h2>
<!--kg-card-end: markdown--><p>While the Air Campaign of the First Gulf War shows how Information Warfare can be used, it doesn&apos;t show its full utility. It just shows how, for a particular adversary, the way that information flows in that adversary&apos;s networks can be exploited to achieve the given set of objectives for a given operation. It does not show the broad scale of things that Information Warfare is capable of achieving. To understand what it is capable of, it&apos;s worth noting two more things: the first is Fire and Fire Superiority, and the second is Soviet Artillery Doctrine.</p><p>Fires are;</p><!--kg-card-begin: markdown--><blockquote>
<p>The use of weapon systems or other actions to create specific lethal or nonlethal effects on a target.<br>
<a href="https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf">US Joint Chiefs of Staff; DOD Dictionary of Military and Associated Terms, pp 82</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Fire Superiority is;</p><!--kg-card-begin: markdown--><blockquote>
<p>Infantry units must mass the effects of fires to achieve decisive results. Leaders achieve fire superiority by concentrating all available fires. Massing involves focusing fires at critical points, distributing the effects, and shifting to new critical points as they appear<br>
<a href="https://www.marines.mil/Portals/1/Publications/FM%203-21.8%20%20The%20Infantry%20Rifle%20Platoon%20and%20Squad_2.pdf">US Marine Corps; FM 3-21.8, pp 2-2</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The ultimate aim of Fire Superiority is to create a Force Multiplier. Force Multiplication is;</p><!--kg-card-begin: markdown--><blockquote>
<p>A capability that, when added to and employed by a combat force, significantly increases the combat potential of that force and thus enhances the probability of successful mission accomplishment.<br>
<a href="https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf">US Joint Chiefs of Staff; Joint Special Operations Task Force Operations, pp GL-11</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The idea is that the more weapons systems you mass on a target or sector, the greater chance you have of accomplishing your mission. And this is one of the things that Information Warfare can and will do in the modern battlespace. From a wonderful book of Soviet tactics;</p><!--kg-card-begin: markdown--><blockquote>
<p>In modern offensive engagements, mutual fire support between the subunits on the offensive and fire resources increases in importance because of the drastic increase in the resources making fire strikes, the increased scope of offensive engagements, and their dynamism and maneuverability. In order to defeat the enemy, it is necessary to precisely coordinate the fire of the attacking subunits and attached and supporting resources in terms of target, place, and time.<br>
V.G. Reznichenko in <a href="https://books.google.ie/books?id=X8l7RhJmPvsC&amp;dq">&#x422;&#x430;&#x43A;&#x442;&#x438;&#x43A;&#x430;</a>, pp 96</p>
</blockquote>
<!--kg-card-end: markdown--><p>Since I am going to discuss Soviet doctrine, it would be a shame if I didn&apos;t use sources of Russian origin. Now I can&apos;t read Russian, but that does not mean I can&apos;t access literature that covers Soviet doctrine. There exists a wonderful book written by the Soviets and published in English &apos;<em>under the auspices of the U.S. Air Force</em>&apos; called &#x422;&#x430;&#x43A;&#x442;&#x438;&#x43A;&#x430; or Tactics that covers Soviet military doctrine. It&apos;s a fascinating read and, most importantly, there are translated quotes in there from Mikhail Vasilyevich Frunze, who is far and away the most influential military thinker of the Soviet Union and arguably also of the Russian Federation. As far as Frunze was concerned, the application of Fires was what won battles;</p><!--kg-card-begin: markdown--><blockquote>
<p>Fire constitutes the decisive factor and main force in modern combat. Superiority over the enemy may be achieved only by fire.<br>
<a href="https://books.google.ie/books?id=X8l7RhJmPvsC&amp;dq">V.G. Reznichenko quoting M. V. Frunze; &#x422;&#x430;&#x43A;&#x442;&#x438;&#x43A;&#x430; pp 88</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>In western military cultures, maneuver elements such as Main Battle Tanks are the hammer and artillery is the anvil, used in support of the maneuver elements&apos; actions. You can see an example of this in action during <a href="https://youtu.be/RSqKx3FG0Lw?t=496">G-Day in Operation Desert</a> Storm where, as the XVIII Airborne Corps moved forward, the Iraqis fired artillery at them and coalition forces returned massive firepower that allowed maneuver elements to engage ground elements, who immediately surrendered.</p><p>The Soviets had a different outlook on things though. As far as they were concerned, maneuver elements supported the artillery and the artillery is the hammer. So much so that in Soviet military culture, and even today in Russian military culture, artillery is still referred to as <a href="https://info.publicintelligence.net/AWG-RussianNewWarfareHandbook.pdf">The God of War</a>. They did so because they saw artillery in a specific way;</p><!--kg-card-begin: markdown--><blockquote>
<p>Artillery continues to be an important asset for delivering fire strikes on the enemy, having, as it does, great firepower and accuracy, a great capacity for quick preparation for action, and a capability for wide maneuver and rapid concentration of fire on the most important targets.<br>
<a href="https://books.google.ie/books?id=X8l7RhJmPvsC&amp;dq">V.G. Reznichenko; &#x422;&#x430;&#x43A;&#x442;&#x438;&#x43A;&#x430; pp 19</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>So why did they do this? They envisioned a battlespace where they used artillery to gain Fire Superiority, which allows maneuver elements to move without taking as many casualties as they maneuver, because the opposing force is suppressed or unable to fire back as they have to deal with a force that is firing at them. They also place great emphasis on speed in battle, as speed allows you to dictate the course of a battle. This allows you to prevent an enemy from running away or getting to an organized defensive position and allows you to engage them as you please.</p><!--kg-card-begin: markdown--><blockquote>
<p>Modern combined arms combat is characterized by resoluteness, great maneuverability, intensity and fast evolution, rapid and drastic changes in situation and a diversity of methods by which it can be conducted, and the development of high-momentum combat actions on the ground and in the air, on a broad front and in great depth.<br>
<a href="https://books.google.ie/books?id=X8l7RhJmPvsC&amp;dq">V.G. Reznichenko; &#x422;&#x430;&#x43A;&#x442;&#x438;&#x43A;&#x430; pp 36</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>We should break down some of those terms. Speed is pretty obvious, moving fast, as is intensity, and fast evolution is explained in the quote. By recognition of the <em>diversity of methods by which it can be conducted</em>, they are also planning a battle similar to a Battlespace, where combat spans domains and forms of warfare. Maneuverability, though, isn&apos;t explained and in Soviet artillery terms it has a specific meaning;</p><!--kg-card-begin: markdown--><blockquote>
<p>Maneuver by fire is a Russian concept whereby fire is shifted from one target, line or sector without moving the firing positions of the artillery pieces. It is used in battle to cause mass destruction of important targets in a short period of time. All of the fires can be conducted against one target simultaneously or conducted against that target and then other targets one after another.<br>
<a href="https://community.apan.org/wg/tradoc-g2/fmso/m/fmso-books/199251">Dr. Lester W. Grau and Charles K. Bartles; The Russian Way of War, pp 234-235 </a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Now that was quite a lot of discussion on the nature of Soviet Artillery. Where am I going with this? Well, General Mike Hayden once gave a very interesting quote;</p><!--kg-card-begin: markdown--><blockquote>
<p>[Cyber] &#x201C;It&#x2019;s inherently global, inherently strategic, inherently characterized by great speed, inherently characterized by great maneuverability and hard to defend,&#x201D; &#x201C;Automatically, you know all the advantage goes to the offense.&#x201D;<br>
<a href="https://www.westmont.edu/consequences-disruption-current-threats-us-security">General Michael Hayden, former DCIA and DNSA; Speaking at Westmont College</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Bear in mind, when he was Director of the NSA in 1999, while the doctrine of Information Warfare was being defined by the various bodies of the DoD, he was leading one of the major arms of any Information Warfare effort. He has a unique view of how Information Warfare would be used and what its capabilities are. Allow me to explain.</p><p>Seeing the Cyber component of Information Warfare as global is easy; the internet is borderless and it allows you massive reach. It&apos;s strategic in that Information Warfare is, by nature, the denial, exploitation, corruption, or destruction of information, which affects how an opponent thinks and makes decisions. Any impact on that has strategic impacts. And it&apos;s got a massive advantage for those on the offensive, as attacks are carried out in milliseconds and the lag between attack and detection can range from days to months, during which you can effectively exploit the information gathered.</p><p>But where the comparison to Soviet Artillery comes into its own is when he mentions the speed, maneuverability, and how difficult it is to defend from. Cyber essentially moves at light speed. Cyber would hardly be used to attack a single target, and by its automated nature, you could easily set up a strike package for several targets <em>n</em>, and when ready, fire at the first target and move through all targets on the list until you hit <em>n</em>, or if you so choose, fire simultaneously, without ever having to move.</p><p>But not just that, Soviet and modern Russian artillery has a number of uses;</p><!--kg-card-begin: markdown--><blockquote>
<p>They are designed to perform the following main tasks:</p>
<ul>
<li><strong>achieve and maintain fire superiority</strong></li>
<li>defeat of the enemy&#x2019;s means of nuclear attack, manpower, weapons, military and special equipment</li>
<li><strong>disrupt</strong> troops and <strong>command and control</strong>, reconnaissance, and <strong>EW systems</strong></li>
<li>destroy permanent defense installations and other infrastructure</li>
<li>disrupt the enemy&#x2019;s operational and tactical logistics</li>
<li>weaken and isolate the enemy&#x2019;s second echelons and reserve</li>
<li>destroy enemy tanks and other armored vehicles that breach the defense</li>
<li>cover open flanks and junctions</li>
<li>participate in the destruction of enemy aircraft and the amphibious assault forces</li>
<li>conduct remote mining operations</li>
<li>provide illumination to troops maneuvering at night</li>
<li>provide smoke screens and blind enemy targets</li>
<li><strong>distribute propaganda materials</strong><br>
<a href="https://community.apan.org/wg/tradoc-g2/fmso/m/fmso-books/199251">Dr. Lester W. Grau and Charles K. Bartles; The Russian Way of War, pp 232 </a></li>
</ul>
</blockquote>
<!--kg-card-end: markdown--><p>Now isn&apos;t that curious? Artillery is a form of fire that, while it has multiple uses, can be used to gain and maintain fire superiority, disrupt command and control as well as electronic warfare, and corrupt the information space with propaganda. Not only is Cyber in some ways directly comparable to artillery in how it could be employed, but their objectives also share some overlap.</p><p>The use of Information Warfare is essentially a form of fire, though not in the traditional sense. Because it is a fire, it is a force multiplier, where an Information Advantage can be leveraged, with or without more traditional forms of Information Warfare, to gain an advantage over an opponent, with the idea that this will achieve the US goal of Full Spectrum Dominance over every Domain of the Battlespace.</p><!--kg-card-begin: markdown--><h1 id="weaponsemployment">Weapons Employment</h1>
<!--kg-card-end: markdown--><p>Now, after some background, I suppose I should get on with what people are probably here for: some examples of how <a href="https://tenor.com/view/simpsons-zzzzzzzap-zap-gif-5143141">Cyber Bullets going Zzzzzzzap</a> or <a href="https://tenor.com/view/pew-futurama-phillip-jfry-pew-pew-pew-billy-west-gif-5364124">pew pew</a> or whatever sound is made, can be used as a Force Multiplier in combat. Just be aware that the terminology you may be familiar with may differ from what you expect, as things tend to have a different meaning in a military context, because militaries have their own lexicon.</p><!--kg-card-begin: markdown--><h2 id="degrade">Degrade</h2>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>Data can be degraded either by delaying it until its usefulness is reduced or by destroying it in full or part. For example, the use of concealment is an Attack measure (degradation) against the collection task. The use of jamming to reduce the Capacity of a communications channel (thereby delaying transmission) is another example.<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h3 id="sealinesofcommunicationsloc">Sea Lines of Communication (SLOC)</h3>
<!--kg-card-end: markdown--><p>If you have ever read <a href="https://tomclancy.com/product/red-storm-rising"><em>Tom Clancy&apos;s Red Storm Rising</em></a>, you will be acutely familiar with the importance of Sea Lines of Communication. One of the major plotlines in the book concerns Soviet plans to disrupt NATO&apos;s ability to resupply their forces in the European theatre of battle. To do this they attempt to close the Sea Lines of Communication between North America and Europe. This will continue to be a strategy in the future, though the ultimate aims of such a strategy and thoughts of what Sea Lines of Communication are may change from sea-based trade and logistics to data transmission across the seas.</p><p>For an example of this, Fred Kaplan in his wonderful book Dark Territory has an interesting snippet from the time the NSA was led by VADM McConnell. He was presented with a map of Sea Lines of Communication and also with another of undersea fiber-optic cables, and was able to grasp the similarity between the conventional thinking on Sea Lines of Communication and where this idea might go in the future;</p><!--kg-card-begin: markdown--><blockquote>
<p>Around the same time, one of McConnell&#x2019;s aides came into his office with two maps. The first was a standard map of the world, with arrows marking the routes that the major shipping powers navigated across the oceans&#x2014;the &#x201C;sea lines of communication,&#x201D; or SLOCs, as a Navy man like McConnell would have called them. The second map showed the lines and densities of fiber-optic cable around the world.</p>
</blockquote>
<blockquote>
<p>This is the map that you should study, the aide said, pointing to the second one. Fiber-optic lines were the new SLOCs, but they were to SLOCs what wormholes were to the galaxies: they whooshed you from one point to any other point instantaneously.</p>
</blockquote>
<blockquote>
<p>McConnell got the parallel, and the hint of transformation, but he didn&#x2019;t quite grasp its implications for his agency&#x2019;s future.<br>
<a href="http://www.fredkaplan.info/dark-territory.htm">Fred Kaplan; Dark Territory, pp 30</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>During Operation Desert Storm, VADM McConnell ran the Joint Intelligence Center, the heart of the US military&apos;s information warfare operations, including working on the targeting of the KARI network as I mentioned previously. He knew how important information warfare was going to be and in his time leading the NSA he revolutionized the agency, taking it from an organization that was struggling to gather SIGINT from older sources such as microwave links, as they disappeared, only to be replaced with fiber-optic cables, to one that was capable of quickly pivoting to what others were doing, continuing to gather SIGINT and embracing information warfare;</p><!--kg-card-begin: markdown--><blockquote>
<p>McConnell had a lot on his plate: the budget cuts, the accelerating shift from analog circuits to digital packets, the drastic decline in radio signals, and the resulting need to find new ways to intercept communications. (Not long after McConnell became director, he found himself having to shut down one of the NSA antennas in Asia; it was picking up no radio signals; all the traffic that it had once monitored, in massive volume at its peak, had moved to underground cables or cyberspace.)<br>
<a href="http://www.fredkaplan.info/dark-territory.htm">Fred Kaplan; Dark Territory, pp 35</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>In a time of war, the cutting of fiber optic cables would not destroy an adversary&apos;s ability to command its forces, but as I mentioned, the goal is to degrade this capability rather than to destroy it. <a href="https://www.newsweek.com/undersea-cables-transport-99-percent-international-communications-319072">As 99% of transoceanic data is transmitted over sub-sea fiber optic cable</a>, any degradation of service will ultimately degrade the number of bits per second transmitted across oceans, which is the ultimate goal of Information Warfare.</p><p>Further to this end, <a href="https://www.navyhistory.org.au/category/article-topics/naval-history/naval-technology/">an occasional paper in the Naval Historical Society of Australia</a> mentions that the Australian government considers its sub-sea fiber optic links to be vital to the national economy, and has made the protection of such sub-sea cables a major issue as it presents major strategic consequences in times of war. By cutting such cables, not only do you degrade a state&apos;s ability to gather and use information, thereby degrading their informational awareness, you can also have secondary impacts such as disrupting the functioning of the national economy.</p><!--kg-card-begin: markdown--><h3 id="domaindenial">Domain Denial</h3>
<!--kg-card-end: markdown--><p>While it is arguable whether the tenuous relationship between data transmission and naval logistics is a real issue, and the quote from Fred Kaplan could be interpreted in various ways, Domain Denial does not have such an issue and is a common form of warfare, as can be seen by the use of surface-to-air missile systems to assist in air control.</p><p>Unlike the land, sea, and air, space has become immensely important to civilians and militaries alike over the last 30 to 40 years. More capabilities have moved to space because they allow for a given function to be done more precisely, with greater coverage and expanded capabilities.</p><p>GPS, for example, while it has become a staple of everyday civilian life, has transformed how militaries perform targeting by allowing weapons to be guided on to a target; even if the target is on the move, you can update and relay the new position and use a constantly computed impact point to ensure you hit the target. If you don&apos;t have a precise place for a guided munition to hit, you can also use space-based assets like satellite imagery to figure out where a target is and then get a GPS location for it. And over time this has only grown in importance;</p><!--kg-card-begin: markdown--><blockquote>
<p>Almost all modern military engagements rely on space-based assets. During the US-led invasion of Iraq in 2003, 68 per cent of US munitions were guided utilizing space-based means (including laser-, infrared- and satellite-guided munitions); up sharply from 10 per cent in 1990&#x2013;91, during the first Gulf war. In 2001, 60 per cent of the weapons used by the US in Afghanistan were precision-guided munitions, many of which had the capability to use information provided by space-based assets to correct their own positioning to hit a target<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 2</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>While GPS, also known as Position, Navigation and Timing, and imagery intelligence, which is part of the larger mission of Intelligence, Surveillance, and Reconnaissance, are a subset of what can be accomplished with space-based assets, space is capable of so much more than just that, with a subset of missions in each category of which I have only scratched the surface;</p><!--kg-card-begin: markdown--><blockquote>
<p>NATO currently uses six space-dependent capabilities for its alliance operations and missions:</p>
<ul>
<li>Position, navigation and timing (PNT)</li>
<li>Intelligence, surveillance and reconnaissance (ISR)</li>
<li>Missile defence</li>
<li>Communications</li>
<li>Space situational awareness (SSA)</li>
<li>Environmental monitoring (weather forecasting)<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 10</a></li>
</ul>
</blockquote>
<!--kg-card-end: markdown--><p>So how would one degrade space assets to such an extent that the domain was partially or entirely denied to an adversary? The European Space Agency has done multiple studies looking into the cybersecurity of space-based systems and found that conventional civilian systems are vulnerable to &quot;<em>jamming, spoofing and hacking attacks</em>&quot;, as well as providing some examples of previous attempts at using these tactics;</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="examplesofhackingspoofingspyinginspace">Examples of hacking, spoofing, spying in space</h4>
<p>Some unclassified examples from open literature include:</p>
<ul>
<li>In 1998, German-US ROSAT space telescope inexplicably turned<br>
towards the sun, irreversibly damaging a critical optical sensor<br>
following a cyber-intrusion at the Goddard Space Flight Center.</li>
<li>On October 20, 2007, Landsat 7 experienced 12 or more minutes<br>
of interference. Again, on July 23, 2008, it experienced other 12<br>
minutes of interference. The responsible party did not achieve all<br>
steps required to command the satellite, but the service was<br>
disturbed.</li>
<li>2008, NASA EOS AM&#x2013;1 satellite experienced two events of<br>
disrupted control: in both cases, the attacker achieved all steps<br>
required to command the satellite, but did not issue commands.<br>
<a href="https://eisc-europa.eu/images/stories/2018/Workshop/Final_upload/EISC_Presentations/Cybersecurity_-_Jean_Muylaert_and_Luca_del_Monte.pdf">Jean Muylaert and Luca Del Monte; Cybersecurity of Space Missions, slide 3</a></li>
</ul>
</blockquote>
<!--kg-card-end: markdown--><p>It has gotten serious enough that the US Air Force Research Lab teamed up with the organizers of DEFCON to host the Hack-A-Sat CTF at DEFCON 28, where the second-place team, Poland Can Into Space, was able to gain control of an actual satellite, in orbit and turn it to take a photo of the moon, in a literal moonshot;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Cyber moonshot accomplished at our <a href="https://twitter.com/hack_a_sat?ref_src=twsrc%5Etfw">@hack_a_sat</a> <a href="https://twitter.com/defcon?ref_src=twsrc%5Etfw">@defcon</a> event! After solving hard hacking challenges, one team sent code to a live satellite, snagging this literal moonshot pic from 385000 km away. Congrats to all winners and thanks to <a href="https://twitter.com/usairforce?ref_src=twsrc%5Etfw">@usairforce</a>, <a href="https://twitter.com/DoDSpaceForce?ref_src=twsrc%5Etfw">@DoDSpaceForce</a>, <a href="https://twitter.com/DefenseDigital?ref_src=twsrc%5Etfw">@DefenseDigital</a>! <a href="https://t.co/1FF7voDU5h">pic.twitter.com/1FF7voDU5h</a></p>&#x2014; Will Roper (@WILLROP3R) <a href="https://twitter.com/WILLROP3R/status/1292553597222191105?ref_src=twsrc%5Etfw">August 9, 2020</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>I won&apos;t quote all of what Beyza Unal identified as possible impacts of a loss of access to space assets, you can peruse them in the linked paper at your discretion, but I will discuss a few that are interesting to me and expand on them if possible.</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="positionnavigationandtimingpnt">Position, navigation and timing (PNT)</h4>
<p>Losing connection with ships, aircraft, carriers etc. in conflict due to interference to their navigation systems.<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 17</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Any interruption of service to position, navigation, and timing systems directly impacts the ability of many other systems to operate correctly. As the quote states, losing or degrading PNT can directly impact your ability to command and control your forces. This can be taken a step further by entering the communications channel and feeding false data to warships. Denying or degrading access to such systems is a core goal of information warfare, and pivoting from that into feeding false data and luring a force into a trap is the corruption of information in information warfare.</p><p>This threat is being taken so seriously by the US military that the US Navy has brought back the use of the <a href="https://www.militarytimes.com/news/your-military/2015/11/01/naval-academy-reinstates-celestial-navigation/">Sextant for Celestial Navigation, directly citing the risks of cyber attacks, as well as things like lightning strikes</a>. The US Air Force has Inertial Navigation Systems and Astro-Inertial Navigation Systems in a range of aircraft including the <a href="https://www.thedrive.com/the-war-zone/17207/sr-71s-r2-d2-could-be-the-key-to-winning-future-fights-in-gps-denied-environments">B-1, B-2, RC-135, and F-35, as well as possibly the RQ-180 drone, and it is believed that the upcoming B-21 will also have such a system</a>. To ensure that ICBMs and SLBMs can still navigate in the event of nuclear war, the US land-based Minuteman-III has an <a href="https://minutemanmissile.com/missileguidancesystem.html">Inertial Navigation System</a> and the Trident D5 SLBM has an <a href="https://arc.aiaa.org/doi/abs/10.2514/6.1991-2761">Astro-Inertial Navigation System</a>.</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="intelligencesurveillanceandreconnaissanceisr">Intelligence, surveillance and reconnaissance (ISR)</h4>
<p>Loss of situational awareness in peacetime and at times of conflict, resulting in faulty decision-making.<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 18</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Having an Information Advantage relies on your ability to collect intelligence for processing, exploitation, and analysis. If you can degrade or deny a nation&apos;s ability to get that data, or corrupt the data it gets, you impact its ability to command and control troops and make good decisions, and you shrink the information environment it operates in. This, in essence, is the goal of Information Warfare.</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="missiledefence">Missile defence</h4>
<p>Cyberattacks on missile defence could occur in the form of spoofing, thus deceiving the ballistic missile command system<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 18</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The US operates a satellite constellation called the Space-Based Infrared System, or SBIRS, whose main job is to use infrared sensors to detect the launch of all kinds of missiles, from tactical systems such as the SS-1 Scud all the way up to the biggest ICBMs like the SS-18 Satan or the SS-X-30 Satan II.</p><p>If an adversary were to take control of the constellation, it would deny the US warning of missiles being fired at it at any scale of conflict, and with no warning to run for a bunker or clear an area the result could be massive casualties. Even if only a few satellites were taken over and the US were denied access to them, or their data were corrupted by displaying a &apos;<em>false sky picture</em>&apos; of the battlespace, it would cut the time available to act in the event of a tactical or nuclear first strike.</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="communications">Communications</h4>
<p>Losing communication systems or receiving spoofed data, thus compromising the integrity of information received.<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 18</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>The US operates a communication network for battalions in the field called the <a href="https://www.slideserve.com/skyler-barnett/what-does-the-jnn-network-provide">Joint Network Node or JNN</a>. The system gives a unit a satellite-communications link for networking beyond the local area it is in. The 11th slide gives a breakdown of the full networking capabilities of the system, which include access to the classified and unclassified data networks <a href="https://storefront.disa.mil/kinetic/disa/service-catalog#/forms/secret-internet-protocol-data">SIPRNet</a> and <a href="https://storefront.disa.mil/kinetic/disa/service-catalog#/forms/sensitive-but-unclassified-internet-protocol-data">NIPRNet</a>, as well as services like video conferencing and VoIP. Any impact on the space-based assets that carry this traffic would directly shrink the information environment available to battlefield commanders on the ground.</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="spacesituationalawareness">Space situational awareness</h4>
<p>Loss of control or destruction of satellite control systems through the targeting of those systems or of mission packages by cyberattacks<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 18</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>As I have mentioned several times, and shown evidence for, there is a significant risk of losing control of various space-based assets. The ESA examples show that a sensor can be destroyed, permanently degrading that capability. If a satellite is in Low Earth Orbit and an attacker has full control of it, they could deorbit it into the atmosphere or ruin its orbit entirely, rendering it useless.</p><p>With control of a satellite, an attacker could also corrupt the data it broadcasts. GPS receivers depend on the constellation&apos;s very precise timing, so corrupting it would shift computed positions and make guided munitions land off-target. Or, more simply, an attacker could try to lock a nation out of its own system and deny its use entirely.</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="environmentalmonitoring">Environmental monitoring</h4>
<p>Weather information is fundamental for land, air, and maritime domains. Cyberattacks on weather forecasting systems could impact on operational capacity.<br>
<a href="https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf">Beyza Unal; Cybersecurity of NATO&#x2019;s Space-based Strategic Assets, pp 18</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Weather has played an important part in military operations throughout history. At the Battle of Agincourt, recent heavy rain on ploughed fields made the French attack on the English an extremely arduous and tiring task, as the French had to cross that ground in full plate armour. In WW2, Operation Overlord&apos;s Normandy Landings were delayed by a day, from June 5th to 6th, because of bad weather. While the 6th didn&apos;t have the greatest weather either, it was decided to take the chance and it proved to be the right call.</p><p>Since the weather has historically played a massive role in every domain of combat, being able to manipulate an opponent&apos;s weather data would let you directly influence their decision making, either to set up your own attack or to stall theirs long enough to get a better defence in place. The impact would not be as large as it once was, since infantry is mechanised, planes fly in all weather and ships no longer have the problems navies faced with big-gun combat, but bad weather and its effects on terrain can still slow operations considerably and stop some of them altogether, such as amphibious and airborne landings.</p><!--kg-card-begin: markdown--><h2 id="corrupt">Corrupt</h2>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>To Corrupt is to insert false data. For example, the use of dummies on the battlefield is an Attack Measure against the Collection function. Intrusion into a communications channel and spoofing is another example. Psychological Operations (Psyops) is an example of Corrupting information being Stored in the protein processor (the human mind).<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h3 id="spoofing">Spoofing</h3>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h4 id="operationoutsidethebox">Operation Outside the Box</h4>
<!--kg-card-end: markdown--><p>Operation Outside the Box was a 2007 Israeli raid on an <a href="https://www.reuters.com/article/idUSTRE51I45R20090219">undocumented nuclear facility, possibly a covert graphite reactor</a>, in Syria. The raid is interesting for multiple reasons, such as the<a href="https://web.archive.org/web/20101105130625/http://www.haaretz.com/news/how-idf-troops-infiltrated-alleged-syria-nuke-site-1.272512"> Iranian financing of the reactor</a>, <a href="https://www.nytimes.com/2007/10/14/washington/14weapons.html?hp">the deaths of multiple North Korean nuclear technicians or scientists in the raid</a> or, above all, <a href="https://web.archive.org/web/20071010175618/http://www.timesonline.co.uk/tol/news/world/middle_east/article2461421.ece">the nuclear materials for the reactor coming from North Korea</a>, but the most interesting part is how Israel used Electronic Warfare, and possibly Cyber Warfare, as part of the raid.</p><p>The raid required several Israeli aircraft to penetrate Syrian airspace undetected to attack the facility. In 2007 the only nation in the world with stealth aircraft was the US, with the F-117 and F-22 fighters and the B-2 bomber. Israel used what it had, F-15s and F-16s, along with electronic warfare aircraft. The attack took place in four major stages.</p><p>The first stage was to take off from Ramat David Airbase and fly up the Syrian coast to the Turkish-Syrian border, where they attacked a radar site at Tall al-Abuad in Syria. It was first attacked with electronic warfare techniques, most likely jamming, and then bombed with precision-guided bombs to take out the site. This created an entry point in Syrian air defence for the planes to penetrate the airspace. Once inside, the really interesting part of the attack could begin.</p><!--kg-card-begin: markdown--><blockquote>
<p>Almost immediately, the entire Syrian radar system went off the air for a period of time that included the raid, say U.S. intelligence analysts.<br>
<a href="https://aviationweek.com/israel-shows-electronic-prowess">David A. Fulghum, Robert Wall and Amy Butler; Israel Shows Electronic Prowess</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Through a combination of jamming the HF and VHF communication links used for command and control of the air defences, other unknown forms of electronic attack from the electronic warfare support aircraft, and &quot;<em>penetration through computer-to-computer links</em>&quot;, the aircraft were able to transit the airspace undetected and bomb the suspected nuclear reactor. It is unknown whether the &quot;<em>penetration through computer-to-computer links</em>&quot; was a form of cyber warfare, or whether the computers were linked over the HF/VHF network and were therefore exposed to jamming or electronic attack.</p><p>It is believed that the electronic warfare support aircraft were able to create a spoofed image of the skies above Syria, a &quot;<em>false sky picture</em>&quot;, so that even while the Israeli aircraft were transiting the airspace, all the radar operators saw was the electronically manipulated picture that the Israelis broadcast and wanted the Syrians to see.</p><!--kg-card-begin: markdown--><blockquote>
<p>U.S. aerospace industry and retired military officials indicated today that a technology like the U.S. developed &quot;Suter&quot; airborne network attack system</p>
</blockquote>
<blockquote>
<p>...<br>
The technology allows users to invade communications networks, see what enemy sensors see and even take over as systems administrator so sensors can be manipulated into positions so that approaching aircraft can&apos;t be seen, they say. The process involves locating enemy emitters with great precision and then directing data streams into them that can include false targets and misleading messages algorithms that allow a number of activities including control.<br>
<a href="http://www.aviationweek.com/Blogs.aspx?plckBlogId=Blog%3A27ec4a53-dcc8-42d0-bd3a-01329aef79a7&amp;plckPostId=Blog%3A27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3A2710d024-5eda-416c-b117-ae6d649146cd">David A. Fulghum; Why Syria&apos;s Air Defenses Failed to Detect Israelis<br>
</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>Essentially invisible to air defences, the Israeli aircraft proceeded to the target where commandos used laser designators to illuminate the target to be destroyed. With the facility bombed and destroyed, it was time for the aircraft to head home via the route they came, <a href="https://abcnews.go.com/Technology/story?id=3702807">still undetected</a>.</p><p>The vast majority of the useful reporting on this comes from a fascinating article by <a href="https://aviationweek.com/israel-shows-electronic-prowess">David A. Fulghum, Robert Wall and Amy Butler called &quot;<em>Israel Shows Electronic Prowess</em>&quot; in Aviation Week</a> which gives an account of the attack through the lens of electronic warfare.</p><!--kg-card-begin: markdown--><h3 id="deception">Deception</h3>
<!--kg-card-end: markdown--><p>Russian military culture has other loves than artillery, and one of them is &#x43C;&#x430;&#x441;&#x43A;&#x438;&#x440;&#x43E;&#x432;&#x43A;&#x430; or maskirovka, literally &quot;disguise&quot;. It is their doctrine of deception and camouflage, used to deceive the enemy or deny them information, and while there are many great conventional battles one can look at, right up to today, they have carried this thinking into the fifth domain and used it to great effect. I want to take a look at two examples;</p><!--kg-card-begin: markdown--><h4 id="infrastructuretakeover">Infrastructure Takeover</h4>
<!--kg-card-end: markdown--><p>In 2019, a group known as Turla, believed to be <a href="https://attack.mitre.org/groups/G0010/">Russian</a>, appears to have <a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/waterbug-espionage-governments">hijacked the infrastructure of APT34</a>, an <a href="https://attack.mitre.org/groups/G0049/">Iranian group</a>, and used it to deliver further malware to systems that APT34 had already compromised. This might have gone unnoticed, and Turla could have collected free intelligence, had it not been for the use of Turla&apos;s own tooling: its custom version of Mimikatz, its packer and its custom Windows service called Neuron. Done at a larger scale, repurposing existing tooling but sending the data to different command and control servers, this would muddy the waters of who is and who isn&apos;t hacking into your systems. The Symantec researchers who discovered it are well aware of this;</p><!--kg-card-begin: markdown--><blockquote>
<p><strong>Opportunistic sowing of confusion</strong>: If a false flag operation wasn&#x2019;t planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators. Based on recent leaks of Crambus internal documents, its Poison Frog control panel is known to be vulnerable to compromise, meaning it may have been a relatively trivial diversion on the part of Waterbug to hijack Crambus&#x2019;s infrastructure. A compromise conducted by one threat actor group through another&apos;s infrastructure, or fourth party collections, has been previously discussed in a 2017 white paper by Kaspersky researchers.<br>
<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/waterbug-espionage-governments">Symantec DeepSight Adversary Intelligence Team; Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h4 id="olympicdestroyer">OlympicDestroyer</h4>
<!--kg-card-end: markdown--><p>OlympicDestroyer is not a particularly interesting piece of malware in many senses: it gained access to networks via phishing and wiped the Domain Controllers in Windows environments. Two things stood out about it. First, it was a petty attack by <a href="https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and">Russia&apos;s GRU Unit 74455</a>, or Sandworm, in retaliation for the slight of being banned from competition over the systematic, state-sponsored doping at the 2014 Winter Olympics. Second, the malware carried a never before seen level of deception, which went so far that one person who worked on it described it as psychological warfare;</p><!--kg-card-begin: markdown--><blockquote>
<p>In fact, all those contradictory clues seemed designed not to lead analysts toward any single false answer but to a collection of them, undermining any particular conclusion. The mystery became an epistemological crisis that left researchers doubting themselves. &#x201C;It was psychological warfare on reverse-engineers,&#x201D; says Silas Cutler, a security researcher who worked for CrowdStrike at the time. &#x201C;It hooked into all those things you do as a backup check, that make you think &#x2018;I know what this is.&#x2019; And it poisoned them.&#x201D;<br>
<a href="https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/">Andy Greenberg; The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History</a></p>
</blockquote>
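<p>One of those &quot;backup checks&quot; is the PE Rich header, which comes up in the attribution story that follows: the header is an undocumented block the Microsoft linker writes between the DOS stub and the PE header, listing the compiler and linker products that built the binary, XOR-encoded with a key that is also a checksum over the DOS header and the entries. What follows is an added example, not code from the post, from Kaspersky or from any of the researchers named here, of the kind of cross-check involved: decode the header, recompute the key against the DOS stub it actually sits in, and compare the linker it claims with the linker version recorded in the PE optional header. The checksum algorithm is the publicly documented one; the product-ID table is deliberately partial and its one entry (0x0004 as the Visual Studio 6 linker) is an assumption to extend from a reference list; the two binaries are synthetic blobs constructed inline, not real samples.</p>

```python
"""Parse a PE Rich header and sanity-check it (added example with constructed sample blobs)."""

DANS = 0x536E6144            # the bytes "DanS" read as a little-endian DWORD
RICH = b"Rich"
E_LFANEW = range(0x3C, 0x40)  # DOS header field the checksum skips
# Partial product-ID table. Assumption: 0x0004 is the Visual Studio 6 linker ("Linker600").
LINKER_PRODIDS = {0x0004: 6}


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def p32(value):
    return (value & 0xFFFFFFFF).to_bytes(4, "little")


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def parse_rich_header(pe):
    """Return (dans_offset, xor_key, [(prodid, build, count), ...]) or None if absent."""
    rich_off = pe.find(RICH, 0x40, u32(pe, 0x3C))   # must sit between DOS header and PE header
    if rich_off == -1:
        return None
    key = u32(pe, rich_off + 4)                      # the key is stored in clear after "Rich"
    dans_off = rich_off - 4
    while dans_off >= 0x40 and u32(pe, dans_off) ^ key != DANS:
        dans_off -= 4                                # walk back to the encoded "DanS" marker
    if dans_off < 0x40:
        return None
    entries = []
    for pos in range(dans_off + 16, rich_off, 8):    # skip "DanS" and three padding DWORDs
        compid, count = u32(pe, pos) ^ key, u32(pe, pos + 4) ^ key
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return dans_off, key, entries


def rich_checksum(pe, dans_off, entries):
    """Recompute the key as the linker derives it: the DanS offset, plus every DOS-header byte
    (e_lfanew excluded) rotated left by its offset, plus every comp.id rotated by its use count."""
    csum = dans_off
    for i in range(dans_off):
        if i not in E_LFANEW:
            csum = (csum + rol32(pe[i], i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        csum = (csum + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return csum


def major_linker_version(pe):
    """MajorLinkerVersion: PE signature (4) + COFF header (20) + Magic (2) into the PE header."""
    return pe[u32(pe, 0x3C) + 4 + 20 + 2]


def check_rich_header(pe):
    """Triage findings: does the key match this DOS stub, and does the claimed linker agree
    with the optional header? (vacuously consistent when no known linker prodid is present)"""
    parsed = parse_rich_header(pe)
    if parsed is None:
        return {"present": False}
    dans_off, key, entries = parsed
    major = major_linker_version(pe)
    claimed = [LINKER_PRODIDS[p] for p, _, _ in entries if p in LINKER_PRODIDS]
    return {
        "present": True,
        "entries": entries,
        "checksum_ok": rich_checksum(pe, dans_off, entries) == key,
        "header_linker_major": major,
        "linker_consistent": all(v == major for v in claimed),
    }


# --- constructed samples: synthetic PE-like blobs, not real binaries or malware ---
def dos_header(stub_byte):
    dos = bytearray(b"MZ" + bytes([stub_byte]) * 0x7E)   # 0x80 bytes; Rich block follows
    dos[0x3C:0x40] = p32(0x100)                          # e_lfanew: PE header at 0x100
    return dos


def pe_tail(major_linker):
    # "PE\0\0", zeroed COFF header, then Magic (PE32) and Major/MinorLinkerVersion
    return b"PE\0\0" + bytes(20) + (0x10B).to_bytes(2, "little") + bytes([major_linker, 0])


def build_sample(stub_byte, entries, major_linker):
    """A blob whose Rich header was written for its own DOS stub, as a linker would."""
    dos = dos_header(stub_byte)
    key = rich_checksum(dos, 0x80, entries)
    rich = p32(DANS ^ key) + p32(key) * 3
    for prodid, build, count in entries:
        rich += p32(((prodid << 16) | build) ^ key) + p32(count ^ key)
    rich += RICH + p32(key)
    body = dos + rich
    return bytes(body) + bytes(0x100 - len(body)) + pe_tail(major_linker)


def build_forged(donor, stub_byte, major_linker):
    """Transplant the donor's encoded Rich block verbatim into a different binary."""
    dans_off, _, _ = parse_rich_header(donor)
    block = donor[dans_off:donor.find(RICH, dans_off) + 8]
    body = dos_header(stub_byte) + block
    return bytes(body) + bytes(0x100 - len(body)) + pe_tail(major_linker)


# A VS6-era build: the key matches its stub and the claimed linker agrees with the header.
GENUINE = build_sample(0x00, [(0x0004, 8168, 2), (0x0001, 0, 12)], 6)
# The same Rich block pasted into a binary with another DOS stub and a 14.x linker version:
# the key no longer matches, and the claimed VS6 linker contradicts the optional header.
FORGED = build_forged(GENUINE, 0x90, 14)

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, check_rich_header(blob))
```

<p>The caveat a practitioner needs: a key that verifies proves nothing, because anyone who knows the algorithm can recompute it for the stub they are pasting into. A key that fails, or a header that claims a linker the optional header contradicts, is the kind of inconsistency that turns a &quot;backup check&quot; from evidence into a question.</p>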
<!--kg-card-end: markdown--><p>At first, a lot of eyes were on North Korea, given the history between North and South Korea. Others looked at Russia, since it did have that doping ban. But then eyes turned to China, as there was code previously used only by Chinese hackers. You couldn&apos;t be quite sure who was behind it. Russia was next to have the finger pointed at them when <a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html">Cisco&apos;s Talos Group found a password-stealing tool</a> that looked like the one in NotPetya and Bad Rabbit, but it wasn&apos;t the same code as those tools, more a rewritten version of it.</p><p>The wiper component of the malware shared code with the wiper that <a href="https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/">BAE Systems had found the Lazarus Group</a>, out of North Korea, had used, and it used the same, very distinctive, method of wiping: deleting the first 0x1000 (4096) bytes of a file. Next, <a href="https://web.archive.org/web/20180214084615/http://www.intezer.com/2018-winter-cyber-olympics-code-similarities-cyber-attacks-pyeongchang/">Intezer found</a> that part of the password-stealing code came from the Chinese group known as APT3, and CrowdStrike connected parts of the code to the XData malware used by Russian carding gangs.</p><p>Running out of ideas, a Kaspersky researcher <a href="https://securelist.com/the-devils-in-the-rich-header/84348/">looked at the Rich header</a> of the malware to see if any details about the authors could be gleaned from it. He found that it had the same Rich header as Lazarus Group samples, but on further analysis he showed that this couldn&apos;t possibly be genuine and that the header had been forged to match Lazarus Group.</p><p>Next up, <a href="https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/">a researcher at FireEye</a> had the novel idea of looking not at the malware itself but at the delivery method for clues as to who the attacker was. He took the infected attachment, looked at its characteristics and tried to match them to other malicious documents FireEye had, and noticed that the same method had been used against multiple Ukrainian targets over the previous few months. The real break came when he looked at the IP address that served up the malware and the domain name that hosted it, account-loginserve.com.</p><p>This domain had been used in the Russian hacking of US state boards of election during the 2016 US Presidential Election. Not only that, the US DoJ, in its indictment of <a href="https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and">GRU Unit 74455</a>, linked the operations of Russian intelligence to the work of Sandworm.</p><p>In an interview on Darknet Diaries, <a href="https://darknetdiaries.com/episode/77/">Jack Rhysider and Andy Greenberg do a fantastic job of breaking down the whole hack</a> and it&apos;s a wild ride! Andy&apos;s <a href="https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/">reporting</a> and <a href="https://www.penguinrandomhouse.com/books/597684/sandworm-by-andy-greenberg/">book</a> are an invaluable source of information on anything related to Sandworm.</p><!--kg-card-begin: markdown--><h2 id="exploit">Exploit</h2>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>To Exploit is to Collect against the adversary&#x2019;s Movement of Data. This increases the data available for friendly Situation Assessment and makes the generation of friendly Information more efficient.<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>This definition troubles me. I am used to exploitation in cyber terms, but Information Warfare did not spawn from cyber; it came before cyber and comes from the murky world of intelligence. I have struggled to get my mind around this concept, as in some ways it makes absolute sense, but in others the language used around it is so specific to militaries that it is nearly a different dialect. The first useful pseudo-definition I found comes from a paper on the US military&apos;s Defense Technical Information Center;</p><!--kg-card-begin: markdown--><blockquote>
<p>Information technology is already tightly woven with our military operations, providing heretofore unimaginable amounts of information. Exploiting this information has provided us striking capabilities; relying on it inevitably creates potentially crippling vulnerabilities. This, coupled with advances in the ability -to both locate and destroy command and control (C2) nodes makes C2, more than ever, a lucrative target set. History has shown successful militaries can achieve striking success through paralyzing the enemy&apos;s ability to exercise command and control.<br>
<a href="https://apps.dtic.mil/sti/pdfs/ADA307436.pdf">Unknown US Air Force Author; Cornerstones of Information Warfare, pp 10</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>And the second I found comes from a supplemental document to <a href="https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_13.pdf">JP-3-13</a> from the US Air Force on Information Operations;</p><!--kg-card-begin: markdown--><blockquote>
<h4 id="predictivebattlespaceawareness">Predictive Battlespace Awareness</h4>
<p>Effective IO depends upon a successful PBA. As a maturing concept, PBA is &#x201C;knowledge of the operational environment that allows the commander and staff to correctly anticipate future conditions, assess changing conditions, establish priorities, and exploit emerging opportunities while mitigating the impact of unexpected adversary actions&quot; (Air Force Pamphlet 14-118).<br>
<a href="http://www.iwar.org.uk/iwar/resources/usaf/afdd2-5-2005.pdf">Unknown US Air Force Author; Information operations, pp 41</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>From this, I gather that &quot;<em>Exploitation</em>&quot; in Information Warfare terms sits in the intelligence decision loop of <a href="http://www.iwar.org.uk/iwar/resources/jiopc/io-textbook.pdf">Planning and Directing, Collection, Processing and Exploitation, Analysis and Production, Dissemination and Integration, and Evaluation and Feedback (pp 31-33)</a>: it is the processing of gathered data on an adversary so that analysis can find a weakness. In the conventional world of cyber, in a decision loop such as the <a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html">Cyber Kill Chain</a>, Exploitation is the running of weaponised code on a victim&apos;s device. The two use the same terminology with different meanings.</p><p>From the perspective of conventional cyber thinking, it is better to see this kind of exploitation as a step in the Reconnaissance phase of the Cyber Kill Chain, where it relates to the research, identification and selection of targets from processed data. If you think about it in terms of <code>nmap</code> output, from the intelligence perspective the Processing and Exploitation is automated away in the background as data is collected, and you are then presented with data that can immediately be analysed rather than with the raw returns of the scan.</p><!--kg-card-begin: markdown--><h4 id="largeelectronicsignatures">Large Electronic Signatures</h4>
<!--kg-card-end: markdown--><p>A great example of how data can be exploited in the field is to take advantage of the large electronic emissions of modern battle formations. Radios, GPS and other space-based systems, and the growing number of active and passive protection systems on land vehicles, which use a range of infrared and radar emitters to detect and defeat incoming projectiles, all give off signatures that can be detected and used against you. While these systems have an effective range, their electronic emissions travel much further than their usable or effective range.</p><p>A great example of this happened in 2020 when the commander of the US 11th Armored Cavalry Regiment, Colonel Scott Woodward, chimed in on a discussion on Twitter about the efficacy of modern visible camouflage methods. While he did have ideas about how to use such systems effectively, he shared a much more interesting piece of information about the electronic signature of forces during a training exercise;</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">These were taken at the National Training Center, in California.  Concealment will help you stay alive a little longer in the close fight.  <br><br>What does your EW footprint look like is the larger question.  If I can see you like this, it doesn&apos;t matter how much camo you have <a href="https://t.co/EihBe4nEG3">pic.twitter.com/EihBe4nEG3</a></p>&#x2014; LXVIII RCO (@theRealBH6) <a href="https://twitter.com/theRealBH6/status/1258556133037363200?ref_src=twsrc%5Etfw">May 8, 2020</a></blockquote>
</figure><p>The systems that did the Processing and Exploitation of the data were able to create the above image, which could be used by an analyst to determine the structure and size of a force and the best way to attack it. This is the <em>information advantage</em> I mentioned previously that the US is looking for in its doctrine. You may not be able to see the forces with the good aul Mk. 1 Eyeball or night vision goggles, but you don&apos;t need to when you can see them in other ways. This could be through their infrared emissions or, in this case, the electronic signature of the forces.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">That&#x2019;s exactly what it is. BN with trains hiding behind MG at about 2300. Thought they were safe cause it was dark. Picked me up at about 12 K with EW</p>&#x2014; LXVIII RCO (@theRealBH6) <a href="https://twitter.com/theRealBH6/status/1258558040376094720?ref_src=twsrc%5Etfw">May 8, 2020</a></blockquote>
</figure><p>As Col Woodward went on to mention, this was a battalion-strength force of between 300 and 1000 troops, spread over an area of roughly 6 km², judging from comparison with satellite imagery, and included the unit&apos;s support units, which he referred to as &quot;<em>trains</em>&quot;. The opposing force he was fighting against was able to detect him at up to 12 km away from the electronic signatures his battalion emitted alone.</p><p>To give an example of the use of such information in combat, Russia has multiple systems currently in use that are capable of radio direction finding, which can give a commander a bearing to a target or a range within which the target is located. If they have enough MASINT about the emitting source, an analyst may also be able to gauge the distance to the target based on the signal strength. If an area can be narrowed down by doing this analysis on exploited information, a commander may be able to draw up a fire plan to deal with their enemy without the enemy knowing they have been seen and are in danger until the first shots are fired or the first bombs drop.</p><!--kg-card-begin: markdown--><h2 id="deny">Deny</h2>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><blockquote>
<p>To Deny means to deny completely by a direct attack on the means of accomplishment. The use of a High Energy Laser to blind or destroy an electro-optic sensor is an example of denial by direct attack. Another example is a virus that destroys operating systems in a computer used to do Situation Assessment.<br>
<a href="https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Chronicles/borden.pdf">Col. Andrew Borden, USAF (Ret.); What is Information Warfare?</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h4 id="suppressionofenemyairdefensessead">Suppression of Enemy Air Defenses (SEAD)</h4>
<!--kg-card-end: markdown--><p>On the 20th of June 2019, the IRGC shot down an American RQ-4 Global Hawk drone that Iran contends violated Iranian airspace in the Strait of Hormuz. Iran used &#x633;&#x648;&#x645; &#x62E;&#x631;&#x62F;&#x627;&#x62F; or a 3rd Khordad, sometimes called a Sevom Khordad, air defence missile system.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="fa" dir="rtl">&#xAB;<a href="https://twitter.com/hashtag/%D9%BE%D9%87%D9%BE%D8%A7%D8%AF_%D8%A2%D9%85%D8%B1%DB%8C%DA%A9%D8%A7%DB%8C%DB%8C?src=hash&amp;ref_src=twsrc%5Etfw">#American_drone</a> in the trap of the Iranian air defence system; the first kill on the record of &quot;Sevom Khordad&quot;&#xBB;  <br><br>The American RQ-4 drone has been shot down by the Sevom Khordad air defence system; the Sevom Khordad air defence system is a fully indigenous air defence system designed by the country&apos;s defence industry specialists <a href="https://t.co/wOY25bsiPB">https://t.co/wOY25bsiPB</a> <a href="https://t.co/vMuSoR4U2z">pic.twitter.com/vMuSoR4U2z</a></p>&#x2014; Tasnim News Agency &#x1F1EE;&#x1F1F7; (@Tasnimnews_Fa) <a href="https://twitter.com/Tasnimnews_Fa/status/1141626897383743489?ref_src=twsrc%5Etfw">June 20, 2019</a></blockquote>
</figure><p>In response to this, POTUS ordered a mix of kinetic and non-kinetic fires against these systems, <a href="https://news.yahoo.com/us-launched-cyber-attacks-iran-drone-shootdown-reports-232123877.html">but called off the kinetic ones</a> to keep things <a href="https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html">below the threshold of armed attack</a>. The <a href="https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html">New York Times reported</a> that multiple systems were targeted, and it mentions an additional attack;</p><!--kg-card-begin: markdown--><blockquote>
<p>An additional breach, according to one person briefed on the operations, targeted other computer systems that control Iranian missile launches.<br>
<a href="https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html">Julian E. Barnes and Thomas Gibbons-Neff; U.S. Carried Out Cyberattacks on Iran</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>It would appear that <a href="https://sg.news.yahoo.com/2019-06-22-us-cyberattack-reportedly-knocked-out-iran-missile-control-syste.html">US Cyber Command carried out this attack, and it was their first since they became a full combat command</a>. Given that they were able to attack what appears to be the command and control computers of a battery, this is effectively the suppression of enemy air defences, done in a way that doesn&apos;t put Wild Weasel crews or aircraft at risk. It is unclear whether the attack was against a single battery, multiple independent batteries or a battalion of batteries, which could have wide-ranging consequences if the battalion command and control vehicle&apos;s systems were targeted;</p><!--kg-card-begin: markdown--><blockquote>
<p>The C2 unit provides communication between Sevom Khordad batteries. Furthermore, the C2 unit can connect other air defense systems of the Raad family, including Raad and Tabas, into a single air defense network. This allows to cover large area and targets can be engaged with a wide range of missiles from the cheapest Taer-1 missiles to the most capable Taer-2s. This adds the capability of facing different types of threats with different types of interceptors. In case of heavy jamming when even the X-band engagement radar can&#x2019;t handle its duty, the C2 unit can provide an additional data link, connecting the system to electro-optical engagement systems of Raad batteries, in order to guide missiles toward targets.<br>
<a href="http://www.military-today.com/missiles/sevom_khordad.htm">Ehsan Ostadrahimi; Sevom Khordad - Medium-range air defense missile system</a></p>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h4 id="nitrozeus">NITROZEUS</h4>
<!--kg-card-end: markdown--><p>NITROZEUS is a strategic cyber attack planned by the US in the event that Stuxnet failed, or that the <a href="https://www.armscontrol.org/factsheets/JCPOA-at-a-glance">Joint Comprehensive Plan of Action</a> failed to be agreed and Israel decided to go to war with Iran. It was uncovered by documentarian Alex Gibney as part of the research for his documentary film about Stuxnet, <em>Zero Days</em>, with subsequent reporting coming not long after from <a href="http://uk.businessinsider.com/nitro-zeus-iran-infrastructure-2016-7">Business Insider</a> and the <a href="https://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-planned-if-iran-nuclear-negotiations-failed.html">New York Times</a>. Little is known about NITROZEUS beyond what these sources have reported.</p><p>What is known is that the program did exist; that it existed to give the POTUS options short of war; that it was designed to use Information Warfare techniques to target air defences, as demonstrated by the Sevom Khordad attack above, possibly to give the US and Israel air control over Iran; but also that it went a step further and targeted many civilian systems, most of which could be considered legitimate targets in the event of war;</p><!--kg-card-begin: markdown--><blockquote>
<p>I mean you&apos;ve been focusing on Stuxnet. That was only a smaller part of a much larger Iranian mission. NITROZEUS. NZ. We spent hundreds of millions, maybe billions on it. In the event that the Israelis did attack Iran, we assumed we would be drawn into the conflict.<br>
We built in attacks on Iran&apos;s command and control system so that the Iranians couldn&apos;t talk to each other in a fight. We infiltrated their IADS (Integrated Air Defense System), military air defence systems, so they couldn&apos;t shoot down our planes if we flew over.<br>
We also went after their civilian support systems. Power grids, transportation, communications, financial systems. We were inside, waiting, watching, ready to disrupt, degrade and destroy those systems with cyber attacks. In comparison, Stuxnet was a back alley operation. NZ was the plan for a full scale Cyber War, with no attribution.<br>
<a href="http://www.zerodaysfilm.com/">Testimony of several NSA and CIA members who worked on NITROZEUS; Zero Days documentary @ 01:45:20</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>While in any event this would have been an amazing success, strictly in military terms, and mimicked many of the ideas in Operation Desert Storm&apos;s air campaign, it would have been a modernised version of it, updated for the 21st century, using only cyber rather than stealth aircraft and electronic warfare. The impacts of these actions were not lost on the people who developed NITROZEUS, though, and some of them were not happy about the possible humanitarian impacts of the use of Information Warfare on such a huge scale;</p><!--kg-card-begin: markdown--><blockquote>
<p>Everyone I know is basically thrilled with the Iran deal. Sanctions and diplomacy worked. But behind that deal is a lot of confidence in our cyber capability. We were everywhere inside Iran, still are. I&apos;m not going to tell you the operational details of what we can do going forward or where. But the science fiction cyber war scenario is here. That&apos;s NITROZEUS.<br>
But my concern, and the reason that I&apos;m talking, is that when you shut down a country&apos;s power grid, it doesn&apos;t just pop back up, it&apos;s more like Humpty Dumpty. If all the king&apos;s men can&apos;t turn the lights back on, or filter the water for weeks, then lots of people die. And something we can do to others, they can do to us too.<br>
Is that something we should keep quiet? Or should we talk about it?<br>
<a href="http://www.zerodaysfilm.com/">Testimony of several NSA and CIA members who worked on NITROZEUS; Zero Days documentary @ 01:49:50</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>This is probably the scenario most people think about when they think about &quot;<em>Cyber War</em>&quot;, and it perhaps best describes why Information Warfare and Cyber Warfare should be better-discussed topics in the light of day, rather than in the shadows they reside in now. It presents strategic and possibly existential threats to states. Though I think this is better left to a case study I have an idea for later.</p><!--kg-card-begin: markdown--><h1 id="thecyberphysicalimpact">The Cyber-Physical Impact</h1>
<!--kg-card-end: markdown--><p>The thing to understand about Information Warfare is that it is broader than an idea like hacking or the concept of Cyber, where one limits one&apos;s thinking to digital systems rather than the broader spectrum of systems that computers interact with, such as Operational Technology systems like valves, motors, solenoids etc., or the RF Spectrum. Computers control and interact with systems that do much more than the computer itself, as Bruce Schneier once pointed out;</p><!--kg-card-begin: markdown--><blockquote>
<p>As the chairman pointed out, there are now computers in everything. But I want to suggest another way of thinking about it in that everything is now a computer: This is not a phone. It&#x2019;s a computer that makes phone calls. A refrigerator is a computer that keeps things cold. ATM machine is a computer with money inside. Your car is not a mechanical device with a computer. It&#x2019;s a computer with four wheels and an engine&#x2026;<br>
<a href="https://docs.house.gov/meetings/IF/IF17/20161116/105418/HHRG-114-IF17-Transcript-20161116.pdf">Part of Bruce Schneier&apos;s testimony to the House of Representatives, Subcommittee on Communications and Technology, Joint with Subcommittee on Commerce, Manufacturing, and Trade, Committee on Energy and Commerce; Understanding the Role of Connected Devices in Recent Cyber Attacks, pp 27</a></p>
</blockquote>
<!--kg-card-end: markdown--><p>In every aspect that I can conceive of, or that has occurred previously, an Information Warfare technique has involved some form of manipulating the inputs and outputs of a computer to achieve an objective. This could be the returns of a radar, the varying levels of chlorine used to make clean drinking water, or listening to the RF outputs of systems to locate them in a physical place. This is where, at least in part, the future of combat lies, because when everything became computers, computers became everything.</p><p>From the military perspective, this means that Information Warfare is a series of tactics, techniques and procedures that a commander can utilise in combat, either as a form of fire to gain fire superiority, or as a toolkit for intelligence collection and processing to gain an Information Advantage over an adversary and use this advantage to make quicker and better decisions. Regardless of the way it is used, its targets will be information systems, attacked so they can be used as force multipliers to accomplish missions.</p><p>The missions can vary from attacks on information systems like that of Stuxnet, malware that attacked information systems to damage or destroy centrifuges at the <a href="https://www.nti.org/learn/facilities/170/">Natanz Enrichment Complex</a> in Iran, to, as I discussed earlier in this piece, attacks using planes doing bombing runs and strafing fiber optic cable installations to prevent coordinated air defences over a country.</p><!--kg-card-begin: markdown--><hr>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h3 id="acknowledgments">Acknowledgments</h3>
<!--kg-card-end: markdown--><p>Cheers to <a href="https://twitter.com/madwonk">Ben</a>, the editor <strong>&#x1F602;</strong>, Jack, Sam and Tangui for their help on understanding Soviet artillery doctrine better, Jack again for his just generally amazing knowledge of military operations, <a href="https://twitter.com/tylerni7">Tyler</a>, Dakota and Toby for helping me better understand the intelligence cycle and <a href="https://twitter.com/zachaysan">Zach</a> for providing some sources I couldn&apos;t find elsewhere and finally to Zach again and <a href="https://twitter.com/tinfoil_globe">Tinfoil</a> for being great people to bounce ideas off of and help me better develop some of these ideas. A special thanks to Andrew, Toby and Issi for help in seeing through the fog of Dyslexia. And finally, a thanks to the many, many more <a href="https://twitter.com/ACWPodcast">Wonks</a> for the discussions on the various cyber and information warfare aspects.</p>]]></content:encoded></item><item><title><![CDATA[Getting Around Ubiquiti's Desire for you to use a Ubiquiti Account]]></title><description><![CDATA[<p>A while ago, the Raspberry Pi 2B that I have at my dad&apos;s to keep the WiFi up and running died and this went unnoticed until the power went off one day and when the power came back up, the internet was patchy, the speed could be all</p>]]></description><link>https://blog.cyberwarfa.re/ui-bypass/</link><guid isPermaLink="false">60845ca5a1ddcd534308723c</guid><category><![CDATA[Information Security]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sat, 24 Apr 2021 21:03:46 GMT</pubDate><content:encoded><![CDATA[<p>A while ago, the Raspberry Pi 2B that I have at my dad&apos;s to keep the WiFi up and running died and this went unnoticed until the power went off one day and when the power came back up, the internet was patchy, the speed could be all over the place and moving between the two access points sometimes didn&apos;t work... 
My dad asked me to come and have a look at things and I noticed that the Pi was off, not turning on...</p><p>Now, as you can probably guess from the title, I&apos;m using Ubiquiti gear... Specifically two <a href="https://www.ui.com/unifi/unifi-ap-ac-lite/">UniFi AP AC Lites</a>. I have also been following Brian Krebs&apos;s reporting on them asking you <a href="https://krebsonsecurity.com/2021/01/ubiquiti-change-your-password-enable-2fa/">to update your password and enable 2FA</a>, then that <a href="https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/">a whistleblower was saying the breach was MUCH worse than Ubiquiti wanted people to know</a>, and finally <a href="https://krebsonsecurity.com/2021/04/ubiquiti-all-but-confirms-breach-response-iniquity/">their confirmation that this was the case</a>... A quick Google will show you guides like <a href="https://pimylifeup.com/rasberry-pi-unifi/">this</a>, that will tell you how to install the Network Controller software on an RPi BUT they get you to sign in with your Ui Account... Something I&apos;m less than jazzed at with the current situation... </p><!--kg-card-begin: markdown--><h3 id="prepping-the-pi-installing-the-network-controller-software">Prepping the Pi &amp; Installing the Network Controller Software</h3>
<!--kg-card-end: markdown--><p>Get your Pi, install the OS you want on the MicroSD card, drop a file into <code>/Volumes/boot</code> called <code>ssh</code>, nothing more, not even a file extension, do your first boot, get the IP Address of the Pi and SSH into the device. </p><p>If you want to know why the following steps are essential, <a href="https://pimylifeup.com/rasberry-pi-unifi/">you can read the guide that Pi My Life Up did on this</a>. This process is mostly similar to theirs with less explanation. </p><!--kg-card-begin: markdown--><pre><code class="language-console"># install the prerequisites
pi@ubnt:~$ sudo apt update &amp;&amp; sudo apt upgrade -y
pi@ubnt:~$ sudo apt install openjdk-8-jre-headless rng-tools
# sudo only applies to echo, not to the shell's &gt;&gt; redirect, so the write would fail; tee -a runs with the privilege
pi@ubnt:~$ echo &quot;HRNGDEVICE=/dev/hwrng&quot; | sudo tee -a /etc/default/rng-tools
pi@ubnt:~$ sudo systemctl restart rng-tools

# add and install the unifi software
pi@ubnt:~$ echo &apos;deb https://www.ui.com/downloads/unifi/debian stable ubiquiti&apos; | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
pi@ubnt:~$ sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
pi@ubnt:~$ sudo apt update
pi@ubnt:~$ sudo apt install unifi
</code></pre>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><h3 id="configure-the-network-controller-software">Configure the Network Controller Software</h3>
<!--kg-card-end: markdown--><p>With your browser, go to <code>https://[IP]:8443</code>, name the Controller and agree to the terms and conditions. When you hit Next, you&apos;ll be taken to the screen that asks you to log in to your UI account, but you&apos;ll notice that there is a link to &quot;Switch to Advanced Setup&quot;.</p><figure class="kg-card kg-image-card"><img src="https://blog.cyberwarfa.re/content/images/2021/04/ubnt1.jpg" class="kg-image" alt loading="lazy" width="1278" height="659" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/04/ubnt1.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/04/ubnt1.jpg 1000w, https://blog.cyberwarfa.re/content/images/2021/04/ubnt1.jpg 1278w" sizes="(min-width: 720px) 720px"></figure><p>When you click this, it will take you to a menu where you can choose not to remotely manage your devices and to turn off using the Ui account.</p><figure class="kg-card kg-image-card"><img src="https://blog.cyberwarfa.re/content/images/2021/04/ubnt2.jpg" class="kg-image" alt loading="lazy" width="1279" height="655" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/04/ubnt2.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/04/ubnt2.jpg 1000w, https://blog.cyberwarfa.re/content/images/2021/04/ubnt2.jpg 1279w" sizes="(min-width: 720px) 720px"></figure><p>Once you say that yes, you want to use a local account, and that yes, things will be fine, and that no, the world won&apos;t explode, you can create a local account.</p><figure class="kg-card kg-image-card"><img src="https://blog.cyberwarfa.re/content/images/2021/04/ubnt3.jpg" class="kg-image" alt loading="lazy" width="1276" height="660" srcset="https://blog.cyberwarfa.re/content/images/size/w600/2021/04/ubnt3.jpg 600w, https://blog.cyberwarfa.re/content/images/size/w1000/2021/04/ubnt3.jpg 1000w, https://blog.cyberwarfa.re/content/images/2021/04/ubnt3.jpg 1276w" sizes="(min-width: 720px) 720px"></figure><p>Proceed with the 
installation until finally you&apos;re at the dashboard and ready to reset APs to factory default or install new APs so that you can pair them with the controller and configure the APs as you choose.</p><!--kg-card-begin: markdown--><h4 id="just-for-ubiquiti">Just for Ubiquiti</h4>
<!--kg-card-end: markdown--><p>If by chance Ubiquiti people do manage to stumble upon this, please don&apos;t remove this feature from the Linux controller software! You make incredible gear and now that I know I can continue to run your incredible hardware on my own terms, I want to buy even more of it! I have my eyes on a Dream Machine Pro, a 24 port POE switch, a redundant power supply for both of them and some WiFi 6 APs. Being able to have control over these sorts of things without anyone from the outside makes me love and treasure IoT things, so much so that the doorbell and cameras look like a sound investment to someone who thinks that <a href="https://twitter.com/internetofshit">Internet of Shit</a> is one of the best accounts on Twitter! I do not need a landline but I legit kinda want a phone too! Please leave this stuff in for those of us that choose to use it and not be beholden to needing an account for this amazing gear to be functional. </p>]]></content:encoded></item><item><title><![CDATA[Punggye-ri Yield Calculator]]></title><description><![CDATA[<p>When North Korea next tests the Disco Ball of Death or the Peanut, you can use the <a href="https://earthquake.usgs.gov/earthquakes/map">USGS Earthquake Map</a>, or other data source to get a rough estimate on how large a yield North Korea got from the test.</p><!--kg-card-begin: markdown--><h3 id="the-zhang-and-wen-calibrated-method"><a href="https://agupubs.onlinelibrary.wiley.com/doi/full/10.1002/grl.50607">The Zhang and Wen Calibrated Method</a></h3>
<!--kg-card-end: markdown--><p>m is the Lg</p>]]></description><link>https://blog.cyberwarfa.re/punggye-ri-yield-calc/</link><guid isPermaLink="false">62542cf2f85c9ea22a7b7cdb</guid><category><![CDATA[OSINT]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sat, 13 Feb 2021 13:30:00 GMT</pubDate><content:encoded><![CDATA[<p>When North Korea next tests the Disco Ball of Death or the Peanut, you can use the <a href="https://earthquake.usgs.gov/earthquakes/map">USGS Earthquake Map</a>, or other data source to get a rough estimate on how large a yield North Korea got from the test.</p><!--kg-card-begin: markdown--><h3 id="the-zhang-and-wen-calibrated-method"><a href="https://agupubs.onlinelibrary.wiley.com/doi/full/10.1002/grl.50607">The Zhang and Wen Calibrated Method</a></h3>
<!--kg-card-end: markdown--><p>m is the Lg wave magnitude of the seismic event<br>h is the depth of burial at which the test occurred<br>Y is the yield in kilotons </p><figure class="kg-card kg-bookmark-card"><a class="kg-bookmark-container" href="https://www.wolframalpha.com/input?i=solve+m%2B%280.7875+log_10%28h%29%29-5.887+%3D+%281.0125+log_10%28Y%29%29+where+m+%3D+6.1+and+h+%3D+430"><div class="kg-bookmark-content"><div class="kg-bookmark-title">solve m+(0.7875 log_10(h))-5.887 = (1.0125 log_10(Y)) where m = 6.1 and h = 430 - Wolfram|Alpha</div><div class="kg-bookmark-description">Wolfram|Alpha brings expert-level knowledge and capabilities to the broadest possible range of people&#x2014;spanning all professions and education levels.</div><div class="kg-bookmark-metadata"><img class="kg-bookmark-icon" src="https://www.wolframalpha.com/_next/static/images/favicon_1zbE9hjk.ico"><span class="kg-bookmark-author">Wolfram|Alpha</span></div></div><div class="kg-bookmark-thumbnail"><img src="https://www.wolframalpha.com/_next/static/images/share_3eSzXbxb.png"></div></a></figure><p>Be aware that while Wolfram Alpha will give you a precise answer, the answer is only pseudo-precise. In actuality, it has a &#xB1; 30% error bar, so a 100 kiloton yield could be as low as 70 kt or as high as 130 kt or somewhere in between. To date, I have been unable to get the <a href="https://reference.wolfram.com/language/ref/PlusMinus.html">PlusMinus</a> operator to work with a percentage. I think this is because Wolfram Alpha interprets the input as an integer or float etc. and percentages are operators, so when the calc is done, WA does its best to interpret what it was given.</p><!--kg-card-begin: markdown--><h2 id="other-methods">Other Methods</h2>
<!--kg-card-end: markdown--><p>I would also note that there are other methods, for example, <a href="https://www.linkedin.com/pulse/credibility-h-bomb-claim-can-assessed-using-simple-james-kiessling/">fellow Wonk Jim Kiessling has his own scaling method on his LinkedIn</a> and it&apos;s about as accurate as Zhang and Wen&apos;s, without the need for a PhD in geology. And <a href="http://calc.wonkpedia.org/yield/">Ben Muller at CNS is working on an amazing calculator</a> that is much more applicable to nuclear tests from a much wider selection of sites in a number of other countries such as Russia and India.</p><p><strong>Update 12/04/22</strong><br>Thanks to Aminal for adding variables to the calculation and Nathan for helping me update the description of what the calc does</p>]]></content:encoded></item><item><title><![CDATA[Let's Talk About Ireland's Cyber Security Strategy]]></title><description><![CDATA[<p>Over Christmas, <a href="https://www.dccae.gov.ie/documents/National_Cyber_Security_Strategy.pdf">Ireland released its National Cyber Security Strategy for implementation between 2019-2024</a>. Considering that this was released, I believe on the 27th of December 2019, we&apos;re already a year behind which is a fantastic start... But let&apos;s dig into the detail of it</p>]]></description><link>https://blog.cyberwarfa.re/irish-cyber-strategy/</link><guid isPermaLink="false">60834946a1ddcd53430870c9</guid><category><![CDATA[Ireland]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Mon, 03 Feb 2020 21:35:55 GMT</pubDate><content:encoded><![CDATA[<p>Over Christmas, <a href="https://www.dccae.gov.ie/documents/National_Cyber_Security_Strategy.pdf">Ireland released its National Cyber Security Strategy for implementation between 2019-2024</a>. 
Considering that this was released, I believe on the 27th of December 2019, we&apos;re already a year behind, which is a fantastic start... But let&apos;s dig into the detail of it and see where we stand going forward on the issue.</p><p>And I can&apos;t stress this enough: I do not want this to be seen as a hit piece against anyone at the NCSC, NSAC, An Garda S&#xED;och&#xE1;na, the Irish Defence Forces or anyone else in the national security apparatus of Ireland. I have met several of them over the past few years, and while they are passionate and deeply care about the mission of protecting Ireland from cyber threats, it is not their fault that, while they collectively work hard on information security issues, they are plagued by being underpaid compared to others in the private sector and international colleagues, being under-resourced, and having to deal with successive governments who have had no vision or care for information security and its importance in the modern era.</p><p>This is a long post, so if you want the gist of my thoughts and you want to skip the detail, the final section has a summation of my thoughts and some form of a conclusion.</p><!--kg-card-begin: markdown--><h1 id="2vision">2: Vision</h1>
<!--kg-card-end: markdown--><p>The vision of the document is pretty standard. It is based around <em>Protect, Develop and Engage</em>, which you will see in other cyber security strategy documents. The protection aspect is based around protecting the State, the people of Ireland and the critical infrastructure of the State. It&apos;s pretty standard aspirational language to say this is where we would love to be in 2024 in an aspirational document. Not much more to add.</p><p>Personally, I would love to see how we plan to find a balance of risks and costs, because historically the Irish Government has chosen the cheap option that does not account for risks.</p><p>I would also love to know more details about developing the capacity of the state in the 5th Domain, because everyone I have talked to about this, be they cyber security students, lecturers, industry professionals or friends elsewhere, thinks working for the government on information security matters is insanity when I could be working elsewhere doing my best work and getting better paid for it too. How do you plan to develop that capacity when it relies only on those who see the mission of protecting the state as more important than pay, and people who look at the world that way are few and far between?</p><p>Finally, to engage others nationally and internationally on a free and open cyberspace. This is a goal I&apos;m 100% behind because, alone, we will not be able to solve all the issues we face. Working internationally will also allow us to develop key skills, and another goal is to integrate cyber into our diplomacy, where we have secure missions to other nations that have the capacity to help other nations develop some of the capabilities that we have.</p><!--kg-card-begin: markdown--><h1 id="3objectives">3: Objectives</h1>
<ul>
<li>
<p>To continue to improve the ability of the State to respond to and manage cyber<br>
security incidents, including those with a national security component</p>
</li>
<li>
<p>To identify and protect critical national infrastructure by increasing its resilience to cyber attack and by ensuring that operators of essential services have appropriate incident response plans in place to reduce and manage any disruption to services</p>
</li>
<li>
<p>To improve the resilience and security of public sector IT systems to better protect data and the services that our people rely upon</p>
</li>
<li>
<p>To invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers</p>
</li>
<li>
<p>To raise awareness of the responsibilities of businesses around securing their<br>
networks, devices and information and to drive research and development in cyber<br>
security in Ireland, including by facilitating investment in new technology</p>
</li>
<li>
<p>To continue to engage with international partners and international organisations to ensure that cyber space remains open, secure, unitary, free and able to facilitate economic and social development</p>
</li>
<li>
<p>To increase the general level of skills and awareness among private individuals<br>
around basic cyber hygiene practices and to support them in this by means of<br>
information and training</p>
</li>
</ul>
<!--kg-card-end: markdown--><p>As goals in an aspirational document, these are fine. Personally, the key to all of this is the educational component. The pipeline of students doing cyber security is incredibly narrow, in part because of the small number of lecturers available to teach the courses and in part because, until very recently, ITB, now TU Dublin, was the only place to get a solid education in cyber. You could take a single module on it at various colleges and universities, but that skims a huge area in a semester, or you went to places like Trinity and Letterkenny, which have societies to fill the gap they both see in their education. And when <a href="https://zerodays.ie/">Zero Days CTF</a> comes around every year, the vast, vast, vast majority of people taking part are current and former students of TU Dublin @ Blanchardstown, Trinity College Dublin and Letterkenny IT, which is no coincidence.</p><p>Staying on education, educating all sectors of the economy on the issues they face will also be key. I don&apos;t know how best to accomplish this, but we have an economy where the vast majority of people are employed in small and medium enterprises, and in the modern era these companies are built on data. If anything were to happen to the database that stores that business-critical information, such as a ransomware attack, it could shut a company down, and that&apos;s no hyperbole. <a href="https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays/">It&apos;s already happened</a>. And not just that: if you follow ransomware, it&apos;s happening all day, every day, everywhere, and we&apos;re potentially one catastrophic zero-day away from having whole sectors or industries come to a halt. 
And there are very few companies that can handle something like that. Historically, I believe, it&apos;s been <a href="https://darknetdiaries.com/episode/30/">Saudi Aramco</a>, <a href="https://www.cyberscoop.com/notpetya-ransomware-cost-merck-310-million/">Merck</a>, <a href="https://www.forbes.com/sites/leemathews/2017/08/16/notpetya-ransomware-attack-cost-shipping-giant-maersk-over-200-million/">Maersk Line</a> and the <a href="https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/">NHS</a> that have weathered such a storm, and they did so not only because they had the know-how to deal with such an issue and were somewhat prepared, but also because they had the cash reserves on hand to deal with such attacks.</p><p>Education will also be key to dealing with the general cyber crime threats the public faces, as in my personal experience there is, across nearly all age ranges, very little conception of the threats people face and, arguably worse, of what to do about them. As someone who has tried to educate people who are not familiar with cyber security, the biggest problem I have personally found, and one I think will be a major headache, is giving people actionable information so that they can proactively raise their defensive posture. It&apos;s one thing to tell a 60 year old to use a password manager; it&apos;s another to explain, as simply as possible, why they need it and how they should use it. </p><p>And this actionable information, whatever it is, is going to create narrow, technical, sniping arguments in the community, because this is how we have operated as a discipline for the longest time, which means that even if the advice works for the threat model, people may ignore it as noise rather than signal. 
But as professionals, we also need to be aware of the threat model that others are operating under, rather than applying our own to them, and we need to stay abreast of the latest information and how it applies to those threat models, because advice like never writing down passwords is garbage advice in the modern era. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2020/02/slide_sample.PNG" class="kg-image" alt loading="lazy"><figcaption>Google&apos;s account security czar on writing down your passwords, from a slide I have on the basics of Privacy and Security.</figcaption></figure><p>Finally on education, we also need to start adequately funding third level. It&apos;s good that we are putting computer science into second level, but there is a shortfall in spending on third level that some say <a href="https://www.independent.ie/business/budget/budget-2019-10-things-to-know-about-education-measures-amid-warning-of-growing-third-level-crisis-37400570.html">is approaching crisis levels</a>, and since our economy is built on knowledge, this is not something we can allow to happen.</p><p>With a start on education, and a wider pipeline of people coming into the industry, we can then start to look at the other goals we have in mind. The major issue is that there will be a lag, which we cannot afford, between now and that education coming online. The only solution is to attract the talent needed from the private sector, and the bottom line, like it or not, is that there is a huge pay gap between what the private sector can afford and what the government will pay you. When I graduate at the end of this semester, my starting wage as a graduate in cyber security roles will exceed a public sector wage by a significant margin. 
While it is a pay cut I would be willing to make in the national interest, I am in a very small minority.</p><!--kg-card-begin: markdown--><h1 id="41strategicrisks">4.1: Strategic Risks</h1>
<!--kg-card-end: markdown--><p>While I have been quite critical up to now, this is where, for a brief moment, things look up. There is actually an element of strategy here. The government is aware that Great Power Politics is back in vogue, that this creates certain threats and risks at a global geopolitical level, and that it has an impact on international relations and international security. Specifically, the threats to Ireland are to trade and from influence over technology vendors; Ireland is a small, open economy hosting a lot of multinational technology vendors, so we are vulnerable to a change in the trade or technology winds. </p><p>All of these technology vendors in Ireland host a large proportion of European citizens&apos; data and the infrastructure required to hold it. Hosting this data means that we will have to secure some of the most important critical infrastructure in Europe, and be aware that it is critical to the functioning of our own economy.</p><p>Ireland is also aware, and makes it extremely clear, that;</p><blockquote>Recent years have seen the development and regular use of very <strong>advanced tools for cyber enabled attacks</strong> and espionage, and, <strong>likely for the first time, the physical destruction of Critical National Infrastructure by cyber enabled means</strong>. As such, the field of cyber security is <strong>characterised by an ongoing and high stakes technological arms race</strong>, ...</blockquote><p>We are aware that other nations are flexing their cyber muscles with tools like the Great Cannon, Stuxnet, Flame, BlackEnergy and Triton, that this is part of an ongoing arms race between the actors leading the charge of great power politics, and that these tools generally go after critical infrastructure. Though curiously, while the document calls it an arms race, it names no tools and does not call them arms or weapons, when under some reasonable definitions you could. 
</p><p>What is unfortunate is that while we are aware of the great power politics and the ongoing arms race, the document also says;</p><blockquote>... that any single State can only exercise a degree of control over the operation of the network in its territory</blockquote><p>While this is indeed true, it misses a critical point. In an open, liberal nation like Ireland it is difficult to dictate how private industry procures its infrastructure, but that does not mean the government has no role in advising the private sector on what infrastructure to buy, or that it cannot use its sovereign powers to prevent a purchase, or to level the market playing field where it is uneven or where a purchase endangers national security;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet"><p lang="en" dir="ltr">&#x201C;We&apos;re committed to Huawei, they have been a good supplier&#x201D;<br><br>Yes, because the Chinese government are subsidizing your cheap business model via them and the trade off is you let their shitty product spy on your customers. <a href="https://t.co/DD6QtuyAyw">https://t.co/DD6QtuyAyw</a></p>&#x2014; Defence Ireland (@DefenceIreland) <a href="https://twitter.com/DefenceIreland/status/1223145302242340865?ref_src=twsrc%5Etfw">January 31, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">So the Chinese government subsidize them, and they subsidize <a href="https://twitter.com/eir?ref_src=twsrc%5Etfw">@eir</a> who then put their shitty product in their network so they can compromise their customers. Customers like the Guards. 
<a href="https://t.co/W1sMmQszEj">pic.twitter.com/W1sMmQszEj</a></p>&#x2014; Defence Ireland (@DefenceIreland) <a href="https://twitter.com/DefenceIreland/status/1223147747009843200?ref_src=twsrc%5Etfw">January 31, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">What&#x2019;s worse is that the <a href="https://twitter.com/eir?ref_src=twsrc%5Etfw">@eir</a> CEO <a href="https://twitter.com/carolan_lennon?ref_src=twsrc%5Etfw">@carolan_lennon</a> is going around citing that they have the Garda mobile contract when asked about Huawei security concerns by <a href="https://twitter.com/adrianweckler?ref_src=twsrc%5Etfw">@adrianweckler</a> as if it&#x2019;s an endorsement. How long have they got the contract and was it before Huawei concerns arose?</p>&#x2014; Defence Ireland (@DefenceIreland) <a href="https://twitter.com/DefenceIreland/status/1223148807573078021?ref_src=twsrc%5Etfw">January 31, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p>It does not give the government a fig leaf for the stupidity of letting the body charged with protecting the national security of Ireland run over subsidized, cheap Chinese network equipment in the Eir network. The issue is considered so grave that in the UK <a href="https://www.gov.uk/government/news/new-plans-to-safeguard-countrys-telecoms-network-and-pave-way-for-fast-reliable-and-secure-connectivity">Huawei&apos;s placement in the network is extremely restricted</a> and in the United States its equipment is <a href="https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/">effectively banned from networks</a>, both on national security grounds related to what those governments know about Huawei. 
While you can argue about how much risk the UK is taking on board versus the US approach, at least the UK had a discussion on the pros and cons and settled on an approach, for good or ill. We didn&apos;t; we just let it happen, and that has mortgaged our future national security for a cheaper installation of infrastructure today. We didn&apos;t discuss the risks, and we adopted the equipment, no questions asked, into the body charged with protecting our national security. That is a travesty we cannot let continue if we are to take our national security seriously. </p><p>In cliff notes form: the government is aware of the issues that IoT devices could cause to security on a broad scale; it is not willing to pursue <em>an intrusive system of monitoring</em>; there is a general reluctance to publicize cyber attacks, even to the government; and finally, the Government has set up the National Security Analysis Centre (NSAC) to assess technology in the national security area so that it can receive good advice on the strategic threats we face as a nation.</p><!--kg-card-begin: markdown--><h1 id="42hybridthreats">4.2: Hybrid Threats</h1>
<!--kg-card-end: markdown--><p>Hybrid Threats are; </p><blockquote>... multidimensional, combining coercive and subversive measures, using both conventional and unconventional tools and tactics (diplomatic, military, economic, and technological) to destabilise the adversary.</blockquote><p>In simpler terms, they are destabilizing campaigns, with disinformation chief among the tools, and by their nature they are difficult to counter. While they can use various techniques, the most common is the hack and dump method that Russia used extensively during the US Presidential Election of 2016. The EU is much closer to Russia than the US is, and <a href="https://www.nytimes.com/2007/05/29/technology/29estonia.html">countries like Estonia have been dealing with such <em>hybrid war</em> going back as far as 2007</a>.</p><p>While I am by no means an expert on electoral security or hybrid warfare, I do see this as a massive threat. Ireland has, even throughout the Great Recession, had a mostly stable, open, liberal democracy, and that could be a major factor in continuing to attract companies to Ireland in the wake of Brexit and if there is to be a more unified tax policy in Europe. It is good to know that at least we have a working group thinking about these issues and that we are contributing to European efforts to fight disinformation and hybrid warfare. I hope we are doing more than thinking and issuing a report with some thoughts in it, and that if there are recommendations, they are followed, as this is crucial to the future of our small nation.</p><p>Though someone on twitter who does know a great deal more about this is far from impressed;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">The nod towards hybrid threats is frankly either pretty lazy or pretty incompetent. 
Nothing in here suggests the <a href="https://twitter.com/hashtag/Irish?src=hash&amp;ref_src=twsrc%5Etfw">#Irish</a> state is prepared to put in place the structures necessary to build intelligence on, analyse and counter false narratives and disinformation etc. <a href="https://t.co/E07iVQDvxg">pic.twitter.com/E07iVQDvxg</a></p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210591825037320193?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><!--kg-card-begin: markdown--><h1 id="43criticalnationalinfrastructureandpublicsectorsystemsanddata">4.3: Critical National Infrastructure and Public Sector Systems and Data</h1>
<!--kg-card-end: markdown--><p>The Government&apos;s strategy until now has been one of risk reduction in the areas of</p><blockquote><em>energy, transport, banking, financial market, health, drinking water supply and distribution and digital infrastructure</em></blockquote><p>which are defined in <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1505297631636&amp;uri=COM:2017:476:FIN">Annex II of the EU&apos;s Directive on security of network and information systems (NIS Directive)</a>, and also the online services listed below, which are defined in Annex III of the same document</p><blockquote>online marketplace, online search engine and cloud computing service</blockquote><p>While the Irish Government&apos;s document does not make clear what it means by reduction of risk (it isn&apos;t an information security term of art), the NIS Directive makes clear that it means the common risk mitigation strategy. There is also awareness that, while the NIS Directive covers certain sectors of importance, mitigating risk does not eliminate it, nor does it account for unknown unknowns. And it appears that an inventory of infrastructure has been done, so the Government is aware that the NIS Directive does not cover all the infrastructure deemed critical, and that some critical infrastructure depends on other critical infrastructure, such as the energy sector powering most of the other NIS sectors. </p><p>It&apos;s disappointing that the only real paragraph on securing public sector systems says that some departments and agencies are ISO 27001 compliant while others aren&apos;t, with no mention of doing anything about the others. 
There are governance issues around classified information, whether Irish, shared with Ireland or stored in Ireland for whatever reason, and plans are underway to deal with them.</p><p>And finally;</p><blockquote>The nature of these networks and technology is relevant also; being software defined and virtualised means that new types of security measures will likely be required in this sector to ensure the security of both the 5G network and of the services dependent on it.</blockquote><p>At least the government appears aware that traditional threat models and defensive mechanisms will not carry over unchanged to software-defined, virtualised 5G networks.</p><!--kg-card-begin: markdown--><h1 id="appendix1actions">Appendix 1: Actions</h1>
<!--kg-card-end: markdown--><p>This has been an extraordinarily long post by my standards, so I&apos;m not going to go point by point through all the proposed actions, only the ones I think are worth mentioning; you can read the rest in the document if you so desire. I will mostly not discuss the timeframes, as I know they have slipped already given the release date of the document.</p><blockquote><strong>Measure 1: The National Cyber Security Centre will be further developed, particularly with regard to expand its ability to monitor and respond to cyber security incidents and developing threats in the State.</strong></blockquote><p>Great idea, and I really hope it gets up and running sooner rather than later. Monitoring attacks in the State and gaining visibility into the threats the State faces, as well as being able to fuse our data with that of international partners, is key to protecting even the most basic services provided by the government and is essential to staying abreast of emerging threats internationally. I do worry, though, what 24/7/365 staffing of such an organization would look like and how it is intended to be staffed.</p><blockquote><strong>Measure 2: Threat intelligence and analysis prepared by the National Cyber Security Centre will be integrated into the work of the National Security Analysis Centre.</strong></blockquote><p>This is a common sense measure, but an important one, and one that should have been done when both bodies were set up. If we have a body analysing threats to national security, you need to feed it adequate intelligence so that it can accomplish its mission. 
This also probably benefits from Measure 6, which will further develop threat intelligence efforts at the NCSC.</p><blockquote><strong>Measure 4: The NCSC, with the assistance of the Defence Forces and An Garda S&#xED;och&#xE1;na, will perform an updated detailed risk assessment of the current vulnerability of all Critical National Infrastructure and services to cyber attack.</strong></blockquote><p>This is basically a plan to deepen the vulnerability assessment of critical infrastructure, which is well warranted: in a post-Triton world the threat landscape has expanded to include safety and control systems that were previously assumed not to be targets.</p><blockquote><strong>Measure 5: The existing Critical National Infrastructure protection system will be expanded and deepened over the life of the Strategy to cover a broader range of Critical National Infrastructure, including aspects of the electoral system.</strong></blockquote><p>Measure 3 is not worth mentioning, as it&apos;s basically just complying with an EU Directive, but it feeds into this measure, which is to say that while the NIS Directive misses some infrastructure we deem critical, we should assess the risks to all of our critical infrastructure.</p><blockquote><strong>Measure 7: Government will introduce a further set of compliance standards to support the cyber security of telecommunications infrastructure in the State.</strong></blockquote><p>Well, that&apos;s vague... 
It&apos;s based on <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L1972">Directive 2018/1972</a> from the EU, and the key thing that needs to be done at a high level is the following, from paragraph (94);</p><blockquote>Security measures should take into account, as a minimum, all the relevant aspects of the following elements: as regards security of networks and facilities: physical and environmental security, security of supply, access control to networks and integrity of networks; as regards handling of security incidents: handling procedures, security incident detection capability, security incident reporting and communication; as regards business continuity management: service continuity strategy and contingency plans, disaster recovery capabilities; as regards monitoring, auditing and testing: monitoring and logging policies, exercise contingency plans, network and service testing, security assessments and compliance monitoring; and compliance with international standards.</blockquote><p>That may come from EU law, but my god, there&apos;s more strategy on what the major issues are in that one paragraph than in nearly the entire document released by the Irish Government, and that directive covers more of the wide spectrum of threats we face.</p><p>And it&apos;s a little late if you&apos;re worried about Huawei 5G equipment. It&apos;s a shame that the Irish Government is adopting regulations designed to deal with <em>security of supply, access control to networks and integrity of networks</em> and <em>security incident detection capability, security incident reporting and communication</em> AFTER such equipment has been adopted, and while it is unknown whether that equipment has a secure supply chain, can maintain network integrity or has adequate logging, because the UK, even though it has allowed Huawei to operate at a restricted capacity in its 5G network, <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/727415/20180717_HCSEC_Oversight_Board_Report_2018_-_FINAL.pdf">is by no means impressed with Huawei gear</a>.</p><blockquote><strong>Measure 8: The NCSC will develop a baseline security standard to be applied by all Government Departments and key agencies.</strong></blockquote><p>Is this a case of <a href="https://xkcd.com/927/">XKCD 927</a>, or is this adopting ISO 27001 across the board? Measure 10 also covers this, where the heads of IT in each department will work with the NCSC to deploy this security baseline, whatever it turns out to be.</p><blockquote><strong>Measure 9: The existing &#x2018;Sensor&#x2019; Programme will be expanded to all Government Departments, and an assessment will be conducted by the same date as to the feasibility of expanding Sensor to cover all of Government networks.</strong></blockquote><p>This genuinely scares me. When I was doing CCNA Cybersecurity Operations, sensors were defined in section 5.2.1.8 as;</p><!--kg-card-begin: markdown--><blockquote>
<p>IDS and IPS technologies share several characteristics, as shown in the figure. IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:</p>
<ul>
<li>A router configured with Cisco IOS IPS software</li>
<li>A device specifically designed to provide dedicated IDS or IPS services</li>
<li>A network module installed in an adaptive security appliance (ASA), switch, or router</li>
</ul>
</blockquote>
<!--kg-card-end: markdown--><p>I have also seen the term sensor used for honeypots or canary tokens, but I really hope it&apos;s not the traditional definition I know, because the thought that in 2020 we have government networks with no IDS or IPS whatsoever is a scary one... Does that extend as far as firewalls?! I can&apos;t imagine that&apos;s the case, but I would consider the deployment of both mandatory in this day and age.</p><blockquote><strong>Measure 11: The NCSC will be tasked by Government to issue Recommendations with regard to the use of specific software and hardware on Government IT and telecommunications infrastructure.</strong></blockquote><p>100% on board with this! But as I said before, maybe we should have thought about this just a little earlier when it came to telecommunications. This might also be a great opportunity to look into FOSS and what it could offer, as well as what other vendors have to offer.</p><blockquote><strong>Measure 12: Government will continue to ensure that second and third level training in computer science and cyber security is developed and deployed, including by supporting the work of Skillnets Ireland in developing training programmes for all educational levels and supporting SOLAS initiatives for ICT apprenticeship programmes in cyber security.</strong></blockquote><p>There&apos;s not much more to say here. Integrating cyber across second level and above, in as broad a spectrum as possible, is a commendable initiative! 
I just wish we had more in the way of detail.</p><blockquote><strong>Measure 13: Science Foundation Ireland (SFI) will promote cyber security as a career option in schools and colleges by means of their Smart Futures Programme.</strong></blockquote><p>The fact that we aren&apos;t already speaks volumes.</p><blockquote><strong>Measure 14: Science Foundation Ireland along with DBEI and DCCAE, will explore the feasibility through the SFI Research Centre Programme, the Research Centre Spoke programme or other enterprise partnership programmes to fund a significant initiative in Cyber Security Research.</strong></blockquote><p>This shouldn&apos;t be to <em>explore the feasibility</em> of a Cyber Security Research Centre. This should simply be to set up a Cyber Security Research Centre. End of. It shouldn&apos;t be a question: if we want to promote cyber as a public sector, private sector or academic career path, you can&apos;t think about it in terms of maybe. It has to be in terms of doing. Combining this with Measure 15 and Measure 16 could be beneficial, as links between the public and private sectors and academia to design and build the technology, and to research what is needed going forward, are an important step.</p><blockquote><strong>Measure 17: We will reinforce Ireland&#x2019;s diplomatic commitment to cyber security, including by stationing cyber attach&#xE9;s in key diplomatic missions and by engaging in sustainable capacity building in third countries.</strong></blockquote><p>I genuinely think this is fantastic! Hire people to work in a diplomatic capacity to share our skills with the rest of the world! I would drop my life to work on something like this, I believe in it so much. It&apos;s the cyber equivalent of peacekeeping and it&apos;s a genuinely commendable initiative. 
I just hope we have enough people to fill all the posts we will need, both in Ireland and working on diplomacy globally.</p><blockquote><strong>Measure 18: We will create an interdepartmental group (IDG) on internet governance and international cyber policy to coordinate national positions across Departments.</strong></blockquote><p>Can we lead a global arms control initiative for cyber like we did for <a href="https://www.ireland.ie/global-diaspora/stories/ireland-and-nuclear-disarmament.php">nuclear weapons</a>? There&apos;s already the start of a framework for this in Microsoft&apos;s <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QH">Digital Geneva Convention</a>, and I will totally go and get a <a href="https://www.nonproliferation.org/education/">Master of Arts in Nonproliferation and Terrorism Studies</a>! I&apos;ve kinda already been accepted into the course I want to do;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet"><p lang="und" dir="ltr">YES!</p>&#x2014; Jeffrey Lewis (@ArmsControlWonk) <a href="https://twitter.com/ArmsControlWonk/status/1217621640135077888?ref_src=twsrc%5Etfw">January 16, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><blockquote><strong>Measure 19: We will deepen our existing engagement in international organisations, including by joining the Cyber Security Centre of Excellence (CCD-COE) in Tallinn, Estonia.</strong></blockquote><p>I think Rory says all that needs to be said here, and I hope we do get a volunteer corps of some kind, though I do think this is a welcome development and something we should do more of. Working alone on the same issues as everyone else</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">Joining CCD-COE is a welcome development. Sending one person is hardly that revolutionary. 
An opportunity for the state to doing something really farsighted and leap ahead by embracing the Estonian Cyber Volunteer concept was missed. <a href="https://t.co/KPjp5M9g6h">https://t.co/KPjp5M9g6h</a> <a href="https://t.co/POhWzgGSHn">pic.twitter.com/POhWzgGSHn</a></p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210594399262007296?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><!--kg-card-begin: markdown--><h1 id="whatsmissing">What&apos;s Missing?</h1>
<!--kg-card-end: markdown--><p>You could say a lot is missing, but really... the only thing missing is the human factor. There are ideas and technologies that could be implemented, but to run the JSOC you need people sitting in chairs analysing events as they arise, and you need them there all of the time. There needs to be a rapid scale-up in the number of people working on cyber security and national security issues across the different bodies in the State, and the only way you&apos;re going to get that is by getting the people to work the problem.</p><p>And I&apos;m not alone. I&apos;ve already used <a href="https://twitter.com/roryireland/status/1210591796084068353">Rory Byrne&apos;s thread on twitter</a> in this post, and the whole thread is worth reading rather than just the select few tweets I have shown, but I do want to show some more from him, as well as from others, on what else is missing;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">There is no mention of recreating the very successful model of the UK NCSC Cyber Security Information Sharing Partnership (CiSP). 
So a key way to broaden and engage stakeholders from the wider business, NGO etc community on day to day threat sharing is lost.</p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210591827230908416?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">There is no mention of reconfiguring and enhancing state structures such as the Garda and Defence Forces to be able to increase their large gaps in recruitment, training and retention of staff.</p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210591828522754051?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">Regarding education and building the cyber experts of the future. The strategy is lazy and fails to even bother looking at some of the oustanding initiatives across the water. We are patting ourselves on the back for some pretty mediocre resources compared to UK Cyberfirst etc. <a href="https://t.co/dkxJISeQo6">pic.twitter.com/dkxJISeQo6</a></p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210593197220646912?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><!--kg-card-begin: markdown--><h1 id="wrappingthisup">Wrapping This Up</h1>
<!--kg-card-end: markdown--><p>What I find really frustrating about this strategy is that it appears that, behind the scenes, a lot of work has been done by the right people to identify the problems and lay them out in a coherent fashion, including an annex of actions. You could almost say I had a glowing review of most elements, with all but a few items, like the Guards&apos; contract with Eir, where I was at least constructive in my criticism.</p><p>But the wheels come off the strategy bus when you look at the ambition the plan shows in the annex of actions. Some of the actions come down to just following the law, basically defeatedly saying that we have to because we don&apos;t have a choice. Others recognize that X is an issue and say it will be solved with public information campaigns or with more third-level graduates, but do not account for the lag time between now and those graduates coming online, or how that gap is to be plugged, or the recognition that educating the general public on general cyber security matters is a difficult challenge that even experienced professionals fail at a large majority of the time.</p><p>And on the education front, maybe we need to look at what other nations are doing, like the <a href="https://www.acq.osd.mil/cmmc/docs/cmmc-overview-brief-30aug19.pdf">Cybersecurity Maturity Model Certification (CMMC) in the US</a>. It&apos;s a way to begin building a cyber capability within an organization by bootstrapping and adding capabilities over time, and it requires formal certification to make sure you meet the requirements of each level. 
This kind of approach will gradually raise the bar for security across the whole US defence contractor sector over time.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.cyberwarfa.re/content/images/2020/02/slide_sample-1.PNG" class="kg-image" alt="" loading="lazy"><figcaption>The levels of security in the Cybersecurity Maturity Model Certification</figcaption></figure><p>There&apos;s no mention of how we could even consider the cost of this, or where the money should be raised for it. Or whether it&apos;s worth using something like the <a href="https://isif.ie/" rel="noopener">Ireland Strategic Investment Fund</a> to fund some of the grand-scale, long-term projects listed in it. The strategy doesn&apos;t acknowledge that this might need a strategic funding source that isn&apos;t the daily budgets of the Department of Defence, the Department of Communications, Climate Action and Environment or the Department of Justice and Equality. </p><p>It is a strategy, but it lacks ambition and arguably a grounding in the realities of how dynamic information security is and how statically we seem to see the problems at a national level. We realize they are there, but we think that they can be solved with little change, when historically the implementation of deep and far-reaching operational security measures has required organizational sea changes. Nor does it say how we plan to integrate cyber into more of what we do, since that&apos;s what we really need to do to effectively tackle this issue head on and to be able to think about these issues in the modern, broad sense, since it is an issue that affects everyone.</p><p>Maybe it&apos;s too short-term to accomplish wider goals? Maybe I expect too much of what&apos;s politically possible in Ireland? Or maybe I see issues like the fact that these missions are spread out across multiple bodies as the problem, but the civil service does not? 
Maybe we should look at utilizing the Department of Defence more fully and make it a full cabinet position again, with its remit being that of National Security, and move bodies like the NCSC, NSAC, the Defence Forces and the national security elements of An Garda S&#xED;och&#xE1;na all in under one roof? I don&apos;t know what all the answers are, but what I do know is that we need to start looking for better answers.</p><!--kg-card-begin: markdown--><hr>
<!--kg-card-end: markdown--><p>And just to show that I&apos;m not some arsehole on the internet throwing stones at glass houses: this is an issue I really worry about and I think we are not doing enough on, nor are we really prepared for at a national level. For the betterment of the nation, I will happily give 5 to 10 years, and maybe even more, to the NCSC, the NSAC, the Defence Forces, An Garda S&#xED;och&#xE1;na, being a CCD-COE representative or working as one of the cyber attach&#xE9;s mentioned in Measure 17, working on these issues in Ireland or with international partners at home or in far-flung postings, and accept whatever pay cut I have to take compared to my fellow graduates when I graduate from college at the end of the current semester, because this is the hill I intend to die on.</p><p>I have said something to that effect every time I have made this commitment to the above agencies, every time I have met them throughout my time in college, and I have always been referred to Public Jobs, where they never seem to hire anyone. 
So I will look forward to <a href="https://www.nssi.ie/">Sl&#xE1;nd&#xE1;il 2020</a>, where I will continue to meet people in these bodies and continue to attempt to join their efforts.</p>]]></content:encoded></item><item><title><![CDATA[I Was On the Arms Control Wonk Podcast Talking About Investigating The PS752 Shootdown With OSINT]]></title><description><![CDATA[<p>As I&apos;ve mentioned in previous posts, I&apos;ve used the Arms Control Wonk Podcast Slack as the basis for starting several of my own investigations into various different things and recently myself and some of the guys on Slack investigated the shootdown of PS752 over Iran by</p>]]></description><link>https://blog.cyberwarfa.re/acwp-ps752/</link><guid isPermaLink="false">60834946a1ddcd53430870c6</guid><category><![CDATA[Updates from the Author]]></category><category><![CDATA[OSINT]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sat, 25 Jan 2020 22:12:44 GMT</pubDate><content:encoded><![CDATA[<p>As I&apos;ve mentioned in previous posts, I&apos;ve used the Arms Control Wonk Podcast Slack as the basis for starting several of my own investigations into various different things, and recently myself and some of the guys on Slack investigated the shootdown of PS752 over Iran by the IRGC.</p><p>While the regular hosts of the pod were aware that we were investigating, they were not aware of the extent of the investigation we had done, and when I opened my big fat mouth on Twitter and documented the scale of what we had done in the thread below, well... 
They asked me to go on and talk about some of the things we got up to in our investigation.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/ACWPodcast?ref_src=twsrc%5Etfw">@ACWPodcast</a> <a href="https://twitter.com/ArmsControlWonk?ref_src=twsrc%5Etfw">@ArmsControlWonk</a> <a href="https://twitter.com/aaronstein1?ref_src=twsrc%5Etfw">@aaronstein1</a> <a href="https://twitter.com/annemp13?ref_src=twsrc%5Etfw">@annemp13</a> <a href="https://twitter.com/wslafoy?ref_src=twsrc%5Etfw">@wslafoy</a> I have one minor issue with the most recent pod. I know you don&apos;t check slack often and I&apos;m not saying you have to, but Slack did a lot of good work on the downing of PS725 and I kinda have to point it out with links</p>&#x2014; Paddy Kerley (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1217613398269186049?ref_src=twsrc%5Etfw">January 16, 2020</a></blockquote>
</figure><p>If you&apos;re interested in hearing me talk about the investigation and the other things we get up to on Slack, you can grab the pod in the tweet below and have a listen.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">New Arms Control Wonk podcast! <a href="https://twitter.com/LegendaryPatMan?ref_src=twsrc%5Etfw">@LegendaryPatMan</a> joins <a href="https://twitter.com/ArmsControlWonk?ref_src=twsrc%5Etfw">@ArmsControlWonk</a> to talk about collaborative open-source intelligence and the ACWPodcast community&apos;s rapid OSINT response to the downing of PS752<a href="https://t.co/PZOrvNxxbo">https://t.co/PZOrvNxxbo</a> <a href="https://t.co/fBST65IZlJ">pic.twitter.com/fBST65IZlJ</a></p>&#x2014; ArmsControlWonkPod (@ACWPodcast) <a href="https://twitter.com/ACWPodcast/status/1220031042305904645?ref_src=twsrc%5Etfw">January 22, 2020</a></blockquote>
</figure>]]></content:encoded></item></channel></rss>