Geopolitical Cyber Risk: Cyber Operations in Modern Warfare
Introduction
In today’s world, it is widely recognized that cyber operations has become a key component in the conduct of modern warfare. However, due to our limited understanding of armed conflict and geopolitics, we often find it difficult to interpret these events in terms of their implications for our threat landscapes.
This blog post aims to offer a comprehensive analysis of cyber operations strategies, focusing on the typical targets and tactics employed by states during conflicts, drawing from historical observations. By studying these elements, we are going to have valuable insights for more accurate threat modelling, risk assessment, and forecasting in the realm of international cyber conflict.
Likely Targets During a Conflict
Before we begin, I strongly encourage everyone to view Lincoln Kaffenberger’s talk at the SANS CTI Summit. This presentation, which also served as an inspiration for this post, lays out a solid framework for analysing geopolitical cyber risks and offers some practical insights: Lincoln Kaffenberger’s Talk.
A notable point from the talk, which I’d like to highlight, pertains to the sectors frequently targeted in times of conflict. Below, I’ll list these common targets of cyber attacks during wartime. Following that, I will try to provide more context on military decision-making that result in this kind of targeting and discuss how this information can be integrated into our threat models.
Now let’s delve into it.
Wartime Activities Overview
Ideally, the actions undertaken during or before a military operation should support at least one of these three purposes: 1. Achieving a tactical objective, 2. Gaining and sustaining a strategic advantage, and 3. Weakening the opponent’s war fighting capacity. Let’s explore a few examples:
Supporting a Tactical Objective: These activities aim to disrupt various aspects of the opposing force, enabling free movement of friendly forces during an operation. They are primarily tactical and are therefore carried out in coordination with the military operation aimed at achieving the specific objective. Such activities may include kinetic attacks targeting logistics, command and control systems, ammunition, and other supplies.
There is an increasing trend in militaries utilising cyber attacks for similar purposes. Particularly, disruptive cyber attacks against information systems have proven to be highly effective. Some very recent examples are:
- U.S. conducting cyberattack on suspected Iranian spy ship to inhibit the ship’s ability to share intelligence with Houthi militants in Yemen. [*]
- DDoS attacks at websites that provide critical information and alerts to civilians on rocket attacks twelve minutes after the Hamas attack on Israel. [*]
In both of these cases, the attacks were coordinated with a kinetic military operation, and intended to disrupt some aspects of the opposing force.
Gaining and Sustaining Strategic Advantage: The purpose of these actions is to indirectly affect the warfighting capabilities of the adversary, often by weakening their Centers of Gravity (COG). COGs are essentially the key strengths that enable a nation to maintain its war efforts. It’s common for nations to focus on undermining their enemy’s COGs during a conflict.
Potential COGs include:
- Advanced intelligence and situational awareness
- Superior mobility of military forces
- The quantity and/or quality of arms and personnel
- Funding for the war effort
- Domestic public support for the war
- Alliances and backing from the international community
The last three factors mentioned: funding, domestic, and international support for the war, play a significant role in influencing the war’s outcome. Therefore, parties engaged in a conflict actively seek to disrupt the financing, exert pressure on the economy, fracture alliances, hinder international support, and sway the public opinion of the opposing state through all available means.
It has been noted that cyber operations also play a significant role in this context. One common wartime activity is information operations (IO) targeting the citizens of the opposing nation and its allies. This heightened level of IO activity requires an increased effort in intelligence collection for use in disinformation campaigns. As a result, a rise in cyber espionage activities is often seen prior to or at the onset of a conflict. In some cases, these are accompanied by disruptive cyber attacks aimed at exerting pressure on media outlets or prominent individuals who publicly support the rival state. All these efforts can be viewed as strategies to achieve and maintain information dominance.
Disruptive cyber attacks targeting the key economic sectors of a rival state are often employed to exert economic strain. Additionally, these types of attacks can be used to apply diplomatic pressure on allies and neutral states, as outlined in my previous post: Geopolitical Cyber Risk: War and Coercive Diplomacy. One thing to note that a COG typically deteriorates over an extended period. Therefore, efforts targeting these are also likely to be sustained over the long term.
I highly recommend checking out the following post from SecAlliance, which, in my view, excellently demonstrates the application of COG analysis in assessing potential cyber threats: Factors Influencing the Likelihood of a Systemically Significant Cyber Attack on Western European Financial Services.
Weakening The Opponent’s War Fighting Capacity: The purpose of these actions is to undermine the material capabilities of the opposing state’s warfare. Cyber attacks aimed at disrupting key sectors such as manufacturing and energy can be seen in this light, depending on the targeted entity. For example, the aerospace, chemicals, automobiles, and parts organizations have all seen a significant rise in attacks. [*] These attacks often exploit the low tolerance for outages in the manufacturing sector, where IT service disruptions can halt production and lead to significant revenue losses. Another notable example of such activities includes the Stuxnet, Duqu, and Flame malware families. While these attacks were not conducted during wartime, their objective was to significantly hinder the nuclear capabilities of Iran and potentially the DPRK, targeting their nuclear warhead production infrastructure.
Hierarchy of Targets and Possible Course of Actions
As cyber defenders, our task is to realistically map out and prepare for various potential cyber threat scenarios that could arise in a conflict situation. This section is dedicated to outlining those scenarios, each defined by the nature of the potential target — opponent state, supportive states, or neutral states that might be drawn into the conflict. This process involves identifying the goals of potential adversaries (objectives), the conditions or events that could initiate their hostile actions (triggers), and the specific types of cyber operations they might employ at certain targets (actions).
Here’s a breakdown of how this mapping works:
Note: A more organised version of this strategic outline is available in this spreadsheet.
Opponent state
For an opponent state, we can expect actions like persistent cyber intrusions targeting the government, military, and intelligence agencies for critical intelligence, as well as disruptive attacks aimed at key industries and communication channels. These are maneuvers aimed at gaining a strategic advantage and crippling the warfighting abilities of the opponent.
Triggers: Armed conflict
- Objective: Gaining and sustaining strategic advantage
1.1 — Persistent cyber intrusions targeting gov/mil/intel agencies and their contractors, the defense industry, and think tanks for political, military and technological intelligence
1.2 — Persistent disruptive attacks targeting key economic sectors to exert economic strain (e.g: energy, banking and finance, tourism, manufacturing, large private companies)
1.3 — Persistent disruptive attacks targeting media outlets and communication systems to interrupt the flow of information - Objective: Weakening of war fighting capacity
2.1 — Persistent disruptive attacks targeting key industries to undermine the material production capability (e.g: chemicals, raw material, aerospace, energy, manufacturing and defense) - Objective: Supporting a tactical objective
3.1 — Coordinated disruptive attacks targeting communication and information networks in support of an ongoing military operation
States offering political, economic, or military support to the opponent
When considering states that provide support to the opponents of one party, we prepare for scenarios where these entities could face similar cyber intrusions and disruptive attacks. These are likely motivated by a desire to exert economic strain or to discourage their alignment with the opponent of that party.
Triggers: Providing political, economic, or military support to the opponent. Public statements or other signs of support to the opponent. Advocating or supporting hostile policies in favor of the opponent. (e.g: sanctions, embargo)
- Objective: Gaining and sustaining strategic advantage
1.1 — Persistent cyber intrusions targeting gov/mil/intel agencies, the defense industry, and think tanks for political, military and technological intelligence
1.2 — Persistent disruptive attacks targeting primary industries to exert economic strain (e.g: energy, banking and finance, tourism, manufacturing, large private companies)
1.3 — Persistent disruptive attacks targeting media outlets and communication systems to interrupt the flow of information - Objective: Discourage alignment with the opposing state
2.1 — Disruptive attacks targeting key economic sectors or critical infrastructure in retaliation against any perceived political, economic or military support for the opponent state - Objective: Counteract the propaganda efforts of the opponent
3.1 — Disruptive attacks targeting media outlets, large private companies, and prominent individuals that publicly support the opponent state to discourage public support
Neutral states
Neutral states, often overlooked, can also be significant in the cyber conflict landscape. They could be subjected to cyber operations if they show any inclination towards supporting the opponent of either party. In these cases, the objective often shifts to gaining a strategic advantage or countering propaganda efforts.
Triggers: Providing political, economic, or military support to the opponent. Public statements or other signs of support to the opponent. Advocating or supporting hostile policies in favor of the opponent. (e.g: sanctions, embargo)
- Objective: Gaining and sustaining strategic advantage
1.1 — Cyber intrusions targeting gov/mil/intel agencies, the defense industry, and think tanks for political, military and technological intelligence - Objective: Discourage alignment with the opposing state
2.1 — Disruptive attacks targeting key economic sectors or critical infrastructure in retaliation against any perceived political, economic or military support for the opponent state - Objective: Counteract the propaganda efforts of the opponent
3.1 — Disruptive attacks targeting media outlets, large private companies, and prominent individuals that publicly support the opponent state to discourage public support
Example: Russia-Ukraine Conflict
In the specific context of the Russia-Ukraine conflict, with Russia as the acting party, the following detailed cyber operations strategy can be outlined:
Opponent State (Ukraine)
- Objective: Gaining and Sustaining Strategic Advantage
1.1 — Cyber intrusions into Ukrainian government, military, and intelligence networks, especially targeting communication channels and data repositories, to gather intelligence that could offer strategic advantages.
1.2 — Disruptive cyber attacks on Ukraine’s key economic sectors like energy, financial services, and manufacturing, aiming to weaken the national economy and disrupt daily life.
1.3 — Systematic attacks on Ukrainian media outlets and internet service providers to control the narrative and disrupt the flow of accurate information within Ukraine. - Objective: Weakening of War Fighting Capacity
2.1 — Targeting of Ukrainian defense manufacturing, including plants producing arms and ammunition, through cyber sabotage to hinder Ukraine’s military supply chain. - Objective: Supporting a Tactical Objective
3.1 — Coordinated cyber attacks on Ukrainian military communication networks during key ground offensives to impair coordination and response capabilities.
States Offering Support to Ukraine (e.g., NATO Member Countries, European Union)
- Objective: Gaining and Sustaining Strategic Advantage
1.1 — Cyber espionage against governments and defense contractors in NATO and EU countries providing military aid to Ukraine, aiming to uncover future military plans and logistics.
1.2 — Persistent cyber attacks on the energy and banking sectors of these supporting nations, particularly those that have imposed sanctions on Russia, to create economic repercussions.
1.3 — Ongoing cyber operations against media and communication channels in these countries, aiming to disrupt pro-Ukraine propaganda and influence public opinion. - Objective: Discouraging Alignment with Ukraine
2.1 — Retaliatory cyber attacks targeting critical infrastructure in countries that have provided significant military support to Ukraine. - Objective: Counteracting Propaganda Efforts of Ukraine
3.1 — Cyber operations aimed at media outlets and prominent social figures in supporting states, particularly those vocally opposing Russian actions, to undermine public and international support for Ukraine.
Neutral States (e.g., Countries Not Actively Involved in the Conflict)
- Objective: Gaining and Sustaining Strategic Advantage
1.1 — Cyber intrusions into political and military intelligence networks of neutral states, especially those considering humanitarian or diplomatic support for Ukraine. - Objective: Discouraging Alignment with Ukraine
2.1 — Disruptive cyber attacks on neutral states’ key economic sectors as a warning against siding with Ukraine or imposing sanctions on Russia. - Objective: Counteracting Propaganda Efforts of Ukraine
3.1 — Cyber campaigns targeting media and influential figures in neutral states to prevent the spread of pro-Ukraine sentiment and maintain a neutral or pro-Russia stance in the conflict.
This strategic outline should be further refined with insights derived from the observation of the acting party’s behaviours in past conflicts. The capability to conduct cyber operations does not guarantee their use in every scenario. States may choose to refrain from targeting critical infrastructure or key economic sectors due to potential political backlash or other considerations. Therefore, developing behavioural models based on historical patterns and tendencies of the involved parties is crucial. They can help in anticipating the moves of the adversary more accurately and in preparing more targeted and effective defensive strategies.
Conclusion
To conclude, the study of cyber operations during times of armed conflict presents a detailed understanding of the strategic objectives and methodologies employed by nations in the digital domain. This analysis is instrumental in enhancing threat modelling, risk analysis, and forecasting in the context of geopolitics. By identifying the hierarchy of targets and the diverse tactics used, from disrupting an adversary’s economic stability to manipulating public perception, we gain critical insights into the evolving nature of digital warfare. This post underscores the importance of envisioning potential future scenarios, especially during periods of tension and conflict. By doing so, we can assess their potential impact on our security, allowing for better preparedness and response. And the most critical lesson here is the need to integrate foresight into our cybersecurity practices.
I hope you liked this post. See you in the next one!
