Irregular Warfare Podcast - Digital Irregular Warfare: Cyber at the Tactical Level
Episode Date: May 20, 2022
This episode explores how cyber tools and weapons are used at the tactical level within irregular warfare. Our guests, Dr. Trey Herr and Major Sally White, highlight some of the limitations of executing tactical cyber operations. They also provide insights into how information operations and cyber tools can be integrated together in the irregular warfare space for better utility and to influence target populations through both physical and digital effects. They conclude by noting that tactical cyber capabilities are still at the developmental stage and face constraints with authorities and legalities, and offer their takes on how to best utilize the domain for tactical irregular warfare operations.
Transcript
One of the things you see time and time again is buying software is treated as one of two things,
either an unimportant side item to the core lethality, the core capability,
or very similar to buying the lethality itself, right?
We still try to buy software like it's a tank, and it's not, and it's a problem.
You're still going to have to think about the second and third order effects that could come from the use of certain capabilities.
When it comes to authorities, that is the sticky point.
And frankly, that's been one of the most challenging aspects of dropping cyberspace down to the tactical level.
Welcome to Episode 53 of the Irregular Warfare Podcast.
I'm your host, Abigail Gage, joined by Laura Jones.
In today's episode, we consider how cyber tools and weapons are used at the tactical level within irregular warfare.
Our guests begin by describing how cyber is utilized at the tactical level and highlight the limitations of executing tactical cyber operations. They go on to offer insights in how information operations and cyber tools can be integrated together
in the irregular warfare space for better utility
and to influence a target population
through both physical and digital effects.
They conclude by noting that tactical cyber capabilities
are still at the developmental stage
and offer their take on how to best utilize the domain
for tactical irregular warfare operations.
Major Sally White is a cyberspace operations officer in the United States Army with operational experience at both joint and Army cyber organizations. She holds a master's and a PhD in political science from Harvard University, where her research explored the impacts organizational subcultures can have on the development of cyber doctrine in the Army, Navy, and Air Force. Dr. Trey Herr is the director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the [...] Kennedy School, and a non-resident fellow with the Hoover Institution at Stanford University.
You are listening to the Irregular Warfare Podcast, a joint production of the Princeton Empirical Studies of Conflict Project and the Modern War Institute at West Point,
dedicated to bridging the gap between scholars and practitioners in support of the community
of irregular warfare professionals. Here's our conversation with Sally White and Trey Herr.
Trey Herr, Sally White, welcome to the Irregular Warfare podcast.
We're so excited to have you joining us today and appreciate you taking the time for a conversation on cyber.
Thanks for having us.
Thanks so much. Happy to be here.
Today, we're talking generally about tactical cyber and irregular warfare.
But let's start by jumping in with a broader question. Cyber is both a domain and a tool, a place to fight and a way to fight.
How does this duality influence the importance of cyber today in the irregular warfare environment?
So I think the duality or the dual nature of cyberspace as both a place to fight and a way we fight or a method that we have to
create effects on our adversaries. Frankly, I think it complicates our ability to understand
what cyberspace is and what it's for. And from a military perspective, it complicates our ability
to understand how and in what capacity it can influence operations. So, for example, we think
on certain timescales and certain timetables,
and we have expectations about forces available and capabilities that are available and weapon
systems that are available. And we have a way of thinking that's very predicated upon things that
are available at a certain time. And in cyberspace, because it's both a place like, you know,
fighting on land or in the air and at sea, but it's also a way of doing things that
doesn't necessarily have set capabilities that you can just pull off the shelf and throw at a
problem at any given time. It can be difficult to integrate when you're talking about like the
timing of operations and sequencing of operations, because oftentimes if you want to create an effect,
that's going to be predicated upon identifying an opportunity to create that effect, which is
going to be based on access into certain pieces of equipment or devices, which may or may not be something that's available at a
given time.
The time, I think, is really interesting. I agree with Sally. I think part of the challenge
with this has been the way we conceptualize. And a lot of what's fun about cyber is we're still
fighting over words. We're still fighting over terminology, right, from the academic standpoint.
We're not sure we agree on what is. But I think that the way that you frame the question is significant for two reasons. One is cyber is
effectively a layer. And in this, it's not that novel, right? RF is a layer. We've had RF energy
as something that we had to consider in the battle space for a long time, going back decades. So I
think in that, cyber is pretty intelligible. We've got a really large corpus of private sector and
academic understanding of how digital systems behave, what they do, how they're built. The challenging piece, I think, is the second part of your question, which is where we're generating effects with cyber capabilities, which in, I think, a lot of cases, what we're now, to some extent, what we're now talking about is those effects leaving that domain, right, peeking their head out and starting to affect physical systems and the disposition of forces on the battlefield, the outcomes in otherwise kinetic engagements. From that standpoint, I think Sally's
right. We're used to pulling something off the rack, loading it, firing it. That does not exist
in this space in the way that we've wanted it to. And so I think the fact that it's a layer
probably has started to come back and influence the way we think about it as a tool to generate
capabilities more in the last five to 10 years than it did at the first 10.
Taking this kind of 30-year timeframe back to 92 and some of the early stuff that was being done by Arquilla and Ronfeldt,
that was really conceptualizing this as a highly strategic space, a layer that we had to defend or disrupt or counter with respect to the adversary.
Now, I think the way you see cyber being discussed and utilized as a capability,
it's much more about tugging that layer as it's impacting these other spaces around it. And that force generation question that Sally mentioned is a really key
driving force behind at least what I've seen in the way that we think about and use cyber
capabilities. And so this discussion, I think, is really timely in part because the ongoing war
in Ukraine is challenging some of our pre-existing conceptions about how those forces were going to
be generated alongside kinetic effects, moving through that layer to actually affect the battlefield. So it's timely.
So one of the challenges that we're confronted with from a military standpoint, based on what
Trey was talking about, and this idea of how framing cyberspace in a military construct
shapes our expectations of what it can do for us, is as we're trying to educate the force on,
hey, you need to think about this as a domain of warfare and incorporate it into your planning. We are simultaneously not offering them capabilities
that are presented within a framework that they can understand and sometimes can even access.
And so it's like, hey, you have to think about this. It's a part of the environment, but it's
also like you can't have this and I can't exactly tell you how it's going to be incorporated into
your planning or how you can achieve effects in support of your desired outcomes?
Well, I think that's a good segue into this next question,
because we talked a lot about how you conceptualize the space or how you conceptualize
it, merging it with operations. But what are the tools available to practitioners to actually do
that? And how do you separate strategic level cyber effects from those more tactical level
cyber effects?
I always struggle with what's the right way to describe what we mean when we say something like
cyber tools or cyber weapons, cyber capabilities. I mean, ultimately, what you're talking about is
using cyberspace digitally and EMS interconnected devices to create effects in the physical world
and on those devices. And so that can be a very fluid
process, as I mentioned earlier. So sometimes you might have something that you can pull off the
shelf and launch into the ether and it creates the desired effect at the appointed time. But
other times it's going to be this process of trying to figure things out on the fly.
But when it comes to talking about cyber tools, capabilities, whatever we want to call them,
at the various echelons, you're going to run into a couple different themes. So number one,
it's always going to be a resource and a prioritization issue. So essentially,
when you're talking about capabilities at the tactical edge, oftentimes, when you have sort
of prefabricated capabilities that we're trying to field to the active force right now, on the one
hand, you know, we're fielding things that are not super complicated, that can be delegated down from an authorities and a capability standpoint to the tactical level.
But on the other hand, oftentimes when you talk capabilities of the tactical edge, what you're really talking about are requests up to a higher echelon to get resources and attention to solve your particular problem.
And depending on who you are and where you are and what organization you're a part of, that's going to dictate what level of resources you're going to get dedicated to solving that
problem.
But I think there's a reason for that, right? And there's two. One is that they're so
important for this discussion, I think for a lot of these, to disambiguate between the effects and
the means of delivering those effects. And so on the battlefield, most of your way into an opponent's
system is going to be through the propagation of radio waves. It's going to be through EW.
And so to get to the adversary to deliver that effect, you need to find some way in.
The second piece of that, though, which I think is significant is, one, the tools are basically software.
We're talking about programs that are built and combined to create effects in a different logical system, in a computer system.
But where they're built and what kinds of effects they're designed to create vary significantly. And for some of these tools, they are incredibly specific, bespoke,
highly, very expensive, defense industry developed, contractor developed capabilities.
In some cases, they're off-the-shelf commercial tools you could go and download online right now.
And the combination of these in the most advanced and compressed environments, right? It's not that
the most challenging target needs only these highly sophisticated, specifically built systems,
or only low-end targets need these kind of off-the-shelf capabilities. They are mixed
and matched constantly by us and by adversaries. So the tools are basically software.
Where the interesting piece comes in, I think where the magic comes in for our discussion is,
effects on the battlefield aren't the only tactically significant effects we can have.
And what we're seeing out of Ukraine, more at the operational level, but there's a great report from Microsoft's
state threat intelligence team, MSTIC, that came out in late April. And they describe the sequencing
of effects operations through destructive malware and targeted espionage in a way that appears
somewhat sequenced. I think their description for it, if I'm remembering this correctly, cyber and kinetic military operations appear to be directed towards similar military
objectives, right? That these are sequenced in such a way that what I'm doing on the battlefield,
objectives I'm trying to seize, forces I'm maneuvering around are being affected by
these cyber capabilities, even though they're not being delivered by my battlefield forces.
The extra dimension I would add to this is we have what's being deployed on the battlefield, but there's a lot of places that we can pull
and push that affect the battlefield that aren't directly deployed from there.
And so the other side of this, I don't know if Sally would disagree with this, but I feel like
the fuzziness that we've been in really sort of distressed by in the last decade or so in the US
especially is how do I use capabilities that are not being generated, maybe even in theater,
in a way that has operationally significant and operationally timely effects to influence
battlefield outcomes? But my sense, and I am curious your style of statement, my sense is that
we are still really figuring out how to do this effectively. And I think, again, what you see in
theater here with a fairly sophisticated cyber actor, right? The Russians are a no shit player in this space,
mil and intel, and they have struggled to really tightly synchronize in some cases,
the generation and use of these effects. They have been able to keep them coordinated,
but that's, you know, that in and of itself appears to be a struggle. So
close this by saying we're still figuring this out. I think really where we generate and how.
Yeah, absolutely. And the first thing I thought of, Trey, with your comments was this new buzzword of convergence that has been introduced in multi-domain operations. And the maneuver guys, they're like,
oh, it's just synchronization. It's just synchronization. And from my perspective,
honestly, I feel like it is something different because we are talking about exactly what you
said, which is you don't own all of the capabilities whose effects you're trying to converge at a certain place in time.
But we're talking about, you know, converging, I guess, like strategic all the way down to tactical.
It's kind of a different way of understanding space and time, I think. When we talk, you know,
how does that bear on the tactical battlefield? One is going to be looking at the combat mission
teams and how they're integrated with their respective combatant commanders' planning and priorities.
But you can imagine that, you know,
those are going to be aligned
against pretty high priority targets
with unique types of effects,
not necessarily the one-off effects
that you'd expect to materialize at the tactical level.
And the fact that CYBERCOM did not have any forces arrayed
against quote tactical level problems or requirements
was identified by the Army back when
we were really trying to build this stuff out in the early to mid-2010s. So we asked the question,
how can we better support service level requirements? How can we support the tactical
warfighter? And so in response to that question, you know, a bunch of experimentation was conducted
and DOTMLPF analysis, et cetera, et cetera. And essentially the Army ended up creating a new
battalion,
the 915th Cyber Warfare Support Battalion down at Fort Gordon. Their sole focus and purpose in life is to fill that gap of, we don't have any national forces that are arrayed towards the tactical
level. Their ultimate goal is to build, I think, 12 expeditionary cyber teams that are going to
be regionally aligned, almost in the Cyber Command Combat Mission Force model. But these are going to
be expeditionary teams that can bring specific capabilities to focus exclusively on those
tactical level problems.
Can you bring this back then and tell us where this tactical cyber element
fits within irregular warfare? And is it more that cyber at the tactical level exists as a means to
increase an operator's ability to produce kinetic effects on the battlefield.
And that's just more of a force multiplier for a team.
Or are there actually ways in which we can conduct irregular cyber warfare?
I can't help but think about this in the context of a broader discussion on information warfare.
So I might escape the bounds of our cyber conversation here.
You know, the Irregular Warfare Annex to the National Security Strategy. It talked about irregular warfare as a struggle to influence populations and affect legitimacy,
having different missions within that and different enabling operations within that.
We've kind of rapidly run into this problem of our capability was built for a specific purpose.
Authorities and policies don't allow us to expand that purpose in a way that we need to, to meet the challenges that we face and to fight the adversaries where we need to fight
them. So in army doctrine, for example, we are afraid to introduce the word information warfare
or the phrase information warfare. And so I just think if we're talking, you know, what can cyber
contribute to irregular warfare? We're going to limit ourselves if we only are allowed to talk
about that in the context of creating technical effects or using technology to create kinetic effects. I think
there's a lot more possibility in the information warfare space, but we don't have an organizational
structure or an authority structure or a set of policies or even a national strategy or even a
service strategy. We're just missing all of the other stuff that would allow us to execute that.
We're really hamstrung on this side of the ocean in that we've got this somewhat increasingly
artificial bifurcation between systems, digital systems, security, cyber, and information security.
And this is something that has been written a multitude of times. It is the concept of
1000 theses, right? The Chinese to some extent and
differently the Russians to a different extent are not subject to the same limitation. They see
these as views. They see the contest over access to and deployment of information as part of a
broader cybersecurity. If you are constrained by rules of engagement, if you are constrained by
the footprint of your force in place, if you are constrained by a size of
a population or your need to remain covert, then the ability to generate influence in your
environment over an adversary or over an intermediate population is a really significant
utility. Now, that could be turning off the lights at intersections. That could be turning cars off
in motion so that you can capture or kill. But it can also be releasing information over WhatsApp, drive population in a certain place, change sentiment, move them physically
around a geography. And so what we would think of as the information effects of cyber operations,
turning off TV stations, turning on certain other broadcasts, right, punching through,
almost in a classic psyop sense, right, punching through electronic interference to spread a
message or a narrative. This all has kind of significant cyber ramifications. Cyber might be more the
delivery system than the effect in our parlance, right, around information warfare, but they are
significantly complementary and have, I think, a lot of application in irregular warfare,
in part because cyber is a bad substitute for kinetic effects. As we've seen in the last 70
plus days, the choice between a
2,000 pound munition and malware on a building is not a conversation, it is stark. But if your
attempt to non-kinetically shape the battlefield can be driven by effects you can build over time,
deploy with more control, that's an incredible asset for an irregular operator.
One of the things that's been really challenging, I think, for cybersecurity and cyber operational doctrine in the States is we've tended to put cyber
capabilities in the sense of a near-peer conflict. We haven't really had that many wars to fight with
them, but we've had a lot of instances where we've tried to secure, to protect, to maintain control
over physical space and populations. Some really good stuff getting written in. You guys mentioned
the Princeton tie-in, so we'll cite Stathis Kalyvas here, right? The stuff that has been written around population control on defection, right? Trying to compel access to information across a battle space, especially with a small unit, especially when there's a number of different adversaries in the same AO. Cyber plays a significant role in magnifying effects and gaining access to that kind of information.
It's also, and I think I'll end on this on the irregular piece, really helpful when we start talking about distinguishability,
right? The little green men in Crimea were unearthed in a lot of ways by open source
intelligence gathering, which if you are in an op in a denied information environment, right,
can be enabled by cyber regulations, opening up, punching the pin in the balloon to get
information out of a network to create access where the network has been turned off. And we've seen that deployed in Ukraine. Russian efforts,
in some cases, to turn off TV stations, disable radio broadcasts, where that can be overcome or
countered by cyber operations in response, is in effect a cyber conflict raged through this space.
So it absolutely has application, again, even if it's not capabilities being generated in theater
in the moment.
So I'd like to pull a thread a little bit. Trey brought up that we spend most of our energy
thinking about cyber operations in relationship to our near peer great power competitors.
With the democratization of cyber tools, the widespread availability of
cyber tools, how has that line between state and non-state actors blurred?
Yeah, it's really blurry. It is a super problem. And I say that because all the way up to the National Command Authority is still trying to get their arms around what categories are valid and
which are not. All respect to the folks writing and thinking about great powers, but it's always
been kind of a wacky distinction like Russia and China, clearly not the same sort of entity.
What they want, how they operate looks different. India, why aren't they part of that?
It sort of blows that discussion up. So realistically, three answers. One is to
generate sophisticated physical effects through cyberspace is still very difficult, but it's
really more about knowledge of the physical system and time to prepare and recce that system
than it is about detailed understanding of
some sort of arcana in cyberspace. The cyber side is more accessible than it was 20 years ago.
In some ways, that democratization has lowered the bar or the barrier to entry in terms of
experimenting and creating physical effects. But to create useful, really destructive kinetic
effects, you still have to really know your way, not just around these machines. So there was a piece of malware that was sort of announced before it had
been used called PipeDream just a couple of weeks ago. It was a joint announcement from a couple of
federal agencies and a private sector company called Dragos. PipeDream operated against a class
of industrial controller and was able to, without really manipulating the code on that device,
create destructive physical effects were it to be used. That takes a lot of understanding, a detailed, intricate understanding of that
physical system. And so that has not necessarily democratized in the same way. The capacity to
maintain and gain access to detailed reconnaissance and intelligence information about those systems,
that's less accessible. But that's the top end of the bucket. So let's take it down a step.
How do you potentially create physical effects, but absolutely gain access to sensitive information on the most modern technology available, the most up-to-date iPhone, a modern browser? That stuff is available for a couple million bucks a pop.
You can even, it has now gotten to the point where private companies will sell you not just the product, but the entire service. Where that cyber capability is provided to you, it's kept up-to-date against the latest patches, and it's supported with reconnaissance information, with staffing, and with training.
That is the high-margin service business of selling, effectively, access to systems and the capabilities to exploit that access.
Principally, the markets there have developed around countries that want to gain access to sensitive information from journalists, from political dissidents,
and in some cases to basically build rent intelligence programs through cyberspace to
gain espionage on foreign adversaries. At the low end of the scale, there are a lot of ways to create
effects on the digital system. And there are a lot of tools out there to do it. Some of them built
for legitimate purposes of testing. Some of them out there to sort of test the limits of what
security teams can do or how or where they are of the security of their products.
But at the root, I think the proliferation question you ask is a good one.
We haven't necessarily seen anybody set themselves up overnight as a, quote, cyber power,
unquote, in this space because of these proliferation networks.
But it could be done.
And we absolutely have seen new entrants in the space largely as a result of capabilities gained from
other countries and these private sector players. Where this goes that I think is really interesting
and something that the team at the council is working on right now is what happens when these
kinds of capabilities start to empower non-state groups to play back in more significant ways
against state players outside of espionage. But I'm talking about magnifying otherwise kinetic
physical effects. We're really interested in what the cartels, for example, are going to be doing
with cyber capabilities over the next decade, where they have already started to contest for
physical control over territory, for influence over population. A lot of those are irregular war
concepts that we were just talking about, but in a different frame, not a state-centered frame.
You think about some of the contests that, you know, small non-state groups, terrorist
organizations, quasi-proto-state organizations we've seen emerge in the last
decade. What that looks like if they start to exercise influence over physical space,
gain information through these kinds of capabilities, it does change the dynamic
in the international security environment in a very, very interesting way. So yeah, big deal.
Lots more work to be done. Fun problem.
That's fascinating, Trey. When you bring it up to cartels and the non-state actors branching out into the world of creating physical effects through cyberspace,
makes me think of how important norms have become in shaping the way that states behave in
cyberspace. And we've taken it for granted that those norms exist, but just as in physical space,
I think that could potentially be a challenge when it comes to non-state actors who don't abide by those norms or who don't need to. When I think about the impact
of non-state actors and the democratization of capability, I think about it in a couple
different ways. On the one hand, I think you undeniably see an increase in the volume of
effects. We've seen it in Ukraine. We've seen it in, you know, Ukraine part one. We saw it in Georgia
in 2008. You know, you see it all over the place, all the way back to the 1990s in the Balkans.
But you still have to ask yourself how significant are the effects that are being generated and
who are they actually affecting?
And so when we're thinking about uniformed military forces engaged in conflict, I would
venture to guess that the majority of the time, the types of effects that are going
to be created from non-state actors, whether it's armies of activists who have been recruited
to DDoS websites or something else, aren't necessarily
going to be the most important thing that you're focusing on.
And really, they're just going to create legal challenges for echelons that are much
higher than you exist at.
Sally, I think you bring up some really great points about some of the unique legal and
ethical questions around cyber.
Could we explore that a little bit more,
especially at the tactical cyber level? What are the unique legal ethical questions and what
authorities do we have or are we missing that would help the practitioners better understand
how tactical cyber fits within the other domains? And do those authorities even exist at the
tactical level?
Yeah, great question and great follow-on question, Laura. So I guess I'll address the ethics question
first, because I don't necessarily think that the ethics of employment of tactical cyber
capabilities are uniquely different from the ethics of the employment of other capabilities
at the tactical level, in that you're still going to have to think about the second and third order
effects that could come from the use of certain capabilities. When it comes to authorities,
that is the sticky point. And frankly, that's been one of the most challenging
aspects of dropping cyberspace down to the tactical level. A bit of my background,
I was involved with the Cyber Support to Corps and Below initiative back in 2015-2016,
which was the Army's attempt to answer General Odierno's question of what does
this mean for the warfighter? And we were kind of walking a fine line of having to get the Army as
an institution to think about this stuff at the tactical level while not really offering much in
the way of capabilities and what capabilities we could incorporate into planning, even at a
hypothetical level. We were just hand-waving the fact that you would have the authority to execute this. So the way we're thinking about it now is, again, a lot of what
is going to be delegated down to the tactical level when it comes to execution, it's just going
to look like electronic warfare. So it's not going to be super fancy, but it's going to be something
that can create effects in cyberspace, in the electromagnetic spectrum, and that the tactical
level operator or brigade commander can authorize pushing the button for. Anything beyond that, it just starts
to get complicated. And that's where I'll go back to my previous comment, where it's like,
at the tactical level, you are trying to generate a demand signal to get national level resources to
solve your problem. So we're working through it. It's highly imperfect. To answer your question
bluntly, Laura, no, I don't think the authority structures are there. But it's certainly
part of the consideration as we're trying to build out this capacity.
I think it's significant that we recognize, too, very much like in World War I, the strategic
bomber took the battle space and kind of expanded it dramatically, right? It took the sort of home
front, battle front distinction and just destroyed it. We saw that breakdown even more over time over
the subsequent 60 years. In this instance, not only are we able to
affect civilian populations at home and the battlefield from effectively the same space,
we also have significant account to be taken of the platforms, the companies, and the entities
that exist in both of those environments. And so from the ethical standpoint, where I think we
start to trip ourselves up a little bit is less what can we do and more to whom can we do it,
right? If to affect
a local population's understanding of an ongoing religious conflict, do we have to work through
a multinational social media company based in California? What are the ethics of that? And in
some cases, what is the raw legality of that? As opposed to, can I put something on a local
language, local short-range radio broadcast, right, as maybe was more often the instance in the 80s or 90s. So that adds a significant complexity to it on both
ethical and legal grounds. I think the other piece is we know law of war applies, right? The law of
armed conflict has been applied into cyberspace. There's been great tomes written, good articles
applying it, authored. And so the same notions of discrimination and proportionality should apply.
The challenge, at least, that I've seen is, and we, I think, started to see CYBERCOM start to work some of these issues out through their operations around JTF Ares targeting ISIL. But the ability to make those determinations at the speed of operational need is still really challenging.
group of strategic lawyers in a room who are thinking about a long running operation that may have effects months from now. It's a different thing when you have a 30 second window of
opportunity, right? Or you are trying to sequence effects in such a way that you have even less time
to wait on a legal determination. You need to have pre-baked understanding approvals. And I think
that's the kind of debate that we're seeing rage up and down, frankly, the chain of command right
now. So it's a good question. Again, I feel like we don't have the straight, solid, what do I do
now with an answer? But that's part of where cyber is right now. I think where we've come in 30 years
is less that we don't know what we don't know. It's that we are still trying to figure out exactly
how to package, modularize, and deploy what we know. We are able to have, we have the tools to
have better debates now, but they are still debates. One of my passionate topics of discussion
is how you can create the right concept, but there's still a great number of organizational frictions that exist between you and implementing that concept. And so I think we've gotten the concepts right in many cases, but oftentimes it's not conceptual stuff that's preventing us from doing this.
to what you were saying. I'm just kind of arranging the different variables in my mind on this question. But when we talk about authorities at the tactical level, it's obviously difficult to
delegate those authorities appropriately. But the question of why is it difficult to do so,
I think it's a two-part answer. One is the ethics you discussed, Trey, which is, you know, there are
second and third order effects to meddling in cyberspace that can't necessarily be assessed,
evaluated, and or controlled at the tactical level by the person
who's making that decision. But then it also comes down to resources, access, and infrastructure,
which is, you know, you're not going to have a platoon leader who can push the button on,
you know, some future variant of Stuxnet because that's just not how it works. So it's like
prioritization and, you know, what are we going to actually delegate down to that level?
But we know about this, right? The strategic corporal is a well-established construct.
We just have to recognize it scales out, right? It's not just that your local decision-making in a particular instance is going to have national repercussions. It's that your ability to deploy effects might continue to ripple around well beyond the AO, setting precedent, having physical effects, having logical effects for a long time to come.
Cyber, and this is maybe one other note, because I think we've got a lot of regular folks interested in this space.
Cyber is incredibly interconnected.
So very much like the effect on a population, a community, a particular religious sect can ripple across a country outside into a region.
In cyberspace, talking to one computer is very rarely limited to just talking to one computer.
To Sally's point, we need to be considerate of those wider consequences in part because we don't understand, we often can't control with great specificity how they propagate.
I'd like to jump in and kind of meld those two concepts that we were just
talking about with the last couple questions. And if you've got kind of nebulous actors,
potentially non-state actors or non-state actors who are sponsored by states that may be operating cross borders,
or if you are using information tools that may be borderless and that may proliferate along,
you know, global digital networks. It's like, is the combatant command structure
really the best way to posture offensive and defensive cyber forces? And does it really follow that COCOM structure
to where you've got operational forces and then tactical level forces? And are we constraining
ourselves by trying to do that geographically? It's really tricky for these kinds of conversations
not to get incredibly abstract very quickly, in part because they are implicating foundational
concepts in the way we organize, man, train, equip, and fight. I think that equip and train piece is really significant,
but the fight piece really drives a lot of the analysis. So the answer I try to offer on is
effects are still largely local because objectives are still largely local. We have interest in
adversaries operating abroad, but when we're talking about tactical specificity and we're
talking about operational capabilities, we have some definition in where we want the effect to
take place, even if its route to the battlefield is highly circuitous, or the platform through
which that effect is being generated has a much larger footprint than just the AO that we're
operating in. You know, we're used to thinking about wars and what's legal. We're used to
thinking in terms of geographic combat zones, we're declaring, you know, specific regions.
But in cyberspace, I think it's much more related to designating the infrastructure and or the use of that infrastructure.
You know, so what do we designate as a combatant?
And so in cyberspace, the answer to that question is going to not necessarily be bound by geography in the same neat and clean way that we would when we're talking about like actual armed forces. But frankly, at a certain level of prioritization, those questions, like we have
a way to answer those questions. It's just the farther down you go is when it starts to become
difficult. But again, I just don't necessarily envision a future in which, name your tactical
echelon, but I don't necessarily envision a future in which massive potential second and third order
effects from a cyber capability are going to rest in the hands of a brand new lieutenant or something.
At least not intentionally.
Not intentionally, yeah.
Can you both go into potentially how cybercrime, both state-sponsored and perpetrated by non-state
actors, fits into this greater picture? And are there lessons learned from cybercrime
that have application to the tactical implementation of cyber?
Yeah, I'll take a stab at that one. I'm sure we could rattle off a list of high-profile cyber
attacks on American companies over the past two decades, but we've decided that none of those
crossed the threshold of bringing us into war. We could talk about the Sony attack, North Korea,
a state actor attacking a private American company, and that, again, didn't reach the threshold. So we determined. I think what's unique about cyberspace is that it's a great venue for
inflicting punishment deliberately below the threshold of escalating into conflict. And I
think that's why we've seen, you know, just this explosion of activity over the decades,
and why we haven't seen these escalation dynamics that a lot of theorists were concerned about in the early years. We haven't seen them necessarily play out the way that we
might have expected if everything were black and white.
I think Sal is dead on for two reasons.
One is distinguishing, again, between delivery and effect. You might know how to counter the
delivery system, but that effect can be deployed a number of different ways in a lot of these cases,
it will find another way and we will deploy it another fashion. But the more important issue is, right, once something is known,
the delta between known and everybody's inoculated against it is huge. And I think in the military,
unfortunately, that's significant. And one of the things that you see time and time again is
buying software is treated as one of two things, either an unimportant side item to the core
lethality, the core capability,
or very similar to buying the lethality itself, right? We still try to buy software like it's a
tank. And it's not. And it's a problem. We see crime using cyber effects and leveraging information
that exists in cyberspace all the time. I think what distinguishes that kind of criminal activity,
which is absolutely on a spectrum and is in some cases executed by states, the DPRK is a great example of this, right?
They are literally knocking over banks in some cases.
It's Bonnie and Clyde with nuclear weapons.
As we wrap up today's conversation, we definitely want to make sure we talk a little bit about
the implications that have come up during the course of this conversation.
So Trey, Sally, what do you see as the key
implications for policymakers and practitioners as you reflect on cyber in today's irregular
warfare environment?
I'd say it's three things. One is that the maturity of theory that we have
in this space around cyber effects operations and their impact on politics significantly lags the need for good
theory in this space. We are still in the early days, the second generation, maybe third at the
very beginning of cyber scholarship. And that's unfortunate because the need for good thinking
and good theoretical constructs on how to think about these effects, their implications on policy
is overwhelming. So I think there's a little bit of hope there in the last year and a half, two years. There started to be some more work being done by
junior scholars and some folks coming into the space with different ideas. I'm really encouraged
by that. But I would say if you're a policymaker looking at this, don't assume that what's been
written is the best representation of what could be theorized. I think in many cases, unfortunately,
we're still trying to get there. We're still trying to get the ball down the field.
The second is the way that we think about cyber capabilities in the offense and in the defense is way too bifurcated.
And what I think we observe increasingly, especially in the private sector, is the relationship between attack and defense is highly, highly complementary.
And the amount of information that attackers gain, the way that informs their own defenses and vice versa, is a really significant feedback loop for effective cyber operations at the strategic level. Not just generating good effect on target, but
having that effect render value back all the way up the chain to the home territory, to private
sector companies, to all those other entities we talked about being a part of the environment
practically. And so I think as we see, especially in the U.S., the discussion about the next U.S.
cyber strategy and national security strategy come out, recognizing and tying those two camps together as a really significant port, I think of being a port rather, is a big piece.
Tying those two communities together is of great importance to having a good conversation, to generating good policy down the line.
And I think the last thing is just as we're talking about this, one of the things that strikes me is the notion of a battlefield and tactical effects on that battlefield for regular warfare or any other frame is a little bit of an artificial distinction.
Not because there are not significant operational constraints and realities that exist in a kinetic battle space.
And again, we've seen this in Ukraine, right?
The war, the violence, the speed, the lethality that's been demonstrated in this battlefield have a significant impact on the way that forces are going to operate for the next decade. Cyber is going to be a part of that conversation. We can't assume that we know exactly
how cyber will be used in that context, but it is clearly different. When bullets are flying,
when bombs are dropping, it is clearly different. But the ability to effectuate that space is so
tightly dependent on capabilities, on platforms, on companies that
aren't present in that environment, that I think a little bit of our discussion sort of up to this
point of a battlefield and a not cyber environment of a tactical and a strategic has introduced some
kind of artificiality in the distinction between those two communities, between those two environments,
and really between the two needs. And so if I'm a policymaker coming out of this, I would think a
little bit more about
chains and feedback loops and relationships between these environments rather than trying
to sort of arbitrarily distinguish this is a maneuver space, it's a battlefield, and this
is everything else. Because I think unfortunately, when we get into these environments where we need
to deploy these capabilities, we end up having dependencies outside of that battlefield. And if
we haven't clarified those relationships and how information is going to flow and how content and capabilities are going to flow,
we're really at a significant disadvantage relative to the adversary.
When it comes to policymakers and practitioners, I think there are two big areas in which we have
room for significant improvement. One is somewhat structural, and it has to do with how quickly we
can iterate the creation of capabilities
and their employment, and then the research into particular target systems and foreign systems and
the information landscape in different places that allows us to run that iteration. So essentially,
how can we get that cycle to be as fast as possible? And that's a question that's going
to bear on academic research, it's going to bear on technical research, and just general, you know, good old government organizational dynamics. But, you know, one of the big sticking
points when we think about the employment of cyber effects going all the way back to the beginning of
the conversation is, you know, has to do with the tempo of operations and what our expectations are
of how responsive a military capability is going to be. So I think the more work we can do to kind
of tighten up that process, the better position we'll be. The second has to do with how we think about and calculate risk.
So this was one of the big challenges, I think, at the beginning and continues to be a challenge,
but in a different way.
Early on, it had to do with the desire not to escalate or not to proliferate capabilities
or not to reveal certain capabilities, et cetera.
But ultimately, we had this very, very finely tuned calibration of how we approach the question of risk.
And we did not have a very risk-accepting mindset
when it came to using cyber capabilities.
I think we've improved a little bit.
You know, we're a little bit more willing these days
to use that domain for various reasons and activities.
But now I think there's a need for adjustment
when it comes to the intersection of cyberspace as a physical domain
and the cognitive informational realm that, frankly, is often the primary purpose of cyberspace
when it comes to how we're interacting with the human element and populations. So I don't really
have a very succinct way of saying this, but when it comes to things like cyber-enabled information
operations or the information warfare question, you know, that phrase that we don't want to use,
I think we should probably devote a bit more time and intellectual energy to thinking through what is the actual problem that we need
to solve? And are we limiting ourselves by keeping things separate in their distinct bins of cyber,
of psychological operations, of information operations, etc.? And are those separations,
I mean, they're certainly artificial constructs, but are they inhibiting our ability to be effective in the broader information environment of which
cyberspace is a part?
So that gets to, I think, the implications for academics, you know, the broader theoretical
questions that I think need to be addressed.
Number one is, how can we come up with an integrated theory of information that encompasses
both the physical and cognitive realms?
We're somewhat unique in our bifurcated understanding of information and our absolute
unwillingness to let those two understandings meet. And I just did a research project on the
history of Army information operations doctrine, and it's quite striking how difficult it's been
for us to reconcile that tension between a physical interpretation of information that
has to do with machines, with technology, with bits and bytes, and our understanding of information as meaning and as a way that we can influence the human mind and
populations. And I think it's really important as we're moving deeper into the 21st century
to come up with a way that we can theoretically reconcile those two pieces, because then that's
going to allow us to be more effective in this broader information environment. And ultimately,
when we think about cyberspace, we're really talking about, yes, you know,
you can create cool technical effects on systems,
and sometimes those effects are going to have physical manifestations.
But more often than not, you're maybe a couple levels removed,
but ultimately you're still trying to influence human users
and you're still trying to influence, you know, human decision makers.
And so cyberspace, it's one thing that we can leverage
to achieve desired ends that ultimately, again, tie back to human beings.
And so I think there's a lot of work to do from a theoretical standpoint, thinking about this topic of information and this topic of information warfare, whatever the heck we want to call it, if information warfare is an unpalatable term.
We've built out this massive cyber infrastructure.
And what's amusing to me is that originally cyberspace computer network operations was subordinate to information operations.
And so in the process of building out this massive cyber infrastructure, we've developed an exclusively technical focus.
We've lost sight of that broader information environment
and the idea of psychological influence.
So it's like, okay, how can we get that balance right
for the types of conflicts and crises and competition spaces
that we're going to face here in the 21st century?
I think that's just a huge question that needs to be thought about a little bit more.
Sally, Trey, thank you so much for joining us today
on the Irregular Warfare podcast.
It's been another great conversation.
We really appreciate you lending us
your expertise and your time.
Thanks so much for having us.
This has been a lot of fun.
Thank you.
Yes, it's been great.
Thank you for joining us for episode 53 of the Irregular Warfare podcast.
The Irregular Warfare podcast releases a new episode every two weeks.
In the next episode, Kyle and Ben discuss Plan Colombia with General Alberto Mejia,
who served as General Commander of the Military Forces of Colombia, and Dr. David Spencer.
Following that, Kyle and I will explore irregular warfare in Ukraine since 2014.
Be sure to subscribe to the Irregular Warfare Podcast so you don't miss an episode. The podcast
is a product of the Irregular Warfare Initiative. We are a team of volunteer practitioners and
researchers dedicated to bridging the gap between scholars and practitioners to support the community
of irregular warfare professionals. You can follow and engage with us on Facebook, Twitter, Instagram, Thank you. And one last note, what you hear in this episode are the views of the participants and do not represent those of Princeton, West Point, or any agency of the U.S. government.
Thanks again.
And see you next time.