Something interesting came up in an extended (and wandering) Twitter thread discussing the relevance of certain legacy information security frameworks (like the CIA triad) to modern concerns like disinformation campaigns. The aspects of this discussion that most interested me were the following two items:

“Which part of the CIA triad covers disinformation? Having a semantic argument using a model so outdated that it doesn’t even allow for information warfare is so 2000 and late.”

“Integrity covers disinformation. The purpose of disinformation is to reduce the overall integrity of information.”

What is interesting about this exchange is both sides are wrong. The reason for this comes from an initial faulty premise: that the set of cyber operations (as covered in the CIA Triad, perhaps with the more recent additions of authentication and non-repudiation) contains activities such as information operations associated with disinformation campaigns. This perspective seeks to combine disparate fields into a single functional category, resulting in curious (and potentially worrisome) over-generalizations and misconceptions of the far broader field of information warfare. While the two fields can be related and applied jointly for overall strategic purposes, establishing a one-to-one link between the two muddies many nuances and differences in the methodologies, expertise, and targeting of these disciplines.

In thinking about information warfare, my thoughts are probably unduly influenced (if not polluted) by my time and training as an Information Warfare (now renamed to Cryptologic Warfare) Officer in the US Navy. Within this field, and the broader military information warfare community, “information warfare” is not a monolithic concept but rather a diverse field of operations encompassing different disciplines focused on defending, altering, or attacking information-centric sources of value across multiple levels of warfare. As such, the broader Navy information warfare community includes not only my past career field but also intelligence, IT, and weather operations, as all of these combine to define or inform the operational environment for involved stakeholders (in this particular case, the warfighter from the carrier strike group down to the inserted SEAL team). On a broader government level, such concepts extend further to seemingly benign but significant messaging functions such as public affairs and strategic communication.

Before moving further, I do want to insert a disclaimer and a note of caution. While recourse to Joint Publications and Field Manuals from past military experience is pedantic at best, and either irrelevant or distracting from non-military problems at worst, looking for analogies from past experiences and how they apply to broader operations and more general problems can be quite useful. In this sense, I seek not to force a military viewpoint (and at that, a US Navy-specific conception) of information operations on a field that is far broader in scope than such items. Rather, I hope to extract useful lessons and examples from these fields to apply to more general civil, political, and commercial discussions based on work already done within the scope of military activities. As such, these extractions are neither verbatim nor expected to be applied without modification – but rather to serve as an example from which more nuanced strategies and actions can be developed.

That out of the way, I’ve been indoctrinated (for better or worse) into looking at the field of information operations as broken down between five distinct – if at times mutually-supporting – pillars: Computer Network Operations (CNO – aka, “cyber”), Electronic Warfare (EW), Military Deception (MILDEC), Operations Security (OPSEC), and Psychological Warfare (PSYOP, aka “Military Information Support Operations” or MISO). As a note of background, I attended various joint, Navy, and IC schools covering CNO, EW, MILDEC, and OPSEC as part of my career. While each field is distinct in its methods, technologies, and execution, together they form a whole covering “the information environment” – the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information. (Stolen by gnomes from US DOD JP3-13).

As such, conflating disinformation campaigns designed to influence or sway the public of a foreign polity (essentially, a PSYOP event) with computer network operations is very confusing. Viewed in this framework, CNO encompasses the attack, defense, and exploitation of information systems. Within this context, CNO does not and cannot influence foreign (to the actor) audiences or build desired perceptions, as CNO remains a technical, abstract field divorced from messaging and related influence operations. One performs (offensive) CNO to impact items such as the confidentiality, availability, and integrity of information systems – for intelligence collection, system disruption, etc. Given this focus and the scope of operator activity, the conception of audiences (aside from those tasking the operations at hand) becomes irrelevant at best and distracting at worst from the objective at hand.

Disinformation and related PSYOP campaigns take a different view. Rather than corrupting or compromising information, well-executed, effective disinformation campaigns require the development of a product attuned to the desired audience to facilitate a shift in opinion and perspective. The methodologies behind such an approach hinge on psychology, anthropology, and area studies expertise rather than the technical background and application associated with CNO. While government bodies generally (and the US military especially) tend to over-specialize and over-compartment operations, in this example attempting to take someone skilled in CNO and drop them immediately into a PSYOP environment with expectations of success since both are “information warfare disciplines” would be silly.

And yet, the two can and should be linked as part of a broader information operations activity. CNO may remain quite technical and discrete to its domain of information systems – but the information and accesses gained through such operations can be used by appropriate, knowledgeable entities to further other objectives. In this case, CNO becomes a collection mechanism or dissemination vector for a PSYOP campaign designed by experts in the field of foreign audience influence. At this stage, disinformation operations become a CNO-adjacent activity – but one only as relevant to “cyber” as the actual exploitation of collected information or the strategic objectives furthered by a specific infection event.

Essentially, well-resourced, mature actors in the information warfare space will utilize all pillars and mechanisms of operations to achieve broader strategic goals. As such, cyber operations will provide the foundation for or the means through which other operations take place. For example, leadership (even up to National Command Authority levels) can leverage cyber capabilities for specific targeting and effects as an avenue for achieving strategic communication through demonstrations of capabilities. Cyber becomes the vehicle for such efforts, but actual targeting, timing, and purpose are set by broader priorities tying together an understanding of the victim’s leadership, population, and pain-points. This sort of blended operation effectively combines disciplines to produce impacts that are multiplicative in nature compared to any single discipline of information operations on its own – and thus demands a wide category of knowledge and expertise to function. Limiting scope or perspective by shoe-horning all such activity into one discipline and its models and idiosyncrasies leaves the advantages of such multi-disciplinary operations behind.

But a multi-disciplinary understanding of information warfare is even more important for defensive purposes. Attempting to build out an information security (meaning cyber in this instance) framework that can capture items such as disinformation or influence operations seems not only fundamentally misguided, but doomed to failure. Trying to adapt or replace existing cyber defense models and methodologies to include concepts falling well outside the realm of cyber operations will waste resources and doom such efforts to eventual failure.

For example, looking at Russian-linked election “meddling” over the past several years, we can find many instances of cyber-enabled operations (such as the US Democratic National Committee hack) providing the “raw material” for subsequent campaigns. But how and to what extent can cyber-focused defense actually blunt such efforts? In my view, the answer is quite limited. While better cyber-focused defenses might prevent truly game-changing information gathering as exhibited in the DNC case, the gamut of influence operations extends from publicly available information to magnification of rumors and prejudices through semi-legitimate vectors (like the Internet Research Agency) to establish and magnify a message. There is no firewall, endpoint defense product, or zero-trust model designed to counter or defend against a campaign of Twitter and Facebook posts aimed at swaying public opinion.

Attempting to counter such campaigns through purely technical means within cyber defense models is simply nonsensical. Railing against existing cyber models for failing to incorporate non-cyber operations simply misunderstands the circumstances. Instead of pursuing traditional technical and policy mechanisms designed for the realm of CNO, other avenues of information warfare require tailored solutions for relevance and efficacy. In the case of disinformation, commitment to transparency, education, counter-messaging, and actor exposure – all distinctly ‘soft’ subjects better left to academics and journalists than network defenders and white hat hackers – are far more relevant and effective than even the most audacious of responses – such as a denial of service against suspected “trolls”. This is not mere fantasy either, as real (and effective) examples exist designed to counter this type of information operation in the Baltics and Finland.

Computer- and information technology-enabled information operations will continue to proliferate given increasing social connectivity and the unfortunate popularity of social media. Yet in identifying this trend, we as defenders and as citizens of open societies must not confuse enabling efforts and delivery mechanisms with actual attack vectors and objectives. Attempting to force elements of modern information warfare, such as social media-disseminated influence and disinformation operations, through a cyber-specific lens results in a fundamental misunderstanding of operations, and resulting poor defenses. If cyber has a role in such endeavors, it is in making collection of non-public information more difficult or establishing the means to identify and collect intelligence on adversary planning to conduct such operations. But actual defense against disinformation will be a far messier, more difficult process for which no truly technical solution exists – attempting to think this is possible is to engage in some of the worst wishful thinking.

Returning to the very start of this discussion, models have their uses so long as they are distinctly tailored to their application and field of operations. As such, legacy items such as the CIA Triad in cyber defense still retain a great deal of relevance. That threats have migrated to other types of operations, even if containing a veneer of cyber enabling, does not reflect on the relevance of the model, but instead highlights the agile and evolutionary nature of adversaries. Rather than trying to force all such events (even those that superficially involve computers and networks) into the same framework, defenders (broadly speaking) can learn from and adapt aspects of military conceptions of information operations to apply greater granularity to analysis and responses. In doing so, defenders can ensure the development and application of relevant countermeasures designed to meet the threats at hand, instead of attempting to cast newly emerging vectors in a familiar if irrelevant light.

1 Comment

Kicked While Down: Critical Infrastructure Amplification and Messaging Attacks – Stranded on Pylos · 08/13/2019 at 22:29

[…] effective attacks are ignored. Most specifically, and related to my previous post concerning the interplay between cyber and information operations as a whole, attackers (and defenders) overlook the powerful attack scenarios available by blending […]