International Agreement for Control of Cyber Weapons


Escalation Levels in Cyber War

Cyber Readiness Levels

Cyber war may be thought of as a low-level type of conflict. In its initial stages, it does not have an offensive nature, but instead is focused more on intelligence collection.

Intelligence collection. There are two aspects: (1) the collection of specific pieces of information (data) that can be used later as an input into intelligence analysis; (2) collection of macro-information that helps to make a “cyber map” of the information space of the enemy. This would include understanding of (a) the major networks and components of the enemy cyber structure; and (b) the types and characteristics of vulnerabilities in the enemy cyber structure.


Figure 1 – Levels of Readiness for Cyber War. Kinetic, Information and Cyber Operations stand in a general hierarchy leading to increased levels of violence.

Active Cyber Disruption. The second level of cyber operations is more aggressive and offensive in nature. At this level, cyber weapons are deployed for specific purposes of disruption.

Information Operations. Beyond cyber, any national defense campaign employs the use of propaganda, information operations, disinformation, or other tools, in order to shape the psychological environment both of the target country and of the domestic audience. Information operations involve the placement into the meme-space of alternative ideas, the objective of which is to compel public opinion to move in a way more favorable to the originator’s way of thinking. Propaganda and information operations are a well-known tool of statecraft.

Kinetic Operations. After the battleground has been prepared by cyber and information operations, the next level is actual military conflict: killing people, destruction of property, and the other arts of classical warfare. In all nations, this level of conflict is seen as being the “last resort”, an action taken when all other means fail in solving the national conflict.


Figure 2 – Levels of Escalation of Cyber War. Prior to initiating cyber attacks, there are several precursor levels of escalation.

Levels of Escalation of Cyber War

There are at least five (5) levels of preparation before offensive cyber operations begin.

General Intelligence Collection. Cyber has emerged as a major tool of intelligence collection. Economic, military, and government intelligence can be collected through cyber in a way that is at least two orders of magnitude less expensive than any other means. The use of automation in particular can change the need for specific targeting (because web-bots can simply scan everything). In addition, collection can be asynchronous; that is, information can be collected for use later, even though when it is collected, there is no specific purpose to get it.

Targeted Intelligence Collection. More specific cyber intelligence is collected when there is a known target. Examples would be a specific person, or a specific facility (government, commercial, military). Cyber can either be a support for other means of technical intelligence (TECHINT), or can itself be a tool; e.g., cyber could be used to support collection of MASINT (Measurement and Signature Intelligence) or FISINT (Foreign Instrumentation Signals Intelligence). Targeted intelligence collection occurs when a tangible and known threat has been identified.

Cyber Target Preparation. Once cyber targets have been identified, a number of steps must be taken to perfect the attack. This means testing or simulating the attack on a mock-up copy of the target, and if necessary placing malware into the target cyber infrastructure (such as a server, control device, or other location) that can be activated when needed. It is crucial that the cyber attack profile of each target be identified and verified prior to launching an attack.

Preparation of Disinformation. Planning and preparation for disinformation actions. This involves changing information, inserting information, destruction of information, or denial of access to information.

At this point preparations have been put in place. Malware is positioned, and relevant information has been collected and analyzed.

Initiation of Cyber Attack. The active phase of the cyber attack begins. Keep in mind that in a nation-state confrontation, this refers to initiating attacks against hundreds of targets at the same time.

Cyber Command and Control. Any successful cyber program must have some type of command and control structure to (1) control initiation of attacks; (2) monitor performance and effectiveness of attacks; (3) monitor the overall cyber conflict and be able to report on lethality (effectiveness) of attacks.

Making After Before

Intelligence is about finding out about something before it happens.  Detective work is about finding out how something happened after the event already has taken place.

In the cyber world, the detective work is much easier than the intelligence work, although neither is particularly elementary.

Before the fact, and after the fact. Let's start with after. A criminal act is carried out. These days, it is either a cyber act in itself, or it is dependent in some way upon some aspect of the cyber world. Once a person involved has been identified, then law enforcement can get a court order to demand all of the cyber baggage being carried around by the perpetrator: phone calls, travel records, banking records, credit card records, social media accounts, emails. Each of these sources of information gives important clues to the network of individuals who are the living system supporting the defendant. Degrees of separation. By linking the responsible person to their contacts, and then those contacts to all of their contacts, by the second or third level the number of affiliated persons becomes very great.

But usually it is possible to separate the wheat from the chaff, and to use the numerous hints given by the cyber footprints left by the perpetrator. It is possible to uncover a network of individuals, places of interest, and even more about what happened before the event. With good detective work, it is possible to find anyone else involved, and even get hints regarding any future similar event if one seems to be planned.

But finding out things before the fact is much harder. For one thing, there may be no starting point, no person who can be identified. This essential first step is easy after the fact, but before is another issue. So the essence of the problem becomes how to find the subject of interest, the starting point.

This is one of the reasons why, in combatting terrorism and its use of social media and the Internet, investigators are caught in a dilemma. On the one hand, there is a need to stop or severely limit this type of activity. On the other hand, if the activity is cut off, then no cyber clues remain regarding the identity of the terrorists or criminals or other subjects of interest.

In discussions over a cyber arms limitation treaty, one of the stumbling blocks is the question of how to determine the source of an attack. It is the same type of problem: how to find out the after before it happens. Making after before.

Daesh in Paris

The November 13th, 2015 attack by Daesh in Paris was devastating.  We have learned that the criminals had rented an apartment in Paris to prepare themselves, probably to wait for Friday the 13th, the day on which in 1307 Philip IV of France arrested hundreds of the Knights Templar.  The “crusaders” were crushed then, and Daesh wanted to strike again now.  The use of AK-47 Russian assault rifles against teenagers attending a heavy metal concert seems to have been particularly heartless.  Many are calling what happened in Paris “France’s 9/11”.

In response, the French are in a state of shock, and are insisting that their lives will not be changed by this attack, the worst loss of life for the French since the Second World War.  Many have been gathering at the Place Vendôme leaving candles and flowers.  Many French citizens interviewed have insisted that they are not afraid, and that their lifestyle is not going to change, but this is wishful thinking.

The President of France, François Hollande, speaking in the Palace of Versailles to a joint meeting of the French Senate and Assembly, set forth some of the changes that need to be made to fight this terror.

There are a number of expected measures, such as hiring of more law enforcement and judiciary personnel. Border controls will be improved. A series of bombing raids by French jets were launched in Syria targeting the small city of Raqqa, the self-proclaimed capital of Daesh. The sole French aircraft carrier, the Charles de Gaulle, is being moved into position in the Eastern Mediterranean, and this will triple French air power. French diplomats are attempting to get the US and the Russian Federation to join in a coalition to destroy Daesh.

There are a number of cyber measures also being proposed.  These include (a) an increase in funding for cyber intelligence services to support the police and military; (b) a change in the rules of evidence for criminal proceedings allowing the judiciary to use information gathered by intelligence services; (c) perhaps more authority to interfere with social media and web traffic that has been used to promote Daesh.

The use by Daesh of the Internet as a major recruiting tool has been a shock to those who propose unrestricted Internet freedom.   Indeed, the use of the Internet for criminal and terrorist activities long has been a motivating factor for governments to grab control over its use.  On the one hand, we cherish the principles of freedom of communication and freedom of information.  On the other hand, we have a need for governments to protect the public from danger.

This is a trend towards control over the Internet that we have seen in other countries.  In this case, it means the blocking of Internet traffic, and the monitoring of individuals who are reading and distributing this revolutionary information aimed at incitement.

It also has emerged that law enforcement is frustrated by how the terrorists are using encryption, and hiding their communication within video games.

All of these challenges, particularly breaking encryption, are extraordinarily tough technical problems.  It is not known how many organizations are capable of breaking encryption, if any.

This is a strange type of “weapon”.

Since Daesh is not a government or a state, its use of the Internet as a weapon would not be covered under a traditional cyber arms control treaty, although the use of the Internet in this degraded fashion should be considered at all levels.

It is difficult to anticipate what the downstream consequences will be.