© Jacob G. Oakley 2019
J. G. Oakley, Waging Cyber War, https://doi.org/10.1007/978-1-4842-4950-5_11

11. Resource Resilience

Jacob G. Oakley, Owens Cross Roads, AL, USA

There are many diverse resources that coalesce into a warfighting effort within the cyber domain. For strategic and tactical decisions to be made regarding cyber activity and its impact on larger warfare or even individual missions, those resources need to be readily available and at the disposal of commanders and combatants alike. The resilience of these resources in the face of many challenges and obstacles is critical to cyber warfare. The sheer amount of resources that could be leveraged in war even within the cyber domain is limited only by the imagination; however, we will stick to common and easily understood resources which are generally categorized into being either operational resources, support resources, or personnel-based resources.

As the coming sections will highlight, the cyber domain of warfighting presents an extremely dynamic and volatile environment for the resources required to operate within or from it. Understanding how the loss of each of these resources impacts the ability for cyber-attack effects to be delivered is essential to successful cyber warfare. Without the knowledge of what these resources are, how they may be lost, the impacts of their loss, and potential mitigations, a state cannot confidently engage in cyber war. Lacking this understanding, the warfighter cannot operate or be supported, the decision makers cannot rely on capabilities or intelligence, and the state risks losing its ability to project power from or within the cyber domain.

Operational Resources

Operational resources are the technologies leveraged within the target state's cyberspace to carry out exploitation, access, intelligence gathering, and attack activities against enemy cyber systems.

Exploits

First, we need to ensure that exploits are not confused with vulnerabilities. Vulnerabilities, though leveraged in attempts to gain access to cyber systems, are not resources, as the attacker does not create, manage, or maintain them. A vulnerability is simply a flaw in the target system. An exploit is the ability to take that flaw and turn it into an effect on the target system that benefits the entity executing the exploit. Unfortunately for the resiliency of exploit resources, they are at the mercy both of challenges to the operability of the exploit and of the continued existence of the vulnerability itself. If either is affected, the result may be an inability to exploit the system. Think of a facial recognition system that cannot tell the difference between some faces and printed pictures of those faces. This vulnerability is exploited by people who print out pictures of legitimate personnel to get unauthorized access through the facial recognition system. The exploitation could be disrupted in two ways: the company that makes the technology could recognize the flaw and update its software to fix it, or the organization could notice someone holding up a printed picture of an employee and stop the exploitation attempt itself.

In the cyber domain, the most likely way an exploit is lost as a resource is that the security industry discovers the vulnerability the exploit leverages and does something to fix it. Depending on how the fix is implemented, the exploit may be tweakable to still achieve the same result, or the exploit resource may simply be gone. The vulnerability can also be discovered because other hackers, unrelated to the perpetrating state, leverage the same vulnerability to attack systems. Whether those other hackers are state sponsored, amateurs, or organized criminals makes no difference: if they get caught, the security industry will analyze how they exploited their target systems. At the very least, this results in the vulnerability being addressed, and if their exploit resembled the perpetrating state's at all, it may rule out any workaround tweak as well.

In these likely scenarios, the perpetrating state was not caught carrying out its operation, so there are no second- or third-order effects beyond the loss of the exploit as a resource. A more impactful situation arises when the perpetrating state uses the exploit in an attempt to place a cyber-attack effect on an enemy system and gets caught doing so. In that case, the state not only loses the exploit as a resource but potentially tips its hand as to the intent of the mission it was used in. Even worse, the exploit and its related methodology may be used to tie the operation in which it was caught to other operations by the same state. Imagine the same exploit was used to deliver cyber-attack effects to several enemy organizations. If it was caught at the last of them, it could be used to discover and attribute the exploitation of the others, and the cyber-attack tools planted there would be discovered and lost as well.

Mitigating the loss of individual exploits as a resource to the warfighter involves a careful balance between operational requirements and risk. Each time an exploit is used, it is potentially the last time it will be available as a resource. That chance is greatly elevated when the exploit is used to deliver cyber-attack effects, as those typically announce the presence of cyber activity and invite investigation. There is also a general trend in cyber operations to save effective or custom exploitation tools until they are really needed. In an offensive security assessment, this might mean reserving them for big-ticket findings that improve the assessment; in warfare, it might mean saving a particular exploit for a high-value target. While the exploit sits unused, however, the risk that the underlying vulnerability is discovered independently grows over time. At the end of the day, a vulnerability is weaponized into an exploit for a reason, and each commander and decision maker should carefully weigh the impacts of both using that resource and holding on to it, in terms of completing current missions and preserving the resource for when it is needed most.

Access Tools

Once a system has been exploited, in many cases the perpetrating state will want to return to it or remotely interact with it in some way. This requires that some code be kept running on that system as an access tool the state can leverage. For a cyber-attack effect, the tool may be put in place far ahead of the actual attack and need to be communicated with to trigger the effect. For intelligence gathering, the system may be a source of regularly updated information the state wishes to keep accessing. Just as an exploit depends both on its own viability and on the continued existence of the vulnerability, an access tool depends on several components that each pose a distinct resiliency challenge. It relies on code that executes the commands sent to it, on some form of communication channel through which it delivers access, and, in many cases, on some form of persistence on the target system so that it survives a power cycle. A problem with any of these components can cost the warfighter the tool as a resource.

The most likely way an access tool is lost as a resource is that its code stops executing on the target system. If the tool was not persisted and was simply running in the volatile memory of the system, it is gone as soon as that system reboots. A system might reboot intentionally, at the hands of users or administrators, or unintentionally, because of something like an update or a power outage. Either way, an access tool with no method of persistence is gone from the system and no longer a resource the warfighter can leverage. The persistence method itself is also liable to change or discovery, in the same way an exploited vulnerability is. Either the security industry discovers the persistence method and begins addressing it, or some other malicious code uses the same persistence mechanism and gets discovered. This is worse than simply losing the tool to a restart: the access tool itself may be discovered and forensically dissected, potentially compromising every mission that uses that tool or similar ones.

More impactful than the loss of execution for an access tool is the discovery of its communication methods. If a target state discovers odd communications coming in or out of its networks and ties them to access tools on machines, the result could be worse than simply losing the access tool as a resource. In this situation, the perpetrating state which installed the tool might not know that the enemy is on to their activities. If the access tool is being used to gather intelligence, the enemy might begin feeding misinformation which would be interpreted as legitimate. Discovery of communication methods can also be used to determine the location of other copies of the access tool on other target systems by the specific enemy or even globally if they ultimately pass the data to the security industry.

Mitigating the loss of access tools, both individual instances and widespread discovery, is necessary to maintain the ability to pull back information, deliver other tools, and execute them on enemy systems as part of cyber warfare. There are many clever ways to make access tools more resilient. Whenever possible, persisting an access tool so that it is executed again after a reboot should be avoided; this removes one component of the tool that could be discovered, at the cost of losing the tool when the system restarts. The code running on the system can be made resilient to some forensics by being keyed to its environment, so that it decrypts only when running on a host that matches its intended target. Moving the tool to another device to dissect it then yields nothing readable. Note that the protection covers only the encrypted payload: the decryption stub itself remains visible, and an analyst who can reproduce the attributes of the original host can still recover the plaintext. The tool could also be made tamper resistant, deleting itself when it is accessed in any way not specifically prescribed. An access tool may then be discovered and the access to that one machine lost, while other enemy systems accessed the same way potentially remain safe. The best way to make access tool communications resilient is to make them blend in with the typical behavior of the enemy network as much as possible, so that they do not draw the interest of security personnel. Even if they do, a search for traffic resembling the tool's communications will also turn up devices engaged in normal communications, slowing the investigation that would otherwise deny the warfighter the tool as a resource.
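To make the environment-keyed decryption described above concrete, here is an added example in Python that is not code from the book; it shows how a staged payload can be bound to a target's host attributes so that it refuses to decrypt anywhere else. The hostnames, domain, MAC address, and payload bytes are constructed sample values, and the HMAC-SHA256 keystream is a stdlib-only illustration of the keying idea rather than a vetted cipher (a real tool would use an AEAD such as AES-GCM with the same derived key).

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def environment_fingerprint(hostname: str, domain: str, mac: str) -> bytes:
    """Hash the host attributes the payload expects to find on its intended target.

    Attributes are normalized so trivial case differences do not change the key,
    but any other difference (another host, an analyst sandbox) yields an
    unrelated digest and therefore an unrelated key.
    """
    material = "|".join(part.strip().lower() for part in (hostname, domain, mac))
    return hashlib.sha256(material.encode()).digest()


def _derive_key(fingerprint: bytes, nonce: bytes, label: bytes) -> bytes:
    # HKDF-style extract-then-expand with HMAC-SHA256, separate labels per purpose.
    prk = hmac.new(nonce, fingerprint, hashlib.sha256).digest()
    return hmac.new(prk, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (illustrative, not a vetted cipher).
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_payload(payload: bytes, fingerprint: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt and authenticate the payload under keys derived from the target fingerprint."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key = _derive_key(fingerprint, nonce, b"enc")
    mac_key = _derive_key(fingerprint, nonce, b"mac")
    stream = _keystream(enc_key, nonce, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_payload(blob: bytes, fingerprint: bytes) -> Optional[bytes]:
    """Return the payload only if the fingerprint matches the one used to seal it."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = _derive_key(fingerprint, nonce, b"enc")
    mac_key = _derive_key(fingerprint, nonce, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment or tampered blob: reveal nothing
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# Constructed sample values: the intended target and an analyst's sandbox.
TARGET_FP = environment_fingerprint("FILESRV01", "corp.example", "00:1a:2b:3c:4d:5e")
SANDBOX_FP = environment_fingerprint("ANALYST-VM", "lab.local", "52:54:00:12:34:56")
STAGE = b"second-stage access tool (constructed placeholder bytes)"

if __name__ == "__main__":
    blob = seal_payload(STAGE, TARGET_FP)
    print("on target :", open_payload(blob, TARGET_FP))
    print("in sandbox:", open_payload(blob, SANDBOX_FP))
```

The defender-side lesson is the mirror image: a sample pulled off a host and detonated in a sandbox decrypts nothing, so triage has to capture the original host's identifying attributes, or the decrypted second stage from memory, before the machine is reimaged.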

Attack Tools

This last operational resource I will cover is obvious in its value and intent: to deny, disrupt, degrade, or otherwise negatively affect the target system. Depending on the strategic intent behind the attack, the tool itself can be inherently very resilient or especially fragile. Some cyber-attacks are very general in their mission. Consider an attack to delete data gathered by an enemy system. A tool to do this is not likely to be complex; data on most systems can be made unavailable through corruption or deletion in many ways, including native operating system commands such as “del” on Microsoft Windows or “rm” on Linux and Unix variants. Once a system has been exploited, if the attack tool can be as simple as executing existing operating system commands to achieve the required effect, that attack resource is resilient, because it is part of the underlying target system and unlikely to be affected by changes to it. Things get tricky when the attack is complex or surgical in nature. If instead the strategic goal is to alter the enemy's collected data to misdirect it, simple deletion will not do. A specific tool might have to be created that can interact with the data type the enemy system produces. In this case, the ability to alter the enemy data is very specific and much less resilient.

The most likely loss of an attack effect centers on the vulnerability of its target. Since all cyber-attack effects require some level of vulnerability exploitation, they run the same risks as exploits. Beyond that, there is a real chance the target itself will incidentally change in a way that invalidates the original attack methodology. In our example of a custom tool that alters data collected by an enemy system, if the target system simply changed the way it writes data to use disk space more efficiently, the path the attack tool used to reach the stored data might no longer exist. The attack tool still executes fine, but it no longer affects the target data in the intended way, which means the strategic value of the attack resource is reduced or lost.

A more impactful resource loss occurs when the enemy discovers a flaw in its own system that is likely to be leveraged in an attack. Now, instead of the attack simply failing, the enemy is ready for it, knowing it is an attack vector that may be used. The enemy can then lie in wait, knowing where an attack may come from, and learn far more about its adversary's tactics and tools than it would have if it had simply fixed the issue through normal patching and upgrades without identifying it as a cyber-attack path. This puts wider operations at risk in a cyber war.

There are times when extremely specific and tailored attack effects will be necessary in a cyber war. In such cases they should be used as infrequently and efficiently as possible to avoid being tied together or disrupting wider operations. Mitigating the loss of attack effects and improving the availability of this type of resource is best enabled by approaching attack effects from as broad a perspective as possible, using uncomplicated, native, and replaceable attack effects wherever they still achieve the desired strategic results. Further, strategic decisions about when to use a cyber-attack effect should account for the complexity of that effect, the risks to its resiliency and continued availability, and the other ongoing operations that would be compromised if it were discovered.

Support Resources

Where operational resources are used within enemy cyberspace, support resources are those that enable warfighting operations to interact with that enemy cyberspace and the operational tools within it. Support resources are the infrastructure required to carry out cyber warfare and are analogous to supply and communication lines in traditional war. In the cyber domain they take the form of obfuscation resources as well as frontend and backend infrastructure. In both traditional and cyber war, the availability of support resources is a major concern. The main difference is that in traditional war the onus is on defending those support resources from enemy attack, whereas in the cyber domain the onus is on avoiding discovery or attribution.

Obfuscation

Obfuscation resources are those which exist in the cyber domain between friendly and enemy cyber assets and are involved in obscuring operational activities in an effort to avoid their detection or attribution. This is typically accomplished through redirection of the communications between the perpetrator and its operational resources. Redirection leverages assets not associated with the perpetrating state to alter the protocols, paths, and procedures of that communication, preventing its discovery, its attribution to the perpetrating state, or the tying together of multiple communication paths or operational resources. An easy way to do this is to purchase internet-hosted cloud services and install virtual machines on them that are responsible for obfuscating the flow of communication from operational resources back to the perpetrating state. The practice is common in offensive security assessments such as penetration tests: an assessor who wants to dissociate various activities from each other may pay to have virtual computers hosted in several different countries, exploit the target from one, and have the access tool communicate with a separate one. Cyber warfighting operations can operate in the same way, using third-party redirection to obfuscate actions in the cyber domain.

A likely way that this obfuscation through redirection resource could be lost is when the device or devices being used to do the obfuscation are lost. If the obfuscation resources are virtual machines redirecting communications hosted in cloud providers, this could be because the traffic to the device was deemed malicious or inappropriate by the provider and they simply terminated the virtual machines. If the obfuscation resources are real or virtual computers, the loss of the obfuscation resource might simply be due to power issues or failure of whatever tool is installed on those machines to handle and/or alter the communications going through it.

A very impactful way obfuscation resources can be lost is when they are discovered by the enemy or, even worse, attributed back to the perpetrating state. Discovery of obfuscation resources also potentially puts the enemy in a position to use its new understanding of how the perpetrator operates to tie together diverse missions against itself and potentially other targets, at great detriment to the perpetrator's ability to conduct cyber warfare. If the enemy knows where an attack is coming from, in the cyber domain or any other, that is a serious loss of capability, and so obfuscation resources are extremely important to the success of warfighting operations despite being more infrastructure than weapon.

To avoid the loss of obfuscation resources as a whole and to mitigate the impact of individual redirection losses, obfuscation efforts within the cyber domain need to be varied and layered. It is also important to do as much as possible to ensure that the loss of obfuscation and redirection infrastructure does not lead to the loss of operational resources, whether through discovery or through severed communication lines. Obfuscation and redirection resources should be configured with secondary and tertiary means of continuity of communication between operational resources and the perpetrating state's operators. They should also be varied to the extent possible, so that the discovery of one does not lead to the discovery of others, both within the same mission set against a particular enemy and across global operations against many target sets.
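As an added example, not from the book, the following Python models the routing rule a redirector virtual machine in the scheme above would apply: requests that match the profile agreed with the access tool are forwarded to the first reachable listening post in a primary/secondary/tertiary list, and everything else, including any probe from an investigator, receives the same decoy treatment an ordinary web host would give. The path prefixes, User-Agent string, pre-shared key, and listening post hostnames are hypothetical, and the session-cookie HMAC check is one way of recognizing the tool's traffic, chosen here for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    path: str
    headers: Dict[str, str]


@dataclass
class Decision:
    action: str                      # "forward" or "decoy"
    upstream: Optional[str] = None   # listening post chosen when forwarding
    reason: str = ""                 # operator-side log only; never sent to the client


@dataclass
class RedirectorProfile:
    path_prefixes: Tuple[str, ...]   # URI shapes this redirector's tools use
    user_agent: str                  # exact User-Agent the tools present
    psk: bytes                       # pre-shared key this redirector expects
    upstreams: List[str]             # primary, secondary, tertiary listening posts


def session_token(psk: bytes, path: str) -> str:
    """Cookie value a legitimate access tool sends: truncated HMAC of the request path."""
    return hmac.new(psk, path.encode(), hashlib.sha256).hexdigest()[:32]


def _cookie(headers: Dict[str, str], name: str) -> str:
    for part in headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def route(req: Request, profile: RedirectorProfile,
          upstream_alive: Callable[[str], bool]) -> Decision:
    """Decide whether a request is forwarded to a listening post or served a decoy.

    Every rejection yields the same "decoy" action so that a scanner probing the
    redirector cannot tell which check it failed; the reason is logged locally.
    """
    if not req.path.startswith(profile.path_prefixes):
        return Decision("decoy", reason="path outside profile")
    if req.headers.get("User-Agent") != profile.user_agent:
        return Decision("decoy", reason="user-agent mismatch")
    presented = _cookie(req.headers, "session")
    if not hmac.compare_digest(presented, session_token(profile.psk, req.path)):
        return Decision("decoy", reason="bad session token")
    # Continuity: walk the listening posts in order so losing one does not sever the channel.
    for upstream in profile.upstreams:
        if upstream_alive(upstream):
            return Decision("forward", upstream=upstream)
    # Fail closed: with no upstream reachable, keep behaving like an ordinary web host.
    return Decision("decoy", reason="no upstream reachable")


# Constructed sample profile and requests (hypothetical names and key).
PROFILE = RedirectorProfile(
    path_prefixes=("/api/v2/telemetry", "/static/js/"),
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    psk=b"example-psk-not-for-real-use",
    upstreams=["lp-primary.example", "lp-secondary.example", "lp-tertiary.example"],
)


def beacon_request(path: str, psk: bytes = PROFILE.psk) -> Request:
    """What a correctly configured access tool sends through this redirector."""
    return Request(path, {
        "User-Agent": PROFILE.user_agent,
        "Cookie": f"theme=light; session={session_token(psk, path)}",
    })


if __name__ == "__main__":
    beacon = beacon_request("/api/v2/telemetry/upload")
    print(route(beacon, PROFILE, lambda up: up != "lp-primary.example"))
    print(route(Request("/api/v2/telemetry/upload", {"User-Agent": "curl/8.0"}), PROFILE, lambda up: True))
```

Each redirector instance gets its own profile and its own key, so that the capture of one of them reveals nothing that identifies the traffic passing through another.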

Frontend Infrastructure

To conduct cyber warfare, the perpetrating state must at some point have a presence on cyber systems with access to the internet. This frontend infrastructure consists of the resources that receive communications from operational resources once they have been handed off through whatever obfuscation means were used. When access tools reach back to this frontend infrastructure, the specific resources that receive them are called listening posts. When instructions are sent from the perpetrating state to an access tool that is itself waiting for a connection, there is no need for a listening post, as the tool is the one listening. In both cases, frontend resources are required to send and receive the communications, instructions, and collection exchanged with operational resources in enemy cyberspace.

Though important, these resources are much more likely to be dependable and need less in the way of mitigations to guarantee resiliency. After all, they exist within the control of the perpetrating state, and any failure of frontend infrastructure systems is as likely to be due to environmental issues as to warfighting ones. A listening post is likely to fail because of an error in its code that requires a reboot, a power outage where it physically resides, or any number of other operational considerations faced by civilian and military cyber systems alike.

More impactful but less likely is the tying of frontend infrastructure resources to an actual cyber-attack effect conducted against an enemy. This would likely also require a failure of obfuscation resources. However it happens, this type of resource failure makes the perpetrating state and its frontend infrastructure targets of its enemy's cyber warfighting efforts. Continued cyber operations would then require, at a minimum, a complete overhaul of frontend infrastructure and obfuscation resources. Such a failure also means that the perpetrating state could be identified and called out on the international stage for its actions in the cyber domain at a point when it was not ready to disclose such activity.

Improving the resource resiliency of the frontend infrastructure is in part highly reliant on the successful implementation of obfuscation resources. It also requires the implementation of availability and integrity assurances. Though the frontend infrastructure itself is a resilient resource, the fact that without it all resources past it cannot be interacted with or leveraged means careful considerations must be made. Guaranteeing infrastructure availability and the subsequent availability of other resources communicating through it are integral to strategic decisions and tactical operations.

Backend Infrastructure

Frontend infrastructure may be the conduit to and from the internet and enemy cyberspace for cyber warfighting activity, but actions within the cyber domain also require a backend infrastructure as a resource to process data collected by cyber operations and about them. This data falls roughly into two categories. There is that which was intentionally collected as intelligence through cyber activity in enemy cyberspace. There is also data about operations that can be used to further improve both tactical and strategic efficiencies. The second type of data, operational data, that is processed by backend infrastructure includes items such as how targets were accessed, when, what issues were found, and problems with other resources such as communication issues through certain obfuscation resources or issues executing exploit resources. Collecting and processing this information is a resource itself to cyber warfare, as is obviously gathered intelligence. Both are generally made available to the perpetrating state in backend resources after they have traversed from operational resources on enemy systems, through obfuscation resources and the frontend infrastructure.

Like frontend infrastructure, backend infrastructure is within the control and protection of the perpetrating state and as such is highly resilient. Though not very likely, one impact that could occur is that operational data from previous operations, detailing who, what, where, when, why, and how, is lost or corrupted, so that it is no longer a resource the cyber warfighters can leverage. This would hurt tactical efficiency but would not likely disrupt cyber warfare activity.

Very impactful would be an issue in the backend infrastructure resource which leads to the loss or corruption of intelligence gathered or of battle damage assessments from cyber-attack effects. In this case the loss of the resource means that strategic decisions are uninformed, and the effectiveness of previous missions is unknown and cannot support future strategies. Safeguarding backend infrastructure as a resource available to the warfighters and decision makers is integral as it is the point where leaders are informed of the cyber warfighting effort. Mitigating the loss of this resource should be carried out through redundancy and planned continuous operation.

Personnel-Based Resources

Unlike the other resource categories, personnel-based resources do not revolve around maintaining a technology or device but instead concern the human attributes involved in cyber warfare.

Skill

The resource of skill is the ability for human operators involved in warfighting activity within the cyber domain to adequately interact with technological resources and carry out operations. Without skilled operators to carry out cyber missions, the technological resources which make up operational and support resources are next to useless. A strategic decision maker or commander may decide to employ one operational tool or the other, but that decision is based on an expected performance out of that operational resource. The humans operating those resources must have sufficient skill to employ those resources in the expected manner and allow for the highest level of strategic and tactical success in the cyber domain.

The most likely way cyber skills become unreliable or unavailable as a resource is the same way any specialized skillset fails: over time, without regular use, skills atrophy. The greatest danger to the proficiency of cyber operators is gaps in the use of their skills in carrying out cyber operations. Any specialized skill, cyber or otherwise, takes time to develop. Unfortunately, in many military settings, individuals rotate between stations as a normal part of their service. Someone with highly developed skills is likely to lose them almost completely over the years a rotation of station may bring about. There are many other reasons the skills of those who carry out cyber operations may atrophy through lack of use, but military duties certainly pose challenges to the resilience of skill as a resource.

More impactful, and more difficult to mitigate, than the atrophy of skills is their obsolescence. Given the fast-paced evolution of the technology involved in the cyber domain, there is always a chance that the enemy targets themselves, or other technologies involved, change. The change may be such that the skills the perpetrator's operators have learned are no longer viable for conducting cyber activity against those systems. If this occurs, the operators may need to retrain completely before they can effectively leverage operational cyber resources again, seriously hampering the perpetrator's warfighting capabilities.

Mitigating these impacts to the skills of human operators requires an appropriate operational tempo. Cyber operators should be kept engaged so that they maintain their proficiency. This must be done in a way that does not overwork them and that also affords them the time to carry out enough research and training to stay on top of technology trends. This balance allows skills to be maintained and ensures they evolve with changes in technology, so that operators stay tactically proficient.

Tradecraft

Where skill is the ability for human operators to hack enemy systems, tradecraft is the resource which allows those operators to conduct missions effectively and to not get caught. Good tradecraft allows for the accomplishment of cyber warfighting missions in adequate timelines while maintaining appropriate levels of stealth and avoiding attribution. Where skill initially comes from training and is honed with real-world experience, tradecraft is harder to develop as it is more a decision-making process than a memorized and proficient task. Tradecraft does have the benefit of not degrading like skills do without use. The benefit of being experience based means that tradecraft is more permanent once learned.

A common way tradecraft can be eroded as a resource is through lapses in judgment during training and operations. Where repetition enforces the needed skill level to accomplish a task, it dulls the sharpness of tradecraft-based decisions and observations. Repeating the same task over and over can lead to complacency and overconfidence. These issues lead to a cyber operator adhering less strongly to good tradecraft and putting operations and other resources at risk.

Worse than complacency and lapses in judgment is when tradecraft is blatantly ignored. This can occur when warfighters in the cyber domain disregard good tradecraft in an effort to accomplish missions on faster timelines, please superiors, or appear more skilled and achieve career advancement. The impact to a perpetrator's warfighting capability when operators are put in a position where their tradecraft is sacrificed is the potential forfeiture of all other resources. Poor tradecraft by cyber operators can lead to access, exploit, and attack tools being discovered, obfuscation infrastructure being lost, and frontend infrastructure being attacked. It is also important to note that at times an operator may have every intention of following good tradecraft but be told by decision makers that mission goals, or other concerns such as potential loss of life, are important enough to risk the loss of cyber resources.

Tradecraft is best developed and maintained through engaging cyber operators in missions which do not lead to complacency. This can be done through avoiding too much repetition and varying operational duties. To avoid a disregard for tradecraft, military organizations should strictly enforce tradecraft-related infractions. These organizations should also take steps to ensure that cyber operators do not feel pressured to throw caution to the wind in efforts to speed up mission success or career progression. Further, cyber operators should be regularly made aware of the impacts bad tradecraft decisions can have on other resources involved in cyber warfare to maintain an appreciation for the importance and far-reaching impacts of their actions.

People

Last, and more important than the tools, infrastructure, and skills involved in cyber warfare, are the warfighters themselves. As a resource, cyber warfighters are difficult to come by. Finding people who will sacrifice for their country and complete military training is hard enough. Out of that pool, finding those with a knack for cyber operations who can complete the in-depth technical training required to carry out cyber warfare is harder still.

It is unfortunately commonplace that such talented individuals are drawn out of the military sector and into industry where their talents, leadership, and work ethic are extremely valued. This retention issue is a serious challenge for military and government organizations hoping to grow personnel pools as a resource for conducting cyber operations. There are always those who wish more than anything to remain in service of their nation’s security and that keeps some willing to stay in military or government occupation. Others see the higher salaries and more varied options of industry as an opportunity to better their quality of life. Altruism aside, this is a very real problem for maintaining readiness to fight cyber wars.

More impactful than losing such professionals to industry, where they still contribute to the nation and potentially to its security as contractors, is when such talented individuals become disenfranchised. This can happen for any number of reasons, chief among them probably being overworked and under-recognized. Extremely talented individuals carrying out warfighting missions in the cyber domain can easily overwork themselves; duty is a potentially intoxicating excuse to keep working, and it leads to operators burning out. Leadership and commanders can also be too mission focused and forget the importance of the operators themselves, pushing for more mission completion without regard to the risk of losing those operators.

Like any organization, those that are responsible for carrying out cyber operations must take care of the people who do it above all else. Without those people, there is no warfighter to carry out war in the cyber domain. Recognition should be given when appropriate, personnel should not be overworked nor allowed to overwork themselves. At the risk of sounding cliché, people are the greatest resource available in cyber war and should be protected as such.

Summary

In this chapter we covered pertinent examples of the various resources needed to conduct cyber war. These resources range from the operational tools installed on enemy systems, through the infrastructure that allows interaction with enemy cyberspace, to the operators who leverage them. The resiliency of each resource was discussed, covering likely and highly impactful scenarios for its degradation as well as mitigating factors. The resources covered represent, at a high level, the categories of what is needed to carry out cyber war and do not represent the totality of resources available.
