© Jacob G. Oakley 2019
J. G. Oakley, Waging Cyber War, https://doi.org/10.1007/978-1-4842-4950-5_12

12. Control and Ownership

Jacob G. Oakley
Owens Cross Roads, AL, USA

We have established the various resource types involved in cyber warfare and their importance to the success of the warfighter and the effectiveness of commanders and decision makers. We will now cover the concepts of resource control and resource ownership, as well as their uniquely amplified impact in the cyber domain. The threats to resilience, and the mitigations to them, covered in this chapter mostly concern threats posed to cyber warfare resources by the operating environment and by the defensive capabilities of the enemy and the industry security apparatus. Loss of resource control and ownership is far more dangerous to the mission at hand and to the overall success of waging a cyber war: it represents a loss of capability containment and potential damage to innocent non-combatant individuals and systems. Loss of control and ownership can also lead to state-developed capabilities being brought to bear against that state or its allies by enemy targets.

Resource Control

Resource control is the ability to start, stop, direct, interact with, and manage a given resource and its activity. Losing control of a resource, in any domain of warfare, occurs when that resource is still in use or active but is no longer being wielded by the perpetrating force. Upon destruction, a warfighting resource is no longer under the control of the perpetrating state, but it is not actively being utilized by another entity or acting on its own without control, so destruction will not be covered under resource control. Destruction of a resource is considered final, if the destruction is complete, and is not under the purview of resource control or the factors that mitigate its loss. The other qualifying attribute of resource control loss is that, though no longer under the direction of the original wielder and owner, the resource itself is not being recreated, simply re-targeted.

Think of the Soviet warfighting equipment left behind in Afghanistan when the USSR finally decided to pull its ground forces out of that country. Thousands of AK-47 assault rifles and other weapons were now under the control of local Afghan tribes. This is a loss of control of those individual resources because they were not all destroyed and were now being used by other forces, in fact enemies of the Russians. What is worth noting in this scenario is that though the Afghans now had at their disposal thousands of AK-47s, tanks, heavy machine guns, and other weapons, they were still not in a position to create their own. When the AK-47s became unserviceable, tanks broke down, and other weapons failed, they would be discarded, and the Afghans would once again be without those resources, as they had no way to recreate the resource themselves.

The United States suffered a similar loss of resource control when ISIS forces took many weapons left behind for Iraqi forces by the United States and used them against non-combatants, US allies, and troops. As in the Afghanistan example, the ISIS fighters had no capability to replicate the US weapons left behind and used them until they no longer worked, at which point they discarded them. If the ISIS forces ran out of ammunition for a particular US weapon, it would be discarded; if a US Humvee broke down, it was likely discarded. In this way loss of resource control can be seen as temporary, lasting only as long as the resource itself is likely to last.

Loss of resource control is not limited to cases where the resource falls into the hands of an enemy or other operator. There is also the concept of containment, and a loss of control where the resource is not in the hands of a particular external operator but is no longer under the direction of the perpetrating state. This loss of control can still be enemy initiated. Consider a drone, or unmanned aerial vehicle (UAV): there are many examples, and even open source information on the internet, on how to jam the communications links to UAVs and drones. If the enemy is unable to take over control of the drone but is able to hamper its ability to take direction or fly, resulting in its crash, control of that resource has still been lost.

Loss of resource control can also be as benign as losing the ability to communicate with a GPS satellite. The satellite may still perform its GPS mission, but without control from a ground station it may be unable to adjust its orbit to avoid a collision or falling into the Earth’s atmosphere. Similarly, without enemy involvement but more dangerously, loss of control could also be represented by the automated tracking and firing mechanism of the Phalanx CIWS radar-guided 20 mm cannon engaging birds and other non-aggressive targets. This is what happened when a Japanese-based Phalanx CIWS locked on to and shot down a US plane during an exercise. Thankfully the crew was safe, but this is clearly a dangerous example of control loss.

Resource Ownership

Resource ownership is a state’s ability to maintain the unique capacity to recreate a warfighting capability. Once the enemy or another state is able to re-create the same capability, the resource is no longer owned by the perpetrating state. Resource ownership is a concept of exclusivity, in contrast to the operability concern of resource control. In traditional warfare resource ownership is a concern, but the timelines involved in an enemy being able to recreate a weapon or other warfighting resource are lengthy. Once a weapon system is understood well enough to recreate it, the enemy still has to find the resources to manufacture the capability and then bring it to utilization. In the cyber domain, this timeline can be much faster, making the danger of resource ownership loss potentially an immediate concern.

Let’s consider the first nuclear bombs developed by the United States, which were developed in a long, secretive, and herculean effort. Given the deadliness of this resource and the labor required to create it, the United States certainly would want as little risk as possible regarding potential loss of ownership. If another country or countries during World War II were able to recreate the resource, resulting in a loss of ownership by the United States, the bomb would no longer be a US-only resource. Even with such a high concern for maintaining exclusive ownership of the nuclear bomb capability, the United States still tested and even used this weapon. This was done without fear of endangering the exclusivity of the weapon because in use and in testing there is next to no information that an enemy could glean to further its own nuclear bomb efforts. There was no chance that in using the bomb against Japan the Japanese Empire would be able to recreate the capability.

Resource ownership in the cyber domain is a more immediate threat upon use of a particular resource, particularly tools. Whether an attack, access, or exploit capability, once a cyber resource has been used on an enemy system, there is a chance that it might be caught and forensically analyzed. Upon analysis the enemy will likely be able to leverage the same capability within a significantly short time window. This means that unlike the nuclear bomb example, a cyber-attack, once used, has the potential to almost immediately be turned against similar targets by the initial victim.

Resource ownership can also be lost when the resource is not recreated but becomes so well understood by the adversary that they develop countermeasures effectively nullifying it. If a resource is no longer viable because the enemy has made it completely ineffective, it can no longer be considered a resource in that conflict and is therefore no longer a resource owned by the perpetrating state. During the raid on Osama bin Laden’s compound in Abbottabad, Pakistan, one of the stealth helicopters delivering the SEAL teams crashed. Most of it was destroyed, but the tail portion fell on the outside of the compound wall and was mostly intact. Pakistan allowed the Chinese to take and analyze the tail portion of the aircraft. If the Chinese were able to reverse engineer the stealth technology on the helicopter tail section and make their radar able to detect it, the United States would no longer own that stealth resource in a conflict with China.

Resource Examples

As we did in this chapter, we will examine the various resources and examples of loss of control and ownership for each, as well as covering the impact of that loss and potential mitigations.

Exploits

Exploits are used to gain remote access, escalate privilege, and in general manipulate a target system in ways its owner does not intend. For a remote targeted exploit resource, the danger that it is taken and utilized by an external entity is relatively low. Even in possession of a tool that launches the exploit, without the ability to recreate it themselves, they are unlikely to be able to target it adequately against other systems in a way that would constitute controlling it. On the other hand, tools that perform local privilege escalation can be executed on any target with a similar vulnerability. It is therefore a realistic possibility that a privilege escalation tool could be discovered on a victim system by the enemy and then taken and used by that enemy on other systems.

The loss of control over an exploit resource can also occur if a remotely exploiting and self-spreading virus begins exploiting systems outside of the intended target range. With the self-spreading virus going after unintended systems, if the perpetrating state cannot cease the weapon’s activity, it has lost control of that resource. This can occur when things like device addresses are used as targeting logic for such cyber tools. The virus may be meant to spread to any target in the enemy’s networks within a specific set of network addresses; however, if one of the infected systems is taken to a place where it can communicate with a different network that uses a similar address scheme, the tool may spread there too.

Losing ownership of an exploit resource is something that should be carefully considered prior to leveraging it. Costs and benefits must be weighed in the decision to use an exploit that is unique to the perpetrating state. Once an exploit is utilized, the enemy may notice it and, having captured network traffic or forensically gone through the victim system, is now able to similarly leverage the vulnerability through their own weaponized exploit. At this point the perpetrating state has lost ownership. An exploit resource that is exclusive to the perpetrating state is what is viewed as a zero-day exploit, in that no other entity has the same capability and the security industry does not know of it. This is an extremely valuable resource to be protected and safeguarded. If ownership is lost, it puts the perpetrating state in a potential race to defend itself from the same capability.

In fact, if an enemy were able to recreate a previously exclusive zero-day exploit, the perpetrating state might even decide to make it publicly known to the security industry in hopes of heading off the enemy’s ability to utilize it. This is not a danger to all exploit resources; many systems I have come across in offensive security assessments are vulnerable to well-known, decades-old exploits with available patches and fixes. Just because an exploit is known and no longer exclusively owned by a state does not mean that potential targets have fixed their systems against it. If, in a specific conflict, the enemy observes the exploit and, instead of recreating it for themselves, simply nullifies the perpetrator’s ability to leverage it against their systems, the perpetrating state has likewise lost ownership of that resource.

As covered in this chapter, mitigating the risks associated with exploits requires a tempered approach to their use. Even in situations where a perpetrating state uses a publicly known exploit against an enemy system, once the enemy learns of the exploit, they may update their systems, making them invulnerable. In this case, exclusivity and ownership were not a concern, but the exploit still ceases to be something the perpetrating state can utilize. Loss of ownership and control comes with significant concerns of not only limiting the capability of the perpetrating state but potentially endangering others. Say a perpetrating state acts irresponsibly and lets a powerful exploit fall under the control or shared ownership of an enemy state, who then uses it against all of its enemies. Does the perpetrating state share some responsibility for letting this exploit into the wild, so to speak? What if criminals now use that exploit to target innocents? These questions may seem excessive for cyber domain activities, but they can still be warfighting actions that ultimately impact non-combatants, and that is worth contemplating.

Access Tools

Of all the examples we will discuss regarding loss of control, access tools as a resource are overall the least impactful when this happens. One way control of an access tool might be lost is if the enemy discovers its presence on a system or systems and begins manipulating the access tool’s environment on that system so that it behaves in ways the enemy wants. The enemy may not be able to reverse engineer the functionality of an access tool used to pull back information out of a network, but they might be able to determine what files on the system the access tool is monitoring for and collecting. If this is the case, the enemy can actually control what information is making it back to the perpetrating state that installed the access tools.

Control can also be lost without enemy intervention. Earlier we discussed how a satellite used for GPS may lose its ability to communicate with its ground station and operators. This doesn’t stop it from sending GPS signals, but it means that control of that resource has been lost. Similarly, an access tool which beacons out to the internet every so often to receive tasking may be on a system that is moved to a network that can’t talk to the internet. If, for instance, a laptop was exploited and an access tool installed on it that monitored Twitter posts for tasking, and the laptop was then taken inside a secure facility with no network connection, the tool would still try to reach out for tasking but would be unable to reach Twitter. This situation means that the perpetrating state loses the ability to communicate with that system and the access tool, but it could also lead to the discovery of the access tool on the system: it is continually trying to reach out to the internet from a non-internet-connected network, which may be caught by defensive software or devices as anomalous or malicious.
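As an added example (not from the book), the following defensive analyzer shows how the anomaly just described can be caught on the isolated network’s side: it reads constructed firewall deny logs and flags a host repeatedly trying to reach the same address outside the facility’s own ranges at a regular cadence. The log format, the internal range 10.20.0.0/16, and all addresses and timestamps are constructed for this example.

```python
"""Detect a beaconing access tool on a network with no internet path.

Added example, not from the book. A host that keeps failing to reach the same
external address every few minutes is the signature of an implant still calling
out for tasking after its system was carried into an isolated facility. Ordinary
users also hit the egress deny rule, so the cadence check matters: a browsing
user produces irregular gaps, a beacon produces near-constant ones.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
import ipaddress

# Constructed: the isolated facility's own address space. Anything outside it
# has no legitimate reason to be contacted from this network.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed firewall log: <ISO timestamp> <ACTION> src=<ip> dst=<ip>:<port>
# 10.20.5.17 beacons every ~5 minutes (the implanted laptop);
# 10.20.5.22 and 10.20.5.30 are users occasionally hitting the egress deny rule.
SAMPLE_LOG = """\
2019-05-01T09:00:00 DENY src=10.20.5.17 dst=203.0.113.5:443
2019-05-01T09:01:12 ALLOW src=10.20.5.17 dst=10.20.1.4:445
2019-05-01T09:02:00 DENY src=10.20.5.30 dst=198.51.100.9:80
2019-05-01T09:02:30 DENY src=10.20.5.30 dst=198.51.100.9:80
2019-05-01T09:05:00 DENY src=10.20.5.17 dst=203.0.113.5:443
2019-05-01T09:10:01 DENY src=10.20.5.17 dst=203.0.113.5:443
2019-05-01T09:12:40 DENY src=10.20.5.22 dst=198.51.100.9:80
2019-05-01T09:15:00 DENY src=10.20.5.17 dst=203.0.113.5:443
2019-05-01T09:20:02 DENY src=10.20.5.17 dst=203.0.113.5:443
2019-05-01T09:25:00 DENY src=10.20.5.17 dst=203.0.113.5:443
2019-05-01T09:33:05 DENY src=10.20.5.22 dst=198.51.100.9:80
2019-05-01T09:40:00 DENY src=10.20.5.30 dst=198.51.100.9:80
2019-05-01T09:41:00 DENY src=10.20.5.30 dst=198.51.100.9:80
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, action, src, dst)."""
    ts, action, src, dst = line.split()
    return datetime.fromisoformat(ts), action, src.split("=", 1)[1], dst.split("=", 1)[1]


def is_external(dst):
    """True when the destination IP (port stripped) lies outside INTERNAL_NETS."""
    ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)


def find_beacons(log_text, min_attempts=4, max_jitter=0.2):
    """Return {(src, dst): (attempt_count, median_gap_seconds)} for every
    source/destination pair with at least min_attempts denied external attempts
    whose inter-attempt gaps all lie within max_jitter of their median."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst = parse_line(line)
        if action == "DENY" and is_external(dst):
            attempts[(src, dst)].append(ts)

    hits = {}
    for key, times in attempts.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Regular cadence: no gap deviates from the median by more than max_jitter.
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            hits[key] = (len(times), med)
    return hits


if __name__ == "__main__":
    for (src, dst), (count, gap) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}, {count} attempts, ~{gap:.0f}s apart")
```

In the constructed data only 10.20.5.17 is flagged: 10.20.5.30 makes four attempts but at irregular gaps, and 10.20.5.22 makes too few.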

If the access tool was discovered due to this loss of control, it could lead to a loss of ownership. Discovering an access tool on a secure network, an enemy may perform forensics on the device and ultimately learn how to recreate the access tool for their own use. The command and control aspects of an access tool may not seem very valuable or pose a significant risk if they fall into enemy hands, but there are other portions to an access tool that might. If an access tool, for instance, had previously unknown stealth capabilities, able to get past security scans, or had new persistence mechanisms able to survive a reboot or a hard drive wipe, these would be dangerous resources if the enemy can determine how to use them. Similar to the exploit example, the enemy could also simply incorporate this new knowledge into their defensive capabilities, meaning any existing similar access tools are either discovered or nullified.

We have already discussed the concepts of environmental keying to prevent access tools from being used on systems they were not meant for, or even executed for forensic analysis in a lab. Anti-tamper capabilities can also delete the tool upon inspection by enemy security personnel. Access tools should also address the loss of control resulting from an inability to receive new tasking. A solution to this might be setting a threshold of unsuccessful call-out attempts after which the tool uninstalls itself, or similar functionality, to ensure that eventually, upon loss of control, it will do its best to avoid a loss of ownership of that resource.

Attack Effects

There is the possibility that control of attack effects is lost in a similar fashion to exploits. If the tool is discovered on a system, there is a chance that even without fully understanding or reverse engineering the tool, an enemy is able to execute it against systems similar to the one it was designed for. It would be safe to say that the danger of both loss of control and loss of ownership is higher with an attack effect than with an exploit or access resource. This is because exploit and access resources are typically intended to go unnoticed. Attack effects, on the other hand, are warfighting actions designed to have a noticeable effect on enemy systems.

Though an attack effect itself is not going to spread by itself (that would be an exploit), there is still a potential for a loss of control. As in some of the examples covered in this book, attack effects may be executed from a launch point machine against a remote one. What if that launch point machine was a virtual machine, or was backed up in its entirety, and then deployed to other networks within the enemy state? This would result in the attack effect being launched from copies of the original launch point, but in networks that were not the intended target of the attack effect. This not only poses a greater danger of a loss of ownership, but the loss of control means the perpetrating state may be responsible for acts of cyber war being inadvertently launched against non-combatants.

Losing ownership of an attack effect is also a serious concern. Having an enemy able to recreate an attack effect means it could be used against friendly systems and other third parties. Just as with exploits, publicly known and available resources can be used to carry out attack effects, including operating system commands that come installed with software like Microsoft Windows. It is not very concerning if an enemy learns that the perpetrating state used the del command to delete files in a cyber-attack. On the other hand, if the attack effect was exclusive and therefore a resource of only the perpetrating state, the enemy coming to share ownership of it is a serious loss of capability and a potential danger to wider global cyber systems.

Precautions should be taken to avoid replay-like issues such as the virtualized launch point example, or the recreation of tailored attack effects by an enemy for use against friendly forces and those uninvolved in the conflict. To this end, if a specialized attack effect is needed, then it should be tailored as much as possible to the specific target at hand. This way, if the enemy is able to capture the capability and recreate it, they will similarly have an extremely limited set of potential victims. This does go against resiliency efforts at making an attack effect that is likely to be useful longer and against a wider array of targets, but if the attack effect is dangerous enough, then it is a worthwhile sacrifice to ensure it is not effectively repurposed by the enemy.

Obfuscation Infrastructure

If discovered by an enemy, the perpetrating state may lose control of its obfuscation resources with little to no effort by the victim state. Denial-of-service attacks are unsophisticated but effective. If the obfuscation infrastructure is identified as being related to operational resources found in the enemy’s cyberspace, the enemy can simply send so much traffic at the obfuscation infrastructure that the perpetrating state can no longer communicate through it. Control of such infrastructure can also be lost if the larger networks that the obfuscation and redirection systems are part of have communication issues. If the internet service provider for the third-party network which hosts the obfuscation infrastructure is having issues, it can affect operations, as the perpetrating state is no longer able to communicate with or through, or control, its redirection points.

Losing ownership of obfuscation infrastructure is especially dangerous to missions, conflicts, and a cyber war in general. Losing ownership of obfuscation infrastructure would happen if the enemy or another entity were able to exploit and gain privileged access to that system without the knowledge of the perpetrating state. If this happened, not only would the system no longer obfuscate the activity of the perpetrating state, but the enemy could use its new access to stealthily hamper ongoing operations, have direct knowledge of capabilities and activities, or, worse, continue attempts to swim upstream toward the perpetrating state’s own frontend and backend infrastructure.

Every precaution should be taken to maintain the security of obfuscation infrastructure to avoid possible compromise by enemy hackers. This can be accomplished through both security software and standards and efforts to avoid attribution to operational resources. If the obfuscation systems are not tied to operational resources in the enemy cyberspace, then the enemy will not have reason to target them with denial or hacking attempts in the first place.

Frontend and Backend Infrastructure

Control of frontend and backend infrastructure can be lost if that infrastructure no longer affords the perpetrating state the ability to communicate to and across the internet or receive communications from other resources. This would also mean that the backend infrastructure receives no information to process and is handicapped in its further usefulness as already collected operational and intelligence data becomes increasingly dated. The loss of control and ownership both for frontend and backend systems is likely to only come if they are attributed and successfully targeted by enemy cyber warfighting activities.

Lack of functionality due to a loss of control is damaging to ongoing operations; however, enemy ownership of frontend or backend cyber systems is a damning situation. If this were to occur, it would mean the enemy is within the intelligence gathering and warfighting apparatus of the perpetrating state.

Compromise of this level is unlikely as it would involve the enemy state identifying and attributing each system in the chain of cyberspace operations from exploit or access tool all the way back to backend infrastructure. For this to be done, it would also require that attribution and system exploitation by the enemy be unknown to the perpetrating state. If the perpetrating state detects attribution of any resource, the repercussions should be determined and all mitigating steps implemented to avoid further tying of resources. For instance, if it becomes known to the perpetrating state that the enemy has identified an access tool, it would be in their best interest to immediately cull any resources related to it. Such resources might be obfuscation and redirection systems used to carry its communications back to frontend infrastructure or exploits used to install the access tool on the system. These responses should be well thought out in efforts to mitigate the impact of enemy attribution or loss of control or ownership to other resources or operations.

Tactics, Techniques, and Procedures

Regarding the loss of control and ownership, I have decided to combine the personnel-related resources of skills and tradecraft into a single resource of tactics, techniques, and procedures, or TTPs. TTPs in essence are the signature behaviors of any group, whether a special forces unit, cyber warfighting operators, or criminal hackers. Actors are often characterized and attributed by the security industry largely by their TTPs. This is how hacks and attacks are associated with one group of hackers or another, or one state or another.

A state perpetrating cyber warfare actions loses control over its TTPs when they have been sufficiently attributed to identify the uniqueness of the perpetrating state. Once the enemy realizes that TTPs represent a singular entity acting against them, they can begin responding to that specific entity. This could lead to the identification of the actor behind the TTPs which would possibly lead to political and international issues. It also means that the enemy can characterize the perpetrating state’s behavior and better defend themselves from it and detect it. At this level of fidelity, the enemy can also pass along these known TTPs to the security community at large or their allies which could hamper the perpetrating state’s cyber operations against other targets.

Ownership of TTPs is lost when an enemy has a high enough fidelity in understanding the perpetrating state’s TTPs that it can emulate them to a degree where they are indistinguishable. This poses a serious problem, as the enemy can now operate under a mantle that allows them to be perceived as the perpetrating state. Such a capability could be used by the enemy to draw other states into the conflict by making it seem that the perpetrating state is also conducting cyber warfare against them. Even if the perpetrating state realizes this and changes its behavior so it is no longer similar, the perception will remain, especially if, at the loss of control of its TTPs, the perpetrating state was publicly attributed by the enemy before the enemy came to share ownership of those TTPs. Short of publicly admitting that the actions were at first carried out by the perpetrating state but that it no longer operates that way, the perception would remain that it was the perpetrating state performing the activity, whether it was in fact the enemy in its guise or not.

Losing control and ownership of TTPs is clearly a slippery and dangerous slope. Avoiding this involves the constant effort to avoid attribution. More than that the perpetrating state must enforce a standard for the constant evolution and alteration of the behavior of its cyber warfighters. Not getting caught and consistently changing are the most important efforts that can be taken to ensure a state’s control and ownership of its personnel-related resources.

People

The warfighters themselves may be the most valued resource we discuss, but they also present the greatest potential damage to the cyber warfighting capability of a nation if control or ownership is lost. Losing control of a cyber warfighter means that the actions of that warfighter are no longer at the direction of the perpetrating state. This can be a situation where the cyber warfighter no longer follows rules such as tradecraft or rules of engagement. Loss of control over an operator carrying out cyber warfighting actions risks compromising many other resources. If it is ever determined that a cyber warfighter is no longer acting under the control of the perpetrating state, that individual should be removed from operational status in a conflict until control can be guaranteed over that individual’s actions.

Loss of ownership of a cyber warfighter is when the perpetrating state no longer has the ability to exclusively dictate the actions of that cyber warfighter. This is where insider threats become real and pose a critical danger to the warfighting capabilities of a state. Loss of ownership of a warfighter can happen when that warfighter decides to take ownership of themselves in their capacity. This situation happens when an individual, completely of their own volition, decides to perform actions of their own motivation using the state’s resources. This could be something as personal as using a state-developed exploit to access an ex-lover’s personal systems to get revenge. It could also be revenge against the state itself, using attack effects against friendly targets, if the individual felt slighted enough to do so. Another possibility for the loss of ownership over the cyber warfighter resource is if that individual begins to act at the direction of a foreign or enemy handler. At this point the cyber warfighter is an agent of the other state and essentially an enemy themselves. All of these insider threat scenarios manifest as loss of control or ownership of the cyber warfighting resource, and in a time of war are potentially treason.

Laws themselves haven’t been able to deter the loss of control or ownership of human assets whether they are cyber warfighters, infantry, FBI agents, or spies. Efforts should be made to avoid the circumstances that motivated individuals such as Aldrich Ames to feel so slighted by their own state that they act out on their own volition. The same and more must be done to avoid enemies and foreign states from gaining sufficient influence over internally developed cyber warfighters to take control and ownership of those resources.

Summary

In this chapter we covered the concepts of resource control and ownership. We discussed how the loss of each poses a threat to the warfighting capabilities of a state. Further, we went over the exemplar cyber resources and how control and ownership could potentially be lost for each of them. This was done to show the extreme pace with which cyber resources can become lost or turned against the perpetrating state or third parties in a cyber war; mitigations against this were also provided.
