Tom Uren

Hello everyone, this is Tom Uren. I'm here with another between two nerds discussion with the Gruk. G' day Gruk, how are you?

Gruk

G' Day, Tom. I'm fine. On yourself?

Tom Uren

I'm good. This week's episode is brought to you by Run Zero, which is an active and passive network discovery and asset discovery solution that makes it easy to find what you've actually got on your network as opposed to what you think you've got on your network. So he sent to me this document from the National Security Agency. It's been declassified, it's from 1997 and it's called Cryptolog, the Journal of Technical Health. So this is not a publication I've come across before. It's volume 23. So presumably at that time it had been going on for some years. And it's a special issue and it's an overview of information operations. And what really struck me as I looked through it was both how far sighted it was and it feels very correct. It feels like they captured something at the time and also how at the same time, talking about information warfare, nothing's really changed. It sort of lays out a vision that remains a vision. And the various authors, only I think one of them is actually named. The others are redacted. Hit on things that feel to me correct, that are truths, but have not really progressed at all all that much.

Gruk

What I find interesting about this document is how they are sort of clear eyed and they've got this great vision and they sort of understand the domain that they're getting into and at the same time they're sort of, they're constrained by the doctrines and the thought processes that they exist within already. Like they don't think this is a thing we could do during peacetime. Right. They still think of it as like this is a wartime activity and we should be ready for it during wartime.

Tom Uren

There's several different articles in here, so I'll just read out some of the titles. Thinking out loud about cyberspace. IO like capital I, Capital O IO IO it's off to work we go. And that refers to information operations. The Infowar Revolution. The role of information warfare in Strategic warfare. Thoughts on a Knowledge Base to Support Information Operations in the Next Millennium. So it's all about how information is working its way into warfare.

Gruk

So.

Tom Uren

So I guess that's the dominant framing that they've got. And that makes sense in that NSA sits within the Department of Defence. It's got a very strong support to military operations. Heritage like that's the Whole reason the organisation existed. So you can hardly fault them for that, I guess.

Gruk

Right. I mean, I contrast this with the way other nations were also looking at the same opportunities and coming up with their own vision documents. I mean what's profound to me is how everyone has these sort of big visions of these huge vistas of untapped potential. That is, it's going to be the creative and smart and best thinking people will be able to really explore this dimension and really develop and come up with new things. And 30 years later we're still doing the same stuff that they lay out as examples.

Tom Uren

Yeah.

Gruk

For example, here's something we could do and it's, you know, 30 years later we're still just doing that thing. We haven't.

Tom Uren

Yeah. So part of some of the articles in the. I guess I'll call it a magazine feel a bit science fictiony. Laying out a vision of the future. So for example, like this paragraph I'm looking at a major aspect of the information age is that it is ushering in a totally new sphere of operations, a new environment called air quotes. Cyberspace. For many, cyberspace is an ill defined comic book concept, perhaps something created by a science fiction writer or a Hollywood producer. But for NSA in the information age, cyberspace is both real and virtual. To me this very strongly gives the idea that the author, who I think for this one is Bill Black, who was. I don't know him, but he was. It's. He's referred to as the director's special assistant for information warfare. I strongly get the feeling that Bill Black was a science fiction fan. And later on he refers to Independence Day, the movie.

Gruk

That great sci fi classic that explored the dimensions of information warfare and really pushed the boundaries of what we could do with the ma.

Tom Uren

He talks about it as a. That's why he references it, because he says that information warfare makes its appearance in Independence Day, which is funny because I can't even. I can't remember that at all. But anyway, I guess that made me think about the role of these kinds of magazines in an organization like nsa, a very big organization. And we spoke the other week about how these organizations can be like factories and if you're trying to drive change, I guess like this is what you do. You try and present a vision in an internal magazine. And back in 97, I guess it would have been hard to talk to a. A workforce in any other way other than in print.

Gruk

Yeah. And it's a little bit funny thinking about it that these visions of future war in cyberspace were being put out on a print magazine that people would collect.

Tom Uren

I think at that time they had the World Wide web internally. But this looks like it was printed like what we're looking at. At least this looks like it was.

Gruk

Printed and scanned absolutely.

Tom Uren

Y.

Gruk

This reminds me of a paper that I read fairly recently on called Bureaucracy Does Its Thing. And one of the things it brings up is once you have these bureaucracies in place, they develop, you know, institutional inertia, and they are resistant to change. Like massively resistant to change. So that was about the Vietnam War and how the DoD recognized that it needed to do this new type of thing about, you know, not killing lots of civilians and being nice to people and being very careful about killing only the. The bad guys with guns so that they could secure the hearts and minds of the people.

Tom Uren

Right?

Gruk

And they knew this and they knew that they had to do it. They had to put people sort of living in villages and all of this stuff. They understood all this stuff, and, and they put huge amounts of money and resources and effort into doing it, and they just couldn't because that was not what they did. It was just not possible for them to do this sort of thing. They couldn't readjust. And I sort of wonder in a way if that's what's happened here, because I do feel like so much of this is like, here's what we should be doing, here's some potential, some opportunities, here's things we could think about, here's an opportunity for us to really come up with some bold new ideas. And here we are 30 years later, and it doesn't necessarily seem like those bold new ideas have materialized.

Tom Uren

Right, right. So there's a paragraph here. For IW purposes, access to these computer controlled infrastructures can permit the degradation, disruption, or destruction of the network and the functions they serve. I would describe that as offensive cyber, you know, degrade, disrupt, deny, destroy. And that's exactly the same doctrine, at least last time I looked, that the US uses today. So like 30 years later. But it also seems to be one that's not fully formed in the sense that they talk about it. But it's hard to put a whole lot of compelling examples.

Gruk

So they've got a footnote on page one. It says, DDOD 3600 Information Operations, dated the 09 December 1996, defined CNA, which is a computer network attack, as operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and computer networks themselves. So in the 30 years since this was written. I think they might have changed some of the wording a little bit. Maybe they don't talk about computer networks.

Tom Uren

I think they call it offensive cyber operations instead of computer network attack. But that's maybe the biggest difference.

Gruk

Yeah, nothing has changed. Right. It's a little bit disappointing in a way to see they had sort of like such vision and hope and like all of these exciting possibilities out there. I mean, to be fair, some of it is very, very wrong. For example, cyberology. So they're trying to take this parallel. So like cryptology is, I guess it's the active use of cryptanalysis to get codes and all this other stuff. So cyberology would be the active use of cyber to do things that are information related. And it's just, oh, thank God that we missed that one.

Tom Uren

Well, that one, that one was never going to take off.

Gruk

It was never happening. On the other hand, the central activities that he talks about, exploitation, protection and attack will be worked together, thus benefiting all of them. So that's very true. Right. Like I think this is a thing we've talked about where if you don't have exploitation and attack with your defense team, then your defense team will fall behind because they won't know what the state of the art is and they won't be able to know figure things out. And similarly, without having a really good defense team, your attack team will suffer because they will not be able to anticipate what they're coming up against. So yeah, it was very accurate that you do have to have all of these together.

Tom Uren

That, that one's interesting because it's held for almost 30 years, I guess. So I guess the current state of play is that in NSA you've got the Cyber Security division, which is the protect function, you've got the whatever TAO tailored access operations has become. I don't know if it's still called the same thing, but that's the hacking and exploitation and then the attack. You've got Cyber Command, which shares a head with NSA and used to share a lot of personnel over time, but that's gradually being split out. And so the same thing is happening in the UK. So it's interesting that 30 years later, maybe that's something that will be tested. Does ATTCK really need to sit with the hackers and the defenders when we're doing this show in 10 years time, we can revisit this.

Gruk

So it's interesting actually how they predict that one of the problems that they will face in doing their job is that people will view the government's use of information technology as an invasion of personal privacy. And for us, this is difficult to understand. We are the government and we have no interest in invasing the personal privacy of US Citizens.

Tom Uren

Right, right. I think that historically where they're coming from is that militaries and governments and citizens use separate networks. And so it was very clean to be able to say, well, I'm targeting this radio frequency which is used by the Russian government. And now it's. Everyone's on the Internet, so you've got to target the Internet. And. And so where they're coming from is we're still looking for the Russian military or the terrorists or whatever. It's just that it's swimming in this soup of people's.

Gruk

Everyone else's stuff.

Tom Uren

Yeah.

Gruk

I mean, they're very right to say that people will be scared and upset by that because, you know, partially with the fact that what they do is secret, but that they're doing it is not.

Tom Uren

Yeah.

Gruk

So the specifics that we're not actually looking at your emails, we're just looking at email in general is a hard.

Tom Uren

That's so reassuring.

Gruk

Oh, that's much better.

Tom Uren

Lots of emails, millions of emails. Just not your email.

Gruk

Everyone's emails, not yours. So I'd like to bring up that. Actually, one thing that is interesting here, how different states use different language to describe the information domain where we operate with cyber. And for the Russians, that's just the information sphere, which includes everything from print, magazines, emails, computers, tv, you know, it's. It's all of the information space at once. And the US is trying to do that as well. Where they now talk about information operations in the information environment, or like the information operations environment. It's like they're trying to capture that same idea, but we're stuck with this idea of cyberspace. Right. So while the Russians think about information as a sphere that you operate in, and the Chinese have a similar approach because we use the term cyberspace, space has this sort of implicit baggage. It implies dimensionality, that there's a here and a there, that you can go from A to B, that it's in a specific place. So that by using this term, we've sort of already closed off our thinking in a way that we've limited the way that we understand things to now being how do we think about a space? Like how do we attack through a space? Whereas with these broader ideas, you're thinking about like, how do I manipulate information to achieve this end, which is a different style of thinking. And you can See that some of what they're doing here is they're trying to match that sort of like, you know, understand information as a means of waging warfare and doing attacks through cyberspace. These two concepts that they're trying to put together.

Tom Uren

Yeah, yeah. To me it seems the US never really integrated cyberspace and information operations together. Like they actually sit in different organizations. This article in Cryptolog IO IO it's off to work we go. It defines information operations as actions taken to affect adversary information and information systems while defending one's own information and information systems. And I always thought the problem with the US's thinking was that it was defined in a military way. And so it was constrained within areas of operation and was never global. And so you can sort of see how a cyber operation would fit within that, with, within that definition. But you don't often think of a cyber operation actually changing the battle space, I guess, like, you know, doing something that would shift people's hearts and minds. That's just not the way people think.

Gruk

You know, to that point, I'd say that if you look at the Russian concept of information warfare, they would include things like paying influencers in the US to promote their ideas into the right wing sphere. And that's not how the US thinks about it. That's not within the domain of cyber. And yet, if you want to look at effectiveness, the Russians have caused disruptions and interruptions to aid Ukraine several times now thanks to the use of information operations like that. And I think that like, you have to give credit where it's due for this has been an effective way of waging information warfare. And the fact that it's sort of like that's just not how it's done. It feels a bit funny, you know.

Tom Uren

Yeah. I get the impression that that kind of thing is on the cards when you've got a defined area of operations or whatever, but most of the time, because that doesn't exist, because it's mostly not on the table. It's not something that people reach for all the time, if that makes sense. Like the authority to use it mostly doesn't exist. So it's not a default.

Gruk

Right. It's not like reading everyone's emails, for example.

Tom Uren

Except not yours.

Gruk

Yeah, except not you.

Tom Uren

So another thing I really thought was interesting, a different article talks about how there's different perspectives on information and information warfare.

Gruk

I'm literally reading the same one right now and I wanted to bring it up as well.

Tom Uren

Yeah, right, okay, so. And I, I thought this perfectly captures it well. I don't know about back then, but certainly right now. So it's, it's had enduring truth. There are three fundamental concepts of information warfare. First, we have the information in warfare crowd. These folks originate predominantly from the intelligence community and the ranks of military historians.

Gruk

You know, some of the upper class of society upon which they sort of just label them as the proper intellectuals and the better. The better class.

Tom Uren

Yeah, I felt recognized and seen by this paragraph, to be honest. They view IW as nothing new, pointing out that information has always been important in warfare. Today there's a lot more information and we've gotten better at moving it around. This group spends its time arguing about whether systems should be push versus pull and how to get the right information to the right person at the right time in the right place.

Gruk

Right. Which right? Right. Right is I think what we're getting at.

Tom Uren

Right.

Gruk

And they have the correct view. And then there's some other groups who have these bonkers ideas.

Tom Uren

Well, the second group is information technology in warfare gurus. This group which is comprised of much of military establishment around the world, and.

Gruk

I see here in parentheses it says and other knuckle draggers from the Gulf.

Tom Uren

War, they perceive that the future of warfare lies in long range, high precision munitions. Information warfare is viewed as a force multiplier to enhance existing combat operations. I am not in that group, but that strikes me as that's the way defence procurement has gone. Things have gotten more, more expensive, more and more amazing, more and more capable. The, the money I think that flows into that type of procurement is a recognition that that is, is a dominant paradigm, an accepted wisdom perhaps. Finally we have the information warfare group. Proponents who understand the information age and know the fundamental nature of warfare will be dramatically different in the digital realm. This group recognizes that information operation will lose its battlefield context in the next millennium. And I guess that's the crucial sentence. Like the US military doctrine, it's never lost its battlefield context. And I think there's good reasons for that. Based on like, you know, democracy. They believe that increasingly a society's leadership will desire to limit crisis and conflict and that those leaders will look to resolve conflict before it begins, via digital coercion if necessary. This group to some extent perceives the diminution of powers vested in nation states and sees the emergence of transnational special interest groups who will desire to further their objectives with inexpensive, efficient, surgical bit based capabilities.

Gruk

Oh, sorry, I'm just, I strain my eyes with rolling it. Bit based?

Tom Uren

Yeah, so up until that part it was like, oh, he's talking about Al Qaeda, which. And this was written in 97.

Gruk

He might have been talking about Al Qaeda, but I think what he captured is actually broader. Like incels. ISO would be. Yeah, like, that would be a transnational group who has an ideology that they. It's a special interest group. Similarly, I would say that, you know, the BTS Army. Right. Like a fandom of a K pop group is. Again, it's a special interest group that's transnational, that they. They have these expensive surgical capabilities and they use them to advance their interests. Which happen to be lots of views on YouTube and like the most downloads of a single in the first 24 hours and things like that. Like, it's super on. It's. It's spot on. Like, this is very, very accurate.

Tom Uren

Yeah. I feel that you're in this group and I'm in the first group and.

Gruk

Oh, that's not a yes. Yeah, I can see that.

Tom Uren

I think you're much more comfortable talking about these sorts of things. And to me, that speaks to indoctrination. And when you end up in somewhere like nsa like you, you drink the Kool Aid, you imbibe the culture. It's like a baby growing up like you. You sort of learn more and more about less and less. And I think that there's no organization in. Not that I'm aware of in Western democracies where it's like we're in information warfare. And I think there are subgroups that live and breathe that.

Gruk

Yeah. But I'd say they're sort of trapped in this cage of the doctrine of information operations, as it's perceived by the agency that they're within or the organization that they're within. I guess I'm putting it a little bit in adversarial terms. Trapped within a cage. But if you do have this expansive vision of how things should be or could be.

Tom Uren

Could be. Yeah.

Gruk

You're then up against this inertia of the way that things are and the way that we've always done things. I sort of wonder, like, is it possible even to steer that ship? Like, there's just so many interlocking parts. Like, okay, say you come, you get to nsa to the point where NSA has embraced this vision of like, we should be paying for influencers to parrot our talking points in other countries. Even if NSA believed that they would have to get authorities from the rest of government to fund and support that. So you couldn't just change the idea inside this one agency and achieve that.

Tom Uren

Yeah, no, I think that it doesn't make any sense for NSA to do that. And part of the reason is that if you're that type of organization, you can steal secrets and you can probably come up with a way of measuring how effective or how important or how significant the secrets you've stolen are. Like, this is a priority one requirement. We've got Putin's email. Like, this is amazing.

Gruk

Along with all the other emails, but not yours. You should see the stuff that Tom Yoren's talking about.

Tom Uren

And then if they were doing information operations, they would then say, and we also got an influencer to talk about.

Gruk

Someone with over 3000 Instagram followers has been discussing it.

Tom Uren

And there's no way that you can balance up those two. Like Apple and. Well, they're not even fruits in the Color Purple.

Gruk

They're certainly two different things, but they're probably not even on the same conceptual plane.

Tom Uren

That's right, yeah.

Gruk

From this Perspectives thing, I think that this group three that he's talking about is this unrestricted warfare stuff.

Tom Uren

Right? You're talking about the Chinese. Is it a paper or a document or a book?

Gruk

There's a book that came out in 1999 called unrestricted warfare. It was. It was released sort of like by some thinkers in the pla, as far as I understand. Right. So it was a sort of a vision document. You know, here's what things could be. And it got a little bit of a bad reputation because people looked at it and they. They read it as, here is China's plan to destroy the US as opposed to sort of, here's how we imagine things could go. There are no rules. You need to blah, blah, blah, expand your vision and all this stuff.

Tom Uren

So they also have been reading science fiction books and watching films.

Gruk

Absolutely. Absolutely right. And sort of very early on, they've got this. They put forward this idea of new concept weapons, which would be things like stealth technology and precision guided bombs, where you take technology and you sort of push it to the boundaries of what's possible. You know, these new concepts allow you to create new weapons.

Tom Uren

Right. More and more precise and more and more capable, longer range, better precision weapons, etc.

Gruk

Faster turnaround. And all this stuff.

Tom Uren

Stealth weapons.

Gruk

Stealth like all of this stuff. Like they say the Americans are great at this, but they have this next thing, which is that rather than new concept weapons, there's a new concept of weapons where you would then take the idea that anything can be a weapon. You just need to imagine a way to do that. They say that, you know, the Americans have not been able to get their act together in this area. This is because proposing a new concept of weapons does not require relying on the springboard of new technology. It demands elusive and incisive thinking. However, this is not a strong point of the Americans.

Tom Uren

Burn.

Gruk

Who are slaves to technology and their thinking. The Americans in invariably halt their thinking at the boundaries where technology has not yet reached, which is. It's not wrong. I think people might quibble, but I think that they've sort of captured this thing of like, how can we make a better bomb given these new technologies. Whereas what they're trying to advocate here is to sort of like how could we make a man made tsunami, how could we cause hurricanes, how could we make the stock market collapse, how could we force someone to resign that we don't like? It's looking at how could we turn everything into a weapon that would help us achieve our goals.

Tom Uren

Yeah, yeah. So in the information warfare space, and I guess I'm thinking here about things like the, what's it called? The Information Research Agency, which was the, what's his name? Putin's chef?

Gruk

Prigozhin.

Tom Uren

Yeah, that's right. Prigozhin, who died tragically in a, in a plane crash where it collided with a missile. And, and there it seems like the Russian state was paying for propaganda to be produced. The Chinese state has a deliberate goal of. Xi Jinping calls it telling China's story. Well, so they've got cgtn, China global TV network, I think, and other mast heads that they fund and influences and stuff like that. And they also engage in influencer capture.

Gruk

Right.

Tom Uren

So you get Western influences who promote Chinese interests based more on the ecosystem rather than which the Chinese state sets up. Whereas there's nothing like that from. Well, there's Hollywood, I guess.

Gruk

Well, that's what I was going to say is like to a degree these, these other states can't quite imagine that like Hollywood or the New York Times or whatever is completely free to do whatever they want. And they just so happen to choose things that promote American hegemony. Like that's what's happening. Like they're not being directed to do that. Ignoring the Hollywood US military connections. The US military will let you use their equipment for free in your movie as long as they get to read the script and make corrections first. So like that does happen. But it's. I think Hollywood wouldn't write other movies anyway because American audiences don't want to see the American bad guy.

Tom Uren

Some of the conclusion of one of these articles is it's important to Understand that information operations and the associated cyber based capabilities are very information intensive propositions. Shaping cyberspace is a long term activity which will require a serious continuity of effort.

Gruk

Yep.

Tom Uren

And so that's why nothing's changed.

Gruk

Yeah, they recognized the problem and they were right.

Tom Uren

Yep, they recognized the problem. They were right. And it seems like just the dynamics of the way a liberal democracy, the limits and authorities around the organization, the separation of the state and basically the information environment, these are all things that are insurmountable if you're working from within an organization. Like you cannot in NSA do anything about any of those. And so the situation has basically remained the same ever since then. That seems to me to be like doubling down on your strengths. And so the US conventional military force is unparalleled and so they're playing to their strengths. Their intelligence collection also probably best in the world. And so they're integrating those two, getting better at, better at doing that. And at the same time that forces other countries to try and figure out alternative methods. Maybe a cheaper, like to fight on a different playing field altogether.

Gruk

Right. It's an asymmetric information warfare.

Tom Uren

Right.

Gruk

I think the conclusion here is very, very telling. We have to have a stake in all three information warfare camps, which is the information in warfare, information technology in warfare, and then information as a sort of warfare domain. So we have to have a stake in all three camps discussed earlier and as information providers and information protectors, especially for role in camps one. And.

Tom Uren

Like, I think I could quibble with your interpretation there, but I think you have hit on something that in protection and providing like intelligence and defense, they seem particularly relevant to, to those first two camps. Whereas the unrestricted, I'll call it unrestricted warfare, it's like, well, you know, you, it's information dissemination. What are you, what are you making.

Gruk

Up stories and telling lying on the Internet? That's everyone's. Thanks a lot, Tom.