A
Hello, everyone, this is Tommy Wren. I'm here with the Gruk for another Between Two Nerds discussion. G'day, Gruk.
B
How are you? Fine. Yourself, Tom?
A
I'm well. This week's edition is brought to you by Authentik. I have a discussion with Authentik's CEO Fletcher Heisler about the importance of IDPs, identity providers, and why they are super critical and why customers are looking to have identified variety of options. Catch that on the podcast channel this week. So, Gruk, you sent me a paper.
B
Yeah.
A
And the title of the paper is Narrow Windows of Opportunity: The Limited Utility of Cyber Operations in War. Now, I get the feeling that much of our audience would think, just based on the title, this is a paper that we would really love. And now, to be clear, I haven't actually read it, so there's that disclaimer, but I almost immediately had an instinctive rejection of the title. And I think it's because of the way the title just frames. Yeah, the situation. And it seems that a lot of time the people who talk about cyber operations in war, well, naturally enough, military people, but they sort of start out with this funnel where they look at narrower and narrower aspects and of course they end up in a place where it's not very useful.
B
Yeah. So I think that that captures the basic problem is that even just for the military, I think cyber is not useful in the way that they want it to be useful. They're looking for some sort of like.
A
Nuclear type capability, even though they're looking for cyber fires.
B
Right.
A
To go with other sorts of fires. So that's the term of art for.
B
Right. So they're going to look at it and they're going to be like, you know, we're going to like, find, fix and finish. And we want to do that with cyber. So, like, we get eyes on target, we figure out what they are, and then we use cyber fires to destroy that target and then we can move on. And that makes no sense, generally speaking, with what cyber is really good at. Like, it's just.
A
Yeah. Once upon a time I wrote a paper for the Global Commission on Cyber Stability defining offensive cyber. And it was based on doctrine, the available doctrine at the time, which was mostly US military doctrine. Australia had produced some things as well. And the definition I came up with was offensive cyber is operations that destroy, disrupt, degrade, deny. And that is an extremely military, relevant definition, but also a very narrow one. And the more I think about it, the more I think that that definition is just missing the point entirely of what cyber operations are actually good for.
B
Yeah. So, like, I think it's not out of the question that, that cyber can do though, like the 5Ds. I just, I wouldn't say that. That's right. Like you can do those things. That's great. But that's not the real. Like, that's not the strength, that's not the benefit. Like, which of those 5Ds is China's two decades of IP theft? Like, none of them. But in terms of overall impact to geopolitical strengths and like the fate of nations, obviously the IP theft was much more impactful overall.
A
Yeah. So we actually spoke about, and it was an episode called the Fate of Nations where we spoke about whether cyber could have strategic effects. BTN117 and if I remember correctly, that was one example, the long term drip, drip, drip of intellectual property theft. And I think the example you liked was Russian, I guess Russian propaganda.
B
Yeah.
A
Information operations shaping debate in America.
B
Yeah, very much so. And I think in the year 1999 and 2000, there was this resolution going through the UN about whether we should limit the use of offensive cyber. Which is. Which is not what they called it, but that's what they meant. Should we have a thing in place to stop the use of cyber attacks against other nations? Should we ban it, some sort of treaty, whatever. And the US was against it because they were so far ahead of everyone else in terms of their cyber capabilities that they didn't want to sort of hobble themselves. But what's very interesting is that in this debate, all, all of these countries were putting forward what they meant by offensive cyber, and the Russians put forward their ideas and their ideas were things like break the social cohesion of society's fabric, interfere with the moral and psychological aspects of society, disrupt the spiritual cohesion. Like all of these things that have nothing to do with the Western concepts of cyber. I believe that they were looking at like the ways that they've used disinformation in the past, the ways that they've had to deal with propaganda. And the things that they worry about are like having the sort of core of a society shattered by another nation. Like that, that worries them because that's what they aimed to do all the time. And the West was like, that's stupid. Like that's, that's not a thing.
A
That's right. Why would we worry about that?
B
Can you imagine? Yeah. Like, to me, I think that there's a sort of fundamental disconnect of like, if you decide that cyber is a thing that can do these five Ds and anything else just doesn't count, like, oh, that's espionage or that's financially motivated or that's criminal or that's. That's propaganda, or any of you can find a way to make sure it doesn't fit your definition, then, yeah, you're going to find that, like, cyber is kind of weak, like, it's not a very strong force because you've just ignored all of the possible ways that it's strong.
A
Well, I was thinking about how people dismiss it in warfare, but also, it seems like other things in warfare are not massive game changers. Like, you kind of look at the Ukraine-Russia war, right? And that's basically ground to a standstill or a stalemate. And cyber hasn't been decisive, but nothing else has either.
B
Yeah, like this is sort of World War I thing of, like, poison gas. Seems like it should be a decisive thing because people can't breathe poison gas. But it turns out that, yeah, like, it just, it makes the fighting worse and harder and more brutal, but it doesn't change the dynamics in any major way. Like, it doesn't break the front lines and become a war of maneuver again. Like, if poison gas is not the game changer it was imagined to be in, you know, over 100 years ago, why should cyber be a game changer now? Nothing is. Nothing fits that definition because except for nuclear weapons, which basically end the game entirely.
A
I mean, it is true that you can't blow up things or very, very rarely can you blow up things with cyber. And so missiles and bombs just have a far greater impact on the battlefield. Like, each has their place, I guess.
B
They've got this quote that they cite in here from a paper that also kind of dismissed cyber. Why hack what you can destroy? And I think that that's right, which is during wartime, you do want to destroy things, right. If you're trying to win a war, you kind of do it by making the other side stop fighting first. And the way that's understood in the West is that you pummel them until it doesn't matter if they want to fight or not. They can't. And I think if you look at all the wars that the West has won recently, you can see why that's not a very good way of winning wars.
A
Right.
B
It turns out that the political will is probably more important than the existence of an army.
A
Right. Yeah.
B
So I think the reason of why hack what you can destroy is destroying doesn't win wars.
A
I also go back to right at the beginning of the invasion where there were a couple of operations that aimed to destroy Ukraine's military's ability to communicate. There was the Viasat hack and there was another telco hack at the same time. And it seems like they've been forgotten in the midst of history as ineffective and useless. But I think if the initial invasion had turned out well, people would be singing their praises and saying how instrumental they were. And it absolutely. These feel like the kind of intricate, I guess like a special forces operation, like when they come off, it's amazing.
B
Right.
A
And people really endorse them and think that they're key. And so it's just a matter of the twist of fate that we disregard them and ignore them.
B
Yeah, so I think that's absolutely correct. Like if the invasion had worked, we would be flooded with papers about how HermeticWiper or whatever was the central pillar of, of the successful invasion. That wiping the email servers of the Ministry of Agriculture was one of the pivotal events that led to the fall of Kyiv. And I think that because that didn't happen, it's just dismissed. And I think either one of those takes is wrong. Well, I think it's correct to dismiss it, but I think the reason to dismiss it is that that's not the sort of attack that can be helpful. So on the other hand, if you look at like Albania, who got hit by Iran with the same set, or not exactly the same wipers, but like the same attack concept, like the, the same CONOPS, concept of operations. Right. It was wipe the servers, wipe government ministries, attack the sort of infrastructure that allows government to run and that caused massive disruptions. And part of the reason it didn't in Ukraine is that the Ukrainians have had eight years, or at that point it had eight years of being disrupted all the time. It ceased being effective by that point. Whereas if you take Albania, who hadn't had that, it was effective. I think dismissing it out of hand is also the wrong approach. Because if it were to happen in Europe, I don't think that there's any European states that are resilient enough to bounce back quickly.
A
No state has been attacked as much as Ukraine had been at that time.
B
So I think we're using a worst case scenario example for all of these things.
A
At some event, quite a long time ago, someone said to me that cyber has never been shown to have a strategic effect. Now at the time I said that it has, but it's a long term changing, you know, strategic timelines.
B
Right?
A
Yeah, yeah. And in fact, now, many years later, I think that it actually is the thing that states use in peacetime to have strategic effects. It's just that any single incident doesn't cause a strategic effect. It's the sort of slow accumulation over time that actually results in states being in a very different place. And so talking about conventional forces actually misses the point. And so therefore talking about using cyber to assist conventional forces misses the point twice.
B
Yeah, very much. I absolutely agree with that. So I think the most effective offensive use of cyber is during peace time, sort of gray zone conflict. That's where you can just use small things or you can use subtle effects to have long term consequences, long term impacts.
A
Yep, chip, chip, chip, chip.
B
Yep. And it works during peacetime in a way that doesn't work during wartime. You can psychologically influence people during peacetime in a way that you can't during wartime, because during wartime they hate you for killing their father or forcing your family out of their home and blowing up the car or killing the bear. Like all of these things, you hate that group of people. So you're not going to listen to their propaganda, you're not going to. Anything that they put forward is not going to be accepted. Anything that puts them in a good light is going to be rejected. Whereas during peacetime there's the opportunity, like you don't have that animosity to deal with. There's an opportunity to influence perceptions that's just like it's not viable during war. And I think in a way, because cyber is actually really good at persuading people and influencing perceptions, it sort of naturally makes the most sense as a peacetime strength, like a peacetime power.
A
In fact, the framing of its limited utility in wartime is it's the thing that's least useful in the circumstance that occurs the least often because for the vast majority of the time we're actually in peacetime. And the flip side of that is that like, we think it's actually tremendously useful in peacetime. The other interesting thing you sent me was this document from RUSI, which is the Royal United Services Institute, which is a UK national security think tank. I think it is the world's oldest national security think tank. Is that right?
B
Pretty sure. I know I've read papers from 1800 and something from them which are right.
A
So it has started what it calls the UK Cyber Effects Network, which is about the UK's National Cyber Force way of working, I guess, trying to understand what it's doing well, what it's doing poorly. Now again, it feels like framing the whole thing in a national security think tank, based on the way that the National Cyber Force thinks about what it's doing, is falling into that trap of starting from the narrowest possible conception of cyber. The first step is to break out of all of that thinking that's layered into.
B
Yeah. So I feel a little bit like one of the first lines from that Chinese document, Unrestricted Warfare, is that the first rule of unrestricted warfare is there are no rules.
A
Does it actually say that?
B
Yeah, yeah, yeah. And it's. I think that that's a thing that's missing here in a way. From that concept document, they're trying to talk about, like, a new concept of weapons. So there's new concept weapons which are like, what if we use a hypersonic, a missile, or what if we figure out a way to make tanks stealthy? There's sort of anything that you can do that's still a weapon. But a new concept of weapons is to then say, like, social media is a weapon, movies are a weapon, anything is a weapon. Like, that's the concept. So new concept weapons can sort of expand your arsenal with investment, whereas a new concept of weapons throws open your arsenal to anything because you can weaponize all of it. And I think that cyber gives you access to that in a way that a lot of other things don't. Like, if you look at cyber from the new concept of weapons perspective of like, how can we use this to influence events in a way that benefits us? There's so much you can do. And if you just say, how can we use this to influence events in a way that benefits us by disrupting, destroying, denying, or degrading their computer?
A
Right. Yeah.
B
You just.
A
Five kind of annoying things that are painful and annoying rather than constructive or shaping. So the UK, the cyber force, they released a paper, I think it was a couple of years ago now, Responsible Cyber Power in Practice. And I, I actually really liked it.
B
I love it. Yeah.
A
And it talks about a doctrine of cognitive effects. And their idea is that they want to shape the thinking of small groups of people in a proportionate and responsible way. And it feels like they're getting really close to what some cyber adversaries are doing, but they're then saying, we'll only do it in little ways that aren't. Now, to be fair, that could mean shaping the thinking of, say, Xi Jinping or Vladimir Putin or.
B
Yeah.
A
Or whoever. But it, it seems to explicitly rule out.
B
Yeah, they're not talking about, like, the Sunday knitting club of the, you know, East Moscow Grandmother's Association. Like, that's not the small group that they're aiming at necessarily. It's.
A
Yeah, yeah. So it seems to me that definition is much better than the offensive cyber, deny, degrade, destroy, disrupt, because that is a subset of, I guess the UK calls them effects.
B
Yeah. Even out of those five Ds, there's no deceive. I mean, I think that that's a huge thing, is if one of the things that the Russians in their 2000 UN definition, one of the things they listed was to provide information to a population such that they have a view of reality that is not like, that doesn't match the facts. Like, basically you. You put like, that is literally one of the things that they say is a problem. Let me. Let me get the actual quote, because it's really good. So on page eight is where the thing starts. And so, like paragraph five, right. We are referring to the creation of an information weapon, the use of which, depending on the level of society, blah, blah, blah, can have devastating consequences comparable to the effects of weapons of mass destruction. It is obvious that such a weapon can be used by terrorists, extremists, or criminals use as well as by individual lawbreakers. So they think it's like the worst thing ever, but then you start looking at the things that they worry about. So this is paragraph 13. Manipulation of information flows, disinformation and concealment of information with a view to undermining society's psychological and spiritual environment and eroding traditional cultural morale, ethical and aesthetic values. Like, nothing they worry about is ddddd.
A
Yeah, nothing is as we would define cyber narrowly. Yeah. I think I look at each of those bullet points or items and I say that doesn't really sound like cyber. And it could sound like something much bigger than cyber, like, based on my definition.
B
Yeah. Well, I think this is because the Russian concept of cyber, is that a small part of information warfare. It's not separate from paying someone to say something on a news station. It's within the same umbrella of offensive activities.
A
Yeah, yeah.
B
So one of these documents from the Russians has a line saying something like the use of information to create a perception of reality that differs from the real world. And for them, like, that is a use of cyber. Like, that's the thing that makes sense. And for me, that makes a lot of sense as well, because most people get their information about the world mediated through a computer. So if you control the computer, obviously you control their perceptions of reality. That's powerful. But that's not necessarily useful during wartime because you're not blowing something up. Right.
A
Right.
B
It's not immediately useful in the way that, you know, a hand grenade is useful.
A
Oh, I think also in wartime, the censorship and information control of nations is just a lot. It's just ramped up. So even in democracies, there's very strong censorship and propaganda efforts domestically in a real serious war. I think it's interesting that that RUSI page, it talks about the UK's definition of offensive cyber. So that definition comes from the 2022 UK National Cyber Strategy. And it says adding, deleting, or manipulating data on systems or networks to deliver a physical, virtual or cognitive effect. So that's far broader than the five Ds deny, destroy. That would be a subset of that.
B
That's a much more useful conceptual understanding.
A
Now when I read the Responsible Cyber Power, that document that sort of laid out their thinking, it was very clear that they were trying to target specific groups. And so although the definition is far broader, it feels like the targeting is still going to be a lot narrower than say Russia or China, which is like propaganda's for the whole world, it's for everyone. It's not just for specific people.
B
Yeah, sugar is for breakfast approach. Whereas, you know, we're trying to be healthy.
A
And it seems to me that the, the justification for that, the rationale for that was because we're living in a democracy, we can't go around manipulating everyone because that wouldn't be right. It's not the way things are done. And so it doesn't feel to me that this is something the UK is planning to do anytime soon, engaging in a broader shaping campaign around the world.
B
Right, but I think we'd be wrong to dismiss entirely that they wouldn't target shaping the minds of a leader and his immediate advisors. That would have the same impact potentially as shaping the entire population of a country. Right, and it might be easier as well because you're much more focused on a small group, so you can have an outsized effect quickly. But just going back to this paper that started this, they have this model of how they understand the use of cyber during wartime. I think it's the techie model, TECI. So this stands for target, effects, complexity and integration. So the target can be one of critical infrastructure, the government, the media or other, which I guess could be everything. Then there's the effect, which is a high, medium, low or no effect. And these are physical destruction, destruction of data, disruption or exfiltration of data, which I don't think those are the same thing. And then there's absence of effects which. Okay, then there's the complexity, which is a high, medium, low. So if it uses novel malware, it's high complexity, whereas if it uses known malware, it's medium complexity. And DDoS and simple brute forcing are low complexity.
A
Right.
B
So I would say that just from that, it's not a useful metric because if we look at Scattered Spider and Lapsus$, they're all low complexity, but very, very high impact. So I think that matching the complexity to the level of impact or just sort of how useful it is during war fighting or how they are not connected things, they exist in isolation. And then I think the integration here, we've got a high, medium, low and no. And that's whether it's sort of basically the degree of integration between cyber and non-cyber capabilities during the operation. And this is obviously very important from the point of view of the military where they want to be able to use cyber to assist them. And I, I can see there might be, I mean there's bound to be cases where it is useful. Right. You'll have things like when the, the Israelis disrupted the, I think it was the Syrian air force air radars.
A
Right.
B
You know, and that was a cyber capability that was used. So my understanding is that they, they made a large number of planes show up. Like there was.
A
Right.
B
They flooded the whole thing. Right. And so that, yeah, like that's going to be high complexity, tight integration, blah, blah, blah. Like all these things. That's the minority of cases where you use cyber. Like how many times does that happen compared to all the other things that happen? I think focusing on like just doing that, you know, it's missing this big picture of where cyber is useful.
A
Right. It's like focusing on a highlight reel from a sporting event rather than the 85 minutes of just grinding away that actually wins the game.
B
The entire season of getting there. Right? To then look at like, you know, and here's that one goal in the second half that took them over the line. It's like, yeah, but there were 13 games. Like there's a whole lot of stuff that happened. And then you get to like this one thing and you're like, and here's this one spectacular final keystone event.
A
Yeah, yeah, yeah. So even though the paper, like in a way it's, it's probably right that like cyber does have limited utility in a battlefield.
B
This paper is right about the wrong things. So it captures quite well the limitations of cyber in a war fighting context. It's not super useful when you're in a trench, but I think that misses the point, because cyber is useful before you get to trenches, right? Like, so cyber can influence the way that states are going and therefore interrupt whether it has a say in whether the war will happen or not, in a way. And I think that that's more powerful than on the battlefield. So I think that to focus on where it's not particularly strong is a misunderstanding of cyber. And I think that the UK gets it right when they talk about cognitive effects, virtual effects, physical effects. The idea that it's useful in all of these different ways and to focus on just how can we impact this small, you know, small domain of human activity in this specific case is very, very misguided, which is unfortunate, because my PhD is on the use of cyber during wartime. So, if you'll excuse me, I have to go call my supervis.
A
Thanks a lot, Gruk.
B
Thanks.
Date: September 29, 2025
Hosts: Tommy Wren (“A”) and The Gruk (“B”)
Format: Expert cybersecurity discussion
In this episode of "Between Two Nerds," Tommy Wren and The Gruk critically examine the military utility of cyber operations, particularly in the context of warfare. Their conversation is centered around the recent paper, Narrow Windows of Opportunity: The Limited Utility of Cyber Operations in War, using it as a springboard to explore how cyber is framed by different nations, its strategic effects in both wartime and peacetime, and the conceptualization of cyber effects beyond traditional Western military doctrine.
Initial reaction and skepticism:
Tommy expresses immediate skepticism toward the paper’s premise, which frames cyber’s military utility as inherently limited ([00:34]):
"I almost immediately had an instinctive rejection of the title... it seems that a lot of time the people who talk about cyber operations in war... start out with this funnel where they look at narrower and narrower aspects and, of course, they end up in a place where it's not very useful."
Doctrine-driven limitations:
Both hosts highlight that Western military doctrine narrows "offensive cyber" to destructive actions, the “five Ds” (the hosts name destroy, disrupt, degrade and deny, and Gruk notes that deceive is not among them), which may miss the true strength of cyber ([02:18]):
"That is an extremely military, relevant definition, but also a very narrow one. And... that definition is just missing the point entirely of what cyber operations are actually good for." — Tommy ([02:18])
What cyber does best:
Gruk points to China's long-term IP theft as an example of impactful cyber operations that don’t fit the 5D model:
"Which of those 5Ds is China's two decades of IP theft? Like, none of them. But in terms of overall impact to geopolitical strengths... the IP theft was much more impactful overall." ([03:04])
Cyber’s gradual, strategic effect:
Long-term, strategic impacts (e.g., IP theft, information operations) are where cyber excels — not in immediate battle outcomes ([03:42], [11:41]):
"It actually is the thing that states use in peacetime to have strategic effects. It's just that any single incident doesn't cause a strategic effect. It's the sort of slow accumulation over time..." — Tommy ([11:41])
Wartime: Cyber rarely decisive:
The discussion cites the lack of major breakthroughs in events like the Russia-Ukraine war, suggesting cyber has not been a “game changer” in active conflict ([06:26]):
"Cyber hasn't been decisive, but nothing else has either." — Tommy
Both hosts agree this doesn't mean cyber is ineffective; it reflects the realities of modern warfare, where stalemate is common and transformative “game changers” are rare outside of things like nuclear weapons ([06:54]).
Russian and Chinese views:
The hosts discuss how Russia contextualized offensive cyber as information warfare: undermining cohesion, morale, and societal stability — elements the West has traditionally dismissed ([04:16], [05:53]):
"The Russians put forward their ideas and their ideas were things like break the social cohesion... interfere with moral and psychological aspects... disrupt spiritual cohesion." — Gruk ([04:16])
"If you decide that cyber is a thing that can do these five Ds and anything else just doesn't count... you're going to find that, like, cyber is kind of weak, like, it's not a very strong force because you've just ignored all of the possible ways that it's strong." — Gruk ([05:53])
The power of cognitive effects and shaping perception:
Both see the shaping of perceptions and the psychological impact as areas where cyber can be powerful, especially in peacetime ([12:42]):
"Cyber is actually really good at persuading people and influencing perceptions, it sort of naturally makes the most sense as a peacetime strength, like a peacetime power." — Gruk ([12:42])
"If it were to happen in Europe, I don't think that there's any European states that are resilient enough to bounce back quickly." — Gruk ([09:37])
Beyond the Five Ds:
The UK’s National Cyber Force and strategy documents propose a broader understanding — including “cognitive effects”: influencing the thinking of targeted groups ([16:37], [21:29]):
"It talks about a doctrine of cognitive effects. And their idea is that they want to shape the thinking of small groups of people in a proportionate and responsible way." — Tommy ([16:59])
"The UK's definition of offensive cyber... is adding, deleting, or manipulating data on systems or networks to deliver a physical, virtual or cognitive effect. So that's far broader than the five Ds." — Tommy ([21:29])
The hosts suggest this broader framework better captures cyber's strategic power, though Western democracies self-limit widespread influence operations for ethical reasons ([22:07]).
Techie/TECI model limitations:
Gruk critiques the TECI (Target, Effects, Complexity, Integration) model for being overly mechanical and failing to account for low-complexity but high-impact incidents, as seen with LAPSUS$/Scattered Spider ([24:02]):
"Just from that, it's not a useful metric because if we look at Scattered Spider and Lapsus$, they're all low complexity, but very, very high impact."
High-tech, high-integration cyber-kinetic operations (e.g., the Israeli disabling of Syrian air defense) are rare and not representative of cyber’s day-to-day value ([25:11], [25:42]).
On the fallacy of looking for cyber game-changers:
"If poison gas is not the game changer it was imagined to be... why should cyber be a game changer now? Nothing fits that definition except for nuclear weapons." — Gruk ([06:54])
On peacetime power:
"The most effective offensive use of cyber is during peace time, sort of gray zone conflict... where you can just use small things... to have long term consequences." — Gruk ([12:18])
On Russian anxieties:
"Manipulation of information flows, disinformation and concealment of information with a view to undermining society's psychological and spiritual environment and eroding traditional cultural morale, ethical and aesthetic values." — Gruk, reading Russian UN submission ([19:00])
On the West’s "healthy" approach to influence operations:
"Sugar is for breakfast approach. Whereas, you know, we're trying to be healthy." — Gruk ([22:01])
On what truly matters:
"To focus on where [cyber's] not particularly strong is a misunderstanding... the UK gets it right when they talk about cognitive effects, virtual effects, physical effects." — Gruk ([26:13])
Tommy Wren and The Gruk convincingly argue that the Western military conception of cyber — focused on discrete battlefield effects — fails to recognize cyber's potent, long-term, and often invisible power. They emphasize that the “real” power of cyber shines in peacetime: through slow, persistent shaping of societies, economies, and perceptions. Accordingly, limiting definitions and models miss both cyber’s danger and its utility. The UK’s evolving doctrine towards “cognitive effects” is recognized as a progressive step, but Western restraint (for legal and ethical reasons) means adversaries’ approaches will often be broader and more aggressive.
Quote to remember:
"Cyber is useful before you get to trenches... that's more powerful than on the battlefield." — Gruk ([26:13])
For listeners:
This episode provides a thoughtful counter-narrative to the common Western framing of cyber operations — advocating for a recognition of cyber’s true strategic potential and how, for most states most of the time, its greatest power is in the quiet, persistent work it does in the shadows of peacetime.