CIO

Iron Rain: What defines a cyber insurgency?

By Tom Kellermann and Rick McElroy

'A fool pulls the leaves. A brute chops the trunk. A sage digs the roots' - Author Pierce Brown

The western world is grappling with a cyber insurgency. The widespread adoption of the 'kill-chain' coupled with the use of memory resident malware has fuelled a cyber-attack wildfire.

The security architectures mandated by regulators and standards bodies are collapsing. History does indeed repeat itself. One should study the evolution of insurgencies to better grasp the nature of cyber security in 2018.

In the Red Rising trilogy, Pierce Brown introduces a military tactic that could work only in a world where humans live on multiple planets and asteroids. We won't spoil the book completely (read the series, it's awesome) but for the purposes of this blog an Iron Rain can be defined as a mass invasion tactic. Enemy fleets gather outside a planet's atmosphere and use pods or other drop ships to launch an unbelievably overwhelming military force on the planet's populace.

It's overwhelming. It's instant and those who mis-react are doomed to fall to the Iron Rain.

So it is with cyber attacks, although attacks are not standalone and in many cases they are simply part of a larger 'Iron Rain' effort. Follow the strategy behind most nation state attacks and you will quickly start to realise that these efforts resemble insurgency tactics rather than standard military ones.

But what defines a cyber insurgency?

The US Department of Defense Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms (Washington, DC: U.S. Government Printing Office [GPO], 12 April 2001), defines an insurgency as 'an organised movement aimed at the overthrow of a constituted government through the use of subversion and armed conflict.'

In cyber terms, this becomes 'an organised movement aimed at the disruption of cyber systems through subversion and armed cyber conflict.'

The goals of the cyber insurgency may vary, although the following conditions must exist:

  1. Actions must be directed against a common entity or authority.
  2. Attackers must have the tools of cyber insurrections, and the systems to launch attacks against targeted entities.
  3. The cyber insurgents must be willing to use cyber force against their targets. This element distinguishes a cyber insurrection from intelligence gathering purposes.

In the U.S. Marines, we were taught to think differently. We were taught to think like the enemy and take it to them when needed. The Marines have a history of doing more with less, and they take pride in it. Just like infosec teams.

Over the past few years it has become apparent that our enemies are emboldened and becoming more aggressive. We must shift thinking and tactics to begin to turn the tide. Intel changes, things move fast, people's lives are at risk.

It is fundamental that cyber security professionals take a page from the annals of irregular or low intensity warfare to understand how to combat this threat. We must consider how defenders can best modernise their cyber security strategies.

Many of the strategic tenets below are derived from The Marine Corps Counter Insurgency Manual, FM 3-24 / MCWP 3-33.5, and adapted to the world of cyber. We will discuss cyber counter insurgency strategies in later articles.

First, to consider cyber insurgencies effectively we must discuss the idea of irregular warfare.

Low intensity warfare or irregular warfare is a violent struggle among state and non-state actors for legitimacy and influence over the relevant populations. Irregular warfare favours indirect approaches, though it may employ the full range of evasion and other capacities in order to erode an adversary's prevention, detection, and response capabilities.

When counter insurgents attempt to defeat an insurgency, they perform a range of diverse actions intended to counter an insurgency. Leaders must arrange these diverse methods effectively in time and cyberspace to accomplish strategic objectives. The various combinations of these methods with different levels of resourcing provide each team with a wide range of strategic options to defeat an insurgency.

Effective cyber counter insurgency operations require an understanding not only of the available cyber security capabilities but also of the capabilities of the adversary.

The tasks performed in countering an insurgency are not unique. It is the organisation of these tasks in time and space that is unique. For example, financial organisations may employ a strategy to align and shape efforts, resources and tasks to support strategic goals and prepare for specific attacks on their institution. In support of this goal, good strategies would normally emphasise security cooperation activities, building partner capacity and sharing threat intelligence.

Business leaders and security leaders must have a dialogue to decide the optimal strategy to meet the security needs of the organisation the team is supporting. Different capabilities provide different choices that offer different costs and risks.

Unified action is essential for all types of involvement in any counter insurgency. Unified action is the synchronisation, coordination and/or integration of the activities of entities with cyber security operations to achieve unity of effort. An organisation must have a unified approach to cyber operations.

We must begin to think collectively as an organisation. The time for siloed decisions is over. The time for unified action is here, and we must unify our strategies to combat the ongoing cyber insurgency. Stay tuned for more!