Read the whole thing, then come back and think about:
. . . There was another historically unique and critical aspect to the fighting – the emergence of synchronized cyberspace domain actions as an intelligence indicator for strategic, operational, and tactical level military operations. Unlike the (alleged) Russian cyberattack upon Estonia in 2007, the (alleged) Russian cyberattack on Georgia was accompanied by physical domain combat between Russian and Georgian military forces. The (alleged) Russian network attack operations in virtual cyberspace occurred prior to hostilities and later mirrored (apparently synchronized with) Russian combat operations in the land warfighting domain.7 These attacks included various distributed denial of service (DDOS) attacks to deny/disrupt communications and information exfiltration activities conducted to accumulate military and political intelligence from Georgian networks. These attacks also included web site defacement for Russian propaganda purposes.8 One of the first elements of Georgian society that were attacked was a popular hacker forum – by attempting to take out Georgian hackers, Russian-supported hacker militia preemptively tried to forestall or mitigate a counter-attack (or returning fire) from Georgian hackers.9 What is not widely known is that pro-Georgian hackers made limited but successful network counter-attacks against Russian targets.10 Hacker wars between (often quite talented) patriotic amateur hackers, cyber militias, and organized criminal gangs have become a widely accepted de facto form of nation-state conflict over the past twenty years (for example: Israeli vs Arab/Muslim (Sept 2000), India vs Pakistan, US vs China (April-May 2001), Russian vs Estonia (April-May 2007), etc…). These non-governmental national assets are generally used for the traditional purposes of imposing one nation’s will and conditions upon another.
Two and a half years later and we can only allege? That’s the plausible deniability irregular information operators offer.
One of the first targets of enemy Civilian Irregular Information Operators will be friendly Civilian Irregular Information Operators.
What are some of the operational and intelligence lessons that can be drawn from these conclusions? First, for Russia or China to employ their people’s patriotic ‘hacker militia’ to conduct a network attack against a target nation-state, they must engage them first – to motivate and ‘sell’ them on the concept; steer them toward appropriate targets; synchronize those cyberspace operations with combat activity in the physical realm; and discuss the most effective cyberspace tactics, techniques and procedures (TTPs) to be used. The patriotic hackers and cyber militias need to be focused by the aggressor government against the opponent‟s center of gravity and their activities to be synchronized with attacks against that center of gravity from the other domains. These hackers and cyber militias need to understand the opponent‟s center of gravity in order to develop cyberspace domain approaches and techniques to effectively attack it. These preliminary cyberspace activities often create an identifiable signature that can be tracked and monitored in advance of combat operations. Nations need to monitor hacker chat rooms and communications of potential aggressor nations in order to intercept and understand this activity.
How would the United States employ our people’s patriotic ‘hacker militia’?
What arm of the fedgov.mil octopus could engage them, motivate and ‘sell’ them on the concept, steer them toward appropriate targets; synchronize those cyberspace operations with combat activity in the physical realm; and discuss the most effective cyberspace tactics, techniques and procedures (TTPs) to be used?
Nobody in our .gov/.mil could overtly engage them without suffering political retribution from Legislative/Executive branch elements that do not want American patriotic hacker militias engaged. That leaves former or retired .gov/.mil beyond the reach of retribution, and contractors that don’t get much political oversight.
Russian-oriented hackers/militia took out news and local government web sites specifically in the areas that the Russian military intended to attack in the ground and air domains. The Federal and local Georgian governments, military, and local news agencies were unable to communicate with Georgian citizens that were directly affected by the fighting. This provided an intelligence indicator of the ground and air attack locations. It created panic and confusion in the local populace, further hindering Georgian military response. This effect also provides a future aggressor nation with an opportunity to conduct military deception operations via feints and ruses to mislead the target nation population, government, and military. A sudden „blackout’ of cyberspace activities in a specific region may provide an indicator of a tactical or operational level conventional attack. Or it could be used as a sophisticated cyberspace operation as part of a larger deception plan, creating a feint in the cyberspace domain to lure opposing forces into believing an attack is imminent in another warfighting domain. Use of patriotic hackers and cyberspace militia themselves might be a deception effort to attract the target nation‟s attention away from the aggressor nation‟s top-quality military and intelligence community cyberspace operators that quietly conduct the main effort in the overall cyberspace domain operation.
Are we even allowed to use MILDEC anymore? Could any U. S. MILDEC’ers work by, with and through American patriotic hackers and cyberspace militia?
In future combat, aggressor nation patriotic hacker militia can be called upon to conduct cyberspace fire & maneuver operations performed directly in support of forces in other domains, They could also be extensively utilized to conduct deception efforts in cyberspace in support of operations in the other domains or to act as a distraction for other cyberspace operations conducted by government professionals against target nation high value targets (HVT).
UPDATE 012911: This Week at War: Lessons from Cyberwar I