Germany – Offensive cybercapabilities, tools for defense and deterrence

Offensive Computer Network Operations (CNO) have been a part of electronic warfare for over three decades. Consisting of the exploitation of system weaknesses for espionage – Computer Network Exploitation (CNE) – or damage – Computer Network Attack (CNA), they offer a tactical advantage to states which invest in their development.
By Clotilde Dauchy, Liaison Manager, and Dr. Sandro Gaycken, Founder and CEO of Monarch

Based in Berlin, Monarch is an ethical private intelligence solutions provider focused on the protection of democracies and critical infrastructures and on the development of a range of nation-state level cyber capabilities for militaries.

In the last 15 months, we have witnessed the variety of ways these tactics can be used to support strategic warfare in the conflict with Ukraine.

They may be used to disrupt enemy communications, intercept signals, disrupt, disengage, and damage weaponry, interfere with the functioning of critical infrastructure (cutting resources off), and support disinformation, all of which creates fear and uncertainty in the overall population.

While CNO is generally understood as three strands, with CNE and CNA considered separate from Computer Network Defense (CND), the larger strategic defensive advantage which offensive cyber expertise provides should not be underestimated. Network defense which is oblivious to offensive tactics, techniques, and procedures (TTPs) is left playing catch-up and easily fails. Defensive methods must therefore be based on knowledge of offense in order to develop effective mitigation mechanisms. Additionally, offensive TTPs are in constant development, adapting to patching and defense, meaning this knowledge must be kept up to date at all times, or it will rapidly become obsolete and useless.

Defense hardening through offense has for instance been done through non-commercial bug bounty programs, such as the US Department of Defense’s Hack the Pentagon, initiated in 2016 and repeated in 2018 and 2022, in which cybersecurity researchers were incentivised to identify and disclose vulnerabilities in the government’s public-facing networks, such as the Facility Related Controls System (FRCS). This method of lawful and ethical hacking led to the disclosure of over 700 issues, and its success led the Department of Homeland Security to reproduce the initiative with the “Hack the DHS” program. Even more importantly, solid offensive cyber capabilities can be a deterrent on their own. A cyber criminal – whether backed by a nation-state or acting as an individual – will think twice about attacking a system with the ability to attack them back.

Exploit development and the acquisition of bugs for intelligence and military purposes can provide a critical means of deterrence in an unstable international arena. Cyber weapons have many advantages over kinetic ones: they can be covertly placed in advance and triggered at any point in time, and they provide an option for reversible, non-lethal damage, therefore lowering the risk of escalation to kinetic warfare. Non-lethal and reversible impacts can include the short-term switching off of critical or military infrastructure, ransomware attacks to deny access to data, or the remote control of military satellites to hinder operation. In-depth understanding of the broad range of capabilities within offensive cyber, as well as their methods and their command and control, is vital, as some weapons may also cause irreversible and lethal damage, and can target critical infrastructure, leading to potentially uncontrolled escalation.

In the case of Stuxnet, where the target was the Iranian Natanz uranium enrichment facility, the initial infection was introduced through a removable drive into one of the network computers, spreading from there. The worm however spread far beyond its original target and impacted a large number of nuclear facilities throughout Iran and beyond. It was developed on the assumption that Natanz was air-gapped, yet it spread through the internet, and may have escaped the facility due to a breach of protocol, likely human error, by a Natanz worker. Awareness of such risks is vital in the development of malware for espionage or damage purposes, as the consequences of a poorly developed cyber weapon could clearly be disastrous.

Government institutions, Western cyber commands in particular, face a serious challenge when it comes to the procurement of cyber offense experts. While a few nations have managed to build successful offensive cyber teams, namely the Netherlands, the UK, and the US, many still struggle with both hiring and retaining top talent. This is due to a variety of factors. Most importantly, talent is limited, and consists mainly of individuals with an independent mindset, which government teams may find difficult to accommodate. Most hackers will prefer private industry or freelance work, both of which provide better pay and more freedom. Due to complex and lengthy procurement processes, identifying and hiring freelance hackers for government support can remain rather difficult, and becomes expensive as said freelancers must be kept on retainer.

Incentivising active cyber as a field of education to create more talent could appear a worthwhile endeavour, if it were not for the other issues which will drive said talent, once again, towards the private sector. Furthermore, this is a unique strand of work in which it is difficult to succeed, or even simply to access the knowledge from which to build expertise, not to mention the decades this solution would take. In the short and medium term, two main solutions can be identified: using the private sector as a supportive mechanism, and investing in long-term internal change in the functioning of government cyber institutions.

Private industry is a way to bypass a range of the issues mentioned above. Specialised companies focused on building cyber capabilities have the ability to apply expertise to evolving needs, ranging from consultancy and training to building a sustainable command, staffed with talent capable of assessing mission requirements against individual targets and of developing and deploying cyber weapons. By trusting such companies to identify and subcontract the most appropriate suppliers for each step of the process, government institutions avoid wasting time in the bureaucracy of the procurement process, and save money by not retaining unused capabilities, the need for which may vary from one year to another. One problem in the way of public-private partnerships however remains: trust. Few companies with the expertise required to provide support and deliver valuable progress exist, which means collaboration with foreign – even if EU-based – companies may be necessary. This is a leap of faith to take, and government institutions must rely on their own judgement of expertise in this very complex area, and of trustworthiness based on company experience and ethics.

Investment in private industry does not however solve the deeper issues behind the struggle to retain talent. Building capability is one thing; retaining it is another. National cyber institutions must focus on long-term transformation in order to become fully functional and sustainable. This means increasing pay and incentives, simplifying procurement measures, and supporting cultural transformation.

Most importantly, this also means the regular hiring of expert consultants to identify capability gaps and to carry out ongoing targeted recruitment, fitting the most pressing needs in constantly evolving territory. Without significant development, governmental cyber capabilities will remain vulnerable to nation-state and individual attackers and will miss out on significant tactical and strategic advantages both ad bellum and in bello.
