Building a Cyber Force Is Even Harder Than You Thought

In the past decades, over 40 states have publicly established some sort of military cyber command, with at least a dozen more planning to do so. Yet despite this proliferation, there is still little appreciation of the sheer amount of time and resources that an effective cyber command requires.

In my book No Shortcuts: Why States Struggle to Develop a Military Cyber-Force, I break down the challenges of building an effective cyber command into five categories I call the PETIO framework: people, exploits, toolset, infrastructure, and organizational structure. What does this mean for aspiring cyber powers? First, the most important element of developing an offensive cyber capability are the people — not just technically savvy ones but also linguists, analysts, front-office support, strategists, legal experts, and operation-specific consultants. Second, much attention has been paid states’ deployment of zero-day, or unknown, exploits. However, known exploits and tools can also be highly effective if the attacker has a superior knowledge of their target and their capabilities. Third, infrastructure investments — such as establishing a cyber range for training and testing — are an essential requirement to develop an offensive cyber capability and come at a great cost.

 Technical People Aren’t Enough

A widespread view in business management is that as the cognitive skills of a job increase, people — rather than technology — become more important. These “thought jobs,” as Daniel Pink calls them, require greater problem-solving skills and creative thinking, which means that businesses can only be successful if they cultivate a culture that prioritizes the human element. For aspiring cyber powers, this is true for more than just technical experts.

Of course, a military cyber organization needs vulnerability analysts, or bug hunters. These employees search for software vulnerabilities. They also need developers, operators, testers, and system administrators to successfully execute an operation, and make sure capabilities are reliably developed, deployed, maintained, and tested.

But building an offensive cyber capability also requires a more comprehensive workforce. First, frontline assistance is required to support the activities of operators and developers. This can include activities such as registering accounts or buying capabilities from private companies. Second, a military or intelligence organization with the best cyber force in the world is bound to fail without strategic guidance. Operational or tactical success does not equal strategic victory. An operation may be perfectly executed and rely on flawless code, but this does not automatically lead to mission success. For example, U.S. Cyber Command may successfully wipe data off the server of an Iranian oil company without actually securing any change in Iranian foreign policy. An organization can only function if there is a clear understanding of how the available means will achieve the desired ends. An important task of strategists is to coordinate activities with other military units and partner states. They are also involved in selecting target packages, although a separate position is often created for “targeteers.” The targeteers nominate targets, assess collateral damage, manage deconfliction, and help with the planning of the operational process.

Any military or civilian agency conducting cyber operations as part of a government with a legal framework will also deal with an army of lawyers. These legal experts will be involved in training, advising, and monitoring. Compliance with the law of war, the law of armed conflict, and any other legal mandates requires legal training operators, developers, and systems administrators to prevent violations. Legal experts provide planning support as they advise, review, and monitor operational plans. For example, in the planning of U.S. Cyber Command’s 2016 Operation Glowing Symphony, which sought to disrupt and deny ISIL internet usage, these experts helped to specify the notification plan, mission checklist, and authorization process.

Embedding legal experts at the various stages of a cyber operation is hard. Indeed, it likely requires numerous critical conversations with the leadership and operational teams to ensure they sufficiently understand what is being proposed before they can give approval. Also, the way certain operations are executed makes legal vetting harder. For example, in the case of self-propagating malware like Stuxnet, once you commit, it is difficult to go back.

A diverse group of technical analysts is then needed to process information during and after operations. Non-technical analysts are essential, too, particularly for understanding how people in the target network will respond to a cyber operation. This requires analysts with specific knowledge about the country, culture, or target organization. There is also the need for remote personnel. As security researcher and former NSA employee Charlie Miller puts it, “Cyberwar is still aided by humans being[s] located around the world and performing covert actions.” In the case of the Stuxnet attacks, for example, a Dutch mole, posing as a mechanic, helped the United States and Israel collect intelligence about Iranian nuclear centrifuges that was used to update and install the virus.

Finally, a cyber command needs administrators for human resourcing, liaising with other relevant domestic and international institutions, and speaking to the media. As Jamie Collier observes, “[G]one are the days when spy agencies did not officially exist” and kept “their personnel and activities guarded surreptitiously away from the public view.” Communication can help to overcome public skepticism. This applies not just to intelligence agencies, but to some degree also to military cyber commands, especially when their mission set is expanding and concerns about escalation, norms deterioration, or allied friction are growing. In addition, being more public facing may help for recruitment purposes in a highly competitive job market.

It Is More Than Just About Zero-Days

The most talked about element of developing an offensive cyber capability are exploits. These fall into three difference categories: zero-day exploits, unpatched N-day exploits, and patched N-day exploits. A zero-day exploit is one that exposes a vulnerability not known to the vendor. An unpatched N-day exploit is one that exposes a vulnerability in software or hardware that is known to the vendor but does not have a patch in place to fix the flaw. A patched N-day exploit is one that exposes a vulnerability in software or hardware that is known to the vendor and has a patch in place to fix the flaw. Oftentimes, attackers must combine multiple vulnerabilities into a chain of attack, known as an exploit chain, to attack a given target.

Much policy attention is devoted to states’ hoarding of zero-days. Jason Healey, a Senior Research Scholar at Columbia University’s School for International and Public Affairs, conducted a study in 2016 to understand how many zero-day vulnerabilities the U.S. government retains. Healey states with high confidence that in 2015/2016 the U.S. government retained “[n]ot hundreds or thousands per year but probably dozens.” This largely corresponds with other reporting. More mature military and intelligence organizations benefit from carefully designed procedures to use their exploits as efficiently as possible.

We should not, however, exaggerate the importance of zero-days. “[P]eople think, the nation-states, they’re running on this engine of zero days, you go out with your master skeleton key and unlock the door and you’re in. It’s not that,” Rob Joyce, then-head of NSA’s Office of Tailored Access Operations, said during a presentation at the Enigma Conference. He continued, “Take these big corporate networks, these large networks, any large network — I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days. There’s so many more vectors that are easier, less risky, and quite often more productive than going down that route.”

Indeed, for military cyber organizations in particular, the race for N-days is often as important. In deploy N-day exploits, attacks can take advantage of the time it takes to develop a patch and the time it takes to adopt a patch. The average delay in patching an exploit differs based the size of the vendor, the severity of vulnerability, and source of the disclosure. While it takes an average of just over a month for in-production web applications to patch “medium severe vulnerabilities,” it takes vendors on average 150 days to patch vulnerabilities in supervisory control and data acquisition systems. Adopting the patch can also take a considerable amount of time — especially in environments that lack standardization, such as industrial control systems. Partially due to the long lead-time on industrial control-system patching, we have witnessed several prominent attacks against these devices and protocols. For example, in December 2016 a Kremlin-backed hacker group known as Sandworm used malware dubbed CrashOverride or Industroyer to turn large parts of Ukraine dark. To do this, the attackers bypassed the automated protected systems at a Ukrainian electrical transmission substation by using a known vulnerability in its Siemens SIPROTEC relays.

Testing and Infrastructure Matter

There is a widespread belief that launching cyber attacks is cheap while defending against them is expensive. But as Matthew Monte observed, based on his experience in the U.S. intelligence community, “Attackers do not stumble into being ‘right once.’ They put in the time and effort to build an infrastructure and then work through Thomas Edison’s alleged ‘10,000 ways that won’t work.’” This requires infrastructure, an absolutely crucial element of cyber capability that is not talked about enough. Infrastructure can be broadly defined as the processes, structures, and facilities needed to pull off an offensive cyber operation.

Infrastructure falls into two categories: control infrastructure and preparatory infrastructure. Control infrastructure refers to processes directly used to run an operation. These are generally burned down after a failed operation. This type of infrastructure can include domain names of phishing sites, leaked email addresses, or other abused technologies. It also includes command-and-control infrastructure used in remotely conducted operations that maintain communications with compromised systems within a target network. This infrastructure can be used, for example, to keep track of compromised systems, update malware, or exfiltrate data. Depending on the goal and resources of an operation, the command-and-control infrastructure can be as basic as a single server operating on the external network.

More mature actors, however, tend to use more complex infrastructure and techniques to remain stealthy and resilient against takedowns. For example, Russia-based Fancy Bear spent more than $95,000 on the infrastructure they used to target people involved in the 2016 U.S. presidential election. And this is often about far more than just renting infrastructure: An organization may run a whole set of operations just to compromise legitimate webservers to use them for running future operations.

Preparatory infrastructure concerns a set of processes that are used to put oneself in a state of readiness to conduct cyber operations. Rarely will an attacker throw away this infrastructure after a (failed) operation.

One of the most difficult things to do when crafting good attack tools is testing them before deployment. As Dan Geer, a prominent computer-security expert, points out, “Knowing what your tool will find, and how to cope with that, is surely harder than finding an exploitable flaw in and of itself.” Much of the preparatory infrastructure for an attack usually consists of databases used in target mapping. An attacker will need to do a lot of work to find their targets. Network mapping exercises can help an organization understand the range of possible targets, sometimes also referred to as “target acquisition.” Hence, the most mature actors in this space have invested enormous resources in network-mapping tools to identify and visualize devices on certain networks.

There are also other targeted databases. For example, GCHQ maintains a special database that stores details of computers used by engineers and system administrators who work in “network operation centers” across the world. The reason why engineers and system administrators are particularly interesting targets is because they manage networks and have access to large troves of data.

An illustrative, high-profile case is the hack of Belgacom, a partly state-owned Belgian phone and internet provider with the European Commission, the European Parliament, and the European Council as part of their customer base. The British spy agency GCHQ, possibly assisted by other Five-Eyes members, used malware it had developed to gain access to Belgacom’s GRX routers. From there, it could undertake “Man in the Middle attacks,” which made it possible to secretly intercept communications of targets roaming using smartphones. As reporters discovered, the Belgacom Hack, code-named Operation Socialist, “occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.”

Preparing for cyber attacks also requires creating a cyber range. This is a platform for the development and use of interactive simulation environments that can be used for training and capability development. In past years, businesses have increasingly invested in cyber ranges, based on cloud technology. These ranges are either developed on public cloud providers — such as Amazon Web Services, Microsoft Azure, or Google — or private cloud networks deployed on premises. Cloud cyber ranges generally provide flexible hands-on learning environments with convenient click-and-play scenarios for training. For military cyber organizations, however, the conventional non-cloud-based ranges are generally still preferable, given the need for highly customable simulation environments and bespoke operational testing and training.

In trying to keep up with the fast pace of developments in cyber conflict, much expert commentary has focused on whether cyber effect operations can produce strategic advantages or be influenced by norms. Yet, we first need to address a more fundamental question: When are states actually able to conduct operations in the first place? While the proliferation of military cyber commands suggests major change is afoot in cyber warfare, making these organizations work remains much harder and more expensive than it appears.

This essay is based on No Shortcuts: Why States Struggle to Develop a Military Cyber-Force, published with Oxford University Press and Hurst Publishers in May 2022.

Max Smeets is a senior researcher at the Center for Security Studies at ETH Zurich and director of the European Cyber Conflict Research Initiative,

Image: Joseph Eddins, Airman Magazine