Escalation Levels in Cyber War
CYBER READINESS LEVELS
Cyber war may be thought of as a low-level type of conflict. In its initial stages, it does not have an offensive nature, but instead is focused more on intelligence collection.
Intelligence collection. There are two aspects: (1) the collection of specific pieces of information (data) that can be used later as an input into intelligence analysis; (2) collection of macro-information that helps to make a “cyber map” of the information space of the enemy. This would include understanding of (a) the major networks and components of the enemy cyber structure; and (b) the types of a characteristics of vulnerabilities of the enemy cyber structure.
Active Cyber Disruption. The second level of cyber operations is more aggressive and offensive in nature. At this level, cyber weapons are deployed for specific purposes of disruption.
Information Operations. Beyond cyber, any national defense campaign employs the use of propaganda, information operations, disinformation, or other tools, in order to shape the psychological environment both of the target country, but also of the national audience. Information operations involve the placement into the meme-space of alternative ideas, the objective of which is to compel public opinion to move in a way more favorable to the originator’s way of thinking. Propaganda and information operations are a well-known tool of statecraft.
Kinetic Operations. After the battleground has been prepared by cyber and information operations, the next level of actual military conflict. Killing people, destruction of property, and other arts of classical warfare. In all nations, this level of conflict is seen as being the “last resort”, an action taken when all other means fail in solving the national conflict.
LEVELS OF ESCALATION OF CYBER WAR
There are at least five (5) levels of preparation before offensive cyber operations begin.
General Intelligence Collection. Cyber has emerged as a major tool of intelligence collection. Economic, military, and government intelligence can be collected through cyber in a way that is at least two orders of magnitude less expensive than any other means. The use of automation in particular can change the need for specific targeting (because web-bots can simply scan everything). In addition, collection can be asynchronous; that is, information can be collected for use later, even though when it is collected, there is no specific purpose to get it.
Targeted Intelligence Collection. More specific cyber intelligence is collected with there is a known target. Examples would be a specific person, or a specific facility (government, commercial, military). Cyber can either be a support for other means of technical intelligence TECHINT, or can itself be a tool, e.g., cyber could be used to support collection of MASINT (Measurement and Signature Intelligence), FISINT (Foreign Instrumentation Signals Intelligence). Targeted intelligence collection occurs when a tangible and known threat has been identified.
Cyber Target Preparation. Once cyber targets have been identified, a number of steps must be taken to perfect the attack. This means testing or simulating the attack on a mock-up copy of the target, and if necessary placing into the target cyber infrastructure (such as a server, control device, or other location) of malware that can be activated when needed. It is crucial that the cyber attack profile of each target be identified and verified prior to launching an attack.
Preparation of Disinformation. Planning and preparation for disinformation actions. This involves changing information, inserting information, destruction of information, or denial of access to information.
At this point preparations have been put in place. Malware is positioned, and relevant information has been collected analyzed.
Initiation of Cyber Attack. The active phase of the cyber attack begin. Keep in mind that in a nation-state confrontation, this refers to initiations of hundreds of targets at the same time.
Cyber Command and Control. Any successful cyber program must have some type of command and control structure to (1) control initiation of attacks; (2) monitor performance and effectiveness of attacks; (3) monitor the overall cyber conflict and be able to report on lethality (effectiveness) of attacks.