In an MSNBC interview posted to YouTube on February 24th, 2022, approximately 24 hours after the initial invasion of Ukraine by Russian military forces, Leon Panetta, former US Secretary of Defense and former head of the CIA, was asked whether now is a good time for the US to use offensive cyber-war against Russia. Rather than address the question directly, Panetta addressed the greater context of the invasion for Ukrainian national security. The question is worth addressing, though.
So, is now a good time for counter forces to launch a cyber offensive?
Is now the time for offensive cyber-attack?
It depends. That is the short and true answer. Here is why.
Probably the most effective use of cyber weapons in warfare is when they are purposed for gathering information, aka spying. The most advanced forms of cyber weapons (known as advanced persistent threats, or APTs for short) are silent, virtually undetectable except by the most advanced cyber security products such as state-of-the-art enterprise endpoint detection systems, and can maintain their presence on a target system indefinitely unless they are detected. Even once they are detected, they can be difficult to remove, and rebuilding a clean, malware-free system can be challenging unless proper foresight has been put into building a cyber readiness and response program. This is strategically known as detection and response. But again, the most advanced strains of malware can exist virtually undetected by all but the most advanced detection and response capabilities. It’s plausible that the US has such spyware capabilities, and even plausible that they are already in place within the Russian government’s infrastructure.
But when you use cyber in an obvious and blatantly offensive way, such as attacking military operations, oil and gas pipelines, electrical grids, or other critical infrastructure such as hospitals, you potentially leave a footprint. Because an offensive attack on critical infrastructure is obvious and observable, the likelihood of the target obtaining samples of the malware is increased, and thus their ability to analyze and understand it is also increased.
Once a sample has been obtained, the target can conduct reverse engineering on the sample and eventually discover how the malware works. It’s probable that a state-level cyber warfare branch of the military could complete the reverse engineering within days or even hours of obtaining a sample. This can further lead to non-optimal consequences that could have a significant impact on the outcome of the war. In other words, once the cat is out of the bag, the game changes.
Cyber Weapons Can Be Turned Against
Once the enemy is able to understand how the malware works, they can copy it and use it in their own offensive cyber campaigns. The military of the nation that launched the original attack may have defences against it, but it’s unlikely that the greater IT ecosystem would. This presents the potential for the cyber weapon to be turned against the side that used it, with potentially disastrous effects.
One way to think about this is that when a traditional bomb explodes, its fuel is exhausted and that payload cannot be collected and used again. Malware, however, is not the same. Once it is deployed, and subsequently sampled and understood by the target, its tactics and techniques can be copied. Essentially, you can’t use the weapon without giving a copy to your enemy. Another way to think about this is how a downed aircraft’s parts could be analysed, reverse engineered and used to design an improved weapon. This means that a cyber weapon, once used, has a high potential to be captured and used against the side that originally deployed it. While it is likely that military infrastructure is effectively defended against its own cyber weapons, non-military infrastructure and the general public are not.
Analysis Of A Cyber Weapon Could Lead To Compromise Of Active Spy Weapons
Another consequence of having the attack vector of a military grade cyber weapon uncovered during the early stages of an active conflict is that the discovery would likely lead to increased resilience against similar malware attacks and potentially make any active spy weapons more visible. Think of this sort of like your immune system, and how getting a COVID-19 infection makes you more resilient against immediate re-infection. Another way of thinking about this principle strategically is: don’t use your most effective plays at the start of the game.
Basically, discovery means existing cyber weapons already in place could be found and removed or disabled more easily if they share common attack vectors with malware that has been collected and analyzed.
In short, this is not necessarily the point in a military conflict or war at which a side would benefit the most from offensive cyber attacks such as ones launched against critical infrastructure. Offensive attacks are potentially too revealing and lead to the compromise or disablement of in-place espionage programs. In fact, the early conflict stage of an engagement is possibly the least beneficial time to use offensive cyber weapons. Before the invasion, highly covert offensive capabilities have likely been used to provide intel, and those assets are still in place, undiscovered. At the later stages of a conflict, cyber attacks on critical infrastructure may serve to inflict some critical final damage and support a larger death-blow type of campaign. Therefore, now is not the time that an offensive cyber campaign is going to be an effective counter-measure against Putin and the Russian military in Ukraine.