Shall I Compare Thee to a Cyber Attack?

A U.S. Army cybersecurity analyst offers a lesson in explaining the impact of a cyber attack: use better metaphors.
Blog Post
Aug. 13, 2018

“Just throw some cyber at it,” the U.S. Army officer across the table suggested to me. We were talking about testing a potential new ground vehicle for the army, which needed to be connected to a network so it could speak to other vehicles and soldiers in theater. Before it could be used on the field, we would have to test it in simulations against realistic possible threats, including electronic warfare, cyber threats and conventional physical adversaries - like maneuver tanks and indirect artillery support.

My challenge was conveying the nature of those amorphous cyber threats to senior military leaders more accustomed to dealing with tangible threats they’ve experienced in the field. As a cybersecurity analyst working for the U.S. Army in a civilian capacity, my day-to-day involves translating technical cyber-speak into operational terms that are easier to conceptualize.

I looked back across the table at the officer and joked, “Yeah let’s just use some cyber bullets on it.” Something seemed to click for him: I had conceptualized cyber network exploitation in a way that made sense operationally.

This moment was about more than just semantics. Translating the language of cybersecurity into familiar ideas and metaphors helps all of us better understand the potential impact and effects of an attack, and how we need to prepare ourselves.

For me, it has been a particularly crucial effort in the military. In June 2016 NATO officially recognized cyberspace as a 5th domain of warfare. In 2018 this is a widely acknowledged reality; however, the world still struggles to conceptualize what effects this unconventional attack method could have during a physical conflict. We need a new metaphor to help traditional military strategists understand the potential effects of cyber network operations. This is where the metaphor of a cyber bullet comes into play and can help bridge this gap in traditional strategic thought.

Like physical bullets, a “cyber bullet” can have disastrous effects. Targeted exploitation – think of these as the sniper shots of cyber – could render specific systems or personnel ineffective. And, like physical bullets, “cyber bullets” are not a one-size-fits-all solution. For example, 5.56mm caliber ammunition would be ineffectual against Abrams tank armor; however, .50 cal ammunition is effective as these larger bullets are designed specifically to target heavy artillery. Also comparable to its physical counterpart, a “cyber bullet” can take months or years to develop into its most effective version. For example, take Stuxnet, a self-replicating virus, also known as a worm, which first emerged in 2010. It was designed to sabotage nuclear energy facilities and target the Iranian nuclear program. Stuxnet is an interesting case of a highly targeted cyber bullet, as it did little to no harm on computers that weren’t involved in uranium enrichment. Although many specifics surrounding the initial development and implantation of Stuxnet are still unknown, we do know that the development of a virus like this – one that only altered a very specific part of a computer program, while continuing to report on the screen that everything was working properly – would have taken years to successfully research, test, and develop. It is estimated that work on Stuxnet began as early as 2005 and that, because it was so difficult to detect, it set the nuclear program back approximately two years.

There’s no physical bullet that could behave quite like this and there are, of course, limitations to the bullet metaphor. Unlike a real bullet, a cyber bullet is not something you can physically see piercing armor. In fact, the most effective cyber bullets are the ones you don’t see until long after they’ve struck their target (like the Stuxnet example). In addition, cutting-edge cyber network operations strive to exploit unknown, or zero-day, vulnerabilities: in other words, vulnerabilities that governments or organizations don’t know their network has. This kind of exploitation may only work against a system for a short period of time before a government or organization realizes it’s being targeted and develops a mitigation strategy. This means that these “cyber bullets” must be constantly evaluated and new ones need to be developed.

While this may be an imperfect metaphor, it makes bridging the communication and thought divide significantly easier. That’s critical because the words that strategists use to describe military cyber capabilities can have a direct impact on how future conflicts may be fought. If leaders are better able to quickly see and conceptualize cyber as a form of warfare with direct physical consequences, it could help them develop a more nuanced view of its power and versatility so that their first response is not to “just throw some cyber” at a problem, but instead to integrate it thoughtfully into strategy, like any other military tool. Like a bullet, it is but one part of a defensive arsenal - one that is not always suited for the problem at hand, and that can have unexpected or adverse impacts. For example, cutting off power or enabling selective censorship in a warzone may have unknown domestic and international consequences in the grander scheme of the fight.

As the world continues to move in a direction where more conflicts take place in an abstract space, the rhetoric used to describe attacks, peace, and weaponry will shape mindset and decisions. We will need more thoughtful ways to connect the abstract with the concrete, which includes thinking deeply about how to expand our current cybersecurity terminology. For instance, we talk about cyber attacks, cyber crime, cyber espionage and cyber threats - but where is our vocabulary around cyber peace?