Thoughts on Spectrum of Cyber Attack

By Maj David Musielewicz, USAF

Note: My notes are in the comments of the pdf linked above. I summarized most of my thoughts below. See the pdf for context.

Maj Musielewicz lays out a 5-level framework for categorizing the spectrum of cyber attack.

  1. Network Denial
  2. Enterprise Denial
  3. Enterprise Manipulation
  4. Mission Denial
  5. Mission Manipulation

He defines denial and manipulation from JP 3-12.
Denial: “prevent access to, operation of, or availability of a target function”
Manipulation: “controls or changes. . . to create physical denial effects, using deception, decoying, conditioning, spoofing, falsification and other similar techniques”, noting that physical refers to non-cyber and that manipulation should also include the cognitive layer (which I take to mean the moral and mental spheres).

The intent is to provide “a clear, executable cyber attack framework that allows commanders to achieve senior leader visions”. My question related to this is:
Do we want to be telling commanders how to achieve the senior leaders’ intent?
Isn’t the whole idea of Schwerpunkt that the senior leaders give their vision and intent to the commanders and they figure out how to execute the mission to achieve that intent?
I was also curious as to why there is such a focus on denial. What about degradation or partial denial?
What about using deception, decoy, spoofing, falsification or others to target the moral or mental spheres or to slow down the enemy? Manipulation to create mistrust in their systems.

Interesting point with regard to why they are considered levels:

The term level is best suited because of the compounding factor that exists between different attacks as they become more sophisticated. Once an actor can execute an attack at a higher level, they can also execute attacks at the lower levels. Conversely, conducting a denial attack at a lower level will likely cut off access to the systems required for higher-level attacks.

I was curious as to why there was no Network Manipulation level. Maybe there is no Network Manipulation because degrading is just selective or partial denial, and with error checking, if you change the traffic it’s recognized as changed and dropped, so it’s similar to denial?
Maybe you could make a case for manipulation of the timing by forcing different routes.

When talking about the manipulation levels, he makes a point to say “without being detected” and that is why they differ from the previous lower level.
Couldn’t you weaponize the manipulation of the decision-making of an organization’s users that have detected an attack?
You may be able to capitalize on the fear, uncertainty or paralysis caused by the discovery of an attack, especially if the full scope is unknown.

2 big points in the level 3 (Enterprise Manipulation) section:

Level 3 attacks must be performed in a manner that is not predictable nor widespread throughout the target organization. Enterprise users have been conditioned over time to be mistrusting of computers and software due to confusing interfaces, technical user manuals, overall complexity, and frequent data loss. By introducing outside gremlins into the systems, end-users can further lose confidence in their ability to effectively perform tasks, thereby leading to loss in productivity and organizational effectiveness.

Level 3 attacks also provide the ability to engage a target without the increased risks of retaliation or escalation because of their inherent stealth and plausible deniability. As long as level 3 attacks remain hidden, they allow the perpetrator to develop level 4 and level 5 attacks, all while the target simultaneously suffers negative impacts on efficiency and productivity.

When he discusses the effective downtime relying on the extent of physical damage, I had the following question.
Do we focus too much on physical (and I guess cyber or software or data) damage because it’s the easiest to quantify?
This is likely what relates to downtime, but what about the effects of shaking the people’s faith in the system or the extra regulations or defensive measures that now have to be created and put into place, etc.? I guess it depends on what your objectives are and what your intent is.

He gives an interesting example of cyber warfare in the moral sphere:

The attack exacerbated financial burdens and according to a report by the Center for Security Studies, “likely culminated in an overall feeling of insecurity throughout Iranian society.”16 Even after the discovery of Stuxnet, Iran was not able to fully trust their systems—not knowing whether a failure was generated by human error or the actions of malicious code lurking in their systems.

At the end, he makes another great point, and I could see even more benefits when combining (or timing) with kinetic operations.

Using this framework as a prism, a focused examination of combined arms that uses both psychological and cyber operations could yield even more effective methods for influencing an adversary.

Overall, this is a very interesting paper and I can see this framework being put to good use. I think it achieves its goal of “a framework at the operational level that offers speed and flexibility, while also succinctly connecting strategic guidance to tactical employment”. I particularly like the inclusion of the moral and mental aspects of cyber warfare in the manipulation levels.

By Fitz

