One of the clearest examples of how the military wants to defeat adversaries using information warfare is by publicly disclosing what those enemies have been doing and what capabilities they have.
Information warfare can be abstract, combining cyber, intelligence, electronic warfare, information operations, psychological operations or military deception as a way to influence the information environment or change the way an adversary think.
“At our level, the most important thing we can do is to be able to expose what an adversary is doing that we consider to be malign activity, in a way that allows that to be put in the information environment so that now more scrutiny can be applied to it,” Lt. Gen. Timothy Haugh, commander 16th Air Force, the Air Force’s newly established information warfare organization, told reporters during a media round table in late February.
One of the first ways the Department of Defense has sought to test this is through U.S. Cyber Command’s posting of malware samples to the public resource VirusTotal. Malware samples discovered in the course of operations by the Cyber National Mission Force are posted to the site to inform network owners. It also helps antivirus organizations of the strains build patches against that code and helps identify the enemies’ tools being used in ongoing campaigns.
Haugh, who most recently led the Cyber National Mission Force, explained how these cyber teams, conducting what Cyber Command calls hunt forward operations, were able to expose Russian tactics.
U.S. military teams deploy to other nations to help them defend against malign cyber activity inside their networks. “Those defensive teams then were able to identify tools that were on networks and publicly disclose them, [and] industry later attributed to being Russian tools,” he said. “That was a means for us to use our unique authorities outside the United States to be able to then identify adversary activity and publicly disclose it.”
Officials have said this approach changes the calculus of adversaries while also taking their tools off the battlefield.
“Disclosure is more than just revealing adversary intent and capabilities. From a cyberspace perspective, disclosure is cost imposing as it removes adversary weapons from the ‘battlefield’ and forces them to expend resources to create new weapons,” Col. Brian Russell, the commander of II Marine Expeditionary Force Information Group, told C4ISRNET in June. “Disclosure forces the adversary to ask: ‘How were those capabilities discovered?’ It causes them to investigate the cause of the disclosure, forcing them to spend time on something other than attacking us. If I can plant a seed of doubt (messaging) that the disclosure might have been caused by someone working on the inside, it makes them question the system’s very nature, perhaps spending more time and resources to fix the system.”
The NSA has demonstrated a similar tactic when it created its cybersecurity directorate in late 2019. The entity was formed in part, due to the fact that adversaries were using cyberspace to achieve strategic objectives below the threshold of armed conflict. Now, the directorate uses its intelligence and cyber expertise to issue advisories to the network owners of cybersecurity threats so they can take the necessary steps to defend themselves.
One recent advisory had direct bearing on a nation state’s malicious activity, according to a senior intelligence official. In late May, the agency issued an advisory regarding a vulnerability in Exim mail transfer agent, which was being widely exploited by a potent entity of Russia’s military intelligence arm the GRU called Sandworm.
“Quickly thereafter, we saw five cybersecurity companies jumped on it and really used that to deepen and expand and publish information about the GRU’s infrastructure that they use to conduct their cyberattacks and further information as well,” the official told reporters in early July. “That was terrific because we felt that that had a direct impact on a major nation state in terms of exposing their infrastructure ... and we saw significant patch rates go up on a vulnerability that we knew they were using. That’s the kind of thing that we’re looking for.”
The military has had to think differently to combat for how adversaries are operating.
“A central challenge today is that our adversaries compete below the threshold of armed conflict, without triggering the hostilities for which DoD has traditionally prepared,” Gen. Paul Nakasone, commander of Cyber Command, wrote in prepared testimony before the House Armed Services Committee in early March. “That short-of-war competition features cyber and information operations employed by nations in ways that bypass America’s conventional military strengths.”
These disclosures or efforts to call out malign behavior have also taken the forms of media interviews and press releases.
For example, Gen. Jay Raymond, the head of U.S. Space Command and the commandant of Space Force, said in a February interview in which he detailed what he deemed unacceptable behavior by Russia in space, a surprising charge given how tight lipped the U.S. government typically is about its satellites.
“We view this behavior as unusual and disturbing,” he said of Russian satellites creeping up to American ones. “It has the potential to create a dangerous situation in space.”
Or consider that leaders from Africa Command on July 15 issued a press release detailing the activities of the Wagner Group, a Russian security company, as acting on behalf of the Russian state to undermine the security situation in Libya.
“U.S. Africa Command (AFRICOM) has clear evidence that Russian employed, state-sponsored Wagner Group laid landmines and improvised explosive devices (IEDs) in and around Tripoli, further violating the United Nations arms embargo and endangering the lives of innocent Libyans,” the release said. “Verified photographic evidence shows indiscriminately placed booby-traps and minefields around the outskirts of Tripoli down to Sirte since mid-June. These weapons are assessed to have been introduced into Libya by the Wagner Group.”
Moreover, Africa Command’s director of operations called out Russia, noting that country’s leaders have the power to stop the Wagner Group, but not the will.
Sixteenth Air Force, at the request of C4ISRNET, provided a vignette of such behavior from Russia in the form of how it covered up the explosion of a radioactive rocket, dubbed Skyfall.
According to the service, Russia took extreme steps to curb monitoring of the site where the explosion took place and sought to conceal the true nature of the explosion potentially hindering surrounding civilian populations from receiving adequate medical treatment and guidance.
With new forces integrated under a single commander, using unique authorities to collect intelligence and authorities to disclose, 16th Air Force is now better postured to expose this type of malign activity, which previously the U.S. government just didn’t do.
Top Pentagon leaders have explained that the dynamic information warfare space requires a new way of thinking.
“We’ve got to think differently. We’ve got to be proactive and not reactive with messaging,” Lt. Gen. Lori Reynolds, the Marine Corps’ deputy commandant for information, told C4ISRNET in an interview in March. “We have been very risk averse with regard to the information that we have. You can’t deter anybody if you’re the only one who knows that you have a capability.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.