Cybersecurity as Attack-Defense
What the French Election Taught Us About Fighting Back
It is common among strategists to analyze cybersecurity using metaphors that feel familiar, but we should do so with caution. Extended analogies, like one in an Atlantic Council text likening cyber deterrence to the nuclear concept of extended deterrence, often miss the underlying mechanics of cyber threats, which have little or nothing in common with weapons of mass destruction. Even though NATO recognizes cyber-attacks as grounds for invoking Article 5 (if critical military and civilian infrastructure were targeted), this threat remains abstract and limited. Retaliation in cyberspace is tricky: the origin of the attack is hard to prove, which generates plausible deniability, and those who are most likely to be deterred are not necessarily those conducting the attacks. Waging a physical war in response to a cyber-attack would also strain any reasonable concept of proportionality. Simply put, deterrence works best where the weapons on both sides are apocalyptic in scope and their use is highly centralized in the hands of rational governments.
Without an effective deterrent, the next logical stop-gap would be to add, as in the U.S. 2014 Quadrennial Defense Review, the goal of “deterring and defeating” cyber threats. If you can’t prevent attacks, then find ways to minimize their effects once they occur. Yet even the notion of defeating hackers is problematic, because it wrongly suggests a possible end-point in sight. These approaches muddle what cyber is truly about: an ongoing and at times untraceable threat that must be managed and countered as it unfolds. Thinking one can act in ways that end hacking or prevent hacking from starting in the first place is a fantasy. In reality, the hackers have already started long before you realize it, and they do not fear your retaliation enough to disengage.
Many pearls of classical strategy do not apply to cybersecurity, because the metaphors required to link the two are tenuous. Networks don’t operate on Euclidean geometry. It might be tempting to treat the internet connection between the hacker and the victim as a line of operation or a supply line, and bandwidth as one’s base, but the abstraction breaks down against reality. On the battlefield, cutting one line or two might weaken the adversary and cutting all lines would place him in a dire situation; in cyberspace, cutting a few lines is offset by the multitude of web-like lines that exist. And cutting all lines, which is to say going offline to break a DDoS (distributed denial of service) attack, does not mean you have defeated the enemy by stopping the attack. You have actually been compelled into doing their will, since the goal of the attack was to take your services offline in the first place.
Moving away from metaphors, NATO’s position on cybersecurity states that prevention, detection, recovery, resilience, and training are key. It also recognizes “that cyber defense is as much about people as it is about technology.” This approach is far better suited to the task of warding off hackers than notions of deterrence and defeat. However, it is missing an important feature, one that was at the heart of Emmanuel Macron’s successful response to hacking attempts directed at his campaign during the 2017 French presidential election: a successful cyber doctrine must epitomize Clausewitz’s argument in favor of an active or attack-based defense.
A SUCCESSFUL CYBER DOCTRINE MUST EPITOMIZE CLAUSEWITZ’S ARGUMENT IN FAVOR OF AN ACTIVE OR ATTACK-BASED DEFENSE...
Found in a relatively unknown but very rich section of On War entitled “Methods of Resistance,” the argument is that the advantage of the defense lies in its defining purpose, warding off an attack, and that this warding off has as its principal strength the idea of awaiting. Time, as we shall see below, is indeed one of the greatest tools at the disposal of the counter-cyber strategist, but it is by no means to be equated with waiting around idly. In fact, it is quite the opposite. One must engage hackers as though in a duel: deflect, hit back, and in doing so occupy their space and their time to limit their reach and contain the damage they might wreak. The goal does not have to be victory per se; it is rather akin to keeping pirates at bay, not indefinitely or decisively, but at least until you have reached port, or, in the case study below, election day.
An active approach to warding off cyber threats was at the heart of French President Emmanuel Macron’s success during the 2017 presidential election. In the run-up to the election, Macron’s team prevailed against ongoing hacking operations—similar in scope to those targeted at the Clinton campaign in 2016. All fingers pointed to Russia, but unlike in America, the hackers failed. Mounir Mahjoubi, who has since been named France’s State Secretary for Digital Affairs, led the campaign’s cyber team and outsmarted the hackers, beating them at their own game.
Russian meddling in French politics was a poorly kept secret that went back a few years, to when the nearly bankrupt far-right party Front National (FN), led by Marine Le Pen, was propped up by two mysterious loans of 2 million and 9 million euro issued by questionable banks with close ties to the KGB and Russian investors. Le Pen and Putin warmed up, met for a summit, and the Front National was the only party in France to recognize the Crimean annexation, going further still and congratulating Russia on the achievement and calling the Crimean referendum “uncontestable.” As the Front National faced off against the liberal agenda and Atlanticist dispositions of Macron’s newly formed En Marche party, Russian interests were truly on the line.
The attacks against Macron’s political team, like those against the Clinton campaign, had Russia written all over them…or rather, Russian: the metadata showed signs of the files having been created and edited on Russian-language computers. And they were numerous. Trend Micro, a Japanese firm, produced a report that noted 160 attempts at electronic espionage directed at the Macron team.
The phishing strategies used by the hackers were textbook, but sophisticated in their design.
Pawn Storm, the name Trend Micro gives the group, would send official-looking emails encouraging recipients to sign in by clicking a link that appeared to be exactly the same as usual, except that the dots in the address had been replaced by hyphens. “If you speed read the URL, you can’t make the distinction,” said Mahjoubi. And when the fake sign-in page came up it was “pixel perfect.”
In some cases, they included the actual names of members of the campaign staff to make the emails look like they were being sent by the cyber team, and even at times, by Mr. Mahjoubi himself.
“It was almost like a joke, like giving us all the finger,” Mahjoubi said in an interview. The final email encouraged recipients to download several files “to protect yourself.”
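As an added illustration (not code from the article or from the campaign’s team), the following Python checks links from forwarded mails against a list of legitimate sign-in hosts and flags the dot-for-hyphen substitution Mahjoubi describes. The trusted hosts and sample links are constructed for the example; example.org and the attacker.test domain are placeholders, not the campaign’s real addresses.

```python
from urllib.parse import urlsplit

# Hypothetical hosts the staff legitimately sign in to (constructed for the example).
TRUSTED_HOSTS = ("mail.example.org", "login.example.org", "docs.example-party.fr")


def hostname(url: str) -> str:
    """Extract the lowercase hostname; tolerate links pasted without a scheme."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def flatten(host: str) -> str:
    """Write a hostname the way the phishers did: every dot becomes a hyphen."""
    return host.replace(".", "-")


def is_lookalike(host: str, trusted: str) -> bool:
    """True when host is not the trusted host but, once dots and hyphens are
    treated alike, begins with it on a label boundary. This catches
    mail-example-org.attacker.test, login-example.org and
    mail.example.org.evil.test for a trusted mail.example.org."""
    if host == trusted:
        return False
    flat_host, flat_trusted = flatten(host), flatten(trusted)
    return flat_host == flat_trusted or flat_host.startswith(flat_trusted + "-")


def classify(url: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in the URL."""
    host = hostname(url)
    if host in trusted_hosts:
        return "trusted"
    if any(is_lookalike(host, t) for t in trusted_hosts):
        return "lookalike"
    return "unknown"


def triage(urls):
    """Map each link to its verdict; everything not 'trusted' goes to the cyber team."""
    return {u: classify(u) for u in urls}


# Constructed sample links, as they might appear in mails forwarded by staff.
SAMPLE_LINKS = [
    "https://mail.example.org/owa/",
    "https://mail-example-org.com/owa/",
    "https://login-example.org/auth",
    "docs-example-party-fr.attacker.test/sign-in",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

The comparison deliberately treats dots and hyphens as interchangeable, so it also catches a trusted host buried as a subdomain of an attacker’s domain. It is a coarse filter meant to route suspicious links to a human, not a substitute for the staff training described below.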
When the hackers did eventually break through, they released tens of thousands of internal emails and chose quite a moment to do so: overnight, when the midnight deadline to halt campaigning in the French election had passed. Five entire email mailboxes had been stolen. Yet, even though these attacks had been well-organized, well-designed, and numerous, they failed to destabilize Macron’s election hopes. The defense was just as systematic, but outmatched them in sophistication.
MANAGING RATHER THAN DEFEATING THE THREAT
Mahjoubi put in place a variety of tactics to hold down the hackers. However, for the plan to work, especially against phishing attempts, the staff on the receiving end of these attacks needed to be capable of recognizing threats and trained to respond. Whenever they received requests to provide information, reset passwords, or download anything, they knew to avoid the trap and immediately forwarded the request to the cyber team, who would then decide what to make of it.
Cyber-blurring strategies were put in place, analogous to how bank tellers regularly keep fake bills in the cash drawer in case of robbery. Instead of deleting the phishing requests, the cyber team accepted some of them and filled out their requests for passwords as though nibbling on the bait. “We created false accounts, with false content, as traps,” explained Mahjoubi, “We did this massively, to create the obligation for them to verify, to determine whether it was a real account.” Every minute a hacker is busying himself reeling in a counter-cyber agent, who might ask questions and engage in any form of back and forth with the hacker, is a minute the hacker has wasted.
Once the counter-phishing strategy is set up and the hacker celebrates his or her catch, the files they gain access to are decoys or honeypots: a trove of thousands of documents that are not only meaningless or fake, but also designed to keep the hacker busy making sense of the haul. Adding weak encryption to every file can send hours of the hacker’s work down a dead end. More significantly, as the hacker works through the honeypot, tracking software and other malware can be delivered to gain more insight into who they are, who they work for, and what they are after (within the legal limits that apply to such hack-back measures). This is by no means a purely defensive move. The hacker is being hacked by the hackee, who is now fighting fire with fire and actively engaged in the duel.
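To make the decoy-account tactic concrete, here is an added Python example (not the campaign’s tooling) in which each surrendered credential is tied to the lure it was fed to. Since nobody legitimate ever logs into a decoy, any activity on one is a high-fidelity attacker signal, and the source address can then be pivoted on to find real mailboxes the same operator touched. Account names, addresses and log lines are constructed for the example.

```python
import re

# Hypothetical decoy accounts, each labelled with the phishing mail whose
# password request the cyber team answered with it (constructed for the example).
DECOY_ACCOUNTS = {
    "j.dupont@example.org": "lure-2017-04-12-password-reset",
    "archives@example.org": "lure-2017-04-20-protect-yourself",
}

# Constructed webmail authentication log, not real campaign data.
SAMPLE_LOG = """\
2017-04-21T02:13:07Z webmail login ok user=m.martin@example.org src=203.0.113.8
2017-04-21T02:14:41Z webmail login ok user=j.dupont@example.org src=198.51.100.23
2017-04-21T02:14:42Z webmail imap fetch user=j.dupont@example.org src=198.51.100.23 msgs=1532
2017-04-21T02:30:00Z webmail login ok user=s.leroy@example.org src=198.51.100.23
2017-04-21T03:02:19Z webmail login fail user=archives@example.org src=198.51.100.23
2017-04-21T09:00:01Z webmail login ok user=m.martin@example.org src=203.0.113.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) webmail (?P<event>login ok|login fail|imap fetch) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(line):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decoy_hits(log_text):
    """Every event on a decoy account, tagged with the lure that account came from.
    No legitimate user ever touches a decoy, so each hit is attacker activity."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["user"] in DECOY_ACCOUNTS:
            hits.append({**rec, "lure": DECOY_ACCOUNTS[rec["user"]]})
    return hits


def pivot(log_text):
    """For each source that touched a decoy: which lures it swallowed and which
    real accounts it also used, the latter being mailboxes to treat as compromised."""
    result = {}
    for hit in decoy_hits(log_text):
        entry = result.setdefault(hit["src"], {"lures": set(), "other_users": set()})
        entry["lures"].add(hit["lure"])
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["src"] in result and rec["user"] not in DECOY_ACCOUNTS:
            result[rec["src"]]["other_users"].add(rec["user"])
    return result


if __name__ == "__main__":
    for hit in decoy_hits(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['event']} on decoy {hit['user']} "
              f"from {hit['src']} (lure: {hit['lure']})")
    for src, info in pivot(SAMPLE_LOG).items():
        print(f"{src}: lures={sorted(info['lures'])} "
              f"also used={sorted(info['other_users'])}")
```

The lure label is the point of the exercise: it tells the defender which phishing mail the attacker acted on, and therefore which staff members’ real mailboxes to check first. In the sample, the source that used both decoys also logged into a real account, which is exactly the kind of theft the campaign suffered.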
MACRON WON AGAINST HIS ASSAILANTS, NOT BY STOPPING THEM, BUT BY DEFAULT... FOR SIMPLY NOT HAVING LOST TO THEM.
Among the authentic documents in the leak were “numerous false documents intended to sow doubt and disinformation.” Since many documents contained Russian characters and others were grossly fabricated, the bulk of the remaining documents were now of dubious validity. Even if any of it were true or damaging, they could easily be denied. Wikileaks saw its credibility crippled for having shared the dubious hack and, treading nervously, they reminded their followers the documents had not been listed on their website, merely shared on Twitter. The media suddenly refocused its attention not on the content of the trove, but the hacking incident itself. In trying to harm Macron, the hackers provided him with a sympathetic storyline to exploit: the victim who prevails. That is one of the key advantages of the defense, argues Clausewitz, that “the non-decision is in itself a success for the defensive.” Macron won against his assailants, not by stopping them, but by default...for simply not having lost to them.
The concept of investing the defense with an offensive element is explained in On War using a dialectical method, which consists of rigidly separating concepts and ideas so they might “acquire sufficient definitiveness to enable us conveniently to group our other ideas around them.” In this light, differentiating between attacking and defending must be understood first and foremost as a method of analysis or abstraction to better conceptualize war, as opposed to a suggestion the two are necessarily distinct objects in reality.
Clausewitz explains that while the principle of awaiting permeates the act of defense, because it is at the very center of the concept, defense should not be understood as something fixed and immutable, but rather something containing successive stages that spring from this awaiting. Were it not for the awaiting, there would be no such thing as defense, he explains; but were it not for the contrary active and reactive aspect of defense, there would be no such thing as war.
As he describes what he means by the coming together of offensive moves in the defense, Clausewitz clearly states he is not claiming the two suddenly dissolve and form a different, higher concept that would encompass both. Rather, he sees the two as having a tense paradoxical relationship, where successful defense requires that it should indeed await the opportunity, but also take the initiative by forcing the offense to assume a defensive role and to reverse the relationship. That the defender waited before pouncing at the right time and in the right conditions reaffirms that such offensive strategies can remain in the realm of the defensive.
What gave Macron’s team the ascendancy over the hackers was precisely that, even in the defensive, they readily took the initiative and the offensive whenever it was possible to do so. They did not wait idly for the attack; instead, they sought opportunities to engage the enemy. It is possible to be aggressive without being the aggressor.
The French word for hacker is pirate, which is fitting…if you will allow this one analogy. The ocean of cyberspace is wide, and where the next attack will come from and how damaging it will be are hard to predict. The so-called Golden Age of Piracy came to an end because a multi-pronged approach was adopted to defeat it. Boats were outfitted to resist. Laws were strict and applied. The seas were surveilled. And, most of all, the British Navy did not merely sit around and wait for the next attack, but engaged pirates, chased them, caught them, and sentenced them. The defense strategy against pirates included, above all, an offensive set of tactics. It was this strategy that defeated them and deterred a subsequent generation from engaging in piracy.
Ultimately, Clausewitz concluded that defense is the stronger form of warfare. While it seems correct that, in the world of cyber-attacks, the offense has the advantage, this is only because we have seen many examples where the defense against them was weak. As we learn to embody tactics of direct engagement with cybercriminals and foreign entities trying to meddle with western liberalism by using our openness against us, it will be possible to deter them, not in the old Cold War concept of deterrence, but rather the one engaged on the high seas centuries ago. The deterrent element is not a threat; it is the opposite, a demonstration that the attackers pose no threat, that our defenses are stronger than they are.
AS WE LEARN TO EMBODY TACTICS OF DIRECT ENGAGEMENT...IT WILL BE POSSIBLE TO DETER THEM, NOT IN THE OLD COLD WAR CONCEPT OF DETERRENCE, BUT THE ONE ENGAGED ON THE HIGH SEAS CENTURIES AGO.
It will also be possible to defeat them, but not in the traditional sense. We do not necessarily need to take them out, but simply to ward them off and deny them the ability to harm us. This will require that we outfit ourselves to resist by raising awareness and better training both cyber teams and the population in general. It could even be taught in elementary school like any other lesson in health and safety. We must harmonize international law wherever possible to limit the space in which these pirates can maneuver. We must enhance bulk interception capacities, while framing their reach under the law to avoid the kind of breaches of privacy that were exposed by Edward Snowden. But most of all, it is a numbers game. To manage and counter cyber-attacks in real time, we must see the ideal engagement as having a one-to-one ratio like the sword fights of old. It requires the cyber equivalent of investing in many hands on deck or, in this case, many fingers on keyboards.
Youri Cormier is an adjunct Assistant Professor at the Royal Military College of Canada and Associate Researcher at the International Centre for the Study of the Profession of Arms. He recently published the book War As Paradox: Clausewitz and Hegel on Fighting Doctrines and Ethics.
This article appeared originally at Strategy Bridge.
Cormier, Youri. War As Paradox: Clausewitz and Hegel on Fighting Doctrines and Ethics. Montreal & Kingston: McGill-Queen’s University Press, 2016, p. 113.
Clausewitz, Carl von. On War, tr. Jolles. Washington: Infantry Journal Press, 1950, p. 341.
Clausewitz, p. 345.
Clausewitz, p. 341.
Clausewitz, pp. 341-42.
Clausewitz, pp. 341-42.
Clausewitz, p. 341.
Clausewitz, p. 34.