Cyber Operations - Jerry M. Couretas

Cyber Operations (eBook)

A Case Study Approach
eBook Download: EPUB
2024 | 1st edition
320 pages
Wiley (publisher)
978-1-119-71211-4 (ISBN)
Cyber Operations

A rigorous new framework for understanding the world of the future

Information technology is evolving at a truly revolutionary pace, creating with every passing year a more connected world with an ever-expanding digital footprint. Cyber technologies like voice-activated search, automated transport, and the Internet of Things are only broadening the interface between the personal and the online, which creates new challenges and new opportunities. Improving both user security and quality of life demands a rigorous, farsighted approach to cyber operations.

Cyber Operations offers a groundbreaking contribution to this effort, departing from earlier works to offer a comprehensive, structured framework for analyzing cyber systems and their interactions. Drawing on operational examples and real-world case studies, it promises to provide both cyber security professionals and cyber technologies designers with the conceptual models and practical methodologies they need to succeed.

Cyber Operations readers will also find:

  • Detailed discussions of case studies including the 2016 United States Presidential Election, the Dragonfly Campaign, and more
  • Coverage of cyber attack impacts ranging from the psychological to attacks on physical infrastructure
  • Insight from an author with top-level experience in cyber security

Cyber Operations is ideal for all technological professionals or policymakers looking to develop their understanding of cyber issues.

Jerry M. Couretas, PhD, is Lead Associate for Booz Allen Hamilton and manages the Cyber Mission Modeling project for the United States Office of the Secretary of Defense (OSD). He is also the Editor-in-Chief of the Journal of Defense Modeling and Simulation.



Section I
Cyber Operations Introduction


Cyber attacks can produce nightmare scenarios. For example, a 2015 Lloyd’s of London study, “Business Blackout,” showed a possible 93 million Americans, across 11 states and the District of Columbia, being without power due to a cyber attack, costing an estimated $243 billion, or $1 trillion in the most stressing scenario (Trevor Maynard, 2015). This is a factor of 25 more than the $10 billion NotPetya attack in 2017 that brought global trade to a standstill (Greenberg, 2017).

In addition to catastrophic scenarios, we now have criminal ransomware gangs attacking critical infrastructure targets and holding them hostage. For example, Russian ransomware gangs became famous for attacking critical infrastructure in Brazil (JBS Foods), Costa Rica (Government IT), and the United States (Colonial Oil, NEW Cooperative) in 2021. These critical infrastructure targets are considered strategic due to the life‐sustaining necessity of keeping these services available.

In the following Section I chapters, we will cover cyber operations in terms of their phased development. This includes a brief history of ISIS operations, and then Russia, in an overview of the use of cyber operations for tactical and strategic effects (Chapter 1). Chapter 2 includes a look at ISIS using cyber as a maneuver space in transitioning through the phases of an insurgency, maturing to a Phase III insurgent with a firm base in Raqqa, Syria. And Chapter 3 includes a review of criminal cyber, including the development of ransomware.

Nation‐state operations are introduced in Chapter 4, including a description of the research, development, and clandestine operational resources applied to their cyber operations. This is followed by chapters on Russia, China, North Korea, and Iran in order to compare and contrast the different countries’ policy implementations of cyber operations. This Section’s examples span the current history and development of cyber operations, progressing from early hacktivism to current political uses of social media platforms. Section I also includes examples ranging from simple, experimental hacks to nation‐state operators performing cyberspace espionage and information operations (IO) (Table I.1).

As shown in Table I.1, cyber operations have often included nation‐state interest, with “The Cuckoo’s Egg” (Stoll, 2005) documenting the Former Soviet Union (FSU) use of hackers to attempt to steal U.S. military secrets near the end of the Cold War (Chapter 4). The near success described in “The Cuckoo’s Egg,” in the late 1980s, likely inspired Russian operators to continue their cyber collection pursuits, eventually succeeding with Operation Moonlight Maze in the mid‐1990s.

Table I.1 Cyber Operations Development – 1980s to Present Day.

Time Period | Stage | Examples

1980s to late 1990s | Hacking and Experimentation
  • 1988 Morris Worm
  • 1989 Cuckoo’s Egg – example of Russian KGB collecting on U.S. Star Wars program (Former Soviet Union)
  • 1998 Moonlight Maze (Russian Federation)
  • 1998 Honker Union Hackers (1998 Indonesia, 2001 U.S. White House web page) (China)

Early 2000s to mid‐2010s | Development
  • 2002 Titan Rain (China)
  • 2007 Estonia Denial of Service (DoS) (Russia)
  • 2008 Georgia Multi‐Domain (Russia)
  • 2010 Stuxnet attack on Iran’s nuclear program
  • 2010 Wikileaks (State Department Cables)
  • 2011 DigiNotar (Iran)
  • 2011–2016 ISIS emergence from the Internet
  • 2014 Ukraine Denial of Service (DoS) (Russia)

≥mid‐2010s | Implementation
  • 2014 – present Ukraine cyber kinetic attack (Russia)
  • 2014 Mosul Offensive broadcast live on Twitter (ISIS)
  • 2014–2018 “Big Data” exfiltrations (China)
  • 2016 U.S. Presidential election attack (Russia)
  • 2016 Bangladesh Bank (DPRK)
  • 2017 NotPetya (Russian Federation)
  • 2017 WannaCry (DPRK)
  • 2019 Great Cannon (China)

≥mid‐2020 | Proliferation
  • 2021 Colonial Pipeline Attack, JBS Foods …
  • 2022 Counter Protest (Iran)

During this hacking and experimentation period of networked computers, we will also look at potentially damaging hacks (Chapter 9). For example, the Jester Worm (1997), the Slammer Worm (2003), and the Sobig Worm (2003) were examples of critical infrastructure denial capabilities. These hacks produced effects that included shutting down telephony systems, nuclear reactors, trains, telephones, and air traffic control systems.

While hackers have provided worst‐case scenarios by literally shutting off critical parts of our infrastructure, nation‐states have also leveraged their hackers to develop cyber capabilities. For example, while Russia (Chapter 5) started with the use of cyber for espionage, China (Chapter 6) developed a little differently. Starting in the late 1990s, China’s hackers self‐organized to deface Indonesian Government web sites (in 1998) in order to protest attacks on ethnic Chinese (Nuttall, 1998). Similarly, in 1999, Chinese hackers attacked U.S. Government web sites in order to protest the bombing of the Chinese embassy in Serbia (Messmer, 1999). Chinese hackers also attacked U.S. Government web sites in 2001 to protest a PRC plane colliding with a U.S. spy plane (Tang, 2001). China then matured this capability for wide scale collection a few years later, in the form of Operation Titan Rain from 2003 to 2007.

And, while China was conducting its first widespread cyber collection campaign (i.e., Operation Titan Rain), Russia incorporated cyber into all‐domain operations, initially using Denial of Service (DoS) in Estonia (2007), and expanding the use of cyber to include information operations in Georgia (2008). Russia subsequently developed the Gerasimov doctrine (2013) and then integrated cyber kinetic operations in their 2014 annexation of Crimea (Greenberg, 2019).

As introduced in Chapter 4, and elaborated on in Chapters 5 through 8, there are approximately 50 nation‐state‐level advanced persistent threat (APT) teams that are currently accounted for (Mandiant). Within this number are cryptocurrency operators, ransomware group members, tool suppliers, and other support folks working for foreign intelligence services who are contributing to the cause. Independent cyber operators, discussed in Chapter 9, can also provide strategic effects. For example, we reviewed Wikileaks’ publishing classified U.S. military documents, State Department cables, Panamanian corporate charters, and Democratic National Committee e‐mails – each of which led to geopolitical change.

I.1 Phases of Cyber Operations


As discussed in the preceding chapters, cyber operations to date have transitioned through roughly three phases in the development from hackers to nation‐state and professional ransomware cyber operations. These phases are Internet development (1980s–2002), operations experimentation (2003–2012), and professional cyber operations (2013 to present).

I.1.1 1980s–2002


Even before the roll out of personal computers, hacking was a game of wits between the hacker and machine. Early incarnations of the Internet (e.g., Arpanet) included thousands of networked computers. It was only a matter of time before a determined hacker would test the limits of this new, networked, cyber world. The popular movie “WarGames” (Badham, 1983) raised awareness about the dangers of computers and led to policy makers writing the Computer Fraud and Abuse Act (Congress, 1986). It was only a few years later, in 1988, that this law was used to prosecute Robert Tappan Morris for the damages that his “Morris Worm” perpetrated on the early Internet.

Due to the government’s use of the pre‐Internet to connect government and university computers, one of the first documented cyber operations included the KGB experimenting with the use of West German hackers to steal information on the U.S. Star Wars missile defense system in the 1980s.

In 1984, Judge Greene broke up the AT&T monopoly, decentralizing telecommunications initially into seven regional companies. This led to opportunities for developing operating system and routing companies to enter a new market space. A few years later Microsoft went public (1986). In addition, Cisco, one of the first big Internet routing companies, went public in 1990. These are the companies that provide the building blocks for the current Internet.

At the same time that telecommunications, personal computers, and networking were rapidly changing, the geopolitical order was also put in flux with the fall of the Soviet Union (1991). This included changes in the military/political landscape. While Russia started working its way toward a non‐Soviet system, client states (e.g., DPRK, Iraq) lost their super power sponsorship.

1991 was also the year that the United States, along with a coalition, expelled Saddam Hussein’s Iraq...

Publication date (per publisher) 8 April 2024
Language English
Subject area Mathematics / Computer Science › Computer Science › Theory / Study
ISBN-10 1-119-71211-4 / 1119712114
ISBN-13 978-1-119-71211-4 / 9781119712114