Charm_City said:
I believe it is worth distinguishing between Computer Network Attack/ CNA (i.e. D4 of networks and info) and Computer Network Exploitation/ CNE (i.e. espionage across and from networks), although there are obvious interdependencies - as there is between them and CND. CNE isn't, in my view, really part of CNA.
Okay - accepted - I'm having to be a bit careful what I say here because I know that a lot of what I know is not suitable for the open interwebby thing - and my memory doesn't come helpfully tagged with the PM of each item!
However, in a lot of cases, once you've hacked the network, you can decide what you do - break it, steal everything then break it, subtle integrity attacks, stupid poser attacks (i.e. web defacements) or use it as an int asset. Of course, you can also do attacks without hacks - DoS or DDoS, emails with malware etc.
And I'm not sure that practical CNA capability is as simple a matter as a few geeks and some COTS software.
No, it isn't - just as having an infantry battalion isn't as simple as giving a few fit guys guns. You need intel (which the geeks are generally trained to do to some extent - open-source exploitation - j0hnny's 'Google Hacking Database' is excellent), you need targeting etc. And there are some attacks which will take kit - breaking all bar the simplest encryption, for example. But my point was that it's not HMS Prince of Wales & F35-B expensive, certainly not Typhoon or Trident replacement expensive. I'd bet money that it's not infantry battalion expensive, either.
However, a lot of the tools for CNA are readily available, (some of) the geeks are already in uniform ...
CNA requires an adversary who is IT dependent and, of course, vulnerable to the available attacks - that seems to mean we are good CNA targets, while many of our current adversaries aren't.
Many of our current adversaries are IT users - they may not be as vulnerable as we are, however I'll admit that we aren't currently throwing millions at creating a Land Information Warfare Group ...
There is also a degree of legal asymmetry - you might have an adversary whose CNI is vulnerable to CNA target. But presumably CNA is subject to the same legal constraints as kinetic weapons, so quite a chunk of an adversary's CNI may be off limits.
A very good point and one that has occupied much lawyer effort. Especially as the risk of collateral damage to civilian targets and most especially to civilian targets outside the AOR is potentially quite large (malware, DDoS etc).
Those who seek to carry out CNA against our CNI may not have the same constraints. Assuming that cyber targeting would follow something like the same process as kinetic targeting, I can imagine that gain/loss, deconfliction, cyber space management, etc for CNA are going to be "challenging" - and even more so in coalition operations.
So if we're going to be cyber ninjas we should think really hard about how the money is divvied up between CND/A/E ... actually I'm never going to be a cyber ninja so I don't have to think.
Currently, the money appears to be in CND and IA (design, audit, etc). Even if I knew about any efforts on the A and E front, I'd not talk about them here.