The evolution of deception tactics from traditional to cyber warfare

Admiral James A. Winnefeld, USN (Ret.), is the former vice chairman of the Joint Chiefs of Staff and is an advisor to Acalvio Technologies.

In this Help Net Security interview, he compares the strategies of traditional and cyber warfare, discusses the difficulty of determining the attack’s nature, addresses ethical dilemmas, and promotes collaboration and cooperation with allies, partners, and, in some cases, even adversaries.

Admiral Winnefeld, given your vast experience in military strategy and operations, can you shed light on how the principles of traditional warfare can be applied to the emerging cyber warfare domain?

Digital environments are the new battlefield in the 21st century. Cyber warfare and cyber attackers are an ever-present threat, as state-sponsored bad actors and individual cybercriminals alike continue to evolve their tactics. Organizations attempting to strengthen their cybersecurity controls under this mounting pressure will find that traditional and cyber warfare have unexpected similarities and complementary solutions.

To ensure a nation’s protection, as well as the protection of private data held by organizations across the globe, the implementation of robust defensive and offensive strategies is vital. Drawing parallels to the tactics and methods deployed to ward off adversaries on a physical battlefield in order to defend against those on a digital one provides us with a clear path forward.

One specific area of convergence between traditional and cyber warfare tactics is the art of deception. Throughout history, military forces have used deception to confuse and deter attackers by disseminating false and misleading information to throw adversaries off track.

In today’s digital landscape, this tried-and-true tactic has undergone a modern, digital transformation. With the advancement of artificial intelligence, deception technology has grown in both effectiveness to the point that it has the potential to flip the advantage back to the defense. Similar to its traditional use on battlefields, cyber deception technology creates false information or locations through a variety of methods that lure threat actors away from critical targets while giving defenders insight into their adversaries’ tactics and motivations.

Cyberattacks are often ambiguous in nature and harder to classify than traditional military attacks. What are the challenges faced by the military in classifying a cyberattack as an ‘armed attack’ or ‘imminent armed attack’?

Due to the changing nature of cyber threats and attack methods, defense strategists often struggle to discern whether a cyberattack is classified as an “armed attack” or an “imminent armed attack.” Unlike traditional military attacks, cyberattacks can originate from anywhere, and attackers often leverage sophisticated tactics to obscure the perpetrator’s identity. They also occur at light speed.

Attackers range from an individual, a group, a state-sponsored attacker, to some combination of the three. This obfuscation of identity creates complexities in associating an attack with a specific nation-state or entity, which is a crucial factor in determining the attack’s nature. Moreover, these attacks can originate from physical servers located in friendly or neutral countries, further complicating our readiness to respond.

Another complexity in classifying attacks arises from the ever-evolving tactics used by attackers. What was once considered a lone cyber incident may evolve into an ‘armed attack’ as the attacker’s intentions and capabilities shift when a network is breached, and they take advantage of their foothold. Additionally, deployment in certain cyber actions can be instantaneous, posing an immediate threat to national security, while others may unfold gradually, eluding detection for extended periods. This subtlety, combined with the constant evolution of cyber operations and capability, blurs the boundaries between random attacks, espionage, sabotage, and acts of warfare.

As the international community grapples with classifying cyberattacks under international law, how crucial is it for nations to reach a consensus? And what might the implications be if a universal classification isn’t established?

Because the digital landscape and the caliber of threats are constantly evolving, it’s crucial that we quickly establish governance and regulations that can mitigate potential catastrophic consequences. International laws bounding these attacks could help organizations worldwide better prepare to prevent attack escalation and have a clear response to threats.

Although not all countries or groups or individuals will adhere to international laws, having a clear understanding of the legal dimensions of cyber warfare will help clarify unacceptable parameters of attacks, including, for example, the loss of critical infrastructure systems that could harm large numbers of civilians. Moreover, the risk of misinterpreting cyber incidents as malicious attacks can inadvertently signal hostility, transitioning a digital conflict into traditional warfare. It is crucial to promptly address this issue and develop a framework that manages the complexities of modern cyber conflicts.

Can you discuss the ethical dilemmas faced by military and state cyber operators when considering “hack back” or “attack back” options, especially given the potential risks of misidentifying the original attacker?

There are many concerns when determining the next steps in responding to a cyber incident or attack that require careful navigation of ethics, further underscoring the importance of international governance and regulations. An escalatory response to a cyberattack, such as a “hack back” or “attack back,” raises legal and ethical questions if such action could lead to a larger conflict.

Because cyber attackers are becoming more skilled at hiding their true identities, there is indeed cause for concern about whether a response could lead to retaliatory actions and collateral damage against innocent parties. Additionally, the intentions of the original attacker could be misidentified by the victim, leading to disproportionate or unneeded attacks. It is also important to consider the unintended consequences retaliation would have on the nation’s citizens. For example, targeting critical infrastructure in a “hack back” could lead to massive outages that would harm civilians. This necessitates a cyber defense strategy that doesn’t just block or react, but one that is also designed to seek out attackers’ motives and identities. It’s a tale as old as time in the military world—if you understand your opponent’s motives, you have the upper hand.

Cybersecurity requires great collaboration, both internally within a nation and internationally. How vital is international cooperation in this domain, and how can we foster it?

Promoting collaboration and cooperation with allies and partners, and in some cases even adversaries, means we can better address the complexities of a changing cybersecurity landscape. By working together to create baseline standards for cybersecurity, international cooperation will demonstrate a united front to both state-sponsored and independent cyber attackers. Global conversations are already happening with organizations like the United Nations working to release cybersecurity initiatives over the misuse of technology by malicious entities.

While many countries have organizations dedicated to creating national regulations, like the United States’ Cybersecurity and Infrastructure Security Agency (CISA), there needs to be stronger efforts put toward creating similar organizations internationally. These organizations can then outline standards and systems that create cybersecurity-focused tactics and requirements, like information sharing, which foster cyber resiliency. This is another example of traditional military strategy translating to digital warfare: allies are important.

Automation is becoming increasingly prevalent in cyber defense strategies. Can you provide insights into the risks and rewards of automated responses in cybersecurity?

Automation—particularly AI-powered automation—empowers cybersecurity teams to implement cutting-edge security applications and use methods that used to require too much manual labor to be effective. For example, applying automation in Active Defense methods such as honey accounts or honey tokens makes the previously time-consuming task of building those tools much simpler. Automating information gathering and the deployment of these tools further increases their effectiveness and efficiency. Adversaries will be automating their attacks to do as much damage as possible, so defense strategies should follow suit.