The Hacker and the State

by Ben Buchanan 2020 336 pages
4.21
500+ ratings

Key Takeaways

1. Cyber operations are powerful tools for shaping geopolitics

Hacking has earned its place in the playbook of statecraft.

Versatile and impactful. Cyber operations have become an essential tool for nations to gain advantages over their rivals. They offer a wide range of capabilities, from espionage and sabotage to destabilization and coercion. Unlike traditional military operations, cyber attacks can be carried out with relative stealth and deniability, making them an attractive option for states seeking to advance their interests without risking open conflict.

Evolving landscape. The cyber domain has seen rapid evolution over the past two decades. What began as primarily covert espionage operations has expanded to include:

  • Targeted sabotage (e.g., Stuxnet attack on Iranian nuclear facilities)
  • Overt attacks on infrastructure (e.g., Russian attacks on Ukrainian power grid)
  • Large-scale information operations (e.g., Russian interference in the 2016 US election)
  • Widespread disruption campaigns (e.g., NotPetya malware)

As cyber capabilities continue to advance, they are likely to play an increasingly central role in geopolitical strategy and conflict.

2. The "home-field advantage" in signals intelligence

The United States and its allies have what some in the NSA call a "home-field advantage" when it comes to cyber operations.

Geographic and technological edge. The US and its Five Eyes partners (UK, Canada, Australia, New Zealand) benefit from their strategic positions along key global communication routes and their control over major tech companies. This advantage allows them to:

  • Tap into undersea cables and internet exchange points
  • Access data stored by US tech giants like Google and Facebook
  • Exploit their legal frameworks to compel cooperation from tech companies

Passive collection at scale. The NSA's Special Source Operations division leverages this advantage to conduct massive passive collection of global communications. Key programs include:

  • PRISM: Direct access to user data from major internet companies
  • Upstream collection: Tapping into the internet's backbone infrastructure
  • Transit authority: Collecting foreign-to-foreign communications as they pass through US networks

This home-field advantage enables the US to gather intelligence on a scale that would be difficult or impossible for most other nations to match.

3. The ongoing battle to defeat encryption

Cryptography poses an obvious threat to espionage and some law enforcement efforts. It reduces intercepted communications to gibberish, preserving the secrets within.

Cryptographic arms race. As encryption becomes more widespread and sophisticated, intelligence agencies are engaged in a constant struggle to maintain their ability to access protected communications. Key strategies include:

  • Exploiting weaknesses in encryption algorithms (e.g., the Dual_EC_DRBG backdoor)
  • Compromising key generation and distribution systems
  • Targeting the endpoints before encryption occurs
  • Developing quantum computing capabilities to break current encryption methods

Balancing act. The push to defeat encryption creates tension between security agencies and tech companies, as well as raising concerns about privacy and civil liberties. The debate over "exceptional access" or "backdoors" for law enforcement remains contentious, with no clear resolution in sight.

4. Strategic espionage campaigns reshape global power dynamics

China had good reasons to undertake such an aggressive and multi-faceted espionage campaign. It had lagged behind the United States for decades in both business and geopolitical competition.

Massive scale and impact. China's cyber espionage efforts have been unprecedented in their breadth and depth. Key targets include:

  • US government agencies and defense contractors
  • Major technology and manufacturing companies
  • Research institutions and universities
  • Critical infrastructure operators

The economic impact of this campaign has been estimated in the hundreds of billions of dollars, representing what former NSA Director Keith Alexander called "the greatest transfer of wealth in history."

Strategic objectives. China's cyber espionage serves multiple goals:

  • Accelerating technological development by stealing intellectual property
  • Gaining military advantages through theft of defense secrets
  • Enhancing economic competitiveness in key industries
  • Supporting broader geopolitical ambitions (e.g., Belt and Road Initiative)

The success of these efforts has significantly altered the global balance of power, allowing China to rapidly close gaps with the US in various critical domains.

5. Counterintelligence in the digital age

To understand contemporary statecraft, one must understand these shaping operations and their cumulative strategic effects.

Proactive defense. Modern counterintelligence increasingly relies on offensive cyber operations to protect against and understand adversary activities. Key tactics include:

  • Hacking the hackers: Compromising adversary infrastructure to observe their operations
  • Fourth-party collection: Intercepting intelligence gathered by other nations
  • Developing sophisticated malware detection and analysis capabilities

Strategic insights. Counterintelligence operations provide valuable information beyond just defending against attacks. They offer:

  • Understanding of adversary capabilities and intentions
  • Identification of intelligence targets and collection priorities
  • Opportunities to feed disinformation to rival agencies

The NSA's Territorial Dispute (TeDi) program exemplifies this approach, tracking and categorizing the activities of dozens of foreign hacking groups to better defend US networks and exploit adversary operations.

6. From covert sabotage to overt cyber attacks

Whereas Stuxnet and Wiper sought to be silent and stealthy, Iran's operations aspired to be loud and disruptive.

Evolution of cyber conflict. The trajectory of cyber operations has moved from purely covert activities to increasingly overt and destructive attacks. This shift is exemplified by:

  • Stuxnet (2010): Covert sabotage of Iranian nuclear facilities
  • Shamoon (2012): Destructive attack on Saudi Aramco's computer systems
  • Iranian attacks on US banks (2012-2013): Overt denial-of-service campaigns
  • Sony Pictures hack (2014): Destructive attack with public data leaks

Signaling vs. shaping. While some cyber attacks attempt to send geopolitical signals, they often struggle to achieve clear communication of intent or credible threats of escalation. Instead, cyber operations are more effective at directly shaping the strategic environment through:

  • Espionage and intelligence gathering
  • Sabotage of key infrastructure or capabilities
  • Economic damage to adversaries
  • Undermining public trust in institutions

The difficulty in calibrating cyber attacks and controlling their spread (e.g., NotPetya) further complicates their use as precise signaling tools.

7. Election interference and the weaponization of information

The Russian operation in 2016 was an attempt to shift the ground beneath the feet of American democracy.

Multi-pronged approach. The Russian interference campaign combined multiple tactics:

  • Hacking and leaking sensitive emails from the DNC and Clinton campaign
  • Creating and amplifying divisive social media content
  • Exploiting existing social and political tensions
  • Targeting election infrastructure (though no evidence of vote tampering)

Lasting impact. While the exact effect on the election outcome remains debated, the operation had significant consequences:

  • Undermining public trust in democratic institutions
  • Exacerbating political polarization
  • Exposing vulnerabilities in social media platforms and election systems
  • Inspiring similar operations by other state and non-state actors

The 2016 election interference served as a wake-up call, highlighting the power of information operations and the need for improved cybersecurity in democratic processes.

8. The rise of widespread disruption and destabilization

NotPetya ranks as the costliest and possibly the most important cyber attack in history.

Indiscriminate damage. The NotPetya malware, attributed to Russia, marked a new era of cyber attacks designed for widespread disruption. Key features:

  • Self-propagating worm utilizing stolen NSA exploits
  • Masquerading as ransomware while actually destroying data
  • Causing over $10 billion in damages to companies worldwide

Strategic implications. NotPetya and similar attacks demonstrate:

  • The potential for cyber weapons to cause massive collateral damage
  • The difficulty in containing and attributing such attacks
  • The blurring of lines between targeted operations and acts of war
  • The vulnerability of global supply chains and interconnected systems

These types of attacks raise challenging questions about deterrence, retaliation, and the norms of acceptable behavior in cyberspace.

9. Exposure as a weapon in cyber operations

Exposure does damage. Most significantly, as Panetta noted, the NSA must rebuild a great deal of its tooling and operational procedures in the aftermath of any serious breach.

The Shadow Brokers saga. The mysterious release of NSA hacking tools by the Shadow Brokers group illustrates the power of exposure as a weapon:

  • Compromised valuable NSA capabilities
  • Enabled other actors to conduct powerful attacks (e.g., WannaCry, NotPetya)
  • Damaged the NSA's reputation and operational security

Strategic leaking. State actors increasingly use selective leaks and public disclosures as part of their cyber strategies:

  • Revealing adversary operations to neutralize their effectiveness
  • Embarrassing rival agencies and undermining their credibility
  • Shaping public narratives around cyber conflict and espionage

The threat of exposure creates a constant tension in cyber operations, forcing agencies to balance the potential benefits of a capability against the risks of it being discovered and revealed.

Review Summary

4.21 out of 5
Average of 500+ ratings from Goodreads and Amazon.

The Hacker and the State explores the role of cyber operations in geopolitics, covering major attacks like Stuxnet and NotPetya. Buchanan argues that cyber capabilities are better for shaping events than signaling intentions, unlike conventional weapons. The book provides a comprehensive overview of state-sponsored hacking, detailing operations by various countries. Readers appreciate its analytical approach and historical context, though some found certain sections overly detailed. Overall, it's considered an informative and well-researched examination of cybersecurity's impact on international relations.

About the Author

Ben Buchanan is a cybersecurity expert and author specializing in the intersection of technology and national security. He holds a Ph.D. from King's College London and is currently affiliated with Harvard University. Buchanan's work focuses on cyber operations, artificial intelligence, and their implications for global politics. He has written multiple books on these subjects, including "The New Fire: War, Peace, and Democracy in the Age of AI." Buchanan's expertise is widely recognized, and he frequently contributes to academic and policy discussions on cybersecurity and emerging technologies. His writing style is praised for balancing technical detail with accessibility for non-expert readers.
