Deception has been standard military practice for millennia. Attackers and defenders employ deception for a variety of goals:
- Deceive – Cause a person to believe what is not true
- Degrade – Temporary reduction in effectiveness
- Delay – Slow the time of arrival of forces or capabilities
- Deny – Withhold information about capabilities
- Destroy – Enemy capability cannot be restored
- Disrupt – Interrupt or impede capabilities or systems
- Divert – Force adversary to change course or direction
- Exploit – Gain access to systems to collect or plant information
- Neutralize – Render adversary incapable of interfering with activity
- Suppress – Temporarily degrade adversary/tool below level to accomplish mission
The U.S. military uses what they call a “See, Think, Do” deception methodology.
The core idea is to manipulate the cognitive processes in the deception target’s mind that result in targeting decisions and in adversary actions that are advantageous to our operations, our tactical or strategic goals. This methodology tends to result in looping through the following three questions:
(1) What does the target of our deceptive activities see when they observe our operations?
(2) What conclusions does that target draw from those observations?
(3) What action may the target take as a result of the conclusions based upon those observations?
Successful deception operations are those that do more than make the target “believe” or “think” that the deception is true. Success also needs to result in action(s) or inaction that supports our operational plan(s).
Deception tactics can target human attackers, their organizations, their code, or any set thereof.
It is standard practice across global financial services enterprise information security to implement layers of protections — never depending on only a single security device. We are at a stage in the battle with global cybercrime that may demand we introduce deception as a new layer of defense. When we architect, design, and implement our applications and systems, we may enhance our resistance to attack by employing tactics analogous to military deception to influence attackers and the hostile code they use. This will not be quick or easy.
Who might you assign to this task? Do not immediately regress to: “I wonder who is available.” Like many security tasks, deception planning requires a relatively unique skillset. We build and deploy our software in ways that expose a multitude of interfaces. That practice results in complex and often numerous abuse cases. Our worker will need to understand and analyze that matrix from a number of perspectives, and to project others’ thinking and actions into the future. We might expect them to:
- Understand each component’s deception and other information operations/influence capabilities.
- Be intimately familiar with their organization’s missions and focus.
- Understand the concepts of centers of gravity, calculated risk, initiative, security, and surprise.
- Understand friendly and adversary intelligence systems and how they function.
- Possess technical understanding of intelligence sensors, the platforms on which they deploy, their reporting capabilities, and associated processing methodologies.
- Understand the psychological and cultural factors that might influence the adversary’s planning and decision making.
- Understand potential adversaries’ planning and decision-making processes (both formal and informal).
- Understand the assets that are available to support the deception.
It is more difficult than just that. We live in a world of laws, regulations, contracts, and norms that will constrain our behaviors in ways that differ from what may be acceptable on other battlefields. Our leaders and practitioners need to understand those limits and manage their activities in ways that align with our obligations. This will require much more than technical and operational competence. It requires a high level of maturity and a finely calibrated moral & ethical compass. Superior deception campaigns will require careful planning, effective guard-rails, and serious management.
Darn! Another difficult staffing challenge…
Get used to it. If you want to deliver your applications to a user-base anywhere on the Internet, and/or if you want to run your business in the cloud — especially if you are a global financial services enterprise — you need to expand and enhance your threat resistance using deception.
What do you think?
“Influence Operations and the Internet: A 21st Century Issue Legal, Doctrinal, and Policy Challenges in the Cyber World.”