A Cyber PSYOP Primer

April 27, 2011 | Cyber Security

COL (Retired) Lawrence D. Dietz http://psyopregiment.blogspot.com

I) Introduction/Executive Summary

Technology, to paraphrase Karl Marx, has in some ways become the opium of the masses. In this case the masses are often the educated and elite of nations, or perhaps the majority of urban populations. The use of information technology as a means to influence selected targets and populations has been shown to be effective. Cyber PSYOP is a nascent discipline, but one that requires our attention and a share of our scarce resources.

The purpose of this article is to provide an overview of Cyber PSYOP as a means for engaging the community. Regretfully the area of Computer Network Operations remains a nebulous and secretive arena notwithstanding the creation of the 4 star US Cyber Command.

History has shown that the US DOD has a strong tendency to favor kinetic operations even in the face of a nimble and capable opponent. The discipline of PSYOP has been ignored for years to its detriment. As we enter an era of uncertainty with respect to potential enemies and adversaries exacerbated by shrinking budgets, it is hoped that this article will aid in the understanding of and help foster attention to Cyber PSYOP.

II) Working Definition of Cyber PSYOP

Cyber PSYOP (CP) is defined as exploiting computer systems and networks in order to achieve a desired behavioral effect on a target. In this context computer systems and networks include computers of all types (laptops, desktops, servers, mainframes, etc.), the networks that connect systems and organizations, the Internet and telecommunications. Telecommunications includes smart phones, wireless devices, etc.

III) Target & Mission Analysis: Who is the target and how do you want to affect them?

CP operates at all levels: strategic, operational and tactical. The virtual nature of CP blurs the lines of deployment, so that even the most tactical of attacks, say on a targeted individual, can spider-web out through cyberspace and rise to the strategic level.

Targets can be divided into desired targets of individuals or groups as well as unintended or spillover targets that will be impacted by the same CP effort either directly or indirectly. In military parlance effects on these unintended targets can be considered second or third order effects.

Target analysis is critical in CP because CP can be employed with laser like focus against individual targets through their devices (e.g. smart phones), their social connections (e.g. Facebook, Linkedin, MySpace, etc.) or more broadly aimed at larger groups such as government bureaucrats who are on the same network or within the same department, agency or bureau.

IV) Intelligence Preparation of the Battlefield (IPB) for Cyber PSYOP

A. Target Profiling

Targeting profiling for CP means identification of the individuals and groups that the Commander wants to influence. Specificity is important in this phase. A basic tenet of CP is that the target must have access to and be highly reliant on technology. It is foolish to mount a Distributed Denial of Service (DDOS) attack against a tribe in Afghanistan that doesn’t even have a phone line in their village.

If the target is an individual and his followers, then all the intelligence disciplines should be employed to flesh out the characteristics of the target, including their personal technology (phones, computers, service providers, etc.). It is also important to determine their social connections as manifested through social networking. Analysis of Facebook “friends”, Linkedin contacts and Twitter habits can yield significant targeting data.

B. Technology Profiling

Technology profiling includes determining the configurations, software packages, version numbers, hardware varieties, etc. of all systems and devices that the target and his affiliated and affinity groups will come into contact with.

Technology profiling will employ signals intelligence (SIGINT) collection and analysis to help map networks and traffic patterns. This includes analysis of text messaging, web sites visited and preferred Instant Message (IM) systems, along with network analysis to see with whom they communicate. Network analysis will be extended to determine relationships – whether they are superior, subordinate or peer to the target. A by-product of this analysis will be the discovery of other key targets, who in turn must be analyzed in the context of the present target and potential future targets.

Another aspect of technology profiling is determining where and how the target accesses IT. Planners can mount different campaigns depending on whether the target employs his own personal laptop or smart phone, uses Internet cafes or equipment provided by friends or relatives, or relies on office or public library access.

If there is a high dependence on Internet cafes, then it will be prudent to determine how to confirm when a particular individual or specific group is present. This confirmation can come from imagery intelligence (IMINT), such as a covert video camera that is web based or one connected to a digital video recorder (DVR) that allows secure remote access. These techniques are quite standard in criminal and civil investigations and are no longer the exclusive province of government agencies.

Of course it would be possible to employ agents to watch the cafes or the targets; however, this course of action can mean significant risk and should not be undertaken lightly.

No matter what methodology you consider, it is important to bear in mind the location and the laws of that nation. Laws are notoriously behind technology, and the investigative area is no exception. Under some draconian governments it is possible that actions taken to observe others, especially those supportive of the regime, might be interpreted as treason and subject to the same laws and punishment.

C. Attack Vector Alternative Courses of Action

Once sufficient target analysis is conducted, the nature of CP must be matched with appropriate attack and exploitation strategies. More likely than not the best course of action is to employ a period of Computer Network Exploitation (CNE).

During this period the friendly force can collect intelligence about the target which can be used to help formulate the attack plan. CNE can also include determining the exact nature of the information technology (IT) infrastructure surrounding the target. Noted as technology profiling above, this effort would seek to determine the exact configuration of hardware and software. The configuration would include the versions of each and would determine how up to date the software patches are for each major software application.

The timeliness of patches is important because a pure CNA would exploit the security vulnerabilities created by failure to install the latest patches. The configuration analysis would also determine what CND mechanisms are in place, such as anti-malware software, firewalls, authentication schemes, encryption, data leak protection (DLP), and intrusion detection/prevention. Detailed knowledge of the configuration will aid the operational planner in determining which attacks are best suited to exploit the vulnerabilities of the configurations.

V) Operational Planning

A. General

CP requires considerable in-depth planning. The virtual nature of cyber attacks and exploitation multiplies the chances of something going wrong. Furthermore, adding the variable of technology into the equation, especially as the primary delivery vehicle for your offensive actions, introduces complications that in many cases cannot be foreseen.

At its core CP requires developing an operational matrix which describes the target and the desired effect. This allows the operational planner to select the proper tools and craft the appropriate messaging and work product.

Target | Desired Effect | Candidate Tactics
Head of State | Have population feel he has lost control. | Deface website with messages from ‘opposition’.
Head of State | Imply acts of moral turpitude. | Post photos on Facebook or other prominent pages.
Military Unit | Sow confusion. | Employ covert bots to alter data and operations for key applications.
Hostile Government | Influence mid-level managers to support ‘opposition’. | Dedicated e-mail campaign, text messages to key political leaders.

B. Media and CP

This paper is not intended to be an encyclopedia of CP. Consequently we will not go into the fundamentals of PSYOP; suffice it to say that CP can be conducted by establishing one’s own Internet presence. However, this is not a universal solution. First of all, just as in print or broadcast, credibility is paramount. It doesn’t take long before the identity of the true owner of an on-line site is unearthed and broadcast.

CP can make use of other techniques. As with most media, it is possible to buy space or talent. Existing outlets can be convinced to run positive items or advertisements/commercials depending on the nature of the media environment.

Other techniques include commenting on blogs and submitting comments to on-line entities via trusted agents, anonymously, or perhaps even directly. However, caution must be taken to avoid compromises that would undo any of the positive efforts that have taken place.

C. Raw Denial Versus Exploitation

Having had the good fortune to enjoy a successful high tech oriented career as well as a military one, I’m always attracted to the elegant, rather than the brute force solution. In CP it is often possible to deny the enemy the use of his communications and elements of his IT infrastructure.

Low level attacks, those that fly ‘under the radar’ so to speak, are very difficult to identify and almost impossible to thwart. One may be able to achieve a PSYOP objective by covertly altering the enemy’s IT system, especially his software, to produce incorrect results. It is also possible to attack an IT infrastructure in such a way that its failure to function properly is attributed to the vagaries of computers and their progeny.

The point is that a combination of CP attacks is often the best approach. Some of the attacks will be easily observed, such as website defacement or a DDOS attack resulting in crashes, while others, such as siphoning of data, altering databases and compromising algorithms, are far more likely to go undetected.

The astute CP planner will also have to consider the legal and political aspects of his endeavors. This means ensuring that the diplomatic team is appropriately involved and that the proposed actions are legal under the nation’s laws. Failure to consider these aspects can turn a technically successful mission into a political debacle.

VI) Future of Cyber PSYOP

CP is an important part of our influence operations arsenal. Its importance is directly proportional to the technology reliance of the target. The more reliant the target is on technology, the more susceptible they will be to CP.

Tactics, Techniques and Procedures (TTP) for CP are very much the same as for other PSYOP or MISO. The key difference is the use of technological means as the principal delivery vehicle. It is almost certain that the nature of technology will change. Smart phones have already eclipsed personal computers in sales, and even the entertainment business is responding to changes in electronic distribution through Internet based streaming and red point of sale machines in grocery stores.

CP TTP will have to adapt as the technology evolves, and operators will have to maintain up to the minute knowledge of this evolution. CP operators will also have to adopt a global perspective to appreciate the global implications of local tactical CP efforts, and will have to be creative and innovative in order to develop the body of local knowledge required to exploit targets at the tactical level.

I believe that within the next few years CP will emerge as a mainstream discipline ahead of the employment of CNO as a warfighting system. CP will prove itself in urban conflicts to come. However, the nature of CP also appeals to our enemies. They have shown themselves to be creative and adaptive, and at times far more nimble than we are. Consequently part of our CP resources must be devoted to developing and executing counter-CP operations to minimize the impact of enemy CP and ensure that we dominate the information battlefield.

Glossary

CNA – Computer Network Attack

CND – Computer Network Defense

CNE – Computer Network Exploitation

CP – Cyber PSYOP

DDOS – Distributed Denial of Service Attack

DLP – Data Leak Protection

DVR – Digital Video Recorder

IM – Instant Message

IMINT – Imagery Intelligence

IPB – Intelligence Preparation of the Battlefield

IT – Information Technology

MISO – Military Information Support Operations

PSYOP – Psychological Operations; now referred to as Military Information Support Operations (MISO)

SIGINT – Signals Intelligence

TTP – Tactics, Techniques and Procedures

© TAL Global, 2019