Cyber deception has been practiced for decades and electronic deception for a century. While, deception has been central to warfare for millennia. Cyber deception is established as best practice to the extent that it is mandated in policy and standards is supported in domestic and international law. Furthermore, cyber deception is critical to intelligence collection, adversarial management to actively defend, disrupt deter and deter, or creating effects on one’s opponent. A military can employ deception in a decisive engagement to disappear, re-spawn and maneuver within the domain. Any enterprise that has not fully operationalized cyber deception is strategically disadvantaged.
Resilience is important but sometimes it is best not to be in the line-of-fire, even if you think you are bulletproof.
Canada’s adversaries are adept at offensive cyber deception. We see daily evidence of cyber psychological operations, misinformation, influence and social engineering campaigns against Canadian’s and institutions by foreign intelligence services and militaries.
Russian military doctrine Maskirovka (disguise) covers a broad range of measures for military deception, from camouflage, concealment, imitation, manipulation, decoys, phishing, disinformation across all domains, and particularly cyber were Maskirovka is most effective. A goal of military deception is surprise (vnezapnost) so the two are naturally practiced together. Russia has a history of operating with a more complete (hybrid) inclusion of elements of military power and influence. Cyber deception enables Russia’s First Offset against the West that gives Russia new leverage on the battlefield.
Deception has been central calculus of warfare, diplomacy, business and sport since beginning of recorded history. Electronic deception was used to great effect since WW1 and cyber deception for the past 40 years. The cyber deception technology market is currently estimated to grow to $12 Billion by 2022. Global cyber threat intelligence services use deception infrastructures to extensively. Deception technology has also proven the most effective means of detecting zero-day exploits and advanced persistent threats. Thus, cyber deception has been established as best practice for cyber security for quite some time.
“All warfare is based on deception. Offer the enemy bait to lure him.” ― Sun tzu, The Art of War
Joint Doctrine for Military Deception says that “military deception is applicable at each level-of-war and across the range of military operations including cyber. It is defined as being those actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions and operations, thereby causing the adversary to take specific actions that will contribute to the accomplishment of the friendly mission.”
The Canadian Forces Information Warfare Conceptual Framework in 1994 discussed semantic warfare and cyber deception in-depth. The Interdepartmental Committee on Information Warfare established operational concepts for proactive defence, cyber psychological operations and deception that same year.
The United Kingdom established its first research unit focused solely on cyber deception in November 2019, reflecting growing awareness of the importance of deception in this domain. The National Cyber Deception Laboratory (NCDL) is administered by Cranfield University on behalf of the UK MoD and is based at the Ministry of Defence’s Cyber School, at the UK Defence Academy.
Deception is a hallmark of military and intelligence operations. - UK Cyber deception lab
NATO Best Practices in Computer Network Defence, published in 2014, re-enforced the need for cyber deception, forward-deployed intelligence collection and active defence. The Tallinn Manual International Law Cyber Warfare (Rule 61 – Ruses) permits cyber deception operations during both war and peace as an effective means of defence.
One would naturally expect the army, navy and air force to camouflage platforms from detection across the electromagnetic (EM) spectrum - from visible light to radio waves. We don't paint army vehicles bright orange. So why not camouflage vital cyber infrastructures?
All military campaigns require stealth and deception. Cyber is no difference.
CONCEALMENT AND MISDIRECTION
The Communication Security Establishment (CSE) has provided cyber security guidance to departments on the matter of cyber deception, concealment and misdirection.
Similarly, the UK National Cyber Deception Lab advises “Network defenders should take a proactive approach by using military deception tradecraft to effectively defend against and manipulate the activities of attackers operating within their networks. Cyber deception offered a significant asymmetric advantage to the network defender, because they own the terrain and adversaries lack the defenders’ situational awareness.”
CYBER DECEPTION TECHNOLOGY
Cyber deception for cyber security in three verticals: for detecting adversaries, eliciting intelligence and for adversary management. The efficacy of deception for defence in the cyber domain is well-established, with modern commercial services focused on detecting adversaries and collecting intelligence on their activities. Deception technology enables a more proactive security posture by seeking to deceive, detect and defeat threat actors before they can attack.
LAW, ETHICS AND RISK
The following are principal observations and findings with respect to legal use of active cyber deception in the Canadian context:
Cyber Deception Technologies have been operating for half-a-century without court challenges.
There is no express prohibition for cyber deception, domestically or internationally. Neither is there exclusivity to any parties or agencies.
An organization not only has the authority to conduct cyber deception to protect their networks and assure the mission, they are explicit obligated to do so in official security guidance, standards or regulations,
We have established that there is no prohibition on the use of cyber deception activities. To the contrary, it can be successful argued that cyber deception controls are mandatory given that they are well established as best practices and explicitly written into standards. They also make good business sense because cyber deception lowers threat risk and liability, while offering the best Return-on-Investment (ROI) for cyber defence. Moreover, cyber deception and intelligence are found to be very closely coupled.