Our information environment is increasingly dependent on the inescapable, largely unregulated cyberspace. Beyond national and geographical boundaries, however, this comes with its unique challenges ranging from information accuracy, integrity and relevancy to weaponizing information to influence a target audience in the pursuit of a diplomatic or economic goal.
tl;dr
This paper proposes the development and inclusion of Information Influence Operations (IIOs) in Cyberspace Operations. IIOs encompass the offensive and defensive use of cyberspace to influence a targeted population. This capability will enable the evolution of strategic messaging in cyberspace and allow response to near-peer efforts in information warfare.
Make sure to read the full paper titled Information Influence Operations: The Future of Information Dominance By Captain David Morin at https://cyberdefensereview.army.mil/CDR-Content/Articles/Article-View/Article/2537080/information-influence-operations-the-future-of-information-dominance/
The United States Cyber Command (USCYBERCOM) unifies the direction of cyber operations within the Department of Defense. This paper proposes to incorporate Information Influence Operations (IIOs) into its capability set. This influence will facilitate the exertion of soft power in the pursuit of US national interests. Moreover, IIOs will reduce the need for large-scale operations or use of critical cyber offensive operations.
A notable omission in the paper is a clear definition of IIOs. The ‘Introduction’ suggests that “the unrealized value of cyberspace, and what makes it so dangerous, is it allows direct access to the individual and to the public at large. This access, when used correctly, provides actors in cyberspace the ability to influence public opinion and shape the narrative of ongoing operations.” This, however, appears to be conflating cyberspace with the general, public media landscape while it implies an operator could just hack Twitter accounts and send out some tweets with a favorable narrative. Applying the lessons and learnings from its efforts to counter foreign influence operations, Facebook views all “coordinated efforts to manipulate or corrupt public debate for a strategic goal” as an influence operation. By definition in Joint Publication 3-13, information operations are described as “the integrated use of electronic warfare, computer network operations, psychological operations (PSYOP), military deception, and operations security to influence, disrupt, or corrupt adversarial decision making while protecting our own.” Therefore a suitable definition combining all of three concepts would define IIOs as “a capability to shape and direct public opinion in order to influence, disrupt, or corrupt adversarial decision making by leveraging soft- and hardware technology supported by psychological weapons and tactics in the pursuit of a strategic national interest.”
The author could have expanded more on the principles of US combatant command structures and its basic chain of command. This would have helped the reader to understand the current discrepancies in ownership of IIOs. As it stands, US combatant commands are structured by geographic focus and functional capabilities. USCYBERCOM falls into the latter category. A functional command unifies different military branches to achieve its mission. It remains unclear which military branch currently takes ownership of IIOs, if any. Taking it a step further out of the frame, the author comes out short on delivering a convincing rationale of when and where IIOs should be deployed and under whose authority. Cyberspace is predominantly civilian space created and maintained by privately held servers all across the world. Would USCYBERCOM install a permanent Information Influence Operations Center to execute IIOs spanning multiple months and years? Would such action require presidential or congressional approval? And would approved missions cease at servers operated on US soil or exclude US citizens from manipulation? Would it release a transparency report detailing the measures taken against foreign and domestic threats and under whose authority? These and other important questions need to be considered when thinking about consolidation of government power.
But not all is dark and gloomy. The author does detail his proposition with a few more insights. In revisiting Stuxnet, NotPetya or the Russian involvement in dividing the US electorate during the 2016 US Presidential elections the author builds a foundation to support the argument for a centralized command of IIOs. Two of these events were targeted cyber attacks on critical infrastructure, one allegedly driven by the US and Israel, and the third event was a carefully curated, multi-year effort to exploit vulnerabilities in the US democratic process. All of these events indeed demonstrate the power that can be wielded through cyberspace operations, but where I disagree with the author is the comparability of these unique events and a causality between cyberspace and influencing information. Combining cyber attacks to corrupt critical infrastructure with a targeted narrative to redirect the public’s attention is a serious threat to US national security. However, identifying the operator and the motive behind such an attack may reveal domestic, private actors with a mere criminal motive, if attribution is even possible. Take the coordinated social engineering attack on Twitter ahead of the 2020 US Presidential elections. Government accounts from Joe Biden to Barack Obama as well as the accounts of notable public figures such as Elon Musk or Jeff Bezos were hacked, hijacked and abused to distribute a bitcoin scam. Should USCYBERCOM have stepped in, take network control from Twitter, a private business, in order to mitigate and counter the attack?
In the section ‘Influencers’ the author does raise valid concerns when he states that “influencers are capable of wielding influence over millions and have used this influence for a multitude of purposes from philanthropy and advertising to political ends.” Online reach is tantamount to circulation of a print paper with the difference being longevity – the internet never forgets. Unchecked influence of influencers is something our society needs to review and decide upon. Perhaps private businesses will recognize the powers that be and increase checks and balances for this specific type of user or automatically guardrail reach to create equity among users.
In the section ‘Operationalizing IIOs’ the author states “There is little brand loyalty in the online world. Consumers will go elsewhere to find what they need if their preference is slow or unavailable. Influencing and controlling that “someplace else” yields the opportunity to wield influence.” In essence, the author suggests to take advantage of users impatience by increasing the time it takes to load a website. Once this latency or lag is in place, an operator may incentivice users to shift their attention to an alternative information source. This can be achieved through well-targeted advertising campaigns. As an example, the author offers the case of Amazon losing over $72 million due to a 63 minute outage on Prime Day 2018.
There is research to support an increased impatience during ecommerce transactions. However, there is an equal amount of research on brand loyalty, which across markets sees about 75% and higher retention rates once a customer relationship has been successfully established. For example, an Amazon Prime user, who pays for the privilege of Prime is unlikely to switch a book order to Barnes & Noble simply because there is a few milliseconds of delay when placing the order. It takes a contrast in price and shipping time to break the established brand loyalty with Amazon. Furthermore, in the author’s example the IIO appears to be directed at an ecommerce transaction. Even in the hypothetical foreign policy scenario of introducing latency to Alibaba to redirect users to Amazon to decrease economic output/revenue or other feasible US objectives, the author doesn’t really explain how it could favorably influence future behavior.
IIOs offer a tremendous potential to support diplomacy while strengthening our national security. Allocating the responsibility to exert and drive information influence to a military institution, however, raises constitutional concerns. It would likely undermine the trust of our allies but also chill diplomatic relations with non-allied nations. From a military perspective, an effort to centralize capabilities can reduce overall cost of cyberspace operations and increase transparency among military stakeholders. On the other hand, all centralized command structures are vulnerable to a single-point of failure, which can be devastating when USCYBERCOM is facing a sophisticated, superior adversary. In addition, an effort to centralize IIOs might increase the response rate to attacks in cyberspace or efforts to coordinate foreign influence operations by an adversary due to the extended chain of command.