Options to Mitigate Cognitive Threats

John Chiment is a strategic threat intelligence analyst and has supported efforts across the Department of Defense and U.S. Intelligence Community. The views expressed herein are those of the author and do not reflect the official policy or position of the LinQuest Corporation, any of LinQuest’s subsidiaries or parents, or the U.S. Government.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group. 


National Security Situation:  Cognitive attacks target the defender’s ability to accurately perceive the battlespace and react appropriately. If successful, these attacks may permit an attacker to defeat better equipped or positioned defenders. Defenders who deploy defenses poorly matched against the incoming threat – either due to mischaracterizing that threat or by rushing to respond – likely will suffer greater losses. Mitigation strategies for cognitive attacks all carry risks.

Date Originally Written:  January 31, 2022.

Date Originally Published:   March 7, 2022.

Author and / or Article Point of View:  The author is an American threat intelligence analyst with time in uniform, as a U.S. government civilian, and as a DoD contractor. 

Background:  Effectively countering an attack requires the defender to detect its existence, recognize the danger posed, decide on a course of action, and implement that action before the attack completes its engagement. An attacker can improve the odds of a successful strike by increasing the difficulty in each of these steps (via stealth, speed, deception, saturation, etc.) while defenders can improve their chances through preparation, awareness, and technical capabilities. Correct detection and characterization of a threat enables decision-makers to decide which available defense is the most appropriate. 

Significance:  A defender deploying a suboptimal or otherwise inappropriate defense benefits the attacker. Attackers who target the defender’s understanding of the incoming attack and their decision-making process may prompt defenders to select inappropriate defenses. Technological superiority – long a goal of western militaries – may be insufficient against such cognitive manipulations that target human decision-making processes rather than the capabilities the defender controls.

Option #1:  Defenders increase their number of assets collecting Intelligence, Surveillance, and Reconnaissance (ISR) data in order to more rapidly detect threats.

Risk:  Increasing ISR data collection consumes industrial and financial resources and may worsen relationships with other powers and the general public. Increasing collection may also overwhelm analytic capabilities by providing too much data [1].

Gain:  Event detection begins the defender’s process and earlier detection permits the defender to develop more options in subsequent stages. By increasing the number of ISR assets that can begin the defender’s decision-making process, the defender increases their opportunities to select an appropriate defense.

Option #2:  The defender increases the number of assets capable of analyzing information in order to more rapidly identify the threat.

Risk:  Increasing the number of assets capable of accurately processing, exploiting, and disseminating (PED) information consumes intellectual and financial resources. Threat characterization decisions can also be targeted in the same ways as defense deployment decisions [2].

Gain:  A larger network of available PED analysts may better address localized spikes in attacks, more evenly distribute stress among analysts and analytic networks within supporting agencies, and lower the risk of mischaracterizing threats, likely improving decision-makers’ chances of selecting an appropriate defense.

Option #3:  The defender automates defense deployment decisions in order to rapidly respond with a defense.

Risk:  Automated systems may possess exploitable logical flaws that can be targeted in much the same way as the defender’s existing decision-making process. Automated systems operate at greater speeds, limiting opportunities for the defender to detect and correct inappropriate decisions [3].

Gain:  Automated systems operate at high speed and may mitigate time lost to late detection or initial mischaracterization of threats. Automating decisions also reduces the immediate cognitive load on the defender by permitting defensive software designers to explore and plan for complex potentials without the stress of an incoming attack.

Option #4:  The defender increases the number of assets authorized to make defense deployment decisions in order to more likely select an appropriate defense.

Risk:  Increasing the available pool of authorized decision-makers consumes communication bandwidth and financial resources. Larger communication networks have larger attack surfaces and increase the risk of both data leaks and attackers maliciously influencing decisions into far-off engagements. Attacking the network segment may produce delays resulting in defenders not deploying appropriate defenses in time [4].

Gain:  A larger network of authorized decision-makers may better address localized spikes in attacks, more evenly distribute stress among decision-making personnel, and lower the risk of rushed judgements that may prompt inappropriate defense deployments.

Option #5:  The defender trains authorized decision-makers to operate at higher cognitive loads in order to more likely select an appropriate defense.

Risk:  Attackers likely can increase attacks and overwhelm even extremely well-trained decision-makers.  As such, this option is a short-term solution. Increasing the cognitive load on an already limited resource pool likely will increase burnout rates, lowering the overall supply of experienced decision-makers [5].

Gain:  Improving decision-maker training can likely be achieved with minimal new investments as it focusses on better utilization of existing resources.

Option #6:  The defender prepositions improved defenses and defense response options in order to better endure attacks regardless of decision-making timelines.

Risk:  Prepositioned defenses and response options consume logistical and financial resources. Actions made prior to conflict risk being detected and planned for by adversaries, reducing their potential value. Rarely used defenses have maintenance costs that can be difficult to justify [6].

Gain:  Prepositioned defenses may mitigate attacks not detected before impact by improving the targeted asset’s overall endurance, and attackers knowledgeable of the defender’s defensive capabilities and response options may be deterred or slowed when pursuing goals that will now have to contend with the defender’s assets.

Other Comments:  Risks to the decision-making processes cannot be fully avoided. Options #3 and #6 attempt to make decisions before any cognitive attacks target decision-makers while Options #2 and #4 attempt to mitigate cognitive attack impact by spreading the load across a larger pool of assets. Options #1 and #2 may permit decision-makers to make better decisions earlier in an active attack while Option #5 attempts to improve the decision-making abilities of existing decision-makers. 

Recommendation:  None.


Endnotes:

[1] Krohley, N. (2017, 24 October). The Intelligence Cycle is Broken. Here’s How To Fix It. Modern Warfare Institute at West Point. https://mwi.usma.edu/intelligence-cycle-broken-heres-fix/

[2] Corona, I., Giacinto, G., & Roli, F. (2013, 1 August). Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues. Information Sciences, 239, 201-225. https://doi.org/10.1016/j.ins.2013.03.022

[3] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., & Song, D. (2018). Robust Physical-World Attacks on Deep Learning Visual Classification [Paper Presentation]. Conference on Computer Vision and Pattern Recognition. https://arxiv.org/abs/1707.08945v5

[4] Joint Chiefs of Staff. (2016, 21 December). Countering Threat Networks (JP 3-25). https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_25.pdf

[5] Larsen, R. P. (2001). Decision Making by Military Students Under Severe Stress. Military Psychology, 13(2), 89-98. https://doi.org/10.1207/S15327876MP1302_02

[6] Gerritz, C. (2018, 1 February). Special Report: Defense in Depth is a Flawed Cyber Strategy. Cyber Defense Magazine. https://www.cyberdefensemagazine.com/special-report-defense-in-depth-is-a-flawed-cyber-strategy/
