Toward practical cyber counter deception.

Author: Porter, Christopher
Position: Report

Nation-states increasingly engage in strategic deception in cyberspace, frustrating traditional counter deception approaches. This paper evaluates and critiques the philosophical underpinnings and practical implications of existing military-political counter deception and computer forensic approaches. Analysts can better detect and expose strategic deception campaigns in cyberspace by focusing on the size and organizational strength threat actors need to conduct the operations.

**********

Detecting, countering, and deterring strategic deception in cyberspace remains reliant upon techniques and policies developed for countering deception in the physical world. Solid assumptions in a resource-constrained physical space are largely inapplicable to forensic examination of cyberspace, where resources are effectively limitless. Specifically, counter deception methods used by military and intelligence officers rely on the assumption that would-be deceivers either leave behind evidence incongruous with the reality they are attempting to present or incompletely simulate the physical properties of the reality they are attempting to mimic. Cyber threat actors, some probably sponsored by the Russian government, often exploit the reliance on these assumptions, as physical counter deception techniques do not apply to cyberspace. Ironically, the more trained and experienced an analyst is in detecting deception, the more ill-suited they may be to detecting cyber deception using current methods and training. Longstanding difficulties attributing cyber operations to a particular nation-state sponsor, compounded by a lack of reliable counter deception tools, have elevated cyber deception to a politically effective weapon unto itself.

This paper highlights the challenges inherent in cyber counter deception and provides specific questions that analysts can ask to overcome these challenges, particularly as part of an analysis-of-competing-hypotheses structured analytic exercise. The paper concludes with a short discussion of the importance public education could play in mitigating the effectiveness of cyber deception, as currently practiced when targeting democracies.

MEATSPACE COUNTER DECEPTION METHODS DO NOT HOLD UP IN CYBERSPACE

Barton Whaley has often been called the father of modern deception studies. So extensive is his influence over deception and counter deception scholarship that the Deception Research Center at CIA headquarters bears his name. Perhaps the most unexpected data source Whaley drew upon was the work of stage magicians. He studied the cognitive biases exploited by magicians and how frequently each appeared across many tricks. The "second rule of every deception's weakness," credited jointly to Whaley and Jones, is as follows: "Creating a deception simultaneously creates all the clues (incongruities) needed for its detection." Whaley's own corollary to that rule is that "every deception creates at least two incongruities--one about the thing being hidden (dissimulated), the other about the thing being shown (simulated) in its place." (1) Although strategic counter deception practitioners do not directly consult his studies as a standard of care, Whaley presents ample evidence that the general trends he identifies are reasonable proxies for the frequency with which various military and strategic political deception methods are employed.

The matrix of deception is arrayed in order of likely success, such that a trick that masks and mimics is thought to be more likely to succeed and remain in use than one that relies on dazzling and decoying.

* Masking hides the real by making it invisible.

* Repackaging hides the real by disguising.

* Dazzling hides the real by confusing.

* Mimicking shows the false by having one thing imitate another.

* Inventing shows the false by displaying another reality.

* Decoying shows the false by diverting attention.

These deceptions, and the means by which an audience member or fellow conjurer could detect them, were then applied to great military and strategic planning problems across history. While this line of inquiry bore a lifetime of fruit for Dr. Whaley, it rests on one uncomfortable premise: that the human mind's errors in processing physical phenomena like sight and sound can lead to strategic miscalculation, thereby opening the door to deception. Whaley found that, because humans are weak at discerning the direction from which a sound is coming, many magicians' tricks relied on deceiving human hearing. There is, however, no clear analogue to this observation in cyber operations, so the data he collected may not give a representative sample of cyber deception operations. His work speaks for itself in accurately describing historical military deception and in its useful application to myriad intelligence problems of the present (particularly for clandestine operatives), but the parallels it draws fall short in today's most important theater of deception: cyberspace. (2) This suggests that mistakes are being made writ large by national security practitioners attempting to apply concepts learned from historical military deception studies to a non-physical space.

Barton Whaley did consider the application of computers to counter deception. Building on R.V. Jones's studies of practical joking and information processing, Dr. Whaley theorized that computers, because they are good at detecting incongruities, could be applied as "expert systems" to alert counter deception practitioners to suspicious patterns. Yet, despite the wide availability of increasingly advanced intrusion detection systems that automatically discover anomalous behavior on computer networks, cyber deception at the strategic level remains rife and is increasingly effective in many ways.

Even a cursory examination of cyber operations reveals that the proportions found in magicians' tricks and, according to Whaley, on the battlefield are warped compared to what one finds in the practice of counter deception in cyberspace. (3) For example, any stateful connection (Web traffic, e-mail, etc.) will require a two-way connection of some sort in order to succeed. While cyber operations can endeavor to hide the purpose or maliciousness of their traffic, the traffic...
