The U.S. intelligence community's recent trend of declassifying intelligence to inform the global community of Russia’s actions in the run-up to and during its invasion of Ukraine also seeks to impose friction on Russia’s actions, according to a U.S. Cyber Command official.
“The U.S. and its allies are increasingly using intelligence itself as an instrument of power, as a spoiling attack against adversaries through the rapid declassification and release of timely, accurate and actionable intelligence,” Brig. Gen. Matteo Martemucci, director of intelligence at Cyber Command, said during an AFCEA DC event Wednesday.
Martemucci said the public release of information “throws our adversaries off their game” as they have to assess their operations in light of disclosures.
“They have to, in fact, perhaps abandon planned operations, considering the potential sources of our intelligence collection, conduct internal investigations and worry about what we’re going to release next,” he said.
Additionally, adversaries have to think about their longer-term plans given the disclosure of their activities.
“We’ve changed our willingness to share intelligence with our partners to include NATO and other allies, the private sector, industry and academia, as well as at the speed with which we can declassify and disseminate that intelligence in a way that our adversaries, frankly, did not anticipate,” Martemucci said. “When their ability, our adversaries, to protect their plans and intentions is outmatched by our ability to collect and share information about their plans, then we collectively have the advantage.”
While the recent campaign to declassify intelligence across the breadth of the intelligence community is a relatively new and uncomfortable activity, disclosure has been used as a new tactic in information warfare, a means of countering how adversaries operate in the so-called gray zone, or the competition phase short of armed conflict.
One such example is the years-long effort by Cyber Command to post malware samples to the public resource VirusTotal. Malware samples discovered in the course of operations by the Cyber National Mission Force are posted to the site to inform network owners. It also helps antivirus organizations build patches against that code and helps identify the enemies’ tools being used in ongoing campaigns.
“To date, CNMF has publicly disclosed more than 90 malware samples, many sourced from our hunt forward operations, and some with the first-ever U.S. attribution to nation-state actors,” Holly Baroody, deputy to the commander of the Cyber National Mission Force, said at Wednesday’s event. “We leverage the industry standard of VirusTotal to ensure the industry partners can strengthen their networks and that the tools our adversaries employ can be inoculated against, essentially removing it from their arsenal.”
The military has begun to realize the friction such disclosures can place on adversaries.
“Disclosure is more than just revealing adversary intent and capabilities. From a cyberspace perspective, disclosure is cost-imposing as it removes adversary weapons from the ‘battlefield’ and forces them to expend resources to create new weapons,” Col. Brian Russell, the commander of II Marine Expeditionary Force Information Group, has said. “Disclosure forces the adversary to ask: ‘How were those capabilities discovered?’ It causes them to investigate the cause of the disclosure, forcing them to spend time on something other than attacking us. If I can plant a seed of doubt [messaging] that the disclosure might have been caused by someone working on the inside, it makes them question the system’s very nature, perhaps spending more time and resources to fix the system.”