U.S. Cyber Command’s Malware Inoculation: Linking Offense and Defense in Cyberspace
Erica D. Borghard is an Assistant Professor in the Army Cyber Institute at the United States Military Academy at West Point, and a Senior Director on the Cyberspace Solarium Commission. Shawn W. Lonergan is a Senior Advisor to the Cyberspace Solarium Commission, and a U.S. Army Reserve Officer assigned to 75th Innovation Command. Their views are personal and do not reflect the policy or position of the Army Cyber Institute, U.S. Military Academy, 75th Innovation Command, Department of the Army, Department of Defense, or U.S. Government.
There is a misperception (partly stemming from inconsistent government messaging) that the concept of “defend forward,” articulated in the 2018 Department of Defense (DOD) Cyber Strategy, is purely offensive and thus escalatory in nature. The DOD strategy defines defend forward as “disrupt[ing] or halt[ing] malicious cyber activity at its source, including activity that falls below the level of armed conflict.” To do this, U.S. military cyber forces must operate outside of what the U.S. military calls “blue space” (U.S. domestic cyberspace), in “red space” (adversary cyberspace) and “gray space” (everywhere else).
In effect, some have interpreted “defend forward” to mean “the best defense is a good offense.” This misinterpretation, however, misses both the inextricable links between offense and defense and the distinction between strategic and operational levels of analysis. The Cyberspace Solarium Commission, established by the 2019 National Defense Authorization Act to develop a strategy to defend the United States against cyberattacks of significant consequence, made important strides in clarifying the offensive versus defensive nature of defend forward. The Commission’s March 2020 report articulates how actions by U.S. military cyber forces that could be defined as offensive at the operational level (gaining access to and maneuvering within and across non-U.S. cyberspace) nevertheless serve defensive strategic objectives, namely enhancing the defense and resilience of the United States in cyberspace. U.S. Cyber Command’s malware inoculation initiative (sometimes called “malware vaccination”) is a particularly illustrative example of how maneuvering in gray and red space can serve defensive objectives.
When Cyber Command engages in threat hunting, proactively searching gray and red space for adversary activity against assets and networks, it discovers, among other things, adversary malware. With the malware inoculation initiative, Cyber Command, in partnership with the Department of the Treasury, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the private sector, exposes unclassified information about adversary malware by making it public in information-sharing venues such as VirusTotal. This effort began in 2018, when Cyber Command shared adversary malware, including malware associated with APT28, linked to Russia’s Main Intelligence Directorate (GRU).
Publicizing information about adversary malware can help “inoculate” domestic networks by enabling network defenders to patch the vulnerabilities the malware exploits and to craft signatures that alert them to the malware’s presence in their environment. A released sample is more valuable than a hash of it: a file hash detects only that exact binary, which an adversary defeats by recompiling or repacking, whereas the strings, command-and-control infrastructure, and behavior an analyst extracts from the sample yield detections that survive such minor changes. Malware inoculation thus blunts tooling the adversary has already invested in and reduces the exposure of potential U.S. targets, making it harder for adversaries to achieve their objectives. This occurs without the need for the U.S. to conduct disruptive, destructive, or degrading cyber operations; it is simply through sharing useful information. Therefore, threat hunting operations outside of U.S. cyberspace can serve domestic defense at the strategic level. There is also a temporal link between offense and defense. Over time, offensive cyber operations that directly contribute to domestic defense will increase the ability of the United States to prevent adversaries from holding it at risk in cyberspace. Of course, any strategy must consider how adversaries adapt to U.S. actions by improving tradecraft, changing target sets, or even shifting to different (including non-cyber) means to achieve their strategic objectives.
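The following is an added example, not code from the article or from Cyber Command, of what a network defender does with a released sample. It assumes a constructed stand-in for the sample (the MZ header, beacon path, and mutex name are invented for the demonstration and are not real indicators) and builds two signatures from it: an exact SHA-256 hash and a byte-pattern rule. A variant with a single padding byte changed, standing in for a recompiled or repacked build, evades the hash but not the pattern rule, which is the point made above about the value of the sample over the hash.

```python
"""Turn a released malware sample into local detections.

Added example, not from the original article or from Cyber Command. All
samples and indicators below are constructed for the demonstration and are
not real malware artifacts.
"""
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a released sample: an MZ header plus two strings an
# analyst would pull from the binary (a hard-coded C2 path and a mutex name).
RELEASED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"/api/v1/checkin?id=%s"       # hard-coded beacon path (constructed)
    + b"\x00" * 16
    + b"Global\\xr7-updater-mutex"   # hard-coded mutex name (constructed)
    + b"\x00" * 32
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature 1: the exact file hash of the released sample. Brittle: any change
# to the binary, even one byte of padding, produces a different hash.
PUBLISHED_HASHES = {sha256_hex(RELEASED_SAMPLE): "RELEASED-SAMPLE-1"}

# Signature 2: byte patterns that must all be present. A small wildcard in the
# beacon path tolerates minor edits such as a renamed query parameter.
PATTERN_RULES = {
    "RELEASED-SAMPLE-1-strings": [
        re.compile(rb"/api/v1/checkin\?[a-z]{1,8}=%s"),
        re.compile(rb"Global\\xr7-updater-mutex"),
    ],
}


def scan_blob(data: bytes) -> List[str]:
    """Return the name of every indicator the blob matches, hash hits first."""
    hits = []
    digest = sha256_hex(data)
    if digest in PUBLISHED_HASHES:
        hits.append("hash:" + PUBLISHED_HASHES[digest])
    for rule_name, patterns in PATTERN_RULES.items():
        if all(p.search(data) for p in patterns):
            hits.append("pattern:" + rule_name)
    return hits


def scan_samples(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a named corpus and return the hits per file."""
    return {name: scan_blob(data) for name, data in samples.items()}


# Constructed corpus: the released sample, a rebuilt variant that keeps the
# same strings but differs in one padding byte, and a benign file.
_variant = bytearray(RELEASED_SAMPLE)
_variant[10] = 0x41  # one padding byte changed: hash differs, strings do not
VARIANT = bytes(_variant)
BENIGN = b"MZ\x90\x00" + b"\x00" * 60 + b"/api/v1/health" + b"\x00" * 48

CORPUS = {"released.bin": RELEASED_SAMPLE, "variant.bin": VARIANT, "benign.bin": BENIGN}

if __name__ == "__main__":
    for name, hits in scan_samples(CORPUS).items():
        print(f"{name}: {hits or 'clean'}")
```

Run stand-alone, the script reports both signatures for released.bin, only the pattern rule for variant.bin, and nothing for benign.bin. In practice the pattern rule would be expressed as a YARA rule or an EDR detection, and the hash would be loaded as a blocklist entry, but the relationship between the two holds regardless of tooling.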
The Cyberspace Solarium Commission recommends that the United States accelerate the pace of current malware inoculation efforts. This would give the private sector more opportunity to develop response plans and protect its systems. However, despite the value of the malware inoculation efforts conducted to date, the timing and pace of release have been met with some frustration from the private sector. For instance, information may be stale by the time it is finally approved for release, and some critical entities would prefer prior notification and coordination before large-scale public disclosure. Therefore, while expanding malware inoculation, Cyber Command should also coordinate better with the private sector, particularly with those entities most critical to the U.S. economy (what the Commission has termed “systemically important critical infrastructure”). Information sharing should also be made more efficient across the interagency (the departments and agencies within the executive branch of the U.S. government) so that it can be used more effectively. Without a coherent framework for the release of threat information across agencies, the private sector is left to reconcile the disparate outputs of the various federal entities without a clear picture of how the information fits together or which pieces matter. There should also be a bias toward releasing data to the private sector as quickly as reasonably possible.
The timing of the release of adversary malware information could also play an important role in signaling. Signaling, discussed in depth in Robert Jervis’ book, The Logic of Images in International Relations, is defined as “statements or actions…issued mainly to influence the receiver’s image of the sender.” Signaling is not explicitly part of defend forward as articulated in the 2018 DOD Cyber Strategy summary, but applied to U.S. cyber strategy it can shape an adversary’s perception of the costs and risks of targeting the United States through cyberspace. Although signaling in cyberspace is challenging, malware inoculation could be a vehicle for it, particularly if its timing is deliberate and coupled with other actions or statements. A good example is Cyber Command’s November 2018 release of Russian government-linked malware samples. This release occurred in conjunction with the 2018 midterm elections and the concurrent campaign by Cyber Command to disrupt the Internet Research Agency’s efforts to conduct cyber-enabled information operations against those elections. By being deliberate about the timing of disclosure, the United States could signal to Russia that its operations have been discovered and its tooling is burned, generating uncertainty about the viability of ongoing and future operations and campaigns. Because cyber capabilities are perishable and depend on secrecy for operational success, the simple act of revealing meaningful information at an appropriate time can shape an adversary’s calculus.
Much of the discussion around the defend forward strategy focuses on cyber operations that disrupt, deny, or degrade adversary capabilities. While this is a critical part of operations conducted in support of defend forward, it neglects other important components of the strategy, such as malware inoculation. Activities of this nature play an essential role in supporting domestic defense and resilience and can be a tool of interstate signaling.