The Doctrine of Cyberinsurgency

Governments talk about “cyberwar” and spend large amounts of money protecting against unspecified attackers; that is window-dressing: what they really fear is insurgency. Cyberinsurgency.

As governments, the police state, and the corporate state increasingly turn to computers to collect and manage the data that they need to inflict their will, they increasingly make themselves vulnerable to attack from within their own IT infrastructure. Beginning in the 1980s, government ceded control over even its own data management systems and critical electronic infrastructure. For “cost reasons” (mostly really as a way of funneling money from the public coffers to private sector contractors) governments increasingly came to depend on outside data sources, hired system administrators, cloud services, and private data-gathering systems. Every aspect of modern government or modern corporations now embeds the tantalizing advantages of computerized automation, databases, or networks. Only now do they begin to realize they have ingested poison.

The cyberinsurgent aims to weaken digital government’s control systems, make them less efficient, more expensive, leakier, more vulnerable, and – in general – turn them against their original purpose. Every database, if it’s useful, has the potential to be rendered useless. Every surveillance system can be blinded by being pointed at other parts of the system. Every feedback loop can be coaxed into going non-linear. Every cost-saving measure can be made to be more expensive than what it replaced. These are the weapons of the cyberinsurgent. Governments and corporations have turned to computing to allow them to scale; what they don’t realize is that those systems can just as easily be made to scale in terms of inefficiency and cost.

The doctrine of cyberinsurgency contained here is a set of moral justifications for why such actions are not only proper but necessary. Coupled to those justifications are strategic doctrines for how to reason about the type and cost of damage that you wish to cause, and tactical tropes representing the broad techniques for how to create innovative and expensive non-linear attacks.

In war colleges around the world, the militaries of governments are thinking about how to win “4th generation warfare” – insurgency-style special operations in which the insurgent attacker seeks to do disproportionate damage vis-a-vis the cost of doing that damage. Theorists call this “asymmetric warfare” – a single insurgent who is able to tie down a squad searching for them has cost their opponent 1:20 in terms of logistical costs. Governments and militaries understand the principles of asymmetric warfare and are deeply concerned about insurgencies because they always lose asymmetric wars. The standard doctrines for counter-insurgency revolve around two philosophies:

  • Hold and Clear
  • Hearts and Minds

The hold and clear counterinsurgency doctrine is to massively occupy an area where insurgents are active, then weed them out, and move on. The hearts and minds approach is to befriend the locals and remove the logistical support and reservoirs of person-power the insurgents depend upon. Neither of those approaches has any meaning whatever in cyberspace. There is nothing to “hold”, and the establishment has already lost the battle for “hearts and minds”; otherwise there wouldn’t be an insurgency in the first place. The cyberinsurgent recognizes that 4th generation warfare is wonderfully effective against 3rd generation computing practices.

Governments and corporations are woefully under-prepared to deal with cyberinsurgency. They are barely able to keep joy-riding hackers out of their networks and systems; how do they expect to deal with attacks that are designed not to penetrate or steal but to degrade or obfuscate?