Lunch on The Record: Daniel Moore and Offensive Cyber Operations

I met Dr. Danny Moore on a wet midday in the heart of London’s West End, just outside of Meta's offices on Shaftesbury Avenue, where he works as a manager on the security team. Across the road the theaters were advertising shows for Jersey Boys and Harry Potter and the Cursed Child. It was a fitting location for Danny, who studied drama before being conscripted by the Israel Defence Forces and beginning a career that has made him one of the world’s most respected authorities on cybersecurity.

My first encounter with Danny — I struggle to call him Dr. Moore, although I should — took place five years ago in Tallinn, Estonia. I had been encouraged by everyone I’d asked for recommendations to attend his talk at CyCon, the NATO-sponsored cybersecurity conference. He was introducing a new way to describe military cyber operations, identifying each as either presence-based or event-based. The talk was a shakeup for the academic field. It brought a scientific taxonomy into a discussion otherwise dominated more by international relations experts and less by scholarship from people with his level of military and technological expertise.

The idea was a key part of the Ph.D. work he was then undertaking at King's College London and has now been explained in his book Offensive Cyber Operations, published by Hurst last May. Despite having been completed and sent to the printers well before the start of the Russian invasion of Ukraine in February 2022, the book's arguments about the role of cyber during warfare have been corroborated by much of what we have seen since.

From Shaftesbury Avenue, Danny and I walked to the Seven Dials Market where he took us to Yum Bun, one of the 19 different vendors inside the food hall, for this interview. We both got the same Bun Box — with a chicken and pork soft-steamed bun, two gyozas, and some asian coleslaw. Danny drank a Coke Zero while I ordered a full-fat Coke.

“I’m thinking of calling this segment ‘Lunch on The Record’,” I told him. “Maybe ‘Books and Bites’ if we're doing food and book reviews at the same time,” I said, to not much interest. “Maybe that isn't as good a name. What made you choose Yum Bun?”

Danny smiled and briefly said he has been here a couple of times before and that it's one of his favorite places in the marketplace. I realized we won't be talking much about the food.

We were given a small tablet which would vibrate when our order was ready and we found a table to sit at. I asked Danny about his childhood before our buns arrived and we could get into his analysis of Russia and Ukraine, a conflict which has been described as “probably the most sustained and intensive cyber campaign on record” by the head of the U.K.’s National Cyber Security Centre.

Danny credits his mother and brother as the two big reasons why he developed an interest in computers. His mother, a quantitative sociologist who completed her Ph.D. on punch cards, frequently used her research budget to get computers into their home. Whenever a newer device came in, the older ones were passed down, first to Moore’s older brother and then to Danny.

“That got me into computers at a really young age, like five maybe. That was a huge part of it. The second part is my brother. On the technological-mathematical side, he's infinitely more talented than I am. I got infected by his love for computers at a very, very young age, and that sort of drew me in.” [His brother now works for Meta as well, “on the machine learning side,” said Moore.]

“Throughout junior high in high school, I definitely took computer classes. And I did the equivalent of A-Levels [comparable to AP courses in the U.S.] in computer science.”

He finished these a year early thanks to an accelerated program, which included a class in the programming language Assembly.

Assembly refers to the low-level programming languages that resemble the actual processes taking place on a computing machine. But the directions in Moore’s class were meant to be introductory — the Assembly code students would write would be run on a simulator rather than actually executed directly. The intention was to gently introduce students to computer architecture concepts like instruction sets and memory addresses. But Moore, who grew up on punch-card computers, said writing something in simulated Assembly was “too limited, and so I just ignored it and wrote straight-up in Assembly.”

His graduation project was “essentially like MS Paint, but in Assembly” he said, with the “shitty title” of “Useless Draw.” It was, he acknowledged, a way of showing off.

Moore adds he was also the only kid in his high school who did computer science, math, and theater as subjects and laughs. “Because I just loved it. I loved theater. So I really enjoyed that unorthodox combo.”

Conscription

“As a nerd, conscription is a sword that hangs over your neck, because the last thing that you want to do is find yourself in infantry or in a tank somewhere,” Moore said. “Because as important as those things are, I am definitely not cut from that particular cloth.”

Fortunately he was headed in a different direction, partially because he went to “a school of socio-economically privileged nerds,” which had a strong relationship with Unit 8200, the Israel Defense Forces’s (IDF) signals intelligence and cyber operations corps.

After conscription, Danny was rapidly sorted as a recruit who had a special aptitude for Unit 8200’s kind of work. “That always takes precedence over the mandatory combat units. So I graciously accepted that position, and then found myself in military intel at a very young age,” he said.

The buzzer went off for our food and Danny didn’t miss a beat when he returned with our meals on plastic trays.

“They throw you into the deep end very quickly, no matter where you land, you instantly are responsible for something that is part of a much larger whole, an operational sequence where you are a part of it, but it's part of a massive, massive thing.”

The IDF offered Danny more than just the military knowledge and credentials that have informed his book, he said. “You are responsible for things that usually junior people just entering the industry would not be a part of. The significance of your work, as in the consequence of success and failure, are very different. The stakes are much higher. And the possibilities for leadership, both people leadership and subject-matter leadership, come at you so quick. A year into it you're not the junior anymore, so you're 19-years-old and you're like the expert at something, which is wild, right?

“Essentially, it compels you to either succeed or not. I went into the officers’ training course — I think I turned 20 while I was in that — so imagine then by the end of it, I essentially commanded a team of six or seven people by the time I was 22. So you get a lot of technical skills, you are surrounded by brilliant people, you are empowered to be a part of a bigger thing. And really, you're just, you know, you're ‘in it to win it’ at a very young age. That's why so many of those folks come out [of Unit 8200] and are like ‘I want to start something. I want to build a company,’ at age 23. And quite a few of them actually make it somehow.”

‘Appalled’ by the cybersecurity discussion in academia

After leaving military service Danny did an undergraduate degree — double majoring in political science and business management — and realized he enjoyed the intersection between his work life and academia. Having briefly lived in California as a child, he was keen to do his master's degree abroad, ending up at King’s College in London, where the War Studies Department was “a revelation.”

Danny's teacher was Thomas Rid, who would later become his Ph.D. supervisor and friend.

“I think he remembers how appalled I was by the quality of the academic discourse about the cybersecurity space,” he said.

The issue for Danny, as someone who had spent years in the field as a practitioner, was how the initial migration into academic cybersecurity of international relations scholars and strategists had shaped the discussion.

“It drew on a lot of deterrence theory and nuclear warfare and all of those things. And really, those things do not directly apply. They didn’t in 2012, and they certainly don't now either. And there was a decided lack of operational nuance and technical nuance that existed in that academic space from those days. Thomas Rid was one of the early people — and this is why I gravitated to his sphere of influence — who acknowledged that, he saw that and he sought to draw people into his sphere that could help round-out the space and contribute some on-the-ground analysis. And that really resonated with me.”

Danny and his wife moved back to Israel for a year after he completed his degree, but he remembered the potential for the kind of work he did under Thomas Rid and — even while working for IBM and doing research around financial cybercrime — he realized he missed both London and the academic space.

Rid had invited him to apply to be his doctoral student, so he did. But he knew he couldn’t limit himself to academia full time.

“I need this [academic work] to be a part of what I always do, but not the only thing that I do. Which is why I also went for a day job essentially. When I returned to London in 2014, it was both as a Ph.D. student and essentially as a technical lead on threat intel. So I needed that mix,” he said of his time working for the IT and consulting giant Accenture.

Russian cyber operations ‘always fail operationally, almost with 100% consistency, in almost every single thing that they do’

Moore's admiration for Rid is obvious: “He was always very grounded in the realities of the space. I was actively encouraged to have a diversity of sources that were cited, whether that's private sector threat intelligence reports, governments reports, leaked documents, of course academic sources as well. I think that diversity is essential and it was for a long time missing, because there's an academic expectation, especially when you're offered a Ph.D., to essentially pay your dues. Thomas is quite irreverent when it comes to those things.”

That dissertation forms the basis of this book, which in its own words aims to “address how offensive operations can best contribute to battlefield success at all levels of operation.” More pithily: “Rather than discussing the specter of cyberwar, the goal is to piece together the spectrum of cyber-warfare.”

The specter of cyberwar is a particularly tired debate in academic cybersecurity, but the concept of a spectrum of cyber-warfare is extremely timely in light of the Russian invasion of Ukraine — a kinetic offensive of armored vehicles and lethal military hardware that has taken place alongside dozens of cyber operations with varying degrees of integration.

“One of the things I talked about in the book is that the Russians don't have a real concept of cyber operations as their own thing [but view them] as a part of a much broader spectrum of influence and information operations meant to shape their adversary,” he said.

I told Danny I had heard Western military and intelligence officers explain that Russian doctrine described these operations as “information engagements” — a term that covers everything from hacking a power station through to spreading false stories suggesting someone else was responsible for it. Danny responded the name for them “depends on who you ask, but in general what they [the Russian government] would vastly prefer is to preemptively shape the adversary's actions in a way that would preempt war to begin with.

“So if you are able to theoretically influence the political climate in various countries, and that could be either things like Brexit, the European Union or U.S. elections, then that's vastly preferable in creating a positive narrative for them to achieve their objectives. It [the cyber operations and disinformation] is absolutely part of the same thing. I'm going to sort of hold off on commenting on the specific mechanics of this so it doesn't clash with my day job, but it's all part of the same strategy.”

In his day job, Moore is a senior security expert at Meta, which after our interview published a handful of reports, including on the growing challenge posed by spyware and covert information operations on a global scale.

Moore said: “Now, there is a difference in how clever and well thought out the Russians' decades-long strategy and doctrine are, and their actual capacity to implement it in consistently high quality… that's where it all falls apart.”

During a talk at the Royal United Services Institute in London, Danny was explicit: “The Russians always fail operationally, almost with 100% consistency, in almost every single thing that they do.”

It was a bold statement and followed Marcus Willett, the former director cyber at the British signals intelligence agency GCHQ, writing an engaging article for the International Institute for Strategic Studies arguing that the Russian Armed Forces have rarely attempted to integrate cyber operations into the overall military campaign against Ukraine, and that when they did so the integration was “inept” with “the ViaSat hack perhaps the single exception.”

Willett’s views about integration are not universally agreed on, and Moore is more specific and less generous regarding the ViaSat attack: “I think it's inconsistency. I think they lack holistic discipline to truly achieve their objectives. And it's not ineptitude, especially in comparison to some of the other threat actors that we see out there.”

The challenge is, he explains, “if you want to truly achieve your objectives, you have to consistently succeed on every single part of your operation, from start to the end, from the reconnaissance phase, all the way up to actually actioning on your objectives, and that is hard to do. And that's where they fall apart because the quality of their delivery is not consistent. From SolarWinds, to NotPetya, to the various critical infrastructure attacks — all of them show the same levels of inconsistency.

“ViaSat was one of the most corroborative pieces of evidence to my book that I've seen. It had layers of technical competence in how they compromise and action the modems, but then they massively overshot. It was not necessary for them to essentially blanket wipe all of those modems, including ones that are corresponding to some unrelated European entities, it's just completely unnecessary.”

Danny argues that the problem for Russia is that without that operational discipline they fail to control the cascade of effects that result from an attack. “Now I'm not saying that they will cause a nuclear accident — thankfully, most of those systems are engineered for safety, even if they're not engineered for security — but when you do a NotPeya and you end up crippling a shipping entity somewhere else in the world, and you keep doing this, you'll end up inviting more sanctions and more robust countermeasures.”

These activities undermine Russia’s own intentions to manipulate the way their adversaries actually perceive problems. “They essentially do things that are out of their control, they lose control of a narrative, they lose control of the circumstance, those cascades are sloppy, and they don't allow you to truly be successful. So even if they do achieve their objectives, if they overshoot, they risk the overarching strategy. And that's not healthy. And I think that's highly likely to continue, and that's what we're seeing so far. We've seen this in their kinetic behaviors as well, right? So it's not just in cyber, it's in everything.”

Cultural domination

As a book, Offensive Cyber Operations emphasizes how essential the cultural qualities of a country are to its military. Danny describes how the United States’ National Security Agency has been shaped by the military and national security history of the U.S. and its focus on putting things “in very neat doctrinal boxes.” This includes “air warfare and land warfare, and, when they had to put them together, there was ‘air land battle’ and then they went into ‘multi-domain battle’ and all those lovely terms, but they really have the need to over-architect doctrinal solutions to everything so that it fits the absolutely sprawling machine that is the Department of Defense.”

Alongside the U.S. dominance in the global technology ecosystem, this has shaped American cyber power into “a very competent, highly creative, NSA shackled by a whole bunch of bureaucracies.”

“For the Russians, it's very different,” he explained. As a national entity it also has an extensive signals intelligence background “alongside a very powerful combination of electronic warfare and information operations,” which lends itself “pretty naturally to the development of aggressive cyber operations as a means to achieve an end.”

But the security culture in Russia is profoundly different. “You see competition between different agencies, a wanton aggressiveness in attempting to achieve objectives in a way that often ends up compromising them because of some perceived real or invented pressures. And you see a different perception of threat that causes them to project operations differently. So for Russia, for example, the whole point about reflexive control is that they are in constant information engagement with their adversary, whether that's low-key or high-key, they're always trying to create long term favorable conditions. And that too, lends itself to the sort of gradual folding of cyber operations into the mix.”

In some respects this has been successful. Whether rightly or wrongly, Russia is viewed as a top-tier adversary. “They succeeded in positioning themselves as a threat, which matters because then you can potentially shape people's response to you, or shape their desire to operate against you through that sense. But whether they were actually able to achieve their objectives through the information landscape, I would say, probably yes, in the late ‘00s to the early 2010s, but not as much recently.”

Moore — it is easier to refer to him like that when we get into the meat of his academic work — argued that the invasion of Georgia in 2008 was a big lesson for the Russians in how they could effectively employ joint forces with an integrated information campaign.

“It clearly appears like they haven't implemented a lot of the lessons that they should have about joint force employments. And this is not just true for offensive cyber operations, it's true across the board with the military of Russia, particularly in this campaign. They have at least apparently come somewhat prepared to suppress the information landscape, whether or not they managed to execute on it, I think we see that it's not really going in their favor. But there was clearly an attempt to do so. Based on at least their original military plans, they wanted to avoid a lengthy campaign because they know that one essentially positions them in a rapidly escalating poorly positioning circumstance for them. And maintaining operational tempo is something that they don't want to do.”

From the “fairly limited visibility of an external observer” it appears that the initial strategy was to decapitate the Ukrainian leadership “in which case, they would have probably had a lot of measures to shape the narrative… diffuse some of their responsibility and diffuse the sense of Russia as the villain of the story,” as they had done around the cyberattack on Estonia in 2007 and the invasion of Georgia in 2008.

“They had made some attempts to do this in Ukraine, but everything was stacked so differently, that by the time the narratives came out of you know, ‘all Ukrainians are Nazis’ or ‘we’re just helping the Ukrainian people be liberated’ it felt really awkward, because it didn't land or resonate with the actual realities in the field. It looks like a set of narratives or a campaign that was prepared, were they to be successful in that early push. So they learned some of the lessons but they failed to implement them at a strategic scale.”

This is not to say that Russia has not learned. Danny notes the extremely sophisticated cyberattacks against critical infrastructure in Ukraine and describes the SolarWinds breach as showing “a lot of operational patience, commitment, and a long term investment in something that will only pay dividends down the road. This is not the Russia of 10 years ago, this is clearly something that we see them getting better at. But it still lacks that consistency, because as with Triton and as with SolarWinds, and with all the other ones, they still botch it at the final mile. And that’s the problem.”

This is true even of the wipers, the event-based attacks Russia has deployed in Ukraine. “For the event-based stuff, it doesn’t really do anything in a vacuum. If you fire off a bunch of wipers at some random corporate targets in Ukraine it will have an effect, but if it’s not facilitating something else, then they will just recover, right? They’re not war-time critical.”

Danny stresses he is not trying to advise the Russians, but he describes using wipers against municipal networks in areas in which Russian forces were about to step in as part of an integrated campaign — “therefore inducing chaos and preventing local forces from communicating effectively” — as something that would have served a joint purpose. “I think they made some attempts to coordinate this, but it’s also impossible to tell in this particular campaign whether there were other things attempted and were foiled or even succeeded because we lacked visibility.”

‘I think we are in a very bad place’

Moore took our trays away and we went a short walk around the West End in the drizzle, stopping at WatchHouse for a coffee; a double espresso for him and a flat white for me. We both agreed that the coffee is excellent. I ask him, half-joking, whether the good guys are winning.

“We need to acknowledge that this space is so nascent that what we have seen is, by design, not what we're going to see next. That's just how it is. We see a lot of Russia and Iran because they're the most aggressive players, but they are by no means the most capable. And at some point, we will see, unfortunately, the more capable players step into this in a more visible way. And then we will have what I call another Stuxnet moment, like, ‘Oh, no, I didn't know that was possible,’ and then it will, again, rewrite our thinking of the space,” he added.

“I still maintain that the offensive capabilities are far better in the West than they are in its adversaries. A proven track record of capacity to execute highly intricate offensive operations to achieve specific objectives is simply more in reach for entities like the UK, the U.S. — that's my personal opinion.

“Defensively, I think we are in a very bad place, especially the United States, but not exclusively. I think that very American design, to connect everything to everything, creates a massive vulnerability surface for any future campaign, one that our adversaries are very much aware of. And that is potentially exploitable in weirdly creative ways.

“If you think about how not only have we connected everything to everything, and how we like to put machine learning and networking and remote control into everything, but we then created a dependency on this and on overwhelming sensory data. And then we took all of that massive thing and offloaded half of it out to contractors, that is a massive risk for us to take. And I think we haven't yet paid the price for that. And we probably will at some point, at least to some capacity. I'm hoping that we won't, but that's my suspicion. So on offense, I think we're generally better positioned to achieve good, cohesive inclusive effects through offensive cyber operations. I worry on defense.”