WWII deception succeeded through ambiguity that paralyzed enemy decisions and false attractiveness that drew attention to the wrong plan. Modern honeypots, honeytokens, and decoy services rely on the same two effects, and they're more effective when deception is part of a broader defensive program.


I’ve been thinking about the role that deception can play in cybersecurity. Honeypots present an example of how data defenders can mislead or slow down attackers. Similarly, attackers can deceive defenders. For example, Nmap can spoof source IP addresses of network-scanning packets, so defenders have a hard time determining the true origin of the probes.

I stumbled upon a fascinating paper by Donald J. Bacon titled Second World War Deception: Lessons Learned for Today’s Joint Planner (PDF). Among its many examples, the paper mentions two types of deception operations employed by Allied Forces to confuse and misdirect the German military during World War II:

  • Ambiguity-type deception operations “created uncertainty and inhibited accurate intelligence assessments, resulting in a German misallocation of forces.”
  • Misleading-type deception operations aimed at reducing ambiguity by “building up the attractiveness of one wrong alternative.”

The Allies were able to use deception to gain “surprise for offensive operations and to provide increased security for forces by masking military objectives, planning, preparations, and operations.”

The paper also mentions that the Soviet military’s deception efforts during World War II were used primarily to “conceal large troop movements and concentrations to attain surprise for offenses.” The Soviets’ greatest victories in the war can be traced to their success at fully integrating deception “into their operational planning and execution. The result was the Germans often knew only the frontline Soviet troop dispositions—everything behind the front line was a ‘blur.’” The paper quotes historian Charles Cruickshank, highlighting a critical aspect of successful deception:

“The perfect deception plan is like a jigsaw puzzle. Pieces of the information are allowed to reach the enemy in such a way as to convince him that he has discovered them by accident.”

One of my takeaways from this paper is that deception efforts cannot be one-off projects. To be successful, they have to be centrally managed and integrated into the fabric of operations. This is why the use of deception might only be practical for mature and well-funded parties.

To what extent can deception be used as part of offensive and defensive cybersecurity operations? The efforts of the Honeynet Project have been instrumental in helping the cybersecurity industry figure this out in a research setting. These ideas inform newer defensive techniques, such as honeytokens planted in everyday files and decoy services placed in AI agent configurations.
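As an added illustration of the misleading-type effect in a defensive setting (example code written for this post, not from the paper or any project mentioned above), the script below mints a decoy API key that looks attractive but has no legitimate use, records where it was planted, and then scans authentication log lines for any attempt to use it. The `hk_live_` key format and the `src=... key=... result=...` log layout are assumptions chosen for the example; any real gateway would have its own.

```python
import re
import secrets
from dataclasses import dataclass

# Registry of planted honeytokens: token id -> where it was planted.
# A real deployment would keep this in the SIEM or a database, not in memory.
REGISTRY: dict[str, str] = {}

def make_honeytoken(planted_in: str) -> str:
    """Mint a unique, real-looking but invalid API key and record its hiding place."""
    token_id = secrets.token_hex(8)
    REGISTRY[token_id] = planted_in
    return f"hk_live_{token_id}"  # hypothetical key format chosen to look legitimate

TOKEN_RE = re.compile(r"hk_live_([0-9a-f]{16})")
# Assumed log layout: timestamp, client address, key presented, auth result.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) key=(?P<key>\S+) result=(?P<result>\S+)")

@dataclass
class Alert:
    ts: str
    src: str
    planted_in: str

def scan_auth_log(lines) -> list[Alert]:
    """Return one Alert per use of a registered honeytoken.

    Because nothing legitimate ever presents a decoy key, any hit is a high-fidelity
    signal regardless of whether the gateway accepted or denied the request.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth events
        t = TOKEN_RE.search(m["key"])
        if t and t.group(1) in REGISTRY:
            alerts.append(Alert(m["ts"], m["src"], REGISTRY[t.group(1)]))
    return alerts

def demo() -> list[Alert]:
    """Plant one decoy key and scan constructed log lines for its use."""
    token = make_honeytoken("finance-share/.env")
    log = [  # constructed sample lines: a real key in use, then the decoy being tried
        "2024-05-01T10:00:01Z src=10.0.0.5 key=hk_live_0000000000000000 result=ok",
        f"2024-05-01T10:02:17Z src=203.0.113.9 key={token} result=denied",
    ]
    return scan_auth_log(log)

if __name__ == "__main__":
    for a in demo():
        print(f"{a.ts} decoy from {a.planted_in} used by {a.src}")
```

The alert carries the planting location, so the responder knows which file or share the intruder reached before the key was ever tried.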

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.