The Cybersecurity Infantry, Part II: “Underground” Operations

In the first post in this series, I highlighted the broad utility of the sensible and timely tactical retreat. In this post, I explore the power of operating “underground.” Once again, I turn to H. John Poole’s Phantom Soldier, where he describes the challenge of fighting an adversary who operates on a different plane.

His description of the assault on Iwo Jima is well worth reviewing. Drawing from a variety of sources, he sketches a picture not just of an island under assault but of a highly engineered defensive warren, most of it underground (a situation Clint Eastwood portrayed with visceral power in both Flags of Our Fathers and, more particularly, Letters from Iwo Jima).

When the Americans landed on Iwo Jima, they did so confident that the preparatory bombing and shelling had routed the defenders. As one observer noted, “1,500 Marines of the first wave were now ashore on Iwo Jima moving inland to secure their objectives. Very few Japanese appeared to have survived the pre-invasion bombardment.” (Christ, p. 20.) Unfortunately for the Marines, “the Japanese knew they were coming, and they [the Japanese] had been preparing for over a year.” (Christ, p. 4.)

The Japanese sprung the trap once the first wave of Americans moved off the beach. From well-concealed positions the Japanese unleashed a hellish tsunami of artillery, mortar, and machine gun fire. The Americans couldn’t even hit back effectively; there was little shelter, and the enemy remained hidden. According to Christ, the Japanese “… had months to perfect their accuracy and had preplaced markers and aiming sticks all over the island. As the Americans moved inland by the thousands, [they passed] hundreds of hidden positions. Kuribayashi’s men were the best in the world at the art of camouflage, and the Americans walked unknowingly past almost all of them; bunkers covered in volcanic ash with firing slits only inches above ground; sand hummocks that looked like wind-blown mounds of dirt; buried pillboxes with fields of fire covering areas of likely movement; spider traps with lone snipers; concealed caves with rocks piled in front; and rapid-firing anti-aircraft guns dug in with only their barrels showing, aimed horizontally to rake landing craft on the beach.” (Christ, p. 30.)

This lyrical citation from Poole captures the radical nature of the situation:

Marine spotters in Maytag Messerschmitts watched the attack come to life in brilliant, chilly sunlight. Theirs was a familiar spectacle on Iwo, but totally foreign to anything else in military history. Below them was a battlefield where one army fought above ground and the other fought almost totally beneath it; where thousands of troops moved in the area at the same time. (Poole, Phantom Soldier, p. 77, quoting a 6 March 1945 Marine intelligence report.)

What does this have to do with cybersecurity? The cyber plane is—much like the underground emplacements, barracks, and strongpoints on Iwo Jima—invisible to the untrained, unsuspecting, or overconfident observer. Unless detected and countered, it offers a secure position for observation and attack. A clever adversary embedded on the cyber plane can operate “below” the metaphorical ground while the defender moves about “in the area at the same time.” The ultimate effects of this are similar to those the Americans initially experienced on Iwo Jima (and recall that the Americans enjoyed unchallenged air superiority and a massive advantage in firepower).

Drawing on the analogy, here are four ways that “underground” operations on both the physical and cyber planes can negate and undermine the traditional American way of war, which—by the way—informs and infects the Western culture of commercial cybersecurity. (And lest you think I totally undervalue the American way of war, it’s worth noting that we Americans exploit different planes to our advantage: the unmanned aerial vehicle plane, for example.)

1. Underground operations negate superior firepower. You might have air and naval superiority, but the weight of the ordnance you can drop on your opponent is immaterial if you are limited to fighting on the surface. The same goes for cybersecurity. You might enjoy the benefits of a well-funded security department, but if you’re overconfident and apply your resources in predictable ways, your opponent can tunnel through your defenses and move about “below” you at will.

2. Underground operations negate observation. You might assume your network is clean, but remember: the first Americans to land on Iwo Jima assumed the island had largely been swept clean of defenders.

3. Underground operations negate expectations. Facing light resistance, the Americans initially expected to secure the island within days. They assumed (or rather, hoped) that their firepower had pounded the Japanese defenses to dust. The Japanese shattered these expectations, caught the Americans on the ground wrong-footed, and sapped the Americans’ morale. Note that surprise is doubly devastating when the person surprised is knocked from a “superior” position.

4. Underground operations negate the perception of time. On Iwo Jima, the Japanese “would pop out of holes in the ground far behind our own lines.” (Poole, p. 78, quoting Time-Life correspondent Robert Sherrod.) When your opponent appears from territory that you believe you’ve already secured, your opponent in effect manipulates time and jerks you back to an earlier point in the contest.

The defense of Iwo Jima underscores another aspect of effective strategy: force your opponent to play your game. If your opponent wants you to meet them on the beach and it doesn’t suit your strengths—don’t. If your opponent wants to slug it out in a face-to-face, force-on-force contest and it doesn’t suit your strengths—don’t. Change the game to your advantage. Yes, it sounds absurdly trite, but good strategists do it while pretend strategists merely talk about it.

So how do you change your opponent’s underground position to your advantage? First, you must view things as they really are. You must “see” their underground position and acknowledge its advantages. Second, you must then conceptualize both the advantages and the disadvantages of your opponent’s plane. While operating underground conceals your opponent and allows him to move freely below ground, it also hinders his ability to see you just as it limits his freedom of movement above ground. In the case of Iwo Jima, another factor was at play: the Japanese had to make do with what they were able to secure within their caves and tunnels. “Island hopping” was one method of changing the game, but when it was important to seize an island, passing it by wasn’t an option.

If the Americans had been able to conceive of the Japanese defense at Iwo Jima before the landing, perhaps they would have approached the invasion differently. Perhaps they wouldn’t have landed in force and immediately moved inland. Perhaps they would have engaged in some tactical probing and retreating, drawing the Japanese fire and sketching out the Japanese positions before landing in force. (And they might’ve reinforced this by running the recon before oh-so-predictably unleashing the big guns.) Perhaps they would have attempted to seize some of the warrens and tunnels themselves and operated more on the underground plane. We have the advantage of hindsight, but we also have the advantage of understanding the Eastern way of war more clearly, having subsequently fought in Korea and Vietnam.

While we can’t fight the battle of Iwo Jima again, we can turn these lessons to our advantage when fighting opponents who move more or less freely on the “underground” cyber plane. But how? If I had an easy answer to that, I’d tell you, but I can share the first step: do your best to acknowledge that (a) your opponent is operating “underground,” (b) there are inherent advantages in doing so, and (c) your traditional security worldview might be inadequate. In short, do your best to see things as they really are (and don’t forget to engage a red team to help you).


James F. Christ, Iwo: Assault on Hell (Marine Paratroopers Book 4), Battlefield Publishing, 2010.

H. John Poole, Phantom Soldier, Posterity Press, 2001.

Mark Mateski

As both an analyst and a manager at a number of defense and security organizations, Mark has directed wargames, conferences, studies, and assessments covering a range of topics. For well over a decade he has been a thought leader in the red teaming community and has pioneered the application of systems engineering principles, techniques, and tools to the practice of red teaming. Dr. Mateski has earned degrees in political science, national security studies, and systems engineering. He is currently an executive security and strategy consultant and teaches eight different graduate courses for the Department of Engineering Management and Systems Engineering at The George Washington University. Visit the Red Team Journal