“Cyber” as a field of study is riddled with poor analogies, and takes on cyber strategy and statecraft keep getting hotter with no boiling point in sight. With the dawn of digitization, scholars and pundits alike predicted a multipolar world in which the digital interdependence of societies and economies would hamstring great power competition. The truth is that interdependence has only made that competition uglier.
The United States maintains a posture in which persistent engagement and the ability to preemptively defend forward in cyberspace are treated as vital, despite open questions about cyber escalation and second-strike survivability. The idea is to curtail and diminish potential threats before a real attack lands. At the same time, there is a thriving global private sector for cybersecurity products and services, increasingly lucrative and largely unregulated. As with anything built on technology, the largest hurdle for both is scale.
At their core, cyber capabilities present individuals and nation-states with a fundamental cost-benefit calculation. For individuals, the benefits of hacking with good, bad, or in-between motives (the definition is dealer's choice) may outweigh the costs or consequences. And for nation-states with full-spectrum offensive capabilities and ample resources, the ability of threat actors and adversaries to hold civilian infrastructure and private sector companies at risk has yet to carry costs or consequences that call the utility of those capabilities into question.
One of the oldest analogies in cyber is to treat adversaries’ full-spectrum cyber weapons as being as destructive as nuclear weapons and other weapons of mass destruction. Theorists postulate that mutually assured destruction and deterrence apply to cyber conflict despite the invisibility of code and data transfers; its transnational, borderless theater; and the spectrum and crowdsourcing of the actors involved. However, cyber is much more akin to the regulation of nuclear energy than to the use of nuclear weapons.
The internet and digital infrastructure—websites, payments, applications, data centers, and so on—power services and benefit the world in the same way that nuclear reactors power cities. Certain tactics, tools, and procedures in cyberspace grant unauthorized access to computer and information systems for research, reconnaissance, disruption, extortion, and destruction. Similarly, nuclear reactors are overwhelmingly used to produce electricity, yet the same fuel cycle can yield weapons-grade fissile material: reactors breed plutonium in their fuel, and the enrichment plants that produce reactor fuel can enrich uranium further to weapons grade.
In both cases the underlying technology is nearly identical, but the intent, and the tactics, tools, and procedures actually employed, are as different in practice as midnight and midday. In nuclear, however, the decision and intent to build a weapon are traceable and trackable: transfers and stocks of uranium and plutonium are inventoried, detected, counted, and monitored, and reactors and weapons facilities are incredibly difficult to hide. In cyber there is far less visibility into the decision and intent to develop and deliver a cyber weapon, and far less clarity about what separates a destructive payload from a real cyber “weapon.”
Nuclear weapons policy is home to the “always, never” doctrine: weapons must be capable of launching every hour of every day of every year but must never be triggered or launched by accident or miscalculation. Nuclear weapons are the most well-secured technology on Earth not because they are the easiest to secure, but because they are the least tolerant of tampering and accidents. Historical accidents have included a dropped wrench socket puncturing a missile in its silo, a warhead falling out of a plane, and sunlight reflections fooling early-warning sensors.
Nuclear energy, conversely, tolerates very little downtime and prioritizes constant output, resilience, and redundancy of the physical process over the confidentiality, integrity, and availability of data in operations; in practice the usual IT ordering is inverted, with safety and process availability first. These operations, like those of many adjacent critical infrastructure and industrial sectors, have over time added network connectivity, greater digitization, and internet connectivity for operations and back-office activities to drive new insights and efficiencies and boost productivity. Although they are not military targets, they have all become potential targets for cyber weapons.
Everything Is Cyber and Cyber Is Everything
Cyber policy today has produced a world in which seemingly everything non-military can be held at risk—hospitals, trains, dams, energy, water—and nothing is off limits. The ubiquity of technology, devices, and data, paired with the fluid, multi-actor nature of cyber exploitation, has led to the targeting of sectors outside the historical boundaries of conflict.
The sixteen critical infrastructure sectors in the United States span finance, communications, transportation, healthcare, electricity, manufacturing, food production, pharmaceuticals, and more. Each of these vital sectors contains digital components and connectivity, and each digital component carries the potential for exploitation or accident, directly or through its dependencies. That adds up to hundreds of thousands of locations and entities at risk, with millions of hardware and software components in play.
The risks that come with everything becoming cyber are simple and persistent. Hardware and software vulnerabilities keep surfacing. Critical assets, control systems, and devices keep being connected to unmanaged or insecure networks. A limited understanding of the threat landscape and outdated or static security policies are the rule rather than the exception. Remote access without security controls, including access by third-party providers of hardware and software, keeps growing. And the knowledge needed to target and exploit hardware and software systems, directly or in part by attacking their supply chain, is widely available.
Given this reality, the possible catastrophe scenarios multiply quickly. And given the cyber-physical nature of critical infrastructure—where data inputs and digital commands produce physical effects in the real world—the cybersecurity of the industries we rely on for goods, resources, and services has come sharply into view. The question now is not how to shrink the threat landscape, but how to place stopgaps where adversaries are likely to exploit technology, and how to proactively fortify operations that sit outside the realm of typical government oversight.
Messaging vs. Signaling
The credibility crisis that has faced American policy over the last two decades makes no exception for messaging versus signaling in cyberspace. Messaging has taken on a larger-than-life doctrine of omnipresent willpower and capital to defend forward, with strong rhetoric meant to dissuade enemies and threat actors from crossing an imaginary red line in cyberspace. Economies heavily dependent on communications and digital transactions for banking and healthcare, or on airports and seaports for trade and transit, keep bolstering their cybersecurity doctrine with determined rhetoric about threats and defense. In practice, however, most of the sectors we consider critical are sitting ducks.
Signaling, meanwhile, keeps transmitting the perception that digital ecosystems and infrastructures the world over are well understood and fair game, even if unpoliced, while critical infrastructure waits for its next ambush. This lack of credible definition and policing produces a common operating picture with little real understanding of threats, no real tripwire, and an expectation that the private sector will bear the brunt of attacks and pick up the pieces afterward. At the same time, the material impacts of high-profile attacks—NotPetya, SolarWinds, TRISIS, Colonial Pipeline—have become red herrings, leading policymakers to fear hypothetically worse attacks instead of working back from the most realistic worst-case scenario for each sector. Cybersecurity in practice is only now shifting from conversations about the likelihood of being victimized to reducing the severity of an attack once it lands.
In the cybersecurity community, it is well understood that you cannot protect every piece of hardware, software, code, connection, privilege, and access at all times. Instead, security is built from layered, compensating controls that raise the attacker's cost at each step toward their objective and tilt their cost-benefit calculation. Inventories of technologies, processes, and policies are checked against logged communications and security telemetry from machines and platforms, often with automation, to identify gaps and address operational and functional risks.
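The inventory-versus-logs reconciliation described above, applied to the three recurring risks named earlier (control systems on unmanaged networks, unbrokered remote access, and hosts nobody knows about), can be shown concretely. The following is an added example written for this page, not code from the essay or from any product it mentions. The asset inventory, the zone policy, the site address range, and the key=value flow log lines are all constructed for illustration; the log format is a simplified stand-in for a real firewall export, and the two non-10.x addresses are documentation-range placeholders for public hosts.

```python
"""Reconcile an OT asset inventory against observed network flows.

Added example, not taken from the essay: the inventory, the zone policy
and the flow log lines are constructed for illustration, and the
key=value log format is a simplified stand-in for a real firewall export.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory: address -> (hostname, zone), using a simplified
# Purdue-style split: control (PLCs/HMIs), dmz (jump hosts, historians), corp (IT).
INVENTORY = {
    "10.10.1.10": ("plc-boiler-1", "control"),
    "10.10.1.20": ("hmi-ops-1", "control"),
    "10.20.0.5": ("jump-ot-1", "dmz"),
    "10.20.0.6": ("historian-1", "dmz"),
    "10.30.5.15": ("ws-finance-03", "corp"),
}
# Assumed site address space; anything outside it is treated as internet.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed policy: which zones may initiate flows into which zones.
ALLOWED_FLOWS = {
    ("control", "control"), ("control", "dmz"),
    ("dmz", "control"), ("dmz", "dmz"), ("dmz", "corp"),
    ("corp", "dmz"), ("corp", "corp"),
}
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Inventory zone of an address; unlisted site hosts are 'unmanaged',
    addresses outside the site ranges are 'internet'."""
    if addr in INVENTORY:
        return INVENTORY[addr][1]
    ip = ipaddress.ip_address(addr)
    return "unmanaged" if any(ip in net for net in SITE_NETS) else "internet"


def analyze(lines):
    """Run the three checks over allowed flows and return the findings."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(4) != "allow":  # denied flows were already stopped
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        sz, dz = zone_of(src), zone_of(dst)
        unbrokered_remote = dport in REMOTE_ACCESS_PORTS and (
            sz == "internet" or (dz == "control" and sz not in ("dmz", "control"))
        )
        if sz == "control" and dz in ("unmanaged", "internet"):
            # 1. A control asset reaching out to an unmanaged or insecure network.
            findings.append(Finding("high", "control-egress", src, dst, dport))
        elif unbrokered_remote:
            # 2. Remote access that did not pass through the DMZ jump host
            #    (direct from the internet, or from IT straight into control).
            proto = REMOTE_ACCESS_PORTS[dport]
            where = "from-internet" if sz == "internet" else "to-control"
            findings.append(Finding("high", f"remote-{proto}-{where}", src, dst, dport))
        elif (sz, dz) not in ALLOWED_FLOWS:
            # 3. Any other zone crossing the policy does not permit, which
            #    also catches hosts missing from the inventory.
            findings.append(Finding("medium", "unexpected-zone-crossing", src, dst, dport))
    return findings


# Constructed flow log; 203.0.113.7 and 198.51.100.23 stand in for public hosts.
SAMPLE_LOG = """\
ts=2024-05-01T02:11:05Z src=10.20.0.5 dst=10.10.1.10 dport=502 action=allow
ts=2024-05-01T02:11:09Z src=10.10.1.20 dst=10.10.1.10 dport=502 action=allow
ts=2024-05-01T02:12:44Z src=10.10.1.20 dst=203.0.113.7 dport=443 action=allow
ts=2024-05-01T02:13:01Z src=10.30.5.15 dst=10.10.1.10 dport=3389 action=allow
ts=2024-05-01T02:14:30Z src=198.51.100.23 dst=10.20.0.5 dport=3389 action=allow
ts=2024-05-01T02:15:12Z src=10.10.9.77 dst=10.10.1.10 dport=502 action=allow
ts=2024-05-01T02:16:00Z src=10.30.5.15 dst=10.10.1.20 dport=80 action=deny
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.rule}: {f.src} -> {f.dst}:{f.dport}")
```

On the constructed log the script reports the HMI calling out to a public address, a finance workstation opening RDP directly to a PLC, an internet host opening RDP to the jump server, and a host absent from the inventory speaking Modbus to the PLC; the two legitimate Modbus flows and the already-denied flow produce nothing. The point is the compensating control the essay describes: none of these findings requires knowing the vulnerability an attacker would use, only the inventory and the policy the operator already claims to have.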
Luckily, no payload in cyberspace comes close to the destructiveness of an atomic bomb. Unfortunately, the list of potentially devastating accidents or mishaps that could overwhelm local resources or cause widespread public panic is effectively endless. The targeting of nuclear weapons is strategic, precise, and well understood. Experts argue that keeping missile silos operational is a net benefit because an adversary would have to spend warheads on those silos to fend off a counterstrike, and every warhead spent on a silo is one not spent on a city.
In cyberspace there is, and will continue to be, constant probing and reconnaissance as target practice, but gaining unauthorized access does not by itself equate to malicious intent or an attack. Adversaries in cyberspace do not simply throw darts at the wall to pick their next targets, but they do approach extortion and disruption opportunistically. The answer is not to predict which target will be the next victim, but to make the most critical targets continuously less attractive.
The next wave of cyber scholars and pundits will hopefully move away from the recent focus on cyber hygiene, which by definition is relative, and focus instead on the context-specific cybersecurity mechanisms deployed to compensate for particular gaps and attack vectors in a massive threat landscape. The only way to address cyber policy is with an overall effort to reduce the success or payoff of any cyberattack, and the government cannot do this alone. It is, and should demonstrably be, a shared responsibility across partner and vendor ecosystems. Making targets less attractive and less lucrative has a trickle-down effect across supply chains and interdependencies, whereas shifting liability and blame between technology developers and customers or operators does not. We should all take that responsibility very seriously.