Cyber Sights on Critical Infrastructure
Updated: Nov 6, 2021
We’re used to the move and countermove in the thriller-like games of spies and the tactics of warfare. However, increasing complexity and guile in tools of war isn’t limited to the physical world. If anything, it evolves even faster in a shadier environment in the world of cyber conflict. When nation states get past what Clausewitz said that “war is a continuation of politics by other means,” we see new means for that continuation of politics with cyber optionality. Once upon a time if nations reached an impasse, the alternative was war. Now there are more and more subtle options, and options are the name of the game.
If you’re a country with an agenda and no recourse, the ultimate form of asymmetric warfare that doesn’t leave a smoking gun is cyber. According to IIS, there are currently 15 countries with world-class cyber capabilities, and the club keeps getting bigger, with some claiming dozens more are investing in it. And what “optionality” do they develop? Three key elements: delivery mechanisms, damaging payloads, and a footprint of already owned or compromised systems and machines. And right at the top of the target list are the services, agencies, and private sector organizations that are effectively the de facto critical infrastructure of a country.
Cyber attacks begin simply enough, exploiting human psychology or machine weaknesses. These days nation states and cybercriminals alike take the low-and-slow approach even if the payload portion might look very different. This means blending in with identities already present, using applications that are sanctioned, living off the cyber land, and gradually escalating privilege, spreading control, and identifying key points. Where the ransomware gang would then detonate encryption payloads, the nation state instead identifies the key figurative wires to cut and goes dormant waiting for the day when options are needed. What has changed is usually not visible to security software that is busy looking for 6 failed logins or malware because there were no failed logins and there is rarely malware. The load on a system changes, the behavior is altered, the mouse leaves few tracks as it moves through the house.
In the meantime, the men and women of security are spread as a thin cyber line to protect an enormous IT footprint. Hamstrung by legitimate concerns about interrupting the flow of business, and not enjoying the benefit the attackers have of a large and powerful development team to supply them with new tools, the average defender sits and waits on a quiet front that can erupt from infiltration at any moment. Best-in-class cyber security, which is still far too rare, works with a DevSecOps team, or “yellow team,” tests itself with a red team, and works to improve at a pace that meets or exceeds the attackers’. The most advanced teams aren’t concerned with the blocking and tackling, because those functions and procedures are automated and run in partnership with IT. No, like any good defenders they are practicing their craft, focusing on efficiency and effectiveness, and honing their tools for when the cyber balloon goes up; and they can handle more than one incident at a time. This is why new tools that detect behavior or grant an unfair advantage to defenders are so welcome. There is no activity in cyber that doesn’t leave a digital wake, and most importantly there’s nothing in IT that doesn’t leave a physical wake that can be spotted from a vantage the attackers can’t see, let alone reach.
The key to protecting critical infrastructure isn’t just deploying the decades-old defenses or even simply honing cyber skills: it’s innovating and exceeding the pace of innovation, and finding new forms of telemetry and perspectives from the domain that is least expected: the physical world. Using physics, radiation, and electromagnetic field changes as telemetry-outside-the-battlefield is the key to next practices, to playing dirty and unfairly to protect critical infrastructure, and to denying the enemy the opportunity to have “optionality.”