The Asynchronous Nature of Asymmetric Cyberwarfare: Success Factors of Cyberattacks

Winning against an asymmetric cyberattack first requires we recognize an attack is occurring

It has been given many names: soft war, non-linear war, unconventional hybrid warfare, cyber cold war, Cold War 2.0, Code War. Regardless of the name, one thing is certain: the way in which the internet is being used as a weapon is asymmetric between Western democracies and revisionist powers.

How is the conflict asymmetric? Do the West and its resurgent adversaries have the same capabilities? Probably yes. Has the West actually used cyberweapons? Again, yes. In the form of Stuxnet, there is an element of symmetry in this regard.

However, fundamentally there is a philosophical asymmetry in the methodology of intelligence collection and use of cyberattacks. The West’s historic view of intelligence gathering has been investments in a few very high-value espionage assets. The fictional spy James Bond, for example, exemplifies the West’s view of intelligence and counterintelligence assets. You may equate Stuxnet to a cyber007. Conversely, cyberattackers—China, in particular—have an opposite approach: a human wave, mosaic methodology to intel gathering, using thousands of low-value assets collecting any and all information, with a central analysis system then piecing together all the collected data. 

What we are really seeing in cyberspace is the application and evolution of a wave, mosaic approach to intelligence gathering: thousands upon thousands of diverse attacks that all in some way have an impact as an economic weapon and are now damaging Western GDP to the tune of trillions of dollars lost per year.

The economic damage to the West can be measured in three ways:

  1. The loss of intellectual property.
  2. The loss of regulatory controlled data.
  3. The loss of operational capacity.

A mosaic-based strategy of cyberattacks has several advantages over a high-value decisive cyberattack strategy. Individually, each attack can appear insignificant and unrelated, with unattributable and confusing motivation. A mosaic approach essentially is better at “concealing their hand.” Because of the asymmetry in use at a philosophical and strategic level, we have not been very good at seeing the big-picture impact from cyberattacks. This should come as no surprise: the mosaic nature makes it virtually impossible to see patterns in a sea of disinformation when each attack and intrusion surfaces randomly, like a fractured jigsaw piece from myriad threat actors.

It is this lack of a digital “Pearl Harbor” event that is responsible for the disorientation that results in many best practice guidelines going unchanged for over a decade. Only recently has new guidance come into existence, such as the National Aerospace Standard 9933, as a dynamic cyberdefense implementation framework to complement the more traditional static-based checklists.

Asymmetric warfare at a strategic level requires the true nature of the conflict to be unrecognized by the adversary to create disorientation. It must stay under the radar. This asymmetry in recognition will then expose a superior adversary to long-term aggressive systemic damage. Kept in the dark, unable to orient, the attacked simply fails to synchronize policy and adopt a strategic response to the unobserved risk.

At a functional level, though, just because something is asymmetric it doesn’t mean that it will be successful. To be successful as a weapon, an asymmetric warfare strategy needs to be asynchronous in its execution.

Being asynchronous is the requirement for cyberattacks to be effective as a weapon. Asynchronous, in the sense of “out of step,” fits perfectly with the idea of breaking into an enemy’s OODA loop and has high descriptive value for what happens in a conflict between conventional and unconventional actors. At the time of the attack there are no effective defenses, resulting in an initial infection point that over time leads to further compromise of systems and data, with the impact of the attack ultimately remaining unknown for months or years. Simply put, effective cyberattacks require a time lag between the attack and the mitigating response.

To achieve effective cyber-resilience under an asymmetric warfare condition, we must do three things.

Wake up to the situation

It is necessary to accept the fact that the economy has become a de-facto combatant in the ongoing conflict, and the conflict is on a global cyberwarfare scale. Corporations are used as pawns in the game to damage the population’s trust in the ability of the government to uphold order and guarantee societal function. Recognize the true severity of the threat you’re under.

Raise the bar for best practices and regulation

The side capable of introducing more sophisticated cybersecurity technology at a quicker pace will eventually win this conflict. IT security is costly, it is complicated and it demands continuous action. It is, therefore, on us to demand systematic efforts to implement the best possible information security.

Push for ever more sophisticated defenses

Improving the sophistication and capabilities of IT systems and security capabilities is the best shot at getting ahead of the cyberwarfare problem. Sophisticated defenses will eventually deny success to the rather large community of single hackers and non-state groups that have limited resources, which is a great deterrence. This, in addition, will markedly reduce the number of potential attackers and make attribution easier. The more sophisticated the attack, the easier it will be to find identifying patterns. As soon as attacks can be attributed with a relatively high degree of certainty, credible retaliation can take place. Therefore, make it a principle to constantly push for better and more sophisticated solutions. Constantly raising the bar of security and IT sophistication eventually can drain the swamp.

Andy Norton

Andy Norton is Director of Threat Intelligence at Lastline. He has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.
