State Sponsored Cyber Threats – The Long View

With the increasing chatter regarding the targeting of critical infrastructure by sophisticated attackers, I thought it would be valuable to look at this issue not in the context of the current “tactical” attacks but from a strategic longer-term perspective.

Admittedly, a lot of the discussion surrounding private sector attacks these days is focused on the intellectual property theft problem. The analogy I like to use is it is the largest “I drink your milkshake” theft of intellectual property in human history. However, it is largely a short-term problem – meaning we’ll likely establish some sort of equilibrium in the next five to ten years.

So what should we be concerned with over the longer-term? If you’ve seen me present on cyber threats in the past five years, you’ve been exposed to a slide that says the most significant cyber threat that no-one likes to talk about can be summarized in one five word phrase:

Strategic Penetration for Future Exploitation

So, what is “strategic penetration or future exploitation”? It is an attack strategy that hedges long-term bets on two potential future worldviews, namely PROSPERITY and CONFLICT that allows for the pursuit of PROSPERITY while seeking out strategic advantage in the event of CONFLICT.

During these types of attacks, critical infrastructure and high-value targets are compromised not for the purpose of stealing intellectual property or engaging in traditional espionage and intelligence activity, but rather to establish a foothold to diminish the operation of those infrastructures in the event of future hostilities

It is the cyber equivalent of pre-positioning explosives within ball-bearing plants prior to World War II. It is not that the adversary has the current intent to take down power on the East Coast of the United States, only that they can envision a potential future conflict scenario where that type of capability could provide significant strategic advantage and they feel obligated to execute attacks that plan for that eventuality.

This type of attack offers the strategic and tactical capabilities of Stuxnet but without the requirement for the near-term disruption of the infrastructure. It suggests an approach to strategic cyberconflict (and conflict in general) that is generational and fixated on long-term opportunities over short-term disruption or intellectual property theft. It is compatible with a doctrine of Unrestricted Warfare, but not grounded by it and represents a much greater cyber threat to critical infrastructure and our national and economic security over the long-term than a majority of the attacks we are currently obsessed with.

Key components of a strategic compromise include:

Initial compromise via an undisclosed zero day, unpatched software vulnerability, insider, or by compromising the integrity of the supply chain.

Narrowly focused scope. A strategic penetration won’t look to expand any further on the network than is absolutely necessary. It won’t engage in aggressive beaconing and may not beacon at all (until a specified date well in the future). It won’t compromise intellectual property or exfiltrate data. It is uniquely and solely positioned to degrade the operation of the infrastructure in the future.

Time-shifted intent. A nation-state adversary doesn’t necessarily have the intent to disrupt U.S. critical infrastructure right now. Fear of escalation, global condemnation, economic interdependence, and other deterrence factors make such attacks unattractive. However, a strategic penetration is intent agnostic. It is about envisioning a world where intent can change and being strategically prepared within the cyber domain for that potential shift.

Long-term stealth and patience. The attacking adversary won’t engage in any activity that could compromise the capability, even if that means sacrificing the ability to continually verify the compromise still exists. Checking in creates an opportunity for detection and mitigation of the compromise. Capabilities may be verified immediately prior to utilization which could present an opportunity for indications and warning of a substantial imminent cyber attack.

A Team only – Strategic compromise is not conducted by the B Team and not outsourced to universities or other institutions. Compromises are tightly controlled within the intelligence and national security apparatus.

Strategic Penetrations have Strategic Implications

In an environment where existing security models are already broken, addressing this type of threat will be a persistent challenge. It requires us to think not only about how we are vulnerable now, but how we will be vulnerable in ten years or how today’s vulnerabilities could be time shifted for future strategic advantage. It requires new detection techniques focused on host security, supply chain integrity,and implementation and infrastructure management controls. It also requires a vibrant cyber intelligence capability that is not dependent exclusively on technical collection.

Most importantly, it requires a shift in our mindset of how we view the current threat space and breaking our cultural disposition to only think about these issues in a short-term context.