The new National Cyber Director, Sean Cairncross wants to counter cyber adversaries, to “shift the burden of risk in cyberspace from Americans to them.”
Imposing more costs on adversaries is clearly the right answer, but success cannot be measured only by the number of adversary operations the U.S. government has frustrated, such as DarkSide, Trickbot, REvil, or the Internet Research Agency.
In Vietnam, Iraq, and Afghanistan, the government tried to tie winning to successful tactical engagements. It didn’t work there, and it will not work better in cyberspace.
After all, it has been national policy since 2018, when the first administration of President Donald Trump included a full page of tasks to “[i]dentify, counter, disrupt, degrade, and deter behavior in cyberspace.” Two years ago, the National Cybersecurity Strategy of President Joe Biden expanded this to five pages of tasks devoted to the goal of making “malicious actors incapable of mounting sustained cyber-enabled campaigns” against the United States.
Success requires defining what winning looks like, including propositions of how adversaries should operate and organize differently after suffering the pressure of U.S. defensive improvements and counteroffensive operations.
Tracking Success of Disrupting Adversaries: Doing Better Than We Fear
Adversaries under pressure, for example, must shift from easier to harder tactics, techniques, and procedures (TTPs) and rapidly update their TTPs, as these are being routinely upended by defenders. They will have to constantly rebuild their infrastructure, burn through vulnerabilities faster, and use more zero-day vulnerabilities. They will be more quickly detected and ejected from their footholds within enterprises.
Defenders have high-quality metrics for nearly all of these areas, and nearly all of those metrics are trending in the right direction. The Verizon Data Breach Investigations Report finds that adversaries have shifted from easier to harder TTPs, a finding backed by Mandiant using different data.
Mandiant also reported a tremendous drop in the time it takes enterprises to detect and eject threat actors, from 400-plus days in 2011 to just a dozen or so today. This finding holds even when controlling for ransomware attacks (which want to be detected, at some point) and is confirmed by separate reporting from Verizon and SecureWorks.
Google reports that zero-days constitute a growing majority of vulnerabilities used in the wild (from roughly 62 percent in 2020 to 70 percent in 2023) and the total number of zero-days Google detected grew by 50 percent from 2022 to 2023 (to 92). Prices seem to have increased as well, according to Crowdfense.
Another positive sign is that, perhaps because companies are patching more quickly (see below), adversaries are being forced to exploit newly disclosed vulnerabilities far more quickly, dropping from 63 days in 2018 to just five days in 2023, according to Google.
But Still Not Good Enough
If those trends are all positive, why is the National Cyber Director doubling down on disruption?
“Imposing costs,” first of all, seems to lead to a survival-of-the-fittest contest, leaving fewer but fiercer predators. The weakest adversaries, unable to compete, go “extinct,” forcing those remaining to become ever more agile and dangerous. Defenders, in what biologists call the Red Queen effect, must continue to adapt and accelerate just to keep pace.
Second and more importantly, despite these successes in imposing costs, the consequences of successful cyber campaigns continue to worsen.
For example, the experts on cyber metrics at Cyentia found that, since 2008, companies are reporting 6.5 times more incidents each quarter, a typical firm is 3.7 times more likely to have an incident, median losses per incident are 15.2 times higher, and median losses relative to a firm’s revenue are nearly eight times higher. Over the past 15 years, reported incidents each quarter have increased 650 percent.
Next Steps
Many threat actors are not just out for easy profit but are under orders by their government to relentlessly and remorselessly attack the United States. Imposing sufficient risk on them will be expensive and hard.
More fully developing these efforts to measure success is several orders of magnitude easier and less expensive. Much of the needed information has been collected by cybersecurity and technology companies and routinely reported, such as their annual threat reports.
Groups like Aspen Digital, the World Economic Forum, and my team at Columbia University are going farther, to find the patterns and insights across these data sources.
The most important next step could come from Director Cairncross and his office. As they develop the new cyber strategy, the Office of the National Cyber Director (ONCD) can intentionally consider how all of the strategy’s many tasks, not just those on imposing risks, might be measured. Early outreach to the groups gathering these insights might refine those tasks and help them be implemented and tracked. These findings can then be included in the annual posture reports that Congress demanded when it authorized the creation of ONCD.
Success is possible. It’s more likely if we measure and build our strategies to be measurable.