Novel malware, computer code and clandestine digital access are some of the unconventional weapons various countries are currently amassing and deploying. Whether used as a force multiplier for disinformation operations, for stand-alone projections of power or carefully calibrated escalations of conflict, cyber weapon use is growing on the international stage.
Take as an example the most recent cyber skirmishes between Israel and Iran: Iranians targeted a water treatment plant, caused a port shutdown, defaced websites and mounted influence operations. For every incident that makes headlines, we have to assume that many more are happening behind the scenes.
As global tensions continue to grow and cyber weapons mature, it seems evident that this digital iteration of international conflict is occurring with few to no agreed-upon (or even informally understood) laws of cyber conflict, increasing uncertainty, the potential for collateral damage, and the likelihood of unintended escalation.
The complexity of attacker attribution further complicates existing geopolitical tensions. A third-party actor could conduct a false-flag attack to increase tensions between adversaries or to provoke an escalation of conflict. And as the world embraces 5G technology, the consequences, scale, and scope of digital assaults will only grow.
These are a few of the issues that led the World Economic Forum to name cyber-attacks the greatest non-environmental threat to mankind. WEF’s 2018 Global Risks Report warned that “the use of cyber-attacks to target critical infrastructure and strategic industrial sectors (…) could trigger a breakdown in the systems that keep societies functioning,” and the warning was repeated in the 2019 and 2020 reports.
With cyber risks at a near all-time high, the unpredictable nature of digital threats has made traditional defensive paradigms nearly obsolete. This reality, along with the undefined parameters of cyber conflict, leaves nation-states in the dark when it comes to how best to show cyber strength and superiority without losing the advantage. This means that all players default to offensive cyber operations and innovations, but at a time when everyone can launch an attack, it is the stronger defense that will determine the superior actor.
Defensive superiority will define the cyber superpower
While traditional conflicts and balances of power were defined by real-world offensive superiority – the number and size of military units and weapons systems and ability to deploy them – cyber conflicts will more likely be decided by defensive superiority and resilient critical infrastructure.
Cyber superpowers cannot easily or effectively showcase their cyber arsenal of zero-days or the cyber-physical attack points they have access to within an enemy’s critical infrastructure without significantly jeopardizing those same tools and access. In a cyber-driven conflict, the instant an actor shows their hand, revealing cyber tools or accesses, they are made moot – vulnerabilities are remediated, networks patched, and the strategic advantage effectively erased.
The key for both keeping and showcasing cyber superiority lies in defense. Nations can use key metrics around attack prevention and disruption, as well as advancements in key technologies, to project defensive prowess without giving up their strategic advantage, all while resourcing network and infrastructure resilience.
Unfortunately, as reflected in the recent Cyber Solarium Commission (CSC) report released this March, the United States and most other countries have continued to focus largely on cyber offense, without recognizing that the nature of cyber has changed the national security paradigm. And even when nations have focused on cyber defense, strategies and technologies are largely out of date considering the advances continually occurring in offense.
United States’ position of strength
“Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage. A major cyber-attack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”
This quote from the CSC report, drafted well before the most recent pandemic and resulting economic damage, leads one to wonder how it would compare. It does not take much imagination to envision how a cyber-attack would mimic many of the most recent economic disruptions. While current global economic instability was not nation-state generated or cyber-related, countries are learning a great deal about their adversaries’ societal and economic stress points to inform and target in future cyber operations.
The CSC report also states: “The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility.” Unfortunately, the U.S. does not have the same upper hand in cyber conflicts that it has enjoyed in other international conflicts for generations. It is not because the U.S. doesn’t have some of the most advanced cyber-attack tools on the planet, but because the United States’ digital networks and environments are much more critical, expansive, and vulnerable. The steps and actions needed for the U.S. to achieve superiority on the international cyber battlefield are not easy and will certainly not occur in the short- or even mid-term, but are necessary.
The process will begin with resources, technology, and a sense of urgency. At the current moment it seems outrageous to discuss using resources or having any spare sense of urgency for anything other than today’s health, economic, and cultural crises. However, much like those who knew a pandemic was eventually going to occur, cyber security experts and critical infrastructure providers watching the number of cyber-attacks, and the advances in them, over the last five years know it is only a matter of time until a major cyber disruption takes place.
The algorithmic arms race
Today’s cybersecurity approaches remain too focused on understanding and trying to predict the attacker, the potential vulnerability, and the attack tool. This threat-centric approach is especially flawed as attackers increase their scope, scale, and unpredictability.
The next generation of national cyber security defense should be inward looking, with a defensive center of gravity. This translates to understanding both the digital environment and critical networks with a detailed level of real-time situational awareness and visibility that identifies the smallest deviations from normal and steps in at machine speed to autonomously enforce what’s normal. A defender has a greater chance of predicting critical areas of their network with certainty and consistency than trying to predict attacks. However, a change in the national cyber security approach alone will not lead to success. Given the growing complexity of the national digital ecosystem and the speed and scale of cyber-attacks, it will require embracing emerging technologies, specifically artificial intelligence.
AI-enabled cyber defenses will be necessary to succeed in future cyber conflicts. Rather than mutually assured destruction preventing the ultimate escalation of conflicts to all-out war, it will be an understood inability to successfully conduct crippling cyber operations against your adversary. This will be true even as attackers employ AI for offense. This natural acceleration to AI attacks will create an algorithmic arms race in both the defensive and offensive aspects of warfare. However, even with the inevitable move to an AI vs. AI reality, the AI-powered defender will actually have the upper hand.
In a traditional military conflict with a win, lose, or tie scenario, a tie is actually a lose-lose result as both sides are destroyed. In a cyber conflict, the defender wins in a tie – no data is lost, no infrastructure compromised, no networks taken offline.
There are many geopolitical levers of soft and hard power – from kinetic to diplomatic to economic – that play into conflicts where cyber defense does not restrain all-out military engagement. However, when kinetic actions are too escalatory, or diplomatic and economic actions not “tough” enough, cyber will be used in its own right or as a force multiplier. Security in the digital age hinges on the ability to harness AI to protect an increasingly connected world.