Moving towards defense in depth under the gray skies of conflict

The war in Ukraine is in the second month of bloodshed and the broader impact of the conflict is being felt across the globe, as markets react to increased fuel prices and the consequences of Russia’s growing political and economic isolation. Thus far, the anticipated reaction of Russia to Western sanctions and material support for the Ukrainian military within the cyber domain seems to have been muted. However, on March 21, 2022, President Biden issued another stark warning to private sector organizations that, in line with earlier advice from CISA under Alert AA22-011A, cybersecurity postures should be enhanced in readiness for potential Russian reprisals.

The statement by President Biden is aligned with other institutional warnings about the risks to critical infrastructure and concerns about the vulnerability of other the vital areas of Western socio-economic activity, such as banking, logistics, and healthcare.

A key characteristic of the crisis in Ukraine has been the resistance of NATO to calls for military intervention, such as the imposition of a “no-fly zone” over Ukrainian territory. The modus operandi of NATO leaders has been to contribute military and humanitarian aid to the Ukrainian government, while remaining below the threshold of direct engagement with Russia – a situation where the possibility of an escalation towards nuclear confrontation is evident in both the Kremlin’s rhetoric and Russian doctrinal support for the use of nuclear munitions to end conventional conflict. Russia already has nuclear-capable delivery platforms including the 2S7M Malka self-propelled gun and 9K720 Iskander short-range ballistic missile system deployed in the Ukrainian theater.

Although a rapid cessation of hostilities remains the fervent hope of the wider international community, the impact of Russia’s assault on Ukraine will carry with it significant consequences in terms of great power competition and the methods employed by Russia to ameliorate the punitive political and economic measures imposed upon it. In what has been referred to as the “gray zone” of nation state activity, between war and peace, cyberattacks are seen to represent a viable means of coercing an opponent towards adoption of a more favorable disposition or a change in tactics.

One advantage of hostile cyber operations is the ability of an adversary to either target specific vulnerabilities or cause mass disruption, using criminal proxies and potential allies to avoid attribution via a defense based upon plausible deniability. Russia has long recognized the tactical utility of cyberattacks as a low-cost method of degrading enemy capability and political resolve without the application of military means. As such, the Russian conceptualization of the gray zone renders cyberattack an effective tool with which to counter Western sanctions and support for Ukraine, while remaining below the threshold of armed conflict that would constitute expansion of the present war to include other states, including members of NATO.

If the premise that a persistent residual cyber threat must be countered until some future normalization of East-West relations in the wake of the war in Ukraine, it is beholden upon all cyber security professionals and business owners to consider the pragmatic steps necessary to protect their organizations and ensure systemic resilience against a motivated and sophisticated adversary. In addition to the enforcement of established network security protocols and the training of staff to prevent social engineering attacks, bolstering of current cyber security should be undertaken under a mantra of “defense in depth.”

Where sensitive data is being processed and applications form a critical path to service continuity in digital environments and the maintenance of cyber-physical systems, such as power grids, water and fuel distribution pipelines, manufacturing processes, and automated operations in logistics and agricultural production, consideration must be given to how to defeat cyberattacks intended to disrupt and deny these vital resources. Reliance upon a secure perimeter alone is insufficient.

To provide defense in depth, the principles of zero-trust architecture, as elaborated by NIST, need to be adopted in system design and operation. Data should be protected across all three phases of its lifecycle: at rest, in motion, and in use. Applications should also be shielded from compromised infrastructure and the risk of malicious users exploiting privilege escalation to attempt access. Verification of the integrity of applications between processes and the provenance of remote data is also central to a strong defense against potential network intrusion and lateral maneuver of an attacker once they have breached the perimeter.

As the commercial organizations and government institutions addressed by President Biden grapple with the new reality of their, albeit unwanted and unwitting, participation in the gray zone conflict that is set to endure beyond a hoped-for peace accord in Ukraine; a new, holistic, approach to cyber security, founded on true end-to-end encryption of data and robust verification of applications at runtime, is essential. While new strategic investments in cybersecurity will be made in response to the elevated threat posed by Russia and its various agents, this reinforcement and renewal should also be seen as a strategic opportunity to restrict the gray zone and impose stronger limitations on the ability of both nation state actors and criminal groups to do economic and physical harm by digital means.