Solorigate attack — the challenge to cyber deterrence

The exploitation of SolarWinds’ network tool at a grand scale, based on publicly disseminated information from Congress and media, represents not only a threat to national security — but also puts the concept of cyber deterrence in question. My concern: Is there a disconnect between the operational environment and the academic research that we generally assume supports the national security enterprise?

Apparently, whoever launched the Solorigate attack was undeterred, based on the publicly disclosed size and scope of the breach. If cyber deterrence is not to be a functional component to change potential adversaries’ behavior, why is cyber deterrence given so much attention?

Maybe it is because we want it to exist. We want there to be a silver bullet out there that will prevent future cyberattacks, and if we want it to exist, then any support for the existence of cyber deterrence feeds our confirmation bias.

Herman Kahn and Irwin Mann’s RAND memo “Ten Common Pitfalls” from 1957 points out the intellectual traps when trying to make military analysis in an uncertain world. That we listen to what is supporting our general belief is natural — it is in the human psyche to do so, but it can mislead.

Here is my main argument — there is a misalignment between civilian academic research and the cyber operational environment. There are at least a few hundred academic papers published on cyber deterrence, from different intellectual angles and a variety of venues, seeking to investigate, explain and create an intellectual model how cyber deterrence is achieved.

Many of these papers transpose traditional models from political science, security studies, behavioral science, criminology and other disciplines, and arrange these established models to fit a cyber narrative. The models were never designed for cyber; the models are designed to address other deviate behavior. I do not rule out their relevance in some form, but I also do not assume that they are relevant.

The root causes of this misalignment I would like to categorize in three different, hopefully plausible explanations. First, few of our university researchers have military experience, and with an increasingly narrower group that volunteer to the serve, the problem escalates. This divide between civilian academia and the military is a national vulnerability.

Decades ago, the Office of Net Assessment assessed that the U.S. had an advantage over the Soviets due to the skills of the U.S. force. Today in 2021, it might be reversed for cyber research when the academic researchers in potentially adversarial countries have a higher understanding of military operations than their U.S. counterpart.

Second, the funding mechanism in the way we fund civilian research gives a market-driven pursuit to satisfy the interest of the funding agency. By funding models of cyber deterrence, there is already an assumption that it exists, so any research that challenges that assumption will never be initiated. Should we not fund this research? Of course not, but the scope of the inquiry needs to be wide enough to challenge our own presumptions and potential biases at play. Right now, it pays too well to tell us what we want to hear, compared to presenting a radical rebuttal of our beliefs and perceptions of cyber.

Third, the defense enterprise is secretive about the inner workings of cyber operations and the operational environment (for a good reason!). However, what if it is too secretive, leaving civilian researchers to rely on commercial white papers, media, and commentators to shape the perception of the operational environment?

One of the reasons funded university research exists is to be a safeguard to help avoid strategic surprise. However, it becomes a grave concern when the civilian research community research misses the target on such a broad scale as it did in this case. This case also demonstrates that there is risk in assuming the civilian research will accurately understand the operational environment, which rather amplifies the potential for strategic surprise.

There are university research groups that are highly knowledgeable of the realities of military cyber operations, so one way to address this misalignment is to concentrate the effort. Alternatively, the defense establishment must increase the outreach and interaction with a larger group of research universities to mitigate the civilian-military research divide. Every breach, small and large, is data that supports understanding of what happened, so in my view, this is one of the lessons to be learned from Solorigate.

Jan Kallberg, Ph.D.

What COVID-19 can teach us about cyber resilience

The COVID pandemic is a challenge that will eventually create health risks to Americans and have long-lasting effects. For many, this is a tragedy, a threat to life, health, and finances. What draws our attention is what COVID-19 has meant our society, the economy, and how in an unprecedented way, family, corporations, schools, and government agencies quickly had to adjust to a new reality. Why does this matter from a cyber perspective?

COVID-19 has created increased stress on our logistic, digital, public, and financial systems and this could in fact resemble what a major cyber conflict would mean to the general public. It is also essential to assess what matters to the public during this time. COVID-19 has created a widespread disruption of work, transportation, logistics, distribution of food and necessities to the public, and increased stress on infrastructures, from Internet connectivity to just-in-time delivery. It has unleashed abnormal behaviors.

A potential adversary will likely not have the ability to take down an entire sector of our critical infrastructure, or business eco-system, for several reasons. First, awareness and investments in cybersecurity have drastically increased the last two decades. This in turn reduced the number of single points of failure and increased the number of built-in redundancies as well as the ability to maintain operations in a degraded environment.

Dr. Jan Kallberg and Col. Stephen Hamilton
March 23, 2020

The COVID pandemic is a challenge that will eventually create health risks to Americans and have long-lasting effects. For many, this is a tragedy, a threat to life, health, and finances. What draws our attention is what COVID-19 has meant our society, the economy, and how in an unprecedented way, family, corporations, schools, and government agencies quickly had to adjust to a new reality. Why does this matter from a cyber perspective?

COVID-19 has created increased stress on our logistic, digital, public, and financial systems and this could in fact resemble what a major cyber conflict would mean to the general public. It is also essential to assess what matters to the public during this time. COVID-19 has created a widespread disruption of work, transportation, logistics, distribution of food and necessities to the public, and increased stress on infrastructures, from Internet connectivity to just-in-time delivery. It has unleashed abnormal behaviors.

A potential adversary will likely not have the ability to take down an entire sector of our critical infrastructure, or business eco-system, for several reasons. First, awareness and investments in cybersecurity have drastically increased the last two decades. This in turn reduced the number of single points of failure and increased the number of built-in redundancies as well as the ability to maintain operations in a degraded environment.

Second, the time and resources required to create what was once referred to as a “Cyber Pearl Harbor” is beyond the reach of any near-peer nation. Decades of advancement, from increasing resilience, adding layered defense and the new ability to detect intrusion, have made it significantly harder to execute an attack of that size.

Instead, an adversary will likely focus their primary cyber capacity on what matters for their national strategic goals. For example, delaying the movement of the main U.S. force from the continental United States to theater by using a cyberattack on utilities, airports, railroads, and ports. That strategy has two clear goals: to deny United States and its allies options in theater due to a lack of strength and to strike a significant blow to the United States and allied forces early in the conflict. If an adversary can delay U.S. forces’ arrival in theater or create disturbances in thousands of groceries or wreak havoc on the commute for office workers, they will likely prioritize what matters to their military operations first.

That said, in a future conflict, the domestic businesses, local government, and services on which the general public rely on, will be targeted by cyberattacks. These second-tier operations are likely exploiting the vulnerabilities at scale in our society, but with less complexity and mainly opportunity exploitations.

The similarity with the COVID-19 outbreak to a cyber campaign is the disruption in logistics and services, how the population reacts, as well as the stress it puts on law enforcement and first responders. These events can lead to questions about the ability to maintain law and order and the ability to prevent destabilization of a distribution chain that is built for just-in-time operations with minimal margins of deviation before it falls apart.

The sheer nature of these second-tier attacks is unsystematic, opportunity-driven. The goal is to pursue disruption, confusion, and stress. An authoritarian regime would likely not be hindered by international norms to attack targets that jeopardize public health and create risks for the general population. Environmental hazards released by these attacks can lead to risks of loss of life and potential dramatic long-term loss of life quality for citizens. If the population questions the government’s ability to protect, the government’s legitimacy and authority will suffer. Health and environmental risks tend to appeal not only to our general public’s logic but also to emotions, particularly uncertainty and fear. This can be a tipping point if the population fears the future to the point it loses confidence in the government.

Therefore, as we see COVID-19 unfold, it could give us insights into how a broad cyber-disruption campaign could affect the U.S. population. Terrorist experts examine two effects of an attack – the attack itself and the consequences of how the target population reacts.

Likely, our potential adversaries study carefully how our society reacts to COVID-19. For example, if the population obeys the government, if our government maintains control and enforces its agenda and if the nation was prepared.

Lessons learned from COVID-19 are applicable for the strengthening U.S. cyberdefense and resilience. These unfortunate events increase our understanding of how a broad cyber campaign can disrupt and degrade the quality of life, government services, and business activity.

From the Adversary’s POV – Cyber Attacks to Delay CONUS Forces Movement to Port of Embarkation Pivotal to Success

We tend to see vulnerabilities and concerns about cyber threats to critical infrastructure from our own viewpoint. But an adversary will assess where and how a cyberattack on America will benefit the adversary’s strategy. I am not convinced attacks on critical infrastructure, in general, have the payoff that an adversary seeks.

The American reaction to Sept. 11 and any attack on U.S. soil gives a hint to an adversary that attacking critical infrastructure to create hardship for the population might work contrary to the intended softening of the will to resist foreign influence. It is more likely that attacks that affect the general population instead strengthen the will to resist and fight, similar to the British reaction to the German bombing campaign “Blitzen” in 1940. We can’t rule out attacks that affect the general population, but there are not enough offensive capabilities to attack all 16 sectors of critical infrastructure and gain a strategic momentum.
An adversary has limited cyberattack capabilities and needs to prioritize cyber targets that are aligned with the overall strategy. Trying to see what options, opportunities, and directions an adversary might take requires we change our point of view to the adversary’s outlook. One of my primary concerns is pinpointed cyber-attacks disrupting and delaying the movement of U.S. forces to theater.

We tend to see vulnerabilities and concerns about cyber threats to critical infrastructure from our own viewpoint. But an adversary will assess where and how a cyberattack on America will benefit the adversary’s strategy. I am not convinced attacks on critical infrastructure, in general, have the payoff that an adversary seeks.

The American reaction to Sept. 11 and any attack on U.S. soil gives a hint to an adversary that attacking critical infrastructure to create hardship for the population might work contrary to the intended softening of the will to resist foreign influence. It is more likely that attacks that affect the general population instead strengthen the will to resist and fight, similar to the British reaction to the German bombing campaign “Blitzen” in 1940. We can’t rule out attacks that affect the general population, but there are not enough offensive capabilities to attack all 16 sectors of critical infrastructure and gain a strategic momentum. An adversary has limited cyberattack capabilities and needs to prioritize cyber targets that are aligned with the overall strategy. Trying to see what options, opportunities, and directions an adversary might take requires we change our point of view to the adversary’s outlook. One of my primary concerns is pinpointed cyber-attacks disrupting and delaying the movement of U.S. forces to theater. 

Seen for the potential adversary’s point of view, bringing the cyber fight to our homeland – think delaying the transportation of U.S. forces to theater by attacking infrastructure and transportation networks from bases to the port of embarkation – is a low investment/high return operation. Why does it matter?

First, the bulk of the U.S. forces are not in the region where the conflict erupts. Instead, they are mainly based in the continental United States and must be transported to theater. From an adversary’s perspective, the delay of U.S. forces’ arrival might be the only opportunity. If the adversary can utilize an operational and tactical superiority in the initial phase of the conflict, by engaging our local allies and U.S. forces in the region swiftly, territorial gains can be made that are too costly to reverse later, leaving the adversary in a strong bargaining position.

Second, even if only partially successful, cyberattacks that delay U.S. forces’ arrival will create confusion. Such attacks would mean units might arrive at different ports, at different times and with only a fraction of the hardware or personnel while the rest is stuck in transit.

Third, an adversary that is convinced before a conflict that it can significantly delay the arrival of U.S. units from the continental U.S. to a theater will do a different assessment of the risks of a fait accompli attack. Training and Doctrine Command defines such an attack as one that “ is intended to achieve military and political objectives rapidly and then to quickly consolidate those gains so that any attempt to reverse the action by the U.S. would entail unacceptable cost and risk.” Even if an adversary is long-term strategically inferior, the window of opportunity due to assumed delay of moving units from the continental U.S. to theater might be enough for them to take military action seeking to establish a successful fait accompli-attack.

In designing a cyber defense for critical infrastructure, it is vital that what matters to the adversary is a part of the equation. In peacetime, cyberattacks probe systems across society, from waterworks, schools, social media, retail, all the way to sawmills. Cyberattacks in war time will have more explicit intent and seek a specific gain that supports the strategy. Therefore, it is essential to identify and prioritize the critical infrastructure that is pivotal at war, instead of attempting to spread out the defense to cover everything touched in peacetime.

Jan Kallberg, Ph.D., LL.M., is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy, or the Department of Defense.

How the Founding Fathers helped make the US cyber-resilient

The Founding Fathers have done more for U.S. strategic cyber resiliency than other modern initiatives. Their contribution is a stable society, that can absorb attacks without falling into chaos, mayhem, and entropy. Stable countries have a significant advantage in future nation-state cyber-information conflicts. If nation states seek to conduct decisive cyberwar, victory will not come from anecdotal exploits, but instead by launching systematic, destabilizing attacks on the targeted society that bring them down to the point that they are subject to foreign will. Societal stability is not created overnight, it is the product of decades and even centuries of good government, civil liberties, fairness, and trust building.

Why does it matter? Because the strategic tools to bring down and degrade a society will not provide the effects sought. That means for an adversary seeking strategic advantages by attacking U.S. critical infrastructure the risk of retribution can outweigh the benefit.

The blackout in the northeast in 2003 is an example of how an American population will react when a significant share of critical infrastructure is degraded by hostile cyberattacks. The reaction showed that instead of imploding into chaos and looting, the affected population acted orderly and helped strangers. They demonstrated a high degree of resiliency. The reason why Americans act orderly and have such resiliency is a product of how we have designed our society, which leads back to the Founding Fathers. Americans are invested in the success of their society. Therefore, they do not turn on each other in a crisis.

Historically, the tactic of attacking a stable society by generating hardship has failed more than it has succeeded. One example is the Blitz 1940, the German bombings of metropolitan areas and infrastructure, which only hardened the British resistance against Nazi-Germany. After Dunkirk, several British parliamentarians were in favor of a separate peace with Germany. After the blitz, British politicians were united against Germany and fought Nazi Germany single-handed until USSR and the United States entered the war.

A strategic cyber campaign will fail to destabilize the targeted society if the institutions remain intact following the assault or successfully operate in a degraded environment. From an American perspective, it is crucial for a defender to ensure the cyberattacks never reach the magnitude that forces society over the threshold to entropy. In America’s favor, the threshold is far higher than our potential adversaries’. By guarding what we believe in – fairness, opportunity, liberty, equality, and open and free democracy – America can become more resilient.

We generally underestimate how stable America is, especially compared to potential foreign adversaries. There is a deterrent embedded in that fact: the risks for an adversary might outweigh the potential gains.

Jan Kallberg is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy or the Department of Defense.

Cyber Attacks with Environmental Impact – High Impact on Societal Sentiment

In the cyber debate, there is a significant, if not totally over-shadowing, focus on the information systems themselves – the concerns don’t migrate to secondary and tertiary effects. For example, the problem with vulnerable industrial control systems in the management of water-reservoir dams is not limited to the digital conduit and systems. It is the fact that a massive release of water can create a flood that affects hundreds of thousands of citizens. It is important to look at the actual effects of a systematic or pinpoint-accurate cyberattack – and go beyond the limits of the actual information system.

As an example, a cascading effect of failing dams in a larger watershed would have a significant environmental impact. Hydroelectric dams and reservoirs are controlled using different forms of computer networks, either cable or wireless, and the control networks are connected to the Internet. A breach in the cyber defenses for the electric utility company leads all the way down to the logic controllers that instruct the electric machinery to open the floodgates. Many hydroelectric dams and reservoirs are designed as a chain of dams in a major watershed to create an even flow of water that is utilized to generate energy. A cyberattack on several upstream dams would release water that increases pressure on downstream dams. With rapidly diminishing storage capacity, downstream dams risk being breached by the oncoming water. Eventually, it can turn to a cascading effect through the river system which could result in a catastrophic flood event.

The traditional cyber security way to frame the problem is the loss of function and disruption in electricity generation, but that overlooks the potential environmental effect of an inland tsunami. This is especially troublesome in areas where the population and the industries are dense along a river; examples would include Pennsylvania, West Virginia and other areas with cities built around historic mills.

We have seen that events that are close to citizens’ near-environment affect them highly, which makes sense. If they perceive a threat to their immediate environment, it creates rapid public shifts of belief; erodes trust in government; generates extreme pressure under an intense, short time frame for government to act to stabilize the situation; and public vocal outcry.

One such example is the Three Mile Island accident, which created significant public turbulence and fear – an incident that still has a profound impact on how we view nuclear power. The Three Mile Island incident changed U.S. nuclear policy in a completely different direction and halted all new construction of nuclear plants even until today, forty years later.

For a covert state actor that seeks to cripple our society, embarrass the political leadership, change policy and project to the world that we cannot defend ourselves, environmental damages are inviting. An attack on the environment feels, for the general public, closer and scarier than a dozen servers malfunctioning in a server park. We are all dependent on clean drinking water and non-toxic air. Cyber attacks on these fundamentals for life could create panic and desperation in the public – even if the reacting citizens were not directly affected.

It is crucial for cyber resilience to look beyond the information systems. The societal effect is embedded in the secondary and tertiary effects that need to be addressed, understood and, to the limit of what we can do, mitigated. Cyber resilience goes beyond the digital realm.

Jan Kallberg, PhD