Critical infrastructure attacks aren’t all the same: Why it matters to CISOs – CSO Online


The willingness of competitors to use cyber operations to generate strategic effects is dictated by four institutional factors:  

  1. Connectivity: Competitors are motivated by the degree of connectivity that exists to link them to adversaries. Given the ubiquity of cyber and cyber-physical systems today, this factor is consistently high.
  2. Vulnerability: Competitors are motivated by perceived vulnerability of an adversary.
  3. Organization: Competitors act based on assessments of adversary organization, that is, of the adversary's ability to adapt to a given pattern of threat behavior.
  4. Discretion: Competitors are motivated by the potential for discretion in their attempt to generate strategic effects.

Together, these factors explain the strategic shift toward broad-scoped critical infrastructure intrusion by the PRC. Western critical infrastructures are densely networked apparatuses. They are also, unfortunately, exceptionally vulnerable to outside intrusion, owing largely to the fragmentation of security efforts that comes from diverse private ownership in the face of (mostly) limited national regulation. This same fragmentation, coupled with democratic expectations of freedom from government oversight, makes the task of public sector defense of critical infrastructure incredibly challenging. This dynamic creates immense opportunity for clandestine intrusion at scale by a committed and well-coordinated aggressor.

Cyber apples and oranges: How global stakeholders should react to critical infrastructure threats

These factors also help security teams and strategic planners address the divergent challenges of combating malicious foreign cyber threats to critical infrastructure. The threat posed by recent Iranian activities is of a different nature than that posed by the Chinese government, its agents, and its proxies. As I and others have addressed recently, the crisis logic of cyber operations should compel security teams to pay attention to their unique situational vulnerabilities. For critical infrastructure operators, it helps that the episodic value of cyber disruption pertains directly to the criticality of the affected systems, because conventional risk assessments are well placed to capture that potential.

The Chinese cyber capacity to inflict widespread and cascading effects on Western society is a much more difficult challenge to overcome, even if China’s intention is only to inhibit the policy options of America and her partners. The likelihood that deterrent capacity is the objective of widespread access suggests an obvious strategic goal for security stakeholders in the United States, Europe, and beyond: limit the appeal of such intrusion activity for foreign adversaries and reduce existing access. The factors described here can act as a guide for accomplishing this.

Effectively restraining foreign adversaries would require limiting connectivity to critical infrastructure, which is only incrementally possible (via air-gapping, etc.). Better awareness of malign intentions, however, should dampen the sophistication of intrusion activity, and institutionalization of critical infrastructure preparedness and mitigation fundamentals should mitigate threat severity. From this perspective, Wray’s push to spread awareness of the PRC threat is wise, as is Canada’s attempt to pass stricter regulation of critical infrastructure operators’ security practices. One limits the discretionary conditions the Chinese need to build this capability; the other builds toward an inter-institutional apparatus that is more inherently adaptive, which should reduce the value of the capability.

Stakeholders in the United States and elsewhere should double down on efforts that conform to these parameters. From more consistent declassification of the details of critical infrastructure attacks to the publication of critical infrastructure operators’ security performance outcomes, public sector stakeholders can limit the conditions under which foreign activity can find strategic value. Private operators should embrace collaborative threat assessment and data-sharing opportunities, particularly where “hands-off” regulatory regimes exist to motivate government engagement under conditions of limited liability.

Perhaps the most significant step that Western societies could take is to encourage greater awareness of the strategic realities of cyber compromise of our critical infrastructures. Just as the ideas of deterrence and mutually assured destruction (MAD) were introduced to general populations as a method of encouraging pragmatic discourse, so too does the context of threats to CI need to be communicated to broader populations. Not all CI threats are the same, and those that pose the greatest danger to national interests are also those that community coordination and common understanding can do the most to help resolve.

This post was originally published on the third-party site mentioned in the title.
