I previously recorded some thoughts on the new US government strategy in cyber defense known as “defend forward”. Recently, I had the pleasure and opportunity to take part in a Naval War College exercise implicitly testing this strategy’s implementation and execution in the context of civilian critical infrastructure cyber operations. My past statements expressed concern on this strategy given the risks it imposes in terms of escalation and loss of control over events – and my participation in this event has not only reinforced these earlier worries but added new, distressing items as well.

In the post-exercise discussion (or “hot wash”), representatives of the US government emphasized an element of defend forward that has the potential to lead to adversary escalation. Specifically, the concept of “Deterring, preempting, or defeating malicious cyber activity targeting U.S. critical infrastructure that is likely to cause a significant cyber incident”, as stated in US Department of Defense documents, introduces a fundamental tension into supposedly defensive cyber operations. Namely, an active, public stance of preemptively disrupting attacks requires a combination of access, assessment, and capabilities that dramatically alters the landscape of cyber competition.

In order to adequately position itself to take these actions, elements of the US government would need to penetrate perceived adversary networks; maintain sufficient intelligence collection to accurately gauge adversary intentions; and then preposition capabilities to execute disruption on the first sign of offensive activity. Such actions – publicly communicated for presumably deterrence reasons – place adversaries in an undesirable situation: opposing forces (the US government) will infiltrate networks to ensure the capability to preempt attacks via unspecified, disruptive means. This situation mirrors earlier disruptions of the offense-defense balance and of strategic calculus, such as the missile defense debates or even the “railroad analogy” in the run-up to World War I, where entities are forced into preemptive (or “pre-preemptive”) action as a result of possibly losing a capability or mechanism for defense or deterrence. As such, an action perceived as defensive by its executor is perceived as risk-inducing and escalatory by the parties against which such actions are directed.

Defend forward, requiring some degree of pre-positioning and intelligence collection to ensure information collection and the ability to disrupt, is inherently destabilizing in this respect. For proper execution, defend forward all but demands every step of an offensive cyber operation short of final execution – and that final step arrives as soon as the intruder perceives an attack is about to begin and moves to preempt it. From the attacked party’s perspective, aside from working to prevent, mitigate, or defeat such preemption through cyber defenses, such actions essentially force them into a “use it or lose it” position – either execute operations that can inflict pain on the adversary (in this case, the United States), or lose this ability and thus cede the strategic initiative.

Based on the above, defend forward as described (and likely to be implemented) already incentivizes entities that perceive themselves as potentially subject to the policy to adopt a more aggressive stance relative to US goals. However, an additional concern arises in terms of where such escalation will most likely be felt. While US adversaries maintain access to US government networks, direct attacks (deny, degrade, destroy) against them either are not especially productive or involve objectives so sensitive (e.g., military networks) that they are reserved for wartime situations. Thus the most-likely remaining targets for action in retaliation for defend forward actions are those very entities supposedly protected by this aggressive approach: civilian critical infrastructure networks.

From a retaliation or preemptive strike position, the most likely victims will be sources of value already penetrated or easy to access and affect, covering civilian infrastructure from electric utilities to financial institutions to local water companies, among others. Such “soft” – but significant – targets (presumably) provide an easier objective than government networks while maximizing the potential pain and disruption on the overall US polity. The sad irony of this situation is that those entities presumably the subject of US government defense – civilian infrastructure – become victims of adversary actions in response to provocative preemptive actions.

Furthermore, as described and likely implemented, the US strategy of defend forward does little (if anything) to actually coordinate likely provocative actions with civilian infrastructure stakeholders in advance. Essentially, US government entities will escalate cyber operations vis-à-vis likely/perceived adversaries for the notional reason of defending civilian infrastructure, with the likely blowback effect of prompting adversaries to accelerate disruptive effects on the same networks. Within the scope of the wargaming exercise I participated in (as part of the Red cell), actual preparations and plans to disrupt Blue networks were not put in place until after Blue demonstrated an aggressive posture vis-à-vis Red – resulting in Red looking for existing, available pain-points to hold at risk for retaliation.

While some may point to recent, publicly-identified actions in reality, such as on-going Russian-linked intrusions into US (and other) energy infrastructure, as a sign that disruptive operations are already in motion – I would caution (as I’ve noted previously) that such operations be viewed in a broader strategic light. Given that – outside of limited exceptions – cyber-nexus disruptive events must be preceded and enabled by long-running information collection and access development, any rational adversary of the US will seek to build knowledge on and develop points of access into likely targets – such as civilian critical infrastructure. Thus, while defenders may observe (and should work diligently to thwart) such activity, the identification of such intrusions into critical sectors (such as energy) is not necessarily (nor likely) indicative of imminent attack.

Given defend forward positioning and implications, rational (if undesirable) adversary actions against US infrastructure can (and likely will) be perceived as attack preliminaries – prompting follow-on US intrusions (and potential disruptive effects) which could then accelerate adversary strategic planning to execute attacks which previously were only contingencies. Meanwhile, the entities receiving the most disruption and impact from events are excluded from the above exchange from the start – civilian critical infrastructure entities in the private sector – leaving them unprepared for and at the mercy of adversary accelerated disruptive operations.

Essentially, the US government has adopted and is in the process of implementing a strategy that escalates operations in the cyber realm while ignoring the needs and defensive requirements of civilian critical infrastructure providers. The perverse incentives involved will lead to manifestly suboptimal outcomes, and likely result in far more disruption and dislocation than the perceived benefits of a preemption-focused strategy. Civilian critical infrastructure stakeholders – from the financial sector through electric utilities – need to leverage access to government resources to ascertain precisely how the US government intends to implement this strategy and how it will work to ensure private sector entities will be kept apprised of developments to best ensure defense. Notably absent in discussions of defend forward methodology is a realization of how much critical infrastructure security depends on private sector activity, while taking an unrealistic view that government-directed efforts can solve (or prevent) all problems. As currently constructed and likely implemented, defend forward will not produce greater security and reliability within critical civilian infrastructure information systems – it will instead lead to greater instability, conflict, and unfortunate consequences.


1 Comment

Kicked While Down: Critical Infrastructure Amplification and Messaging Attacks – Stranded on Pylos · 08/13/2019 at 22:29

[…] and potential retaliation: “defend forward”. I’ve made my criticisms of this strategy quite clear, so I will not revisit past arguments at this time. However, an offensive-minded strategy runs into […]
