One issue that came from my recent CYBERWARCON talk was an item of focus (or for others, limitation) when approaching the idea of what a “critical infrastructure attack” actually means. While I faced some (really good, topical) questions on my definition of “critical infrastructure”, a more public debate ensued over the conception of a cyber “attack”. Within the context of this talk, I used the same definition of “attack” I’ve used in several recent presentations and papers:
““attack” is narrowly defined to encompass only those actions that deny, degrade, or destroy either an IT system, ICS system, or a physical process controlled by such a system through cyber-nexus means“
The Past and Future of Integrity-Based ICS Attacks, Joe Slowik
For some, this may seem to be too narrow a definition though – as outlined above, phishing, scanning, theft, and espionage would all seem to lie outside the scope of “attacks”. Yet on closer examination, depending on adversary intent, such actions almost certainly do not qualify as “attacks”, or represent intermediate steps en route to attacks, thus falling into a murky realm of preparatory actions.
A concern in even exploring this topic is we find ourselves unintentionally embracing Humpty Dumpty from Through the Looking-Glass:
“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean—neither more nor less.” “The question is,” said Alice, “whether you can make words mean so many different things.” “The question is,” said Humpty Dumpty, “which is to be master—that’s all.”
Through the Looking-Glass, Lewis Carroll
This philosophy of language relies on the assertion of meaning, a meaning which – although it may be defined – carries weight and significance only insofar as it is understood and embraced by others. Such linguistic conventionalism may be perfectly acceptable, yet only insofar as a critical mass of others “buy in” to the proposed convention. Thus in setting out to define something such as “attack” in some fashion, the risk I face is that my definition, though publicly declared, is so far removed from “popular” conceptions as to either engender confusion or render the argument useless.
Yet “attack” within the cyber context is a slippery word, both in implications and repercussions. So while it may seem natural that any event meriting a defensive response or action – from a banking trojan phish to a vulnerability scan of public-facing infrastructure – may represent being “attacked”, there is a very real and significant difference between this activity and a wormable IT wiper (e.g., NotPetya) or an ICS disruptive event (e.g., Industroyer/CRASHOVERRIDE). The former circumstances certainly merit responses and actions, but the latter begin approaching thresholds of impact and political/military potential responses that a data theft campaign will almost never reach. Thus, while in conversational use “attack” appears to apply in both cases, deeper examination of what actually happened in an event and what potential responses exist (both for victim recovery and possible retaliation or consequences for perpetrators) reveal significant differences in meaning depending on the event described.
Thus, in my mind, I find it very valuable to pursue a discussion of just what “attack” means and to use this as a baseline to then investigate what we would then classify as “cyber” or “critical infrastructure” attacks. Furthermore, when every scan, phish, or other activity is presented as an “attack”, truly concerning, disruptive events (like the Ukraine power events or the 2007 Estonian DDoS event) are diminished in significance and severity as they become subsumed by so much additional noise. As audiences – from the greater public to political decision-makers – are exposed to an ever-more degraded and debased idea of “attack” due to either hype or ignorance, the ability to adequately process and respond to events becomes undermined.
Essentially, if both a potential cyber-physical destructive event and extensive scanning of Internet-facing resources are viewed as being the same activity only differing in degree or extent, we’ve hindered our ability to differentiate between truly concerning and alarming behavior (using cyber means to disrupt, degrade, or otherwise deny access to critical services vital to modern life) and items that represent something more like “computer network annoyance” in scope and impact. When attempting to establish norms and predictable consequences for “bad” behavior, a “debased” conception of attack risks either tying decision-makers in knots or bundling some less than ideal perception and judgment around a concept for which we seek some level of predictive certainty.
Thus, having a firm, clear definition of what a cyber attack truly is and means seems useful and vital. Absent such a distinction, effort, attention, and scarce resources are devoted to items that, though concerning, will never reach the threshold of actual disruption (let alone destruction), rendering overall defensive postures weaker for succumbing to a death by a thousand perceived, minor cuts. Clearly differentiating those events that meet the “deny, degrade, disrupt, destroy” threshold enables us to focus resources, effort, and attention on the most concerning and impactful events – both within the security field and in connecting legal and policy realms – while leaving “lower order” intrusions (data theft, bitcoin mining, etc.) in other categories largely reliant on security-only responses with occasional cooperation with legal resources.
Moving on from impacts, as we begin to consider what an “attack” represents or consists of, it rapidly becomes apparent that short of some unique instances (such as self-propagating malware, or worms), “attacks” rarely manifest themselves as “bolt from the blue” events. Instead, attacks progress through discrete, inter-dependent stages – typically visualized through several types of “kill chain” models. The significance of this presentation of attack pathways and methodologies is that multiple potential routes or paths exist for adversary behavior, many of which stop well short of a deny, disrupt, degrade, or destroy event. Events can move towards theft, espionage, or similar concerning, but not disruptive, activity. These items are definitely issues to address and defend against, but their nature still (typically) enables the victim entity to function and produce value.
Where matters get more interesting is when actors begin executing earlier stages of the kill chain and do not proceed to some final result or purpose. In these situations, adversary intent is typically unknown, but actions taken thus far can be used as prepositioning and preparation for a future disruptive event – such as Russia-sponsored activity in western electric sectors. These are the hardest cases to adjudicate, as it is very possible such activity could be utilized to execute an attack scenario, but also possible that such activity aims for lesser goals or even represents operational preparation for possible future activity, with no intention of reaching an “attack” state absent some triggering criteria.
Understanding “preparatory actions” – referred to as operational preparation of the environment (OPE) in US military terms – becomes confusing and difficult without perfect information. Essentially, actions become binned in potential dual (or multi) use categories – the phish to the electric utility may be a precursor for installing a Bitcoin miner or business email compromise (BEC) activity, or it could be the initial action designed to breach the utility’s control system network to produce a cyber physical effect – something of concern given ambiguous but provocative events such as the 2019 Lookback campaign. Unfortunately, absent absolute, perfect knowledge, we are unable to adequately disposition such events before they either reach or get close to their final intent. In such situations, we are best left leaving such items as concerning, but ambiguous, rather than calling any such intrusion or initial access activity as the potential precursor to a disruptive event absent information that would indicate such direction.
Given all these considerations, “attack” clearly becomes a messy term, rife with multiple interpretations, all of which may carry consequences for both defenders and perpetrators. Thus, in approaching the subject, clarity of language and specificity in terms are vital. A network scan or initial phish may be construed as an attack – but if so, our conception of adequate and justifiable responses to such an attack must also meet this definition. Thus, an “attack” in this case is not something meriting retribution (least of all physical retribution in, for example, a kinetic strike on the identified physical location of the perpetrators), but rather an item to be deflected, defended against, or recovered from after the fact. This may seem suitable and sensible, yet in the grander scheme of more ambitious, actually disruptive attacks (from Stuxnet to Olympic Destroyer to Norsk Hydro), such a response can be viewed as inadequate and inviting (or tacitly condoning) further action by other parties.
Yet, an astute observer will note, those events recognized clearly as attacks based on the “deny, degrade, destroy, disrupt” definition almost all featured no (publicly known) repercussions or consequences. For example, Russia faced no meaningful costs as a result of the 2015 and 2016 Ukraine power events, and only faced repercussions from NotPetya nearly a year after the fact in the form of economic sanctions. Although impossible to prove, I posit that some (although certainly not all) of this reticence (whether for Russia in Ukraine or the US in Iran or Iran in Saudi Arabia) stems from the ambiguity and uncertainty of what “attack” means in popular discourse. Thus, if one were to (rightfully) condemn the disruptions in Ukraine in 2015 and 2016 as a cyber attack on civilian infrastructure, one would also be (somewhat) logically obligated to extend this condemnation to scans, phishing, and other events that, while meeting the criteria of network intrusions, fall far short of network disruptive events (let alone events resulting in physical impacts) given current wording and understandings.
If something like a phishing campaign (with no discernible impact) is referred to as an “attack” by both journalists and (most importantly) politicians, then how can one justify not intervening in some level to either retaliate for or ameliorate the supposed impacts of that attack even if it was something with no visible disruptive element? I could certainly be wrong in this matter, but overuse and abuse of “attack” has placed discourse and decision-making on cyber events in a less than ideal state. While some may be bothered within the security field at such limitation to truly disruptive or destructive events, when taking a step out of our cyber security silo, the advantages of clearer, more precise language and narrow definitions become clear when articulating responses, establishing norms, and pursuing common understandings of what behavior is “acceptable” by actors in this space – and what actions merit a response (cyber or otherwise).