The United States’ Cybersecurity and Infrastructure Security Agency (CISA) launched a campaign roughly aligned with Russia’s horrific invasion of Ukraine in 2022 called “Shields Up.” At its core, “Shields Up” was designed as a set of relatively straightforward security best practices to prepare for expected increases in threat actor operations. Since its inception, the phrase has metastasized to cover all manner of persistent and perceived immediate cyber issues, from the ongoing ransomware epidemic to possible Iranian cyber responses to being bombed by Israel and the United States.

The result of persistent calls for “Shields Up” is an open question: when (if ever) do they come down? While this can lead to interesting humor, the phrase nonetheless is problematic. The immediate concern with “Shields Up” is that presented in the previous link, of the baked-in sense of constant emergency that it entails as no entity has ever taken the brave step of saying shields may come “down” to some degree. This mirrors similar frameworks such as much-derided terrorist “warning levels” that never appear to change or expire, but rather remain at vague elevated levels for prolonged periods of time.

While this is concerning, there are more egregious failings behind the “Shields Up” language with respect to information security and network defense. More worrying still is the shift in responsibility implicit in the phrase: where network owners retain primary responsibility for the safety and security of their networks against criminal and state-directed enterprises. Meanwhile, government entities (law enforcement and military) reside in a passive support and advisory role with respect to such threats. Such language is reflective of some realities in network defense, but realities that increasingly fail to capture the challenges inherent to securing networks in general (and critical infrastructure entities in particular) against cyber-nexus threats.

To illustrate this via example, in the realm of physical security there is a combination of requirements (for regulated entities or due to insurance or other considerations) and “best practices” for ensuring continued facility operations and security. Yet absence of such precautions—even when they are quite basic such as “doors have locks on them”—does not remove or reduce state responsibility for working to reduce criminal activity generally and responding to particular acts when they occur. There is no (legal) sense of “well, they deserved it” when it comes to such items, and failures in systems of physical security, whether crime related on local levels or national security related such as the success of terrorist attacks, result in calls for the state to take meaningful action.

We can root this in Weber’s concept of the state: as that entity which retains a monopoly on “legitimate” violence within its borders. States where privatized or non-state violence is rampant are considered failures, while those that retain this level of control avoid the Hobbesian war of all against all within their territory. Yet shift the nature of violence from physical to cyber, and the assumed bargain flips with private entities expected to not merely shoulder some of the burden for defense, but the majority of it (leading to the creation of a host of commercial defensive providers – a topic for a future discussion). In this sense, the cheeky marketing term of “Shields Up” is both intellectually dishonest in the sense we would not accept this premise in nearly any other realm of security, and morally bankrupt in that it represents the state almost absolving itself of responsibility for preventing or responding to such actions.

Take the most recent example of “possible” Iranian responses to its brief war with Israel (and the United States) for further examination. The core value proposition of this document is: “…CISA urges owners and operators of critical infrastructure organizations and other potentially targeted entities to review this fact sheet to learn more about the Iranian state-backed cyber threat and actionable mitigations to harden cyber defenses.” This may be valuable on its own, but in isolation as the contribution of US authorities to US network owners and operators represents a very curious state of affairs, especially given active US involvement in the physical attacks on Iranian entities.

Presumably, US authorities and resources would be involved in active defense of critical infrastructure entities in the event of “blowback” from US bombing actions. This was certainly the case with respect to physical security for the air base at al Udeid, where missile defense systems were at the ready to respond to and mitigate an Iranian response. Yet for cyber responses against the US homeland, the public and only observable response is to shunt responsibility for defense to asset owners and operators to prevent such activity on their own.

Admittedly, network owners can and should do a lot to better secure, harden, and reduce the attack surface of their networks. But the near abdication of responsibility for actively defending such networks or working to deter those who would attack them by providing advice such as “Shields Up!” is curious and almost disgusting. Yes, asset owners should do more to defend themselves, but against international (or even domestic) criminal syndicates and state-directed or -sponsored adversaries, Leviathan has a responsibility to do something beyond merely advocating for greater private sector action.

The dislocation between physical and cyber security postures in state defensive decision making is confounding in many ways. While the cyber problem may be “hard” for a variety of technical and attributive reasons, the dereliction of duty of state authorities in pushing back against criminal and external entities operating with malicious purpose in this domain is astounding. That so many have at minimum accepted “Shields Up” as “reasonable response” should be shocking on its own, yet remains the state of the now with respect to information security in the United States.

Note: This is an ongoing topic of research and analysis so expect more in the future on this subject!