Continuity of Operations in Contested Cyberspace

Noel Zamot
May 10, 2021 · 3 min read

SolarWinds. The Colonial Pipeline. What’s next?

The honest answer is “We don’t know.” One thing is certain: The next major infrastructure attack is already underway. Hackers are already present in our systems — we just don’t know where.

We were shocked earlier this year after discovering the full extent of the SolarWinds attack. Russian backed hackers used an innocuous IT tool to provide a back door into sensitive government computers. We woke up to a hostile actor in our systems, surveilling us — without our knowledge — for months. This week a related actor — the Russians are everywhere these days — hit America where it hurts the most: the pump.

“How do we protect ourselves from cyber threats?” is no longer a good enough question. We must ask something previously inconceivable: “How do we survive with unknown hostile adversaries operating in our midst?”

In the final months of my tenure as the Commander of the Air Force’s Test Pilot School, our military leadership asked us a seemingly innocuous question: “How do we prevent stealth fighters from getting hacked?” In those days, no one knew the answer. Traditional network security was insufficient for complex systems like stealth fighters, satellites, or spacecraft. We were living the IT/OT conundrum on steroids, and the stakes were huge: the defense and lethality of our most advanced weapon systems.

Instead of trying to keep an adversary out, we asked a different question. Could we still perform our mission even with an adversary inside our system, mucking up the works? The approach seemed silly. Conventional wisdom dictated that keeping adversaries out was the definition of protecting any system. Yet many of us in the military differed. Adversaries had historically designed entire campaigns around long-dormant “sleepers” who sprang into action at the most inopportune times. Keeping an invisible, unknowable adversary out of our patched-together systems was difficult. We adopted a better methodology: ensure you could still do the mission, regardless of the threat. The disruptive approach was successful. Test organizations in the military continue to use similar heuristics, developing resilient systems which can operate in contested cyberspace.

There are many system similarities between a fifth generation stealth fighter and a power plant, hospital, or pipeline. The patchwork of operational technologies in those sprawling systems makes cyber protection difficult. Cyber solutions for these diverse systems may benefit by a mission-focused approach. Most powerful when implemented in design, these approaches are still effective for mature systems.

So what? Executive leaders would do well to spend time defining essential organizational objectives. Define data policy in terms of mission accomplishment instead of porous access control. Focus on deploying tools to ensure continuity of operations, instead of expansive (and expensive) “whack-a-mole” protection against unknown adversaries. Test the system regularly, evaluate on mission assurance, and repeat. An iterative approach will uncover previously unknown mission needs and allow organizations to deploy resources effectively. Focusing on mission accomplishment has a pleasant side effect: cost-effective technology deployment. Our mantra: “There is not enough money in the world to protect from every conceivable cyber attack. Ensuring the mission is far less expensive.”

Ensuring continuity of operations in contested cyberspace is not about miracle cures — it takes hard work, focus, and disruptive thought. We live in a world where you are either the target of a cyber attack, or you don’t yet know you are the target of a cyber attack. Knowing this brutal fact allows us the freedom to think differently to ensure our society continues to function, no matter the next surprise.
