A few weeks ago I got a text from a good friend asking if I’d be willing to assist a client on how they could strike back against a set of hackers who were harassing their corporate sites. I politely declined the invitation but offered to help them with other ideas on deterrence.
But the request piqued my curiosity so I made some additional inquiries with other friends, companies, and past associates. As the barrier to entry for cyber continues to decline, coupled with the ability of individuals, or loosely confederated individuals, to act at nation-state levels, would there be a strong market for offensive cyber capabilities to help deter attackers? The answer is obviously yes, but creates an interesting set of questions about what a corporation would, could or should do in the face of relentless cyber attacks.
A bit of history
If we think back to the 1950’s and the Cold War, the strategy then was one of ‘Mutually Assured Destruction.’ Meaning, that the arms race in the kinetic world is based on the concept of deterrence- we have more weaponry that would survive a first strike and be able to hit back at a near equal level to ensure non-survivability. That meant that war had to be waged through intermediaries, or conflicts of containment, but that overall, nuclear war, while threatened, would not be a realistic option as the proportionality of the response would stop, or deter, anyone from making a first strike.
Cyber and the concept of ‘Mutually Assured Destruction’
There are several driving factors that are balancing the current Cyber conflict. One is the lack of deterrence. There is no ‘Mutually Assured Destruction’ for anyone launching or coordinating a cyber attack. In the commercial world this means that any company, or person, is an open target for hacking and there is no way to create the capacity to deter an adversary from launching a first, second or ‘nth’ strike against any target.
The second factor that exists is one of ‘destruction.’ To-date, there has been no cyber attack that has actually damaged a company beyond repair, or recoverability. The downside to cyber attacks is public embarrassment, people losing jobs, and a payout to help protect consumers. Lost Intellectual Property is a large issue, but this results in loss of margin, loss of business, and eventually, a slow death to competitors, but again, to-date, no company has gone immediately out of business as a result of a cyber attack, or least one that has been publicly acknowledged at scale.
Another factor is the concept of ‘proportionality.’ To-date, kinetic war in the modern era is about a proportional response that can be measured in specific ways. In the cyber world, there are many unforeseen circumstances that make ‘proportional’ difficult to assess. An example would be STUXNET. Once used, the virus was forensically contained, stripped, and new payloads added and re-directed at new attack vectors. In cyber, the result of an attack is that you automatically provide free research and development to any potential adversary and the idea of a contained, or targeted attack is highly difficult.
The last factor influencing the Cyber conflict is the ability to quickly and reasonably identify an adversary. Given the nature and the mutability of compute and identity, it is difficult to identify and attribute an attack to a single individual outside of State-sponsored attacks, and even there, it is difficult to provide 100% accuracy in the attribution if the attacker is highly competent.
Every company today has a slippery slope they must tread. In light of little deterrence factors, and the fact that few companies go out of business due to cyber attacks, should they use offensive cyber capabilities to defend the enterprise?
These capabilities exist, and a company could easily create an offensive cyber center if desired. The technology and knowledge to build cyber ‘weapons’ is easy to obtain, and you could find qualified people to research and ‘build’ these countermeasures, but should they be used?
Would the CEO or Board of a company authorize, or have the wherewithal to actually launch a cyber attack against a perceived adversary?
The risk of offensive Cyber
I think that the answer should be ‘no.’ First, attribution is difficult, and moving the target surface for an attacker is easier than the infrastructure of a known company. Hitting back would be fraught with danger and potential fall-out. Unlike kinetic weapons that have a specific ‘shelf-life’ (ie, the point of detonation), cyber weapons can have un-expected outcomes, like the aforementioned STUXNET that became a commonly used payload delivery exploit once launched. So, the first consideration for any CEO/Board would be dealing with unexpected outcomes that could be traced to your company. Would a Fortune 100, or Fortune anything, be willing to take that risk?
Second would be public impact should it become known that a company launched an offensive attack? In some cases, there could be sympathy, but if unexpected outcomes (an attack going viral) would occur, would the public raise an outcry?
Thirdly, there could be an increase in counter-attack by the initial adversary that could put a company out of business, or a CEO out of a job. In the end, the downside could be the opposite of the desired effect.
In the future, I would expect that every CEO and Board will have the discussion about utilizing offensive cyber capabilities to deter perceived attackers. However, given the asymmetric nature of cyber, the downside wouldn’t actually stop an attacker, but would increase the volume of attack against the company, and perhaps that would create the catastrophic event that could potentially put a company out of business.