Sunday, December 20, 2020

Call It What You Like - But Complete Access To Digital DNA Has No Precedent

 wired |  In terms of the SolarWinds incident, the deterrence game is not yet over. The breach is still ongoing, and the ultimate end game is still unknown. Information gleaned from the breach could be used for other detrimental foreign policy objectives outside of cyberspace, or the threat actor could exploit its access to US government networks to engage in follow-on disruptive or destructive actions (in other words, conduct a cyberattack).

But what about the Department of Defense’s new defend forward strategy, which was meant to fill in the gap where traditional deterrence mechanisms might not work? Some view this latest incident as a defend-forward failure because the Defense Department seemingly did not manage to stop this hack before it occurred. Introduced in the 2018 Defense Department Cyber Strategy, this strategy aims to “disrupt or halt malicious cyber activity at its source.” This represented a change in how the Defense Department conceptualized operating in cyberspace, going beyond maneuvering in networks it owns, to operating in those that others may control. There has been some controversy about this posture. In part, this may be because defend forward has been described in many different ways, making it hard to understand what the concept actually means and the conditions under which it is meant to apply.

Here’s our take on defend forward, which we see as two types of activities: The first is information gathering and sharing with allies, partner agencies, and critical infrastructure by maneuvering in networks where adversaries operate. These activities create more robust defense mechanisms, but largely leave the adversary alone. The second includes countering adversary offensive cyber capabilities and infrastructure within the adversaries’ own networks. In other words, launching cyberattacks against adversary hacking groups—like threat actors associated with the Russian government. It isn’t clear how much of this second category the Defense Department has been doing, but the SolarWinds incident suggests the US could be doing more.

How should the US cyber strategy adapt after SolarWinds? Deterrence may be an ineffective strategy for preventing espionage, but other options remain. To decrease the scope and severity of these intelligence breaches, the US must improve its defenses, conduct counterintelligence operations, and also conduct counter-cyber operations to degrade the capabilities and infrastructure that enable adversaries to conduct espionage. That’s where defend forward could be used more effectively.

This doesn’t mean deterrence is completely dead. Instead, the US should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect.