Cyber Security as Counter-Terrorism: Seeking a Better Debate
Earlier this month, a senior Justice Department official referred to ransomware as a potential “cyber weapon of mass destruction.” When hackers subsequently disabled the Colonial Pipeline, causing fuel shortages and disruptions along the East Coast, it seemed to validate this warning. But it would be a mistake for the policy establishment to double down on an outdated view of cyber conflict rooted in Cold War analogies. To improve U.S. cyber security, policymakers should draw instead on more relevant strategic lessons from the study of terrorism and counter-terrorism.
The tendency to draw simple comparisons between cyber and nuclear attacks has been repeatedly critiqued, but the residue of this thinking lingers. Debates over how to deter or punish cyber attacks still frame them as infrequent and catastrophic. In practice, though, cyber security looks more like counter-terrorism than nuclear strategy — with frequent and repeated interactions between antagonists, a continual contest for information, and multi-party engagements amidst a sea of unaligned parties. Approaching cyber security with reference to counter-terrorism strategy would offer benefits to policymakers, particularly by highlighting the importance of ruthlessly prioritizing risk, winning the intelligence competition, privileging detection over reaction, and promoting strong private sector cooperation.
Like cyber attacks, terrorist operations rarely resemble traditional military conflicts. Engagements are frequent and iterated rather than rare and catastrophic. Because terrorist organizations seek to cause fear and sow political discord, they can choose from a wide variety of targets. As a result, counter-terrorism organizations are often forced to defend against attacks that are difficult to predict because they have a range of potential civilian targets. For example, over a roughly seven-month period between 2015 and 2016, Palestinian groups perpetrated a wave of indiscriminate knife attacks against Israelis. These attacks, some premeditated and some spontaneous, were carried out in public by assailants ranging from adolescents to seniors, with the seeming arbitrariness instilling a particular sense of fear among Israelis. While defending against every attack would have been impractical, Israeli police installed metal detectors in strategic locations, such as the Old City of Jerusalem, to limit the risk of attacks in the locations where they would have the greatest consequences.
Approaching cyber security in similar terms means moving away from an all-or-nothing approach and recognizing that it is also a domain in which myriad engagements occur daily and adversaries will eventually find ways to get in. This is the compelling insight behind the idea of “constant contact.” A counter-terror approach to cyber security emphasizes that “success” is about competing more effectively, not creating an absolute guarantee against loss. This means that preparing for cyber attacks is not about defending an arbitrary perimeter. Rather, defensive efforts should emphasize the ruthless prioritization of risk by applying the most effective methods of defense and detection against points of greatest value to the attacker. In our recent report, “Broken Trust: Lessons from Sunburst,” the very first recommendation we make is for a “blast radius” assessment of U.S. government information networks. This would involve rigorously evaluating the risk associated with all of the systems and technologies in the .gov and .mil domains. By no means a small task, the process would help harden these networks at their most vulnerable points and kick off useful debates about how best to assess and rank the risks they face. This idea of blast radius is informed by the logic of physical risk management and emphasizes anticipation, speed of detection, and harm limitation. The latest executive order on cyber security, despite using the word risk 15 different times, says little about which risks merit more attention than others.
Thinking of cyber security in terms of counter-terrorism can also help draw attention to the fact that it is ultimately an intelligence contest. As in cyber security, “everything that is done in countering terrorism has to be based on intelligence,” often gathered from local sources who have intimate knowledge of the area and populations in which terrorist operatives hide. Consider the recent Sunburst hack in which an adversary gained access to SolarWinds’ Orion software. Once SolarWinds unknowingly distributed the compromised software to thousands of organizations, the adversary then homed in on a smaller subset of intended targets, ultimately compromising a number of U.S. government agencies. The adversary responsible for this campaign likely studied the target networks for a long period before launching their operation, learning SolarWinds’ vulnerabilities and how to hide from U.S. government defenders. The Sunburst campaign employed multiple techniques to hide the malware’s operation, meaning they were able to sit inside and collect data from government entities and leading technology companies for months without detection. The success of this campaign suggests the United States and its partners were already losing the intelligence contest in their own networks before the hack took place.
Among other things the United States government should do to respond to this intelligence challenge would be to share information with selected private sector partners with an eye towards operational collaboration. For example, the Cybersecurity and Infrastructure Security Agency’s new Joint Cyber Planning Office could coordinate information sharing between appropriate private and public intelligence entities, particularly core technology and platform vendors whose products provide the greatest points of leverage over America’s information domain.
Cyber security and counter-terrorism also share an inevitable focus on private actors — as targets and victims, as influential intermediaries, and as bystanders. Counter-terrorism organizations must be able to operate among these actors. They must be able to operate in familiar cities and social environments where they understand people’s baseline behavior but also confront massive amounts of disparate information. In fighting terrorism, then, security services face the challenge of finding something hostile in the familiar. Cyber security defenders face this same challenge, but they have an advantage in that cyberspace is a man-made domain that is subject to (some of) the whims of its designers. Focusing too much on response and retaliation fails to exploit this advantage. Instead, policymakers should help build up private sector capacity to more rapidly detect and respond to enemy operations. We recommend, for example, that the Cyber Security and Infrastructure Security Agency organize semi-annual “breach response hunger games” that pit agencies against one another in trying to detect and remedy simulated breaches in the shortest possible time. The goal in these competitions is less to implement idealized controls and more to drive innovation in detecting and ejecting attackers. The competition would reward speed with funding and help promote the most effective agencies as a model for others.
U.S. Cyber Command’s 2018 Defend Forward strategy makes progress away from the characterization of conflict in cyberspace as infrequent and catastrophic. Yet, the rhetorical logic of retaliation and deterrence still echoes loudly in calls for responding to the Sunburst campaign and even more recently after the Colonial pipeline ransomware incident. In response to Russia’s complicity in the Sunburst campaign, for example, Sen. Mitt Romney called the hack “an invasion” that “demands a response.”
There will and should be a U.S. response to these campaigns. But Washington would be best served by ensuring that this response is pragmatic and preventive rather than punitive. Despite overwhelming investments in security and decades of political rhetoric, there are no impregnable cyber castles and no practical guarantees of perfect cyber security. The reality is an ugly and iterative contest between asymmetric players where the measurement of success looks more like a better batting average rather than a transition from war to peace. Progress is incremental and “winning” is marginal. These cyber realities match the operational and strategic realities of counter-terrorism, defined by low-intensity conflict, dynamic intelligence contestation, and the centrality of private non-combatants. Recognizing and building upon the lessons of counter-terrorism is essential, therefore, if America hopes to improve its average and get more marginal wins going forward.
Simon Handler is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate, where he worked on foreign policy issues.
Emma Schroeder is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. Her focus is on developing statecraft and strategy for cyberspace that is useful for both policymakers and practitioners. Her research background is in military history, particularly the development of irregular warfare strategy.
Trey Herr, Ph.D., is the director of the Cyber Statecraft Initiative at the Atlantic Council. His team works on cyber security and geopolitics, including cloud computing, the security of the internet, supply chain policy, and cyber effects on the battlefield. Previously, he was a senior security strategist with Microsoft and a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School.