The world is in a contest for geopolitical advantage. Perhaps that has always been the case. We merely substituted the reconnaissance and surveillance of telegrams, telephones, signal flags, wigwags, and morse code for a continuous cycle of largely uninterrupted destruction, espionage, sabotage, and surveillance in cyberspace. What is certain is that cyberspace is now in the foreground for geopolitical competition.
Such uninterrupted destruction, espionage, sabotage, and surveillance require highly advanced and targeted cyber weapons, which in turn require knowledge of vulnerabilities. This is where zero-days enter the game. A zero-day vulnerability is unknown to those interested in mitigation, like a software vendor with zero days [hence the name] to repair a vulnerability once known. However, nowadays, vulnerabilities are primarily kept secret because reporting bugs to software vendors subverts the political objectives of nation-states, who are willing to pay the most for unknown vulnerabilities. In other words, preparing for offensive operations involves stockpiling vulnerabilities, making everyone less secure. It is mutually assured destruction without rational deterrence. As we obtain more of one, we all have less of the other.
Offensive cyber goals produce strange moral hazards and externalities. For example, it is widely known that US government agencies support weak or no encryption and work with technology companies to secure back-door access to software to surveil enemies. As they say, “knowing is half the battle.” However, these weaknesses and vulnerabilities are the same weaknesses and vulnerabilities hackers exploit to surveil their enemies. The result is that everyone is insecure. If your country benefits, you may feel ambivalence over these subversions if they create advantages for domestic military operations or better diplomatic and economic decisions. Unfortunately, the advantages are getting narrower for everyone, and the externalities are becoming more noticeable.
Countries like Iran, North Korea, China, and Russia can achieve geopolitical goals and avoid military provocation using cyber operations. The same is not true for deploying tanks to a foreign capital city. We can see elements of this in the Ukraine war, where seven years of provocation were not met with force, only sanctions. While other countries may not tolerate what Ukraine tolerated, all countries seem willing to accept some cyber warfare which is problematic for everyone with an internet connection. These countries want parity, and cyber enables a more competitive landscape.
Moreover, there are growing demands for everyone to build these capabilities, and the losers will be civilians, business owners, and infrastructure companies. Offensive cyber operations could even replace diplomacy. It may be very seductive for politicians and diplomats to turn to cyber operations when talking breaks down or because someone can’t get their way. The result may be a perpetual, slightly warmer than cold, but not warm global war.
To be sure, things can get worse. An attack on the pumps at a sewage treatment plant, the values on a gas pipeline, water control values on a dam, the robotic process automation on chemical plants, food and beverage manufacturers, or car assembly lines, the stock market, the electric grid, or bedside medical devices would all represent an escalation. What troubles me most is not that things can get worse. Things can always get worse. What bothers me is that it can’t get much better. As long as we subvert defense for offense, everyone will be insecure. It turns out that the best defense is not a good offense but a good defense.
Let’s discuss how we can safeguard against things getting worse. First, avoid offense. Instead of launching a counterattack, focus on defending systems and networks and responding to incidents to minimize damage and disruption. Aside from the moral hazards and the conflicting goals, companies must understand that launching a counterattack has severe legal and ethical implications, as many countries have rules and regulations prohibiting unauthorized computer system access, regardless of the circumstances. Additionally, a counterattack could cause unintended damage to third parties, leading to legal and financial repercussions.
It also includes the following: