Offensive Cyber: Moral Hazards and Externalities

The world is in a contest for geopolitical advantage. Perhaps that has always been the case. We merely substituted the reconnaissance and surveillance of telegrams, telephones, signal flags, wigwags, and Morse code for a continuous cycle of largely uninterrupted destruction, espionage, sabotage, and surveillance in cyberspace. What is certain is that cyberspace is now in the foreground of geopolitical competition.

Such uninterrupted destruction, espionage, sabotage, and surveillance require highly advanced and targeted cyber weapons, which in turn require knowledge of vulnerabilities. This is where zero-days enter the game. A zero-day vulnerability is one unknown to those interested in mitigating it, such as a software vendor, who has had zero days (hence the name) to repair the vulnerability once it becomes known. However, nowadays, vulnerabilities are primarily kept secret because reporting bugs to software vendors subverts the political objectives of nation-states, who are willing to pay the most for unknown vulnerabilities. In other words, preparing for offensive operations involves stockpiling vulnerabilities, making everyone less secure. It is mutually assured destruction without rational deterrence. As we obtain more of one, we all have less of the other.

Offensive cyber goals produce strange moral hazards and externalities. For example, it is widely known that US government agencies support weak or no encryption and work with technology companies to secure back-door access to software to surveil enemies. As they say, “knowing is half the battle.” However, these weaknesses and vulnerabilities are the same weaknesses and vulnerabilities hackers exploit to surveil their enemies. The result is that everyone is insecure. If your country benefits, you may feel ambivalence over these subversions if they create advantages for domestic military operations or better diplomatic and economic decisions. Unfortunately, the advantages are getting narrower for everyone, and the externalities are becoming more noticeable.

Countries like Iran, North Korea, China, and Russia can achieve geopolitical goals and avoid military provocation using cyber operations. The same is not true for deploying tanks to a foreign capital city. We can see elements of this in the Ukraine war, where seven years of provocation were not met with force, only sanctions. While other countries may not tolerate what Ukraine tolerated, all countries seem willing to accept some cyber warfare, which is problematic for everyone with an internet connection. These countries want parity, and cyber enables a more competitive landscape.

Moreover, there are growing demands for everyone to build these capabilities, and the losers will be civilians, business owners, and infrastructure companies. Offensive cyber operations could even replace diplomacy. It may be very seductive for politicians and diplomats to turn to cyber operations when talking breaks down or because someone can’t get their way. The result may be a perpetual, slightly warmer than cold, but not warm global war.

To be sure, things can get worse. An attack on the pumps at a sewage treatment plant, the valves on a gas pipeline, the water control valves on a dam, the robotic process automation in chemical plants, food and beverage manufacturers, or car assembly lines, the stock market, the electric grid, or bedside medical devices would all represent an escalation. What troubles me most is not that things can get worse. Things can always get worse. What bothers me is that it can’t get much better. As long as we subvert defense for offense, everyone will be insecure. It turns out that the best defense is not a good offense but a good defense.

Let’s discuss how we can safeguard against things getting worse. First, avoid offense. Instead of launching a counterattack, focus on defending systems and networks and responding to incidents to minimize damage and disruption. Aside from the moral hazards and the conflicting goals, companies must understand that launching a counterattack has severe legal and ethical implications, as many countries have rules and regulations prohibiting unauthorized computer system access, regardless of the circumstances. Additionally, a counterattack could cause unintended damage to third parties, leading to legal and financial repercussions.

Safeguarding against things getting worse also includes the following:

  • Use strong, unique passwords that are easy to remember for all accounts. Do not use password managers. If available, use two-factor authentication (2FA). If possible, implement 2FA at your company.
  • Ideally, secure your code and keep it in different locations. If securing code is impossible, keep your code repositories in multiple locations.
  • Back up data regularly. Don’t use decentralized backup methods. NotPetya showed that organizations could lose all their computers.
  • Keep all software and devices updated with the latest security patches.
  • Be paranoid (not just cautious) about clicking on links or downloading attachments from unknown sources. Otherwise, be aware of phishing scams and other social engineering tactics.
  • Use anti-virus and anti-malware software. They are sh!t, but they are guards against beginners and more advanced adversaries coming back around on old exploits.
  • Use threat intelligence not because it is a perfect tool but because it provides insight into the threat landscape and actors, along with their latest tactics, techniques, and procedures.
  • Use advanced threat detection. Ensure the vendor is using machine learning, understands why they are using machine learning, and can explain how their solution may impact the discovery of hygiene issues and zero-days.
  • Do not trust any advanced threat detection vendor that promises to find zero-days. It is not a promise that a vendor can make.
  • Have an incident response and disaster recovery plan and have a response and recovery team on speed dial. Otherwise, perform forensic analysis, patch vulnerabilities, and communicate with affected customers and stakeholders.
  • Review and update the incident response and disaster recovery plans regularly.
  • Report bugs.