The big problem with bad cyber analogies

Because cybersecurity events are complicated, we rely on analogies to understand how they work. Analogies are useful, but certain oversimplifications are perpetuating inaccurate narratives. These inaccuracies misdirect productive discussion and as a result, proposed policy and solutions are being based on faulty assumptions. A faulty premise can only yield flawed results…and cyber national security is not an area in which the United States has margin for error.

The nature of both print and broadcast media require big ideas to be distilled down to hot takes and pull quotes for quick and easy ingestion. An accurate analogous explanation is helpful when laid out by skilled subject matter experts. However, most prime-time political pundits and self-proclaimed cyber authorities lack novel technical or strategic insight. As a result, off-based discussion is happening daily at a national level further perpetuating and amplifying inaccuracies on this critical subject.

For example, reports of companies ‘hit by cyberattacks’ suggests that cyberweapons are similar to ICBMs: Precision weapons, delivered with hypersonic speed from a long-distance adversary, that inevitably resolve with breach and explosion. This is not at all how offensive cyberweapons work.

A more accurate analogy: Special force operations. Significant cybersecurity events are long, incremental operations executed in three phases: insertion (getting inside the target’s perimeter), reconnaissance (orientation and target exploration) and operations (mission objective execution). Mission objectives vary by target and adversary priority, and could include encrypting a network for ransom, exfiltrating data, building backdoors for later access, or any number of other tactics designed to degrade, disrupt, surveille, or sabotage a target. Each phase requires a few days to a few months to execute without being discovered. Advanced persistent threat (APT) cyber operations are targeted, coordinated and executed in specialized military or intel agency teams that are often based here in the United States. Without a basic understanding of adversary capabilities and intent, any subsequent discussion is irrelevant.

Attribution in the cyber domain is also grossly misunderstood. While cyber aggression is not visible in the traditional sense, they are by no means anonymous. Conclusive attribution, provenance and step-by-step details of security events are always available through an industry-standard digital forensic process. Stating (incorrectly) otherwise grants the adversary the stealth cover and plausible deniability that they, in fact, do not actually have.

The proverbial ‘Cyber Pearl Harbor’ is almost always used in the wrong context. The attack on Pearl Harbor was an important pretext for entering WWII, but no cyber event has caused a declaration of war. Pearl Harbor was the first military aggression that targeted the US homeland, but the current scale and persistence of nation-state cyber aggression on domestic critical assets is hardly comparable to bombing one Hawaiian port. On any given day, thousands of American companies are subject to disruptive cybersecurity events. Over 85% of critical infrastructure is in the private sector and investor-owned companies prioritize keeping security events out of public discourse in order to maintain trust in their brands. A true Cyber Pearl Harbor event is unlikely to be overtly known because the victim will exercise their right to privacy.

Words matter. Especially when they lead to panic buying, market fluctuations and executive orders. Instead of characterizing cybersecurity events as terrifying, sudden attacks by shady perpetrators, reframe the narrative with an accurate analogy: death by a thousand papercuts. The major threat actors are independently pursuing their national interests, but the cumulative effect of their combined efforts is an effective campaign of erosion to both American critical infrastructure and intelligent discourse.

Adversaries are beyond testing the DoD’s commitment to defend American assets in the cyber domain. They are instead deftly exploiting the conflicting authorities and civilian-sector distrust of federal law enforcement and intelligence agencies that leave the cyber homeland perpetually vulnerable. Focusing on strategy that disrupts or deters adversary operations rather than preventing an inevitable breach is a better line of discussion. Changing the adversary’s cost benefit calculus and shifting the tactical advantage to the defense is key, but it is rarely discussed even in erudite circles.

Adjusting analogies to reflect reality more accurately will foster productive discourse toward viable solutions. A clear and common understanding of the threat is essential for designing a viable response. The resources and strategy required to defend against an ICMB strike would do nothing to stop or deter a special operations unit. The myopic focus on buzzword-laden, silver bullet solutions supported by inaccurate analogies are a detriment to U.S. national security.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.