Whenever the cybersecurity community — technical analysts, policy wonks, government officials, journalists on the beat, etc. — talk about how we perceive or interpret a threat publicly, we are providing material that could be exploited by the responsible adversary in a feedback loop. This feedback loop may inform how that adversary conducts its future operations, to include how it determines what goals and effects are attainable. This dynamic is not limited to cyber threats: the adage that “The enemy gets a vote” is as ubiquitous as it is old for a reason. But I believe in the case of state-nexus cyber threats, the manner in which some of the loudest voices in our field discuss threats currently is so distortive as to outright enable a degree of adversary advantage.
Just over two months ago, I said this in response to the tone of how a major outlet was covering a large-scale campaign of cyber espionage:
In that outlet’s latest reporting regarding U.S. government responses to multiple instances of malicious state-nexus cyber activity — none of which has involved a demonstrated attack component (i.e., disruption, denial, degradation, or destruction initiated and performed via cyber means) — two statements caught my eye: first, the current state of affairs was described as one of “escalating cyberconflict”; and second, recently disclosed China-nexus activity was characterized as potentially “a prelude to far more destructive activity”.
In short, both of these characterizations are — in my opinion — dangerously incorrect.
Despite high-profile disclosures related to supply chain compromise activity or the exploitation multiple zero-days in a key piece of software, neither of these things are signs of conflict escalation. What they are is reflections of what has been the state of play for quite some time, except now the mainstream discourse happens to be paying closer attention. Non-Five Eyes (FVEY) governments have and will continue to pursue espionage objectives through cyber operational means, often without the kind of target discrimination that Western audiences feel amounts to “playing fair” despite the fact that FVEY governments (including the U.S.) do similar things.
Certain hostile activity may be exceptionally sophisticated or large in scale and scope, but what we’ve seen over the last several months is by no means tactically unprecedented or even particularly vicious by existing standards. For example, neither of these developments involved denying critical infrastructure to human beings (see: Ukraine, 2015 & 2016) or disrupted a significant global event (see: the PyeongChang 2018 Olympics). Instead, media reporting and statements by political figures have sought to frame activity as escalatory — if not down right threatening — purely on the basis of scale. What has taken shape appears to be the pursuit of adversary parity in operational discrimination on the basis of histrionics.
Now take the recently-disclosed China-nexus activity, wherein multiple zero-day vulnerabilities were (and are) being exploited to compromise Microsoft Exchange servers. Here’s what that initial activity boils down to in terms of “escalation”:
Now, by no means do I intend to downplay the massive scale of recent Exchange server compromises, the general risks of such compromises (especially should an eCrime actor use one as a foothold for eventual ransomware delivery), or the time and effort that will go into remediating them — “F”s in the chat for the incident response community. But, at the time of this writing, I have seen nothing offered to support the idea that the state-nexus component of this malicious activity has particularly disruptive/destructive intent — latent or otherwise — aside from how large its victim pool is. While the precise reason for the speed with which this activity’s volume grew remains unclear, it is apparent to knowledgable cybersecurity practitioners that multiple actors are now at work and that not all of them necessarily appear to have a state-nexus.
As was the case of justifying likely sanctions related to recent supply chain compromise activity, I can only interpret the rush to characterize the Chinese state-nexus exploitation of these vulnerabilities as somehow laced with latent destructive intent as an attempt — yet again — to find a fig leaf with which to condemn something that we shouldn’t be necessarily surprised by.
And it is in the selection of that fig leaf that we give the adversary an extra vote in how future activity will be dealt with. In two cases of noteworthy intrusion sets, the breaking point by the U.S. government appears to have been defined as: “Absent target discrimination, state-nexus activity at a certain scale is automatically considered to pose a destructive effect risk — no matter what the activity itself actually looks like.” In the wake of events like NotPetya and WannaCry, such a (gasp) red line does not seem entirely surprising, but it sacrifices reality on the altar of political rationale while expecting adversaries’ ethics to mirror our own. This presents two risks:
- The U.S. government, itself a fan of cyber operations at scale, incentivizes reciprocal punishment against itself should foreign governments choose to pointedly attribute America cyber activities. Calling another nation hypocritical is something government spokespeople the world over relish, and could be a powerful narrative vehicle for hardliners abroad to justify actions that might actually be reasonably described as escalatory.
- As I’ve said before, the more we are seen wringing our hands and playing the victim in a game that FVEY nations play at scale regularly, the more we show our adversaries how to manipulate public narratives through future operations that are — in the grand scheme of things — business as usual. Mature threat actors not only pay attention to the collateral effects of their activity, but the responses to those effects, and incorporate those lessons into future operations.
This is the truest essence of the “extra vote”. Choosing hyperbolic outrage over nuanced analysis of what actually happened in response to an incident weakens our defense against future malicious activity while also reinforcing to adversaries that they can send us into a tailspin of FUD without having to engage in anything more than large volumes of non-disruptive activity. Having written about what that might look like, I am increasingly concerned that exploitation of exaggerated threat perceptions will be a powerful tactic for adversaries in the years to come.
The real threat in cybersecurity that I feel deserves more of a “Chicken Little” amount of urgency is the code quality problem that quietly persists, continuing to represent an ever-growing boon to state-nexus and eCrime adversaries alike. But that’s not something that can be sanctioned or is likely to sell digital newspaper subscriptions.