Saturday, November 23, 2024

Critical infrastructure attacks aren’t all the same: Why it matters to CISOs

Must read

Viewed this way, the more serious of the critical infrastructure threats that American officials describe – the one from Beijing – is counterintuitively tied to the most common of the activities we associate with critical infrastructure attack. Critical infrastructure operators in advanced economies see millions of intrusion attempts each year. These attempts are arguably to build capacity for widespread disruption rather than punctuated assaults on single points of national vulnerability. This complicates security planners’ attempts to predict and mitigate the most severe threats. How can we assign risk to counter critical infrastructure incidents in a world where punctuated disruption is rare and calamitous threats are among the most common?

Critical infrastructure attacks as strategic competition

The answer lies with treating national critical infrastructure threats as a dimension of strategic competition among nation-state actors and their proxies. This doesn’t only mean static alignment of threat profiles with high-level assessments of national interest. It’s easy to see pro-Iranian or pro-Chinese (or pro-American, pro-Israeli, pro-Turkish, etc.) motivations behind cyberattacks that make news headlines. Iran’s attack on Israeli industrial controls development suggests a desire to threaten Tel Aviv’s domestic base during the current conflict. Russia’s digital assault on Viasat during the opening hours of the 2022 invasion of Ukraine is a clear representation of Moscow’s need to create momentary vulnerabilities in Kyiv’s command-and-control apparatus.

These obvious linkages tend to be the stuff of crisis. Cyber operations deployed by state actors and their proxies occur in the context of competition that extends far beyond crisis moments. Strategic competition itself is a mutually constituted environment in which actors clash to secure favorable outcomes in line with their interests. It is mutually constituted because actors are connected to one another via numerous systems – social, political, economic, and (most significant for our purposes) cyber-physical infrastructure. This global environment is institutional in nature, as these political entities need organization to manage connectivity and manage vulnerability.

The result is a global landscape of cyber critical infrastructure attacks defined by the interaction of cybersecurity’s operational realities with the institutional quirks of national security establishments. Iran’s recent attacks and the Russia-backed attack on Viasat represent moments where institutional alignment with core geopolitical objectives neutralize the common argument against the utility of critical infrastructure disruption. Victories earned via cyberspace are almost always temporary and can be patched in relatively short order. Only in situations where momentary gain enables other national objectives or serves as a signal of intent are these kinds of attack common.

By contrast, the kind of threat that Wray and Easterly warned about – a slow-burn build-up of capacity for multi-faceted disruption – emerges when high connectivity and widespread vulnerability are married to opportunities for stealth and a limited organizational capacity for adaptive response. 

Severity as co-dependency

To understand this point, remember the distinction between reality and the common view of attacks against national critical infrastructures as one that emphasizes singular threat outcomes. An attack on electricity grid facilities may cut power to entire municipalities, leading to second-order hazards such as disrupted traffic regulation systems or limited access to medical services. A water treatment facility attack might introduce unsafe levels of lye into a local supply, causing illness or even fatalities at scale.

Latest article