Countercyberspace Operations
Harrowing Truth About the Current Condition
A well-known fact: Civilian critical infrastructure companies comprise the majority of the cyber theater. These noncombatants face persistent, focused aggression from enemy cyber combatant commands. They are the nation’s first line of defense… but they have no strategy, no military training, no leader, no timely intelligence, no common operating picture, no understanding of commander’s intent, no lateral communication abilities, no force synchronization, a myopic understanding of adversary objectives, and unequally distributed, inadequate defenses.
You could not orchestrate a better strategy for certain defeat.
It’s no longer a secret that advanced persistent threats (APTs) have already breached top critical civilian targets. This overwhelming enemy presence in civilian critical infrastructure IT/OT systems means that the majority of the cyber terrain has already been ceded to the adversary.
For US policy makers, cyber aggression does not rise to the level of armed conflict. But for Russia and China, it does… and the adversary gets a vote. Because they think we’re fighting an armed conflict, we are fighting an armed conflict (regardless of label). And in this armed conflict adversaries are already deeply entrenched in American territory.
For now, they are winning.
Because we work, shop, communicate, manage finances, and build and store our reputations online, it’s essential that all conflict stakeholders (noncombatants, warfighters and policy makers alike) have an unequivocal understanding that adversary cyber aggression is a stealth invasion of the American homeland and that civilian IT/OT systems are contested environments.
Which begs the question: Who is leading the counterattack?
To me, the answer is harrowing: No one. No one is leading the counterattack and APTs relentlessly attack with impunity.
The JP 3-12 for Cyberspace Operations lays it out in detail, but the short explanation is that the US military only fights abroad. While the DoD is charged with protecting America writ large, it is not responsible for defending civilian institutions (especially investor-owned companies). And this civil-military delineation is a good thing: the lack of military presence in daily civilian life is a distinction that separates us from fascist and communist countries.
Yet, as established in the opening paragraph, it’s unreasonable to expect noncombatants to mount an adequate defense against well-trained major threat actors. Furthermore, noncombatants lack the authority (and ability) to effectuate offensive cyber operations. And no armed conflict has ever been won by resilience and unarmed defense alone.
The cyber domain is a warfighting domain just like land, sea, air, and space. It is one that is inextricably enmeshed in noncombatant welfare and business continuity (crucial for the projection of economic power). Yet full spectrum dominance is an essential condition for victory in multi-domain military operations, and at minimum, domain decision advantage is essential for single-domain warfare. Given the overwhelming adversary presence in a contested part of the domain over which the DoD has no authority during times of not-war, in the current condition the US is unable to attain cyber domain superiority and cyber domain decision advantage on domestic networks.
Can there be a condition in which warfighting and noncombatant activity co-exist in domestic cyberspace?
I say yes and welcome the opportunity to further discuss this paradigm with leadership and other cyber strategists.
Wielding military cyberpower in and through civilian entities is an imperative. If thoughtfully and respectfully executed, civ-mil cyber fusion would mitigate risk for private companies, which in turn improves shareholder and consumer outcomes, while keeping belligerents out of the homeland, thus deterring further erosion of critical institutions and maintaining their integrity. It could be a win-win.
I am not advocating that private companies fling open their lobby doors and let USCYBERCOM set up camp. Instead, my team and I spent the last three years developing a complex strategy and capability that bridges the civilian-military cyber divide and establishes the infrastructure for a mutually beneficial, privacy preserving civ-mil partnership.
Facilitating mission alignment between seemingly incongruous parties was not simple to reconcile. Developing a counterattack capability that respects the fiduciary interests and offensive limitations of the private sector and is imbued with the integrity and strategic/tactical/operational abilities of the most capable cyber combatant command in the world… again, not easy.
The solution to this quandary is not another cyber security product… so we didn’t build one. We developed a strategy to deter persistent cyber aggression on critical infrastructure and built a global, interoperable software/hardware platform that delivers a suite of unexpected capabilities, bilaterally distributes timely, critical intelligence, and synchronizes all stakeholders… while maintaining the privacy both sides require.
Our vision of a viable counterresponse to APT belligerence democratizes the burden of persistent defense among an allied coalition of civ-mil stakeholders and augments the maneuverability of cyber combatant commands.
The grave threat posed by the major threat actors is beyond the security capacity of any one CISO, SOC or security stack. But collectively, with synchronization, relevant intelligence and superior capabilities equally distributed, we can, and we must, deter cyber aggression on the critical companies that the world relies upon every day.
The days of adversarial advantage and triage/whack-a-mole as a strategy are finally over.
Private sector critical infrastructure companies: Reach out for a capability brief. I’d love to show you how we get you synchronized, trained, armed, and connected.
US and allied defense and IC agencies: Reach out to discuss.
PS. We changed our name. ANOVA Intelligence is now Nemesis Global. Nemesis is the Greek Goddess of retribution and distributor of implacable justice. Recalibrating the balance of cyberpower and deterring pernicious adversary aggression requires an act of God(dess).
Plus the snazzy new branding reflects our emergence from full stealth mode into semi-stealth mode.
As always, your respectful questions and comments are welcome below. I look forward to your thoughts and erudite discussion.
Reverse Engineer, CEO, CTO, Offensive Cyber, Principal Investigator, Research Scientist. - I reverse engineer systems including: hardware, software, people, organizations, & structures.
11 months: You might like the blog post I just made about the need for a cyber FFRDC. We are on a similar wavelength…
11 months: Couldn't agree more. This is a significant problem that isn't getting enough attention.
Director of Operations, RELLIS Campus at Texas A&M University System
11 months: Why can't DHS build some collective guidelines with CyberCom/DOD planning involvement that would provide a framework allowing private and public entities the ability to have an active defense, better stated, an offensive component to their defense? Build in the notification and accountability that would prevent escalation and rogue use. Until the private and public sector have the means to both defend and have a proverbial stick, we will always be playing catch up. Just like all forms of security, the threat is looking for soft targets to exploit; why should cyber be any different?
Cybersecurity Trusted Advisor at Senetas - Quantum Resistant & Network Encryption, QRE, Data in Motion Security, Breach, Compliance, Content Disarmament, Secure File Sharing, Gateway, Space Enthusiast
11 months: Very insightful
Senior System Architect / Semi-retired @ AraneaReteC2 LLC (Owner)
11 months: Curtis LeMay commanded Strategic Air Command (SAC) for about 10 years. He had a different training philosophy than his peers. He told his bomber crews, we are not preparing for war, we are at war! ... and as such, our training will reflect this reality. This is the reality of cyber, and it has been since nation states created and organized operational cyber forces, more than two decades ago; I personally have been involved with it since the mid 1990s. As I have said many times in this venue, war is not successfully engaged with an emphasis on security; security being only one principle of war. Instead all principles and functions must be applied; cyber is no different. From the above post... "These noncombatants ... They are the nation’s first line of defense … but they have no... timely intelligence, no common operating picture, no understanding of commander’s intent, no .... unequally distributed, inadequate defenses." Correct! The above describes the critical need for Cyber C2 (and BM), as its function is to integrate, coordinate and synchronize operations. However, traditional C2 does not have the agility, dynamic and adaptive properties required for cyber, but that is an architecture topic for another discussion.