This Is Not Your Father’s Cold War
The Dawning of Asymmetric Cyber Warfare
Welcome to the age of asymmetric warfare. During the Cold War, the number of world powers possessing nuclear weapons was small. The United States doctrine during that period, known as Mutual Assured Destruction (MAD), worked well and continues to work well today in kinetic space. But cyber has changed everything. Bad actors, including nation-states, terrorist groups, criminal gangs, and disgruntled individuals either possess or can obtain access to sophisticated cyber weapons. They can use those weapons to launch destructive cyber-attacks on targets of opportunity such as government agencies, corporations, healthcare institutions, the defense industrial base, and the U.S. critical infrastructure—stealing information, holding companies hostage by deploying ransomware or, in the worst case, bringing down mission-essential capabilities [1].
In the digital era, whether we are talking about traditional Information Technology (IT) systems that populate enterprises, Operational Technology (OT) systems on manufacturing floors, Industrial Control Systems (ICS) in power plants and oil and gas pipeline distribution systems, or Internet of Things (IoT) smart devices that are found in many households, the common denominator is a powerful “computer” driven by complex software and firmware and connected everywhere through ubiquitous communications networks. Recent events demonstrate, once again, the fragility of our systems, networks, and critical infrastructure.
We know a lot about the threat space and the types of cyber-attacks that can be unleashed by adversaries on our critical systems and networks. But the important question is what do we do with that information? If we use threat information to focus only on developing better detection and response capabilities and information sharing opportunities, we will miss the central problems that continue to make the country vulnerable to ongoing cyber-attacks. These include overly complex systems, poorly designed or non-existent security architectures, the absence of a “security engineering” mindset in the systems development process [2][3], and the lack of “assurance” [4][5] in critical systems and system components.
Systems and security engineers employ core security design principles such as mediated access, layering, isolation, least function, least privilege, and defense-in-depth to design and build systems with “mission assurance” as an important consideration—producing systems that can be defended. Such “principled design” approaches treat security as a “system property” and, combined with strong policy enforcement, can provide both necessary and sufficient protection for critical systems. In addition, systems and security engineers can create “what if” scenarios to predict new attack vectors that may be launched by adversaries and then “engineer” systems to withstand such attacks. The engineering effort is linked directly to the criticality of the system or asset being protected and to stakeholder decisions on how much damage they are willing to sustain [6]. That is true “risk management” from the perspective of systems and security engineering.
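To make three of the principles named above concrete (mediated access, least privilege with default deny, and a “what if” scenario), here is an added illustration that is not part of the article and not code from NIST or the author. It is a toy reference monitor: every access request passes through one check, rights are granted explicitly per subject and object, anything not granted is denied, every decision is logged, and a blast-radius function answers the “what if this component is compromised” question from the policy alone. The plant components (hmi_operator, historian, patch_service, guest) and objects (plc_setpoints, sensor_feed, plc_firmware) are constructed names for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    """Access rights a subject may hold on an object."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass
class Policy:
    """Explicit grants only; a (subject, object) pair that is not listed gets
    NONE, so the default is deny (least privilege)."""
    grants: dict[tuple[str, str], Right] = field(default_factory=dict)

    def grant(self, subject: str, obj: str, rights: Right) -> None:
        key = (subject, obj)
        self.grants[key] = self.grants.get(key, Right.NONE) | rights

    def rights_for(self, subject: str, obj: str) -> Right:
        return self.grants.get((subject, obj), Right.NONE)


@dataclass
class ReferenceMonitor:
    """Mediated access: every request goes through check_access, and every
    decision is recorded so denials can be detected and investigated."""
    policy: Policy
    audit_log: list[str] = field(default_factory=list)

    def check_access(self, subject: str, obj: str, requested: Right) -> bool:
        allowed = self.policy.rights_for(subject, obj)
        # Allowed only if every requested bit is present in the grant.
        decision = (requested & allowed) == requested
        verdict = "ALLOW" if decision else "DENY"
        self.audit_log.append(
            f"{verdict} subject={subject} object={obj} rights={requested!r}"
        )
        return decision


def blast_radius(policy: Policy, subject: str) -> list[str]:
    """'What if' scenario: if this subject were compromised, which objects
    could be reached through its legitimate grants? Sorted for determinism."""
    return sorted(
        obj
        for (s, obj), rights in policy.grants.items()
        if s == subject and rights != Right.NONE
    )


def build_demo_policy() -> Policy:
    """Constructed example (hypothetical plant, not from the article): an
    isolated OT segment where each component gets only what its function needs."""
    p = Policy()
    p.grant("hmi_operator", "plc_setpoints", Right.READ | Right.WRITE)
    p.grant("hmi_operator", "sensor_feed", Right.READ)
    p.grant("historian", "sensor_feed", Right.READ)        # read-only archiving
    p.grant("patch_service", "plc_firmware", Right.WRITE)  # nothing else
    # Note what is absent: no grant lets the historian or a corporate "guest"
    # role touch plc_setpoints, so those requests are denied by default.
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    monitor = ReferenceMonitor(policy)
    monitor.check_access("historian", "sensor_feed", Right.READ)
    monitor.check_access("historian", "plc_setpoints", Right.WRITE)
    monitor.check_access("guest", "sensor_feed", Right.READ)
    for line in monitor.audit_log:
        print(line)
    print("historian blast radius:", blast_radius(policy, "historian"))
```

The design point is that the security argument rests on the structure of the policy rather than on detecting each attack: the historian can never write setpoints no matter how it is compromised, and the audit log gives the detection team every denied request without any extra instrumentation.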
If the foundation of your “cyber house” continues to be weak, then putting additional locks on your “cyber” doors and windows will not reduce your susceptibility to these destructive attacks. It’s time to pop the hood and take a look at the engine. It’s not about promoting fear, uncertainty, and doubt. It IS about a “commitment” to employing well-established systems engineering processes and security design principles to rearchitect and reengineer critical systems and high value assets so the nation cannot be held hostage by hostile entities [7][8]. A shift of this magnitude will take a determined and sustained effort over a long period of time. Let's roll...
[1] R. Ross, “The Adversaries Live in the Cracks”
[2] R. Ross, “The Mysterious Disappearance of Systems Security Engineering”
[3] R. Ross, “Rethinking Our View of System Security”
[4] R. Ross, “System Assurance: A Missing Component to Military Readiness?”
[5] R. Ross, “The Anatomy of a Security Assessment”
[6] R. Ross, “The Bureaucracy Can't Protect You…”
[7] R. Ross, J. Oren, M. McEvilley, NIST SP 800-160, Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
[8] R. Ross, V. Pillitteri, R. Graubart, D. Bodeau, R. McQuaid, NIST SP 800-160, Volume 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach
A special note of thanks to Mark Winstead and Greg Touhill, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.
Director, NAVFAC Red Team and CYBERSAFE Program Director
3 years ago: As always, these are some great points Ron. Security architecture and engineering is where we need to focus our cyber talent, but I fear that those in the DoD services are doing more administrative tasks (RMF), which has evolved into a never-ending circle of addressing controls, writing documentation and writing mitigations and POA&Ms. Those energetic individuals who went out of their way to get cyber certifications and degrees spend countless hours chasing ATOs instead of being able to design more secure systems, integrate automated solutions and do hands-on security testing. Hopefully the services will allow a more streamlined approach to RMF and let those cybersecurity workforce members really utilize what they've learned and been certified to do.
Ron, your article is spot on. However, I know from working with various regional utilities that they don't have the resources to remain current with patches to their OT systems. It constantly falls off the to-do list. If we are going to get this fixed as a country, someone will have to make the CEOs and Boards responsible for addressing cyber security. Otherwise we will see more of the same failures.
CISO | PhD | CISSP | Veteran |Top 100 CISO | QTE
3 years ago: Great article, supports the points I included at the end of my latest article. Senate cyber-hawk calls for criminal penalties for Negligent CEOs https://www.dhirubhai.net/pulse/senate-cyber-hawk-calls-criminal-penalties-negligent-ceos-leber