Commentary: Andrea Little Limbago, a principal social scientist at Endgame, argues for a new type of cyber framework to help public and private sector organizat...
By Andrea Little Limbago
Principal social scientist at Endgame
The term “cyber attack” has recently been used to describe events as disparate as the Sony breach, the CENTCOM Twitter hack, and the misdirection of $10 million into the wrong account as part of a digital intrusion at a Canadian mining company. The legal, financial and security implications of each of these, not to mention the digital capabilities deployed to initiate these attacks, vary significantly. The fuzziness surrounding the term “cyber” exacerbates this problem, thanks to its etymological roots that are quite distinct from modern interpretations, coupled with the inherently negative connotation that is associated with cyber.
The term cyber is often simply a prefix appended onto malicious activities, such as cyber- terrorism, cyber-vandalism or cyber-espionage, all of which are used interchangeably with cyber attacks. This intellectually lazy approach to the cyber domain fails to differentiate incidents based on the technique employed, the objective, or the attacker. In other words, current approaches to the cyber domain lack the ends, means and target identification that are essential to policy making, course of action decisions (including analysis of alternatives), planning and understanding the return on investments of the range of alternatives.
A means-ends framework that decomposes the various kinds of digital instruments of power and correlates them with the desired objectives is long overdue. What we need is a new kind of framework — one that breaks down the different types or methods of attacks, and connects them to a set of outcomes.
Over the two decades since some of the first digital operations occurred, the government still lacks a conceptual framework for categorizing and differentiating between the various digital instruments of power — relying on Cold War frameworks that are ill-suited for the challenges of the modern era, stagnating the strategic, operational and tactical approaches to the cyber domain.
A year ago, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which directs the National Institute of Standards and Technology to develop a cybersecurity framework to define best organizational practices for risk mitigation processes and responses. This is an important step by the government and reflects the growing concern over critical infrastructure protection.
Digital instruments of power
In the cyber realm, unlike in most areas of national security, organizations must protect themselves and cannot rely solely on the government to prevent breaches. While EO 13636 is necessary, it focuses on organizational responses to and preparations for the cyber threatscape, but does not provide a means-ends framework that conceptualizes, defines and distinguishes among the diversity of the digital instruments of power employed to achieve a wide range of objectives.
In fact, the 2011 Department of Defense Strategy for Operating in Cyberspace noted the employment of new concepts as a requirement, but it fails to articulate what some of these concepts might be. Just as diplomatic, information, military and economic (DIME) instruments of power have become codified within doctrine, policy and operations, so too must digital instruments of power.
A framework that categorizes the various kinds of digital instruments of power, correlated with the range of attackers’ objectives, would go a long way toward ameliorating what is currently an ad hoc and reactive approach to the cyber domain.
Digital instruments of power refer to digital techniques employed to achieve not only digital objectives, but non-digital objectives as well. A spear phishing campaign by a state- sponsored group aimed at defense contractors to extract blueprints for next-generation technologies has extraordinarily distinct implications from a transnational criminal organization’s spear phishing campaign aimed at stealing personal information to sell on the black market.
Similarly, a digital weapon that takes down a gas pipeline (as Russia conducted against Turkey in 2008) is distinct from a distributed denial of service attack, a favorite modus operandi by groups such as the Syrian Electronic Army.
These highly distinct digital instruments of power are often homogenized under the “cyber attack” umbrella, failing to distinguish the nuances and implications of each digital instrument of power. In each example, the digital instrument is employed to achieve a consequence, but there is no way to know which instrument is most likely to succeed when they are all viewed inter-changeably.
This framework must also distinguish the numerous objectives achieved by the use of digital instruments, such as propaganda, censorship, espionage, surveillance and destruction (physical destruction or the manipulation of data). A more formal ontology that, at the most basic level, distinguishes between socially-engineered digital instruments such as spear phishing and watering holes and those conducted by technical intrusions such as Botnets, implants and SCADA attacks, is critical to a proactive approach to the cyber domain.
Misdiagnosis leads to poor decisions
Categorizing the various digital instruments of power (means) employed to achieve objectives (ends) is essential and can inform a more effective approach to doctrine, cyber legislation, and even persecution and legal rulings, which at times have equated the posting of a link with an intrusive cyber breach, leading to fines and sentences that are extremely disproportionate to the activity conducted.
Absent greater conceptualization of these nuances, there is a great risk of misdiagnosis, producing ill-informed responses and solutions that address the wrong problem.
A failure to conceptualize the heterogeneous nature of digital instruments of power limits the marketplace of ideas when it comes to cybersecurity solutions and responses and intellectually constrains government and corporate leaders across the spectrum of policy, planning, assessments and operations.
A framework that decomposes and defines the spectrum of digital instruments of power can push the community toward proactive solutions, as well as targeted responses to the cyber threatscape.
The cyber domain is ripe for innovative solutions and forward-leaning strategies to tackle the range of challenges and opportunities inherent within it. A framework that starts at the nexus of each digital instrument of power and objective, and includes the range of state and non-state actors prevalent in this domain, could greatly advance both the private and public sector’s preparations and responses to one of the most pressing national security challenges.
Andrea Little Limbago is the principal social scientist at Endgame, a security intelligence and analytics software company. Andrea has previously worked at the Joint Warfare Analysis Center and taught in academia, and holds a Ph.D in political science.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.