We recently witnessed a monumental achievement as James Cameron successfully dived to the bottom of the Mariana Trench in the Pacific Ocean. This was a stunning display of advanced engineering and pure courage. Cameron has created an amazing submarine that can dive deeper than any manned submersible in use, which brings us to the topic of submarine warfare! It made me think how hunting for advanced persistent cyber threats is a little like hunting for nuclear submarines in deep water. The opponent is stealthy, and trying their best to hide all traces of their activity in a sea of data and network activity. Of course in the submarine domain we can use sonar to listen for enemy vessels, but in the cyber domain we have a more limited sensory capability. Yes, we do have intrusion detection systems, network trip wires etc., but fundamentally we lack the ability to separate out the weak, stealthy signal of an advanced attack from the background noise.
In The Hunt for Red October (my favourite submarine film, with Sean Connery), the plot revolved around a defecting Russian submarine captain. So we had lots of shots of big submarines pinging each other with sonar and playing war games. But the real story was how the protagonists were trying to infer the intent of their respective opponents. Was the Russian captain really trying to defect? Or was it all a sophisticated double-bluff orchestrated by the Kremlin for a first-strike attack? The stakes were high and the information available to each side was very sparse.
We face exactly the same problem in handling cyber attacks. Some are weak feints that precede a later full-scale assault; some are just background noise in the malware sea. Specifically, how do we infer the intent of the agency behind the malware? And intent is everything in any combat scenario. People tend to focus on the possible technical capabilities of hackers, but this is increasingly irrelevant as sophisticated attack tools are now free and ubiquitous. What we should care about is the intent of each cyber adversary. Are they simply playing around, hunting for an easy credit card breach, or are they a serious state-backed group targeting a critical asset? The problem is that the online behaviour we can measure often looks exactly the same in each case. Solving this problem is going to take a great deal of research and a broader psychological and sociological perspective. Compared to the military domain of submarine warfare it is also complicated by the broader range of objectives each adversary may have. These include economic interests, social hacking as political expression (which I predicted some time ago would become a major problem), organised crime, and finally state actors and their offensive cyber operations. In the defensive role we must infer the intent and interests of our opponents.
Returning to the headline story, James Cameron also directed the movie Titanic, which is a great story of how human hubris can blindside us to the risks we face when engineering large, complex systems. There are some lessons from history we can learn from: in this case the Titanic's engineers built multiple transverse bulkheads within the vessel, and considered that as a result the vessel couldn't sink, since even in the worst-case scenario only 1 or 2 of the bulkheads would be breached. Of course the worst case was even worse than planned, and the iceberg ripped along the vessel, breaching multiple bulkhead defences. As alluded to in previous blogs, the most vital ingredient in engineering any defence is a vivid imagination.
Cyber threats, like icebergs, may only reveal a small percentage of their true scale and nature. Sensing what lies below the water is ultimately the real challenge in cyber defence.