With COVID-19 prompting a major shift to remote work, education and entertainment, it seems almost everything is going virtual these days -- warfare included. And the future of cyber warfare is only just heating up.
Cyber warfare occurs when cyberspace and electronic means are used to conduct warfare operations. This means that, when civilian end users and corporate networks are connecting to cyberspace, they are essentially logging on to a digital battleground. To reflect this environment and its risks, a realistic enterprise security strategy takes measures to improve bullet resistance instead of pursuing a futile bulletproof ideal. After all, security incidents are not a matter of if but when.
"A bulletproof vest is only bulletproof for certain calibers. If you shoot somebody with a .50-caliber machine gun, it will go through a bulletproof vest like a hot knife through butter," said Chase Cunningham, retired U.S. Navy chief and author of Cyber Warfare -- Truth, Tactics and Strategies and current analyst at Forrester Research. The best way to stay out of the crosshairs, he said, is to be aware of the space in which you operate and of the capabilities of the adversary so the risk can be assessed and managed accordingly.
Here, Cunningham draws on more than 20 years of experience in cyber forensics and cyber analytics operations to explain what the future of cyber warfare may look like and why enterprise leaders should be paying attention.
Editor's note: This transcript has been edited for length and clarity.
Why is it important to talk about cyber warfare, and what do you hope readers will take away from your book?
Chase Cunningham: The crux of it is to remind people that cyberspace is not necessarily a friendly environment. It is a warfare-fighting domain that we just happen to be able to use because of the proliferation of the technology.
I'm very interested in military history. I'm retired military, and I did my time in Iraq. I observed a whole lot of corollaries between strategies and tactics that affected battle spaces and how that relates to cyberspace. But the hardest part for those of us who are knowledgeable about warfare is to try not to terrify everyone. We're just trying to be real about it and help folks understand that this is the reality of cyberspace. That's more the responsibility of us who are warfare-knowledgeable than it is on the general population to translate. I hope that people -- especially security leaders -- come away with new context from the historical examples and analysis in the book.
In Chapter 10 of Cyber Warfare -- Truths, Tactics and Strategies, you outline five 'laws' or best practices to improve enterprise survivability in cyber warfare. How will they help organizations survive cyber war?
Cunningham: That boils down to the truth side of Cyber Warfare -- Truths, Tactics and Strategies. If you look at the history of exploitation and the reality of the space, those five laws are the minimum viable standard for operating in an intelligent manner in the space. Now, it is not that case that, if you take care of those five things, then you are good to go. Those five things are the absolute base minimum required [to survive cyber warfare]. But they are also broadly applicable to most historical instances I could find in cyberspace.
If you look at the five laws in Chapter 10, they are very similar to the zero-trust approach. Zero trust is becoming the dominant security strategy in the space because it is in line with the reality of the space and the truth [about cyber warfare threats].
Assuming employees at all levels should be thinking about cyber warfare threats to some extent, how must C-suite executives and board members approach it, versus a security analyst?
Cunningham: For the board members and C-suite executives -- and this is where I do most of my work lately -- the goal is to make them understand the bigger picture. The reality is that their organization may not be the ultimate end target in cyber warfare, but it could be part of the kill chain. There is a larger, more strategic play that they can play a role in [to address cyber warfare threats].
As for analysts, it is about how they can defend against a particular cyber warfare tactic or stop an exploitation. When I was a red teamer, I witnessed how bad actors pursued the easy targets. At one time, the easy targets were the big companies, which would get [cybercriminals] a lot of return for their investment. Fast forward to today, where you have big companies and big verticals with big money invested heavily in security resources -- those are now hard targets. Today, adversaries go downstream to attack low-hanging fruit and slow gazelles. The adversary knows it is not worth it to pursue the hard target with a billion-dollar security budget, which is why all these third parties, vendors and contractors are often incorporated [into a supply chain attack].
What is the likelihood that a cyber equivalent of the Geneva Conventions or rules of engagement will be adopted in order to set material limits on the measures of cyber war?
Cunningham: It would be a nice gesture, but it wouldn't actually be enforceable. In fact, there's probably some legislation already drafted that's in line with that. It'll be signed, and everyone will wink at each other. But the very nature of cyberspace allows for clandestine operation to occur. While there may be a Geneva Conventions for cyber warfare, the clandestine and covert operations will never be an issue for organizations that are trying to gain an edge on the adversary.
Will the future of cyber warfare require collaboration between governments and enterprises?
Cunningham: Yes, I think there needs to be collaboration. There's a lot of that already taking place in the United States between the FBI and FS-ISAC [Financial Services Information Sharing and Analysis Center], as well as some other organizations. The one thing that will always [be to your detriment] in warfare is not sharing intelligence. But the reality of the space is that not everything is shared all the time. That's just how it operates. It is a continual challenge to get the right information to the right groups at the right time.
What would that partnership between government and enterprise look like in cyber warfare?
Cunningham: In a perfect world, there would be a nonattributable information sharing platform where individuals could contribute information without the fear of revealing their identities. That could be anyone, anywhere, at any organization, classified or unclassified information. But I don't think that's necessarily practical. Because, in the context of nation-state activity, there are reasons to not share information because it may be to one group a competitive advantage [to withhold intelligence]. To be perfectly honest, I think we're probably close to as good as it's going to get.
Do you see the future of cyber warfare as eventually replacing or eclipsing traditional kinetic warfare?
Cunningham: As the powers of the world continue to grow, you're going to see more clashes in cyberspace than you have in the past. For the longest time, they have been very clandestine, very covert. But, now, you're going to start to see systems be affected and bigger areas and populations be subjected to more overt tactics. These will ultimately be the early saber-rattling for actual engagements.
I don't think we're going to get to a space of hardcore kinetic action in cyberspace. But, if you're curious where the next kinetic conflict is going to occur, take a look at what's going on in cyberspace. You can predict that, because these two nations are going at it in cyber warfare and because of the saber-rattling, there may be some kinetic conflict in the future. I also like to remind people that I'm not only talking about China and Russia; the U.S. is a cyber warfare operator as well. We do operations just like everybody else.
About the author
Dr. Chase Cunningham focuses on helping senior technology executives with their plans to leverage comprehensive security controls and the use of a variety of standards, frameworks and tools to enable secure business operations. His work focuses on integrating security into operations, leveraging advanced security solutions, empowering operations through artificial intelligence and machine learning, and planning for future growth within secure systems.
Dr. Cunningham served as a director of cyber threat intelligence operations at Armor. He was the computer network exploitation lead for Telecommunication Systems and the chief of cyber analytics for Decisive Analytics. Dr. Cunningham is a retired U.S. Navy chief with more than 20 years' experience in cyber forensic and cyber analytic operations. He has past operations experience, stemming from time spent in work centers within the NSA, CIA, FBI and other government agencies. In those roles, he helped clients operationalize security controls, install and leverage encryption and analytic systems, and grow and optimize their security operations command systems and centers.
Chase holds a Ph.D. and M.S. in computer science from Colorado Technical University and a B.S. from American Military University focused on counterterrorism operations in cyberspace.