Category: Digital Security

Bryan Neilson is an experienced Cyberspace & Intelligence Operations professional who built his career supporting Cyberspace Operations, Intelligence Collection, and Counterintelligence for the U.S. Intelligence Community. Bryan’s work, which has spanned the globe, can be directly tied to saving the lives of countless officers and assets, enabling of kinetic military objectives, and helping to build and maintain the strategic advantage of the United States throughout Cyberspace and beyond. Fusing his proficiencies in Cyberspace Operations and Human Intelligence, Bryan has become a trailblazer in his industry and has brought his unique expertise to Check Point Software Technologies – where he serves as Regional Architect, Evangelist, and global Subject Matter Expert in Sophisticated Cyberspace and Intelligence Tradecraft.

In the last several days, the cyber security industry has been rocked by a rare acknowledgement from U.S. Government Officials regarding the likelihood of extensive compromise of U.S. Critical Infrastructure by specific state-sponsored hacking groups. In a rare public pronouncement, the United States’ National Security Agency (NSA) revealed the extent to which it (and other federal agencies) believes that specific Nation-State sponsored actors have been actively and successfully engaging in broad campaigns to compromise various systems controlling critical infrastructure components within the U.S.

It has been a long-held belief among many cyberspace professionals that sophisticated state-enabled offensive actors have been actively and covertly compromising various critical infrastructure systems and networks across the United States and its allies – activity that has been on-going for several years.  Nevertheless, these public statements from the NSA – an organization known for keeping such issues and ‘troubles’ concealed from the general public – suggest mounting concerns among U.S. intelligence, military, diplomacy, and congressional officials.

Furthermore, U.S. officials have noted how this observed ‘buildup’ is predominantly targeting critical infrastructure systems of little to no intelligence value; thus, raising alarm that the motivation behind this activity is for the sole purpose of gaining a strategic advantage (the ability to disrupt U.S. and allied critical infrastructure) in the event conflicts arise.

Since early 2023, when the NSA and Microsoft collaboratively identified and publicly-revealed the existence of China’s Volt Typhoon program and alluded to the extent to which this mission had gained strategic access among critical infrastructure, worry throughout Washington has been mounting. The primary concerns are three-fold: A) strategic pre-positioning and control over U.S. critical infrastructure represents a substantive threat to the United States government, economy, and society; B) such wide-ranging pre-positioning has the potential to fundamentally shift the balance of power and displace the United States’ strategic advantage and dominance within the Cyberspace Domain; and C) such pre-positioning activity positions adversarial nation states with a “first-strike” capacity against the United States. These concerns have been echoed by Air Force General Timothy Haugh (Commander of U.S. Cyber Command and the top military official in the United States for cyberspace), in a telling statement made to the Washington Times, “We see attempts to be latent in a network that is critical infrastructure, that has no intelligence value, which is why it is so concerning.”

Recent public statements from the NSA and the subsequent comments from the Commander of the U.S. Cyber Command paint a rather bleak picture for the continuing security of United States critical infrastructure – and in turn, the future stability and resiliency of the U.S. government, economy, and society. Nevertheless, it is imperative to remember that this pre-positioning activity some U.S. adversaries are being accused of is neither new, unprecedented, nor, legally speaking, an act of outright hostility. Many countries with cyberspace operations capacities that are at least moderately sophisticated are actively engaged in the premeditated, organized, nation-sanctioned, and clandestine compromise of systems and networks for the sole purpose of gaining a strategic advantage over their adversaries – the United States being no exception. Lacking the critical element of direct and overt hostility, such activity is predominantly viewed and handled in the same manner as espionage, rather than actions indicative of war.

Chartered, in part, with maintaining and increasing the strategic advantage and dominance the United States has long held throughout the cyberspace domain, U.S. Cyber Command actively engages in this same strategic pre-positioning targeting U.S. adversaries. Such maneuvers intend and ultimately result in the compromise of and surreptitious control over thousands of systems and networks deemed advantageous to the interest and strategic advantage of the United States (systems and networks critical to the governmental, military, economic, and societal functions of other nations). This type of activity neither intends nor results in any immediate denial effect and therefore, does not meet the legal standard of Cyberspace Attack – a hostile act.  Rather, this type of activity is more aligned with acts of Cyberspace Exploitation.

Understanding this subtle yet crucial nuance between cyberspace attack and cyberspace exploitation is paramount to properly framing the situation that the world now faces. Cyberspace attack and cyberspace exploitation are two sides of the same coin. While both seek the compromise of systems, networks, data, and other assets, they fundamentally differ in both execution and motivation.

Cyberspace Attack, being of more substantial concern, consists of acts carried out within or through the cyberspace domain that have either the intent or result of causing immediate denial effects (defined as any form of degradation, disruption, or destruction). Actions carried out in this manner are still classified as Cyberspace Attack, even if this denial effect impacts resources outside the cyberspace domain. Cyberspace Exploitation, on the other hand, does not arise from the motivation of causing an immediate denial effect. Rather, Cyberspace Exploitation consists of acts of espionage or enablement carried out within or through the cyberspace domain. Lacking any motivation or outcome of an immediate denial effect, acts of Cyberspace Exploitation are not considered directly hostile and, from a legal, military, and diplomatic perspective handled much differently – through espionage, military maneuvers, counterintelligence, international pressure, and diplomacy. Notable however, is the standard setting forth “Enablement Activity” as an act of cyberspace exploitation. Such enablement activity consists of actions carried out for the purpose of enabling future activity or operations within or outside the cyberspace domain – regardless of the intent, motivation, or ultimate outcome inherent to such future activity.

Cyberspace Operations (which includes the aforementioned Cyberspace Attack and Cyberspace Exploitation, along with Cyberspace Security and Cyberspace Defense) establishes the current legal, military, and diplomatic doctrine and framework adopted by a majority of countries. The pre-positioning activity that is now raising alarm within the United States, while concerning and notable, represents non-hostile enablement activity within the discipline of Cyberspace Exploitation. The inclusion of “enablement activity” under the umbrella of Cyberspace Exploitation is a direct causal factor in the increased targeting and successful compromise of critical infrastructure systems around the world.

The rapid expansion in actors capable and willing to engage in cyberspace exploitation combined with the relative ease by which many critical infrastructure components can be compromised has led to a new “Mutually Assured Destruction” (MAD) style buildup of offensive capabilities and strategically pre-compromised and controlled critical assets. Though not directly hostile, this enablement activity does tactically position an actor to have control over the critical infrastructure of another country – thus providing the actor the ability to cause substantial damage to the country’s government, military, economy, and society.

Today, the world finds itself again in the grips of a transformed Cold War – watching the proliferation, buildup, and strategic placement of weapons of mass destruction. Reminiscent of global issues faced in decades past, this race towards mutually assured destruction is now driven by computer code rather than fissile material – a new age of weapons known as Digital Weapons of Mass Destruction.

The implications go beyond the direct impacts these digital WMDs would have on the physical world to the social and psychological impacts that they could have on people. In his 1955 book titled, “The Sane Society” social psychologist Erich Fromm describes the “Socially Patterned Defect”: a systemic illness underlying and inherent to modern societies, that absent the distractions of modern technology, would present in clinical signs of neurosis, psychosis, and socially-deviant behaviors among the population. Though more than half a century has passed since originally theorized, the hypothesis of a Socially Patterned Defect has been tested and upheld throughout the decades – even in today’s modern world. The aggressive adoption by modern societies of technologies providing on-demand access to real-time communications and information represents a new social and public health threat posed by such Digital WMDs. Unfortunate, but true, is the fact that most societies and individuals within the modern world are ill-prepared and would be effectively unable to function in a world without the modern technologies they have come to rely on.

Consider, as one example, the very real possibility of disruption to a nation’s power and communications infrastructure. While undoubtedly damaging to the nation’s government, military, and economy, the impact such an event would have on the society could be far more substantial. The co-dependency and reliance most modern societies have on current technology creates an ideal comorbidity condition where, any unexpected, immediate, and long-term absence of such technology could have the potential of causing this Socially Patterned Defect to emerge – resulting in mass disorder, public health and law enforcement crises, and ultimately societal and government collapse within the impacted population(s). Such effects resulting from a population’s loss of modern technology are not simply theoretical but have been observed on numerous occasions (and in relatively small scale) in the aftermath of recent natural disasters. This scenario represents a simple and limited-in-scope example of what is possible and of interests to sophisticated actors today. Considering the enablement activity being observed intends to acquire control over the whole of a nation’s critical infrastructure (communications, energy, emergency services, healthcare, transportation, and water systems – to name a few), the outcomes could be even more grave.

While the totality of impact such Digital WMDs would have on society seems dire, there is hope on the horizon. In May 2024, the United States Department of State published the “International Cyberspace and Digital Policy Strategy”. Laying the foundation for a brighter, more secure, and more sustainable future, this policy seeks to set the cornerstone of a more diplomatic approach to cyberspace. Though seen as a watershed moment in the history of cyberspace, it is important to remember that these efforts are still very much in their infancy and will take years to fully formalize and canonize; and could be easily disrupted should tensions between key nations reach a point where conflict involving hostile actions within or through cyberspace seem warranted. Until such time, this new strategy is only complementary to and in no way contradicting or superseding the current military-minded doctrine of cyberspace operations.

With the stakes so high and any global realignment of doctrine so far off, it now rests on the shoulders of the global collective of cyberspace operations and cyber security professionals to help drive the world to this more secure reality – one where Digital WMDs are less prolific and the thought of triggering such weapons is considered a taboo in the same vein as the use of nuclear weapons. As an industry, the most powerful countermeasures are not the cyber security technologies – they have time and again proven inadequate and unable to stand up against sophisticated offensivecapabilities – but rather the knowledge, expertise, good nature, and voices of these unique professionals. In the interest of prevention, advocating for non-proliferation, disarmament, and international oversight and control of Digital WMDs is essential. Through this, governments can be pressured to ensure such weapons are rarely used; and if so, are employed in a restrained manner accounting for all reasonable measures to ensure societal stability.  While seeking prevention would be ideal, mutually agreed global disarmament and restraint among nations who possess (or who could easily develop) Digital WMDs is doubtful. Therefore, a measure of focus must be shifted to preparation and response rather than prevention.

With this new Cold War being fought out within a realm that is largely intangible and through actions rarely perceptible or considered, the seriousness and criticality of the situation the world now faces is often overlooked or not entirely comprehended. Just as populations around the world took measures in preparation for nuclear war throughout the mid-20^th century, the world once again must proactively prepare for the possibility of conflict involving actions taken through cyberspace intended to result in disruptions to critical infrastructure. Everyone, from individuals to the largest organizations and educational institutions, to governments must preemptively address these threats and plan for a reality where critical services are made unavailable for an extended period of time.

Organizations can take strategic and common-sense measures to help ensure they are better prepared for such possibilities. Building comprehensive Continuity of Operations Plans that include contingencies for loss of critical infrastructure is fundamental. Through this, organizations should identify resources and services that are deemed critical (those a company would be unable to function without) and identify alternative means of operations should these resources and services be made unavailable. Organizations should also seek to establish substitute communications strategies, alternate work site locations, and disaster-scenario personnel reporting requirements. Additionally, any continuity of operations program should account for identification and loss of human resources that provide or hold critical knowledge for the organization.

To be more proactive, organizations should build teams (or partner with services) to provide real-time monitoring, investigations, digital forensics, incident handling, cyber threat intelligence, and proactive threat hunting capabilities. Governments must also come to the table and lower the bar for entry to build strategic public-private partnerships for the purposes of sharing critical information and intelligence. While sophisticated offensive activity can very likely go unseen even with the latest incident response strategies, technologies, and intelligence, this remains the best method of identifying and curtailing the compromise of critical systems for the purpose of pre-positioning.  Furthermore, where employed, organizations should exercise restraint in the use and deployment of counteroffensive capabilities, actions, and services to avoid causing further escalation.

Lastly, while an uncomfortable conversations, all organizations and individuals must come to grips with the limitations and fallibility of many modern security technologies. Where most of these technologies are employed, a sobering fact must be acknowledged: no matter how robust a system is believed to be, the likelihood of previous, current, and ongoing compromise by a sophisticated actor is unquestionable – even more so for any system controlling or maintaining critical infrastructure. Nevertheless, there do exist some truly capable frameworks employing a consolidated and comprehensive approach coupled with AI-powered and cloud-delivered next-generation capabilities. Leveraging these advanced all-encompassing solutions (such as the Check Point Infinity Platform) remains the only method proven successful in preventing sophisticated offensive activity.