May 15, 2019 3:30 PM
For more than a decade, multiple near-peer intrusion sets have demonstrated aspirations to acquire access to US and allied critical infrastructure networks. The extent to which such aspirations have been realized is increasingly disclosed in commercial cyber threat intelligence reporting covering hostile reconnaissance, capabilities development and testing, and indications of effects intent across several different campaigns. While much uncertainty remains regarding the true strategic capability that may be instantiated in these compromises, some preliminary observations can be drawn that suggest the outlines of adversary operational logic. Among the most critical of adversary decisions is the reaction to detection, and the associated dynamics of prospectively pending or immediate public exposure. Public disclosures of multiple intrusion campaigns targeting ICS networks increasingly pose a difficult paradox: disclosure is necessary to inform and encourage defenders' response, but it also forces the hostile operators to confront the impending loss of current OPE and attack options. We look at these "use or lose" moments and the logic of the adversary decision-maker's reaction.
Marine Corps University and Columbia University
JD Work is a former intelligence professional turned academic with over two decades of experience working in analytic and operations roles for the private sector and the US government. He currently holds appointments with Marine Corps University, Columbia University, and George Washington University.