Assumption of Breach and Defense Planning

October 1, 2012
Cyber Security

Given the explosive (and thinly sourced) nature of Bill Gertz’s allegations (China! Carriers! Nukes!) in his latest Free Beacon post it is important to watch the story as it develops. At first glance, the story doesn’t quite seem to match the hype. A spear-phishing attack against an unclassified network is not exactly uncommon. But the uncertainty surrounding the story and the actual dynamics of the incident itself are rather unsettling.

Of course, formative cybersecurity incidents like Moonlight Maze have never really been conclusively resolved and are just as hazy. The post does highlight an emerging reality that will likely be incorporated into defense planning: presumption of breach. Within the cybersecurity industry, security planners assume that a determined attacker is capable of entering an opponent’s security system, air gap or not. Consequence management, forensics, and remediation become the focus, rather than an attempt to create an iron wall around one’s security system.

Given what we know about extensive Chinese and Russian targeting of our defense infrastructure and political-military communications, we must at some level assume breach when thinking of our general counterintelligence picture. Geopolitical competitors have acquired large amounts of data and penetrated some critical systems over the years. Open-source reporting has also consistently revealed a persistent People’s Liberation Army (PLA) doctrinal focus on American command, control, and communications. Although there are instrumental objectives at play, such as gaining information and/or controls that may be of use in a future crisis, one also wonders if the main effect is actually more complex.

Assumption of breach introduces an element of uncertainty into defense planning. How much does a potential opponent know about critical information, and what can they do in a potential crisis? While there has been a lot of speculation, there is very little hard analysis of what kinds of capabilities could be targeted and what a potential opponent could know about US command and control, intelligence, communication and logistics networks. This is without bringing up the issue of critical infrastructure, which may or may not be off-limits to a potential attacker depending on political motive. Nuclear command and control, however, would be an entirely different matter presuming Gertz’s account is true.

Either way, to assume breach is to acknowledge that penetration of very sensitive networks is not only possible but likely ongoing and undetected. Moonlight Maze, for example, was only accidentally discovered. This doesn’t mean that, Battlestar Galactica-like, an adversary would be able to disrupt and/or destroy US combat power in one fell swoop with a cascade of computer network attacks and electronic warfare operations at the beginning of hostilities. It does mean that there is significant uncertainty about just how much penetration has happened and/or is ongoing, what has been learned, and what can be done.

Could such uncertainty over adversary information and capabilities itself induce caution, and perhaps a slackening of political will? Warfare is full of considerable uncertainty arising from the operation of one’s own complex military machine, that of the opponent, and third parties. Adding one more volatile element to the mix could be a tipping point. Of course, we’ve known about the weaknesses of US systems since Eligible Receiver and US strategic postures still remain the same. But assumption of breach in situations involving nuclear-armed great powers will inevitably be factored into defense planning.

How such uncertainty politically and organizationally manifests will be difficult to predict. Some political scientists studying military doctrine might say that it would result in a greater tendency towards offensive doctrines and weapons, but uncertainty and vulnerability have also motivated caution even in the face of institutional pressures. Only time will tell. There is little evidence to indicate that psychological uncertainty itself is an objective of espionage and long-range cyber recon, but it certainly could be a side effect.

UPDATE: The White House has confirmed that a spear-phishing attempt against an unclassified network did take place, but clarifies that it was isolated and no data exfil occurred. If that’s the end of the story, then that’s great news. But is it?