Hybrid Methods in the Grey Zone: Cyber Risks to Critical Infrastructure
Mitigation measures needed to respond to a cyber-attack must be broadly conceived, assess the true objective, and identify related tactics. An effective response will mobilise experts in the targeted infrastructure, and ensure coordination between government and private sectors. Restoring major infrastructure facilities, such as electric grids, will require coordination across international boundaries.
Key strategic rivals of the United States and Canada, chiefly China, Russia, Iran, and North Korea, are increasingly pursuing activities that they believe can achieve relative gains without triggering escalation. These “grey zone” approaches, in the contested area between normal statecraft and open warfare, take many forms. They are sometimes referred to as hybrid threats, sharp power, political warfare, malign influence, or irregular warfare. Tools include information operations, political coercion, economic coercion, malicious cyber operations, space operations, use of proxies, and even provocation by state forces [Footnote 91]. Most of these are not new, but even those that have been around for a very long time take on a new and more dangerous character with the help of rapidly evolving technology. This paper will focus on the area of cyber operations and managing the risks posed by this specific threat.
The Center for Strategic and International Studies (CSIS) recommends three key assumptions when considering how to counter grey zone activities:
- Campaign planning must be dynamic to be effective. Actors will adapt and opportunities will emerge;
- Concepts such as “winning” and “losing” will have less salience than measures of relative gain and loss, as assessed over time; and
- US laws, principles, and values are strategic advantages in grey zone competition. Even as the US engages in grey zone tactics, it should do so in accordance with its principles [Footnote 92].
Particularly with respect to cyber operations, this report contributes a fourth overarching admonition: think broadly. It describes ways to improve the ability to address cyber risks by applying this admonition. At the conclusion, this approach will be evaluated against the three recommended assumptions for countering grey zone activities.
Thinking broadly about cyber operations means remembering that cyber is almost always a tool to achieve a broader goal. What is the adversary’s goal and how might cyber be used to advance it? Understanding the actor’s goal is critical for assessing and mitigating risks from cyber operations. Given what one thinks the goal is, how likely is it that adversaries will decide cyber is an effective way to achieve it? Are there easier or cheaper ways for them to achieve the same outcome? How important does one think it is to the actor that they can muddle attribution? How can one change the actor’s cost/benefit analysis to reduce the risk? This analysis will differ for each actor and circumstance.
For example, in the immediate wake of the US assassination of Islamic Revolutionary Guard Corps, Quds Force commander Qasem Soleimani, many feared cyber retaliation from Iran. It was prudent for the US government to warn of this risk, particularly given past malicious cyber activity by Iran against American businesses and infrastructure. Iran, however, needed to demonstrate that it was imposing consequences for the attack on Soleimani; thus attribution was an imperative, making a kinetic attack more desirable and likely than a cyber operation. After the initial overt response, tailored to appear proportionate and avoid escalation, Iran can be expected to further its goal of deterring US action, and punishing voices or actions it does not like, by resuming clandestine cyber activity where the victim might assume Iran’s complicity but not be able to prove it. Assessing Iran’s shifting goals is important for prioritising our risk management efforts.
Working to understand the motivations of these actors can also help clarify the connection between cyber operations and other grey zone tools, such as information operations. Sometimes the connection becomes clear over time, as in the Russian hack-and-leak of the emails from the Democratic National Committee prior to the 2016 US Presidential election. Cyber activity was used to support narratives that were being pushed in broader information operations using multiple channels: social media, propaganda “news” outlets, and even official statements by Russian officials. These platforms promoted leaked emails that supported the pre-existing narratives that Hillary Clinton was corrupt and that “the system” was working unfairly against her Democratic challenger, Bernie Sanders. This furthered Russian President, Vladimir Putin’s tactical objective of weakening Clinton and depressing voter turnout. It also advanced his strategic objective of undermining public trust in democracy and its institutions, aimed at getting Americans to give up on notions of truth and disengage.
Russian efforts to access voter registration databases during the 2016 US election cycle also reflected the use of cyber activity to advance this information operation. It was less about gaining access to personal information than about being in a position to disrupt the election process. If Russia had deleted or altered voters’ information, people would have shown up to vote only to find they were not on the list. Long lines, people being denied the right to vote, confusion and chaos would have undermined confidence in the process, which could undermine the legitimacy of the outcome and, ultimately, the legitimacy of democracy.
Damage to reputation is often thought of as a collateral impact of malicious cyber activity. Thinking more broadly means recognising that damage to reputation, or another information operation objective, may be the primary goal of a malicious actor. Thinking broadly also means not focusing only on threats and vulnerabilities, as is so often done in cyber, but also on the consequences of malicious activity and how to mitigate those consequences.
Cybersecurity is an exercise in risk management. To manage risk, one must first assess it. Prioritising risks requires understanding the likelihood that something will happen and the consequence that will result if it does. Likelihood is assessed by looking at threats (who or what might inflict harm) and vulnerabilities (what could be exploited to succeed). Risk is therefore a function of threat, vulnerability, and consequence. Once one has assessed the risk, one then considers all the ways to reduce it by mitigating the threat, the vulnerabilities, and/or the consequences. The sweet spot for action is those areas where one can achieve the greatest buy-down of risk for the effort expended.
The most common mistake in efforts to address cyber risks is focusing exclusively on the information technology network aspects, particularly threats to and vulnerabilities of those networks. Both are important, but what is ultimately important is not the computers but the real-world functions that are enabled by those networks, such as reliable electricity, safe water, secure banking, and real-time communications. Business owners are focused on consequences that impact their financial bottom-line, which might include reputational, legal, and operational issues. Their information technology (IT) staff can help determine which consequences could be brought about through malicious cyber activity, but the communications, legal, financial, and business operations teams need to be part of the conversation. The IT expert is no more likely to fully understand the impact of a cyber incident on a business—or the mission, if speaking to government—than an electrician can provide insight on the impact on the business if power is out for an extended period of time. Yet, far too often cyber risk management is ceded to the cyber techies.
Leaders in government trying to manage cyber risks to their own departments and agencies should start by looking at what the US government refers to as “mission-essential functions”. These functions have been identified through previous continuity of government planning. They are the functions most crucial for delivering the core responsibilities of government, particularly in a time of crisis. Individuals in the organisation who are responsible for delivering those missions need to work with the IT experts to determine how these essential functions could be disrupted by loss of confidentiality, integrity, or availability of data, including the data used to control industrial systems. Knowing the areas in which malicious cyber activity could cause the most significant disruption informs the prioritisation of cyber risks.
When critical functions and how they could be disrupted by cyber activity are identified, the next step is to look at all the ways to mitigate that disruption. Most discussions of cyber risk reduction, like those around assessing cyber risk, focus on reducing threats to, and vulnerabilities in, IT networks. Indeed, measures like two-factor authentication, intrusion defense, and continuous monitoring and patching of known vulnerabilities make it harder for adversaries to get into and move around inside your network without being detected and can dramatically reduce the number of successful intrusions. However, because 100 per cent security is unachievable, it is equally important to look at how to reduce the consequences of a successful cyber intrusion; how to be more resilient.
Sometimes the most cost-effective way to reduce the impact of a cyber incident will be non-technical. Using paper ballots to mitigate the potential consequence of an attack on election infrastructure is one example. Or ensuring there is a manual way to open or close valves in case an industrial control system is hacked. These “analogue” measures for reducing cyber risk are not likely to be developed by IT experts. Planning for resilience requires input from the entire enterprise.
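The risk-management method set out above (assess each critical function by threat, vulnerability, and consequence; then compare every mitigation, technical or analogue, by how much risk it buys down) can be made concrete with a small risk register. The following Python is an added example written for this edit, not code from the original paper or any government programme; the function name, the mitigation names, the costs, and the likelihood and impact figures are all constructed assumptions chosen only to illustrate the method.

```python
"""Risk register that scores a critical function as threat x vulnerability x
consequence and ranks mitigations by risk buy-down per unit cost, including
an "analogue" measure (paper ballots) that reduces consequence rather than
vulnerability. Added example with constructed figures; not the paper's own."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    function: str         # the real-world function at stake, not the network
    threat: float         # likelihood (0..1) that a capable actor attempts it
    vulnerability: float  # likelihood (0..1) that an attempt succeeds
    consequence: float    # loss if it succeeds, in arbitrary impact units

    def score(self) -> float:
        return self.threat * self.vulnerability * self.consequence


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float
    # Multipliers applied to each risk factor; 1.0 leaves a factor untouched.
    threat_factor: float = 1.0
    vulnerability_factor: float = 1.0
    consequence_factor: float = 1.0

    def apply(self, r: Risk) -> Risk:
        return Risk(r.function,
                    r.threat * self.threat_factor,
                    r.vulnerability * self.vulnerability_factor,
                    r.consequence * self.consequence_factor)


def buy_down(r: Risk, m: Mitigation) -> float:
    """Absolute reduction in risk score from applying m to r."""
    return r.score() - m.apply(r).score()


def rank_mitigations(r: Risk, options: List[Mitigation]) -> List[Tuple[str, float]]:
    """Mitigations ordered by buy-down per unit cost, best first."""
    scored = [(m.name, buy_down(r, m) / m.cost) for m in options]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def plan(r: Risk, options: List[Mitigation], budget: float) -> Tuple[List[str], float]:
    """Greedy selection: repeatedly take the affordable mitigation with the best
    marginal buy-down per cost, re-evaluated against the residual risk.
    Returns the chosen mitigation names and the residual risk score."""
    chosen, remaining, current = [], list(options), r
    while True:
        affordable = [m for m in remaining if m.cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda m: buy_down(current, m) / m.cost)
        if buy_down(current, best) <= 0:
            break
        chosen.append(best.name)
        budget -= best.cost
        current = best.apply(current)
        remaining.remove(best)
    return chosen, current.score()


# Constructed figures (assumptions): a vote-tabulation function that a
# state actor is likely to target, with a 50% chance an attempt succeeds.
TABULATION = Risk("vote tabulation", threat=0.8, vulnerability=0.5, consequence=100.0)

OPTIONS = [
    Mitigation("Multi-factor authentication", cost=20.0, vulnerability_factor=0.6),
    Mitigation("Continuous monitoring", cost=30.0, vulnerability_factor=0.7),
    # Analogue measure: a paper record makes a successful intrusion recoverable,
    # cutting consequence even though the network is no less exploitable.
    Mitigation("Paper ballot fallback", cost=25.0, consequence_factor=0.2),
]

if __name__ == "__main__":
    print("baseline risk:", TABULATION.score())
    for name, ratio in rank_mitigations(TABULATION, OPTIONS):
        print(f"  {name:30s} buy-down per unit cost = {ratio:.2f}")
    chosen, residual = plan(TABULATION, OPTIONS, budget=50.0)
    print("within budget 50:", chosen, "residual risk:", round(residual, 2))
```

With these constructed figures the paper-ballot fallback ranks first even though it does nothing to the network's exploitability, which is the point of the passage: once consequence is on the table alongside threat and vulnerability, a non-technical measure can be the best first purchase. Because the factors are multiplicative, the greedy loop re-scores each remaining option against the residual risk, so a second vulnerability-reducing control buys down less after the consequence has already been cut.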
When a cyber-attack knocked out power for a quarter of a million customers in Ukraine in the dead of winter in 2015, it was not the IT experts who returned power to Ukraine. It was the operators, who understood how the physical grid was laid out. They got into trucks, drove to the locations of the breakers that had been remotely tripped by the attack on the industrial control systems, and manually moved them back into place. This physical redundancy allowed them to get the power back on in 6 hours, blunting the impact of the cyber-attack. In the US and Canada, there is still a good deal of physical redundancy in the electric grid because much of it was built in the 1970s and the cyber aspects were integrated later. As that infrastructure reaches the end of its useful life and is replaced by “smart” technology, there is a risk of significantly increasing cyber vulnerability, absent careful planning.
Reducing dependency upon IT networks is a critical aspect of resilience. Effective planning for continuity of operations should include robust back-up plans that assume efforts to prevent a hack have failed. Moreover, if cyber dependency can be reduced, this will also reduce the benefits an adversary can expect to achieve through a cyber-attack. Altering bad actors’ cost/benefit analysis can deter malicious cyber activity.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has the mission of strengthening the security and resilience of critical infrastructure against all threats and hazards, physical and virtual. This comprehensive approach to assessing and mitigating risks to critical functions is consistent with the enterprise risk management approach that infrastructure owners and operators were urged to adopt in order to effectively assess and reduce risks of disruption. It reflects the increasing interconnection between physical and cyber risks, that cyber incidents can have physical consequences, that physical security is an essential aspect of protecting IT networks, and that expertise from across the enterprise is necessary to understand and address cyber risks. Experience with disruptions caused by natural disasters, for example, can help illuminate dependencies and redundancies relevant for cyber risk planning.
It is also important to think broadly about the partnerships necessary to counter cyber operations targeting critical infrastructure. Government can play a key role but only if it operates in full partnership with the owners and operators of infrastructure, which can include local governments, along with others in the private sector. This “whole of nation” approach reflects the reality that no single player has all the capabilities, information, or resources necessary to address the risks. This is particularly true for cyber risks.
Discussion of public/private partnerships often turns to questions of who should do what. Rather than starting with debates about what is “fair”, however, the analysis should focus on comparative advantages. Begin with efforts to reach consensus about the nature of the risk and what should be done to address it. Then look at who has a comparative advantage in terms of providing what is needed. After assessing who is best positioned to take needed actions, then the analysis can turn to whether financial compensation or incentives are necessary or equitable. For example, the private sector often asserts that they should not have to defend their systems against nation-state cyber activity. Indeed, there are steps that only governments can take to reduce cyber threats from nation-states, including the use of instruments of national power. However, businesses may be in the best position to reduce the impact of a cyber-attack, for example, through contingency planning. If some of those measures exceed what would normally be done by a business to mitigate non-state cyber risks, it might be appropriate for the government to provide assistance or incentives.
Effectively managing cyber risks also requires international collaboration. Whether as part of the various Five Eyes groups or in bilateral efforts, sharing insights, experience, and intelligence benefits everyone. Moreover, the shared border with Canada creates dependencies, such as in the electrical grid or transportation networks, which make collaboration imperative. International cooperation on cyber is also important in less tangible efforts such as the development and enforcement of norms. Unfortunately, the international aspect of managing cyber risk is often overlooked, undervalued, and under-resourced.
So, how well does the approach described in this paper, based upon the admonition to think broadly, fit with three key assumptions for countering grey zone activities that were described in the introduction?
The first assumption is that planning must be dynamic to account for the ways actors adapt and opportunities emerge. If adversaries' goals are kept in view, one can better understand how changing circumstances affect the level and nature of the risk and adjust accordingly. Similarly, if one is prepared to mitigate the consequences of cyber incidents, rather than focusing only on specific threats or vulnerabilities, one will be better prepared for a dynamic threat environment.
Second, focus less on “winning” or “losing” than on measures of relative gain and loss over time. It is precisely because there will never definitively be a “winner” in the competition in cyberspace that a focus on resilience becomes so important. Even actions to impose costs on cyber adversaries must be conceived broadly to include all instruments of power and be sustainable, providing a relative advantage over time.
Third, recognise that staying true to democratic values is not a weakness but a strategic advantage. Collaboration is essential for countering cyber operations. Trust is an essential foundation for effective collaboration, between government and businesses, between federal and local government, and between nations. Trust is built on shared values. Staying true to these values is the only way to sustain that essential trust. By working together over time, we will force adversaries to operate in the shadows, alone.