Joe Perry, Director of Education for Tetra Defense, and Python Programming instructor at TrainACE, offers an interesting perspective on modern cybersecurity and Nation-State cyber warfare.
Some Unexpected Daoism - a Metaphor for the Cybersecurity Landscape
Zhuangzi's Inner Chapters, one of the oldest and most significant Daoist texts, begins with a fish's story. There are three strange things about this fish, revealed by the purported author, Zhuang Zhou.
First, this fish is giant, with a bulk measured in the thousands of miles. Second, this fish has a curious habit of transforming into a bird of similarly massive proportion and flying for months at an altitude of ninety thousand miles. Third, smaller creatures often mock this fish-bird for flying so high when they can get any place they need without going higher than the treetops.
As with most Daoist writings, Zhuangzi tends to resist casual interpretation. However, one clear theme is that an entity with a short horizon views the world fundamentally differently than an entity with a long horizon. That is, big things have different problems than small things. The fish-bird knows that it needs to fly nearly a hundred thousand miles off of the ground for its unfathomably massive wings. In contrast, the doves and cicadas know nothing more than the next tree, and they regard the fish bird's fulfillment of need as a showy demonstration.
As is also the case with most Daoist writings, this fantastical and straightforward tale carries a remarkable depth of insight and applicability to modern cybersecurity.
Three Levels of Modern Cybersecurity
Modern cybersecurity exists at three levels. First, nation-states battle one another for supremacy over vast resources - with almost all of their power and bulk hidden from view, they strike through proxies without warning and enough force to level empires. Second, multinationals and major enterprises seek defenses at scale, always dealing on the level of statistics, opportunity cost, and annualized losses. Third, and most vulnerable, are users, for whom the most effective defense is almost always obscurity, and the horizon is no further than the next tree.
While much has been made of the differences in the classes of an attacker (e.g., APT, FIN, Hacktivist, etc.), very little ink has been devoted to the differences between these three groups. To properly understand cybersecurity, however, we must have at least a basic grasp of these three sub-industries, how they relate to one another, and the unique concerns of each. As is so often the case, our first task in understanding our adversary is understanding ourselves.
The Biggest Fish – What Does it Look Like When Nations Wage Cyberwar?
In this article, we examine nation-states, our thousand-mile fish swimming ponderously through the vast data oceans of the internet. The United States, United Kingdom, Australia, Canada, and New Zealand currently form the most technologically powerful confederation in human history, the FVEY partners.
These Five Eyes, and the dozens of smaller organizations that comprise them, process more data every second than an individual human being could interpret in a lifetime. The FBI, DIA, CIA, NGA, and NSA form most of the United States contingent and are headquartered in and around Washington DC. Their horizon is, from one perspective, almost infinite. Nation-states seek to exist indefinitely, that is to say in every time, but these five also seek to exist in every place as well.
What are the concerns of these vast, inscrutable entities? What can a thousand-mile fish like the FVEY possibly fear? What could prey upon a Goliath?
The answer is not one thing, but many. Parasites.
A Thousand Hungry Mouths – Russia's Cyber-Attack Strategy
Russia is a relatively minuscule power in the modern era, with a GDP approximately 5% the size of the US. Despite this, Russia has managed to wage a successful, near-silent war on the rest of civilization for decades. It has done so almost entirely through conflict in the domain of cyberspace.
Since the end of the Yeltsin regime, Russia's international relations have largely deteriorated, resulting eventually in their current state of absolute disrepair. For most nations of its economic size and international odor, there would be no significant international interest beyond the occasional showy condemnation for political points.
Putin, and his agents, have waged a brilliant and painfully successful guerilla war against this eventuality by focusing on pain points, economies of scale, and, strangely, community. Rather than attempting to create a modernized, technological infrastructure, Russia's leaders take advantage of the great strength of autocracy; exploitation. They leave municipal governments with outdated technology and shoddy equipment, then pocket the money which could be used to bring Russia's population into the modern era.
This massive wealth enables Russian leaders to engage the services of proxies. Rather than accepting the massive cost of building their infrastructure to compete with the Five Eyes, Russia creates, supports, and funds a myriad of small, independent actors.
Access to the tools and methods necessary to perform cybercrime is readily available and well protected (as partially evidenced by the prevalence of .ru links among malware distribution channels). So long as Threat Actors are wise enough not to draw the ire of their benefactor, they can act against others with near-total impunity.
Individually, none of these groups would be a threat. It is in the creation of a community that Russia's leaders show their genius for irregular warfare. Where the Five Eyes have massive bureaucratic security functions, with agencies thousands strong (their precise numbers, even to the order of magnitude, are not available to the public) and dozens or hundreds of divisions, political disagreements, organizational differences, and procedural hurdles, Russia acts more as one giant IRC server for the world's most ambitious cyber criminals.
They can communicate on methods, share undisclosed vulnerabilities, buy or sell exploits or the fruits of their use, and even hire more sophisticated or ruthless contractors to act on their behalf. Often, the Russian government has little or no actual involvement other than to tacitly approve by the simple fact of nonintervention. Nonetheless, the best of the worst understand the nature of Russia's tolerance and never hesitate to strike at Putin's enemies or give his agents first right to all the best attacks.
By facilitating this market, Russia gains a massively outsized advantage in cyberwarfare. They don't need the complex bureaucracy necessary to plan and validate missions, nor conceal their infrastructure and protect against retribution. Nor do they need to do any other costly, time-consuming tasks that take up so much of the Five Eyes' attention.
Russia's leaders provide a space for talented, ethically-stunted technologists to become fabulously wealthy by striking at their enemies and waiting for human nature to take its course. Each hacker or hacking group inflicts very little harm but requires no institutional effort at all.
When these groups collaborate, however, the picture changes dramatically. Let's imagine an example:
A crypto-mining operation distributes malware by offering an apparently legitimate web service that automatically downloads and runs its mining tool. Reviewing compromised systems, they notice that some have a .gov domain. After verification, the miners determine that they don't have the technical expertise to exploit that system directly, as the mining tool they distribute is one they purchased from a third party. None of them is proficient in exploitation.
A more sophisticated operation focusing on ransomware attacks purchases the exploit from the miners for a reasonable finder's fee and develops a customized variant of their malware that will work against those systems before deploying the malware and beginning their extortion. Whether it's a federal courthouse's data share or a VA patient record database, the affected system inflicts financial harm and prevents the operation of some critical service.
Russia's government had no hand in planning, no part in discovering the vulnerability or developing a tool to exploit it, yet their enemy is weakened just the same.
As these parasitic attackers draw more and more blood from the behemoth that is the Five Eyes partnership, it grows less able to respond. Some might be snatched up and utterly destroyed, but what matters is not any individual threat, but the sum of all those component threats which is greater than its parts. In just the same way that Amazon or Facebook have leveraged the flexibility, scalability, and speed of platforms to dominate international commerce, Russia has leveraged those same advantages to craft a weapon capable of frightening even the most massive of foes.
This method is highly effective, but it is not the only way the might of the Five Eyes is challenged. Another adversary, far more subtle and with a far longer view, lurks waiting in the depths, hiding its bulk until the time comes for a sudden lightning strike.
Casual and Economical – China's Patient and Methodical Cyber Strategy
It would be easy for an ignorant newcomer to assume China's presence on the world stage of cybersecurity is relatively small. After all, popular depictions of the country in the west tend toward the portrayal of a backward, agricultural peasant life. This is primarily due to racism. However, there is another view, one which complicates any discussion of China from an outside perspective. China is, to an extent largely unrivaled in the modern era, incredibly skilled at controlling information.
There's plenty already said and written about official state censorship, but the reality is far deeper and more complex than just a black marker and a good firewall.
Roughly once an hour, someone accuses a Chinese organization or the CCP of intellectual property theft, hacking, or similar data protection violation. There is a constant flow of information into China, a deep-sea current unlike any other, flowing into a bottomless chasm. Yet almost nothing goes the other direction. On average, the person reading this article knows absolutely nothing about actual life inside one of the most powerful economies ever to exist. Books, movies, television, and other cultural artifacts are one thing to hoard, but technology is quite another.
China's government steals blueprints, technical documents, and any other information that might be advantageous. Yet, it permits vanishingly little information to escape its borders, allowing the specifics of its capacity in basically every category of conflict to go unknown. While this comes with many advantages, it also precludes Chinese organizations from striking with the same force and impact as their Russian counterparts. After all, why waste an exploit on ransomware once when you can use it to passively and silently steal data forever?
This strategy creates a fascinating, if frustrating, dynamic. While China is engaged in a constant state of low-level cyberwarfare with basically every computer owner on earth, its actions seldom rise to the point of international reaction. Contrasting against the bloody, frenzied swarms of Russian-sponsored parasites, the great leviathan of China waits patiently on the ocean floor, content to let the smaller predators eat their fill.
How then does this great confederacy, the Five Eyes, deal with these foes? How can a behemoth fight a swarm? How can a strategist defeat an enemy who asks every question and offers no answer?
The solution comes in that second and strangest of facts about our great fish; it can transform.
Be Like Water – How Can Five Eyes Counter Nation-State Cyber Attacks?
What does all of this mean? What use is it to know the details of how each country wages cyberwar?
Well, to the random person on the street, probably not much. It's unlikely that any given ordinary citizen will be the subject of cyberwar or need to understand the nuances of each major actor. However, understanding the nature and scope of the threat posed by Russian and Chinese actions in cyberspace is critical to decision-makers and leaders in both civilian and military government institutions. This understanding creates a new option for dealing with the threats; rather than fighting as a single behemoth, attempting to conquer the entire ecosystem and hold it all under sway, we can learn from our adversaries, adapt their methods as our own.
It is unlikely that the United States will start paying hackers to take down Russian sites any time soon. While it's likely that there are espionage and counter-espionage efforts against Chinese incursions, you aren't likely to read about them on the internet. Instead, the US hires contractors to develop response capabilities and offers bounties on the most significant Russian proxies.
The Five Eyes nations share information rapidly among themselves, identifying and removing vulnerabilities, leaving no gap for the parasites to exploit. Rather than top-down missions, driven by a handful of powerful individuals directing the great bulk, these nations seek to build small, responsive teams with tightly focused goals.
Chinese incursions are answered with rapid dissemination, allowing the other confederacy members to respond and limit the amount of information collected, bringing average dwell times (how long attackers go unnoticed in a network) down from over a year to under a month.
Communication, Dissemination, Transformation
By sharing the information necessary to make critical changes, the Five Eyes, and the hundreds of organizations and uncounted masses of people who make them up, regain the ability to defend themselves and strike out at threats.
It's only by creating skilled, informed, educated workforces of cybersecurity professionals capable of independent action without the safety nets of bureaucracy and procedure that the Five Eyes will be able to answer the dangers posed by their adversaries.
Remove institutional communication barriers, develop high-quality training programs, and lower the minimum level of decision-making as far as is practicable.
Developing and publishing open-source security standards (e.g., NIST) allows enterprises and users to benefit from a common core of knowledge. It drives innovation and discovery by enabling communication across organizational lines. It is only by mastering themselves and learning to adapt to their environment that the world's great powers give themselves a chance for survival in this wild abyss.
How to get Started in Cybersecurity
Depending on your IT experience you can improve your chance of getting a cybersecurity role by earning professional certifications. Obtaining a computer science degree is great too, but organizations are increasingly looking for very specific skills, so even with a degree you are likely to need some professional certifications.
If you have very limited IT experience you can find some useful information on our Getting Started in IT page. If you have IT experience and are familiar with configuring networks, you should look at CompTIA Security+ or CEH training and certification. Security+ certainly opens many doors in the IT world.