All Sides Accept Some Level Of Compromise Of Critical Infrastructure For Reconnaissance and Pre-Positioning
If you want to understand US government cyber strategy, offense and defense, you need to master Cyber Persistence Theory. The US would argue they didn’t invent this, they responded to it. And they were years late to the game.
The best way to learn Cyber Persistence Theory is to read the book of the same title by Fischerkeller, Goldman, and Harknett. The book’s Foreword was written by Gen Paul Nakasone when he was Commander of US Cyber Command. The pull quote from the Foreword:
By 2016, Michael Fischerkeller, Emily Goldman, and Richard Harknett were laying the foundation for the Command’s approach of Persistent Engagement.
The influence is not waning. Ms. Goldman is joining the Trump Administration’s National Security Council Cyber Office.
Volt Typhoon is a great example of Cyber Persistence Theory in action, for both China and the United States, particularly in the concept of a Fait Accompli. The book’s definition:
We define the fait accompli in the cyber strategic environment as a limited unilateral gain at a target’s expense where that gain is retained when the target is unaware of the loss or is unable or unwilling to respond. The immediate “gain” in or through cyberspace is the setting of security conditions in one’s favor, essentially a reconfiguration of cyberspace technically, tactically, operationally, or strategically.
The key is “unwilling to respond”, and I’d extend this to “unwilling to escalate”.
This ties into “cyber norms”. Cyber norms exist even if they are not explicitly defined, and even if both sides don’t completely agree on them. Cyber norms are also in flux, constantly being tested to find what can be done without triggering an escalatory response. In Cyber Persistence Theory, adversaries are trying to slowly and stealthily change “cyberspace”, the terrain.
Volt Typhoon is a great example of a fait accompli in Cyber Persistence Theory. The Chinese were able to gain a presence on US private sector critical infrastructure networks that allowed them to perform reconnaissance and be positioned to launch attacks on critical infrastructure OT if necessary. The US, the target, “was unaware of the loss”. And when the US became aware they were “unable or unwilling to respond”.
There were statements. Congressional hearings. But no action that would indicate either side thought a line had been crossed. We now will see a contest of who can better have a presence in the other’s electric, water, transportation and other critical infrastructure systems.
The next fait accompli could be penetration and deployment of attack code on OT. A nation state in position to send a command to turn out the lights. Yes, this happened in Ukraine without the world responding. Would that be something that China, Russia, the US or others would be “unable or unwilling to respond” to if it happened to them? Stay tuned.