There is a risk that we overanalyze attacks on critical infrastructure and try to find a strategic intent where there is none.

Our potential adversaries could attack critical American infrastructure for reasons other than executing a national strategy. In many cases, it can be as simple as hostile totalitarian nations that do not respect international humanitarian law using critical American infrastructure as a cyber range.

Naturally, the focus of their top-tier operators is on conducting missions within the strategic direction, but the lower echelon operators can use foreign critical infrastructure as a training ground. If the political elite sanctions these actions, nothing stops a rogue nation from attacking our power grid, waterworks and public utilities to train their future, advanced cyber operators. The end game is not critical infrastructure — but critical infrastructure provides an educational opportunity.

We have to defend critical infrastructure because, by doing so, we protect the welfare of the American people and the functions of our society. That said, just because it is vital for us doesn’t automatically mean it’s crucial for the adversary.

In reality, our knowledge of the strategic intent and goals of our potential adversaries is limited. We can study the adversary’s doctrine, published statements, tactics, techniques and events, but we are assessing the adversary’s strategic intent from the outside. This results in qualified guesses, with all the uncertainty that comes with them.

For a less able potential adversary, attacks on critical infrastructure can serve as a way to show their internal audience they can threaten the United States. In 2013, Iranian hackers broke into the control system of a dam in Rye Brook, New York. The actual damage was limited by maintenance procedures at the facility.

But the intrusion in the control system made national news, engaged the state of New York, elected officials, the Department of Justice, the Federal Bureau of Investigation, the Department of Homeland Security and several more agencies. Time Magazine published the headline “Iranian Cyber Attack on New York Dam Shows Future of War.”

For some adversaries, cyberattacks seemingly become a way of picking a fight with the Americans without risking escalation.

Yet, these attacks are not entirely without risk because those seeking to maximize civilian hardship as a tool to bring down a targeted society have historically faced a reverse reaction. German bombings of civilian targets during the 1940s air campaign known as “the Blitz” only hardened the British resistance against the Nazis. The reactions to Pearl Harbor and Sept. 11, 2001 show such an attack might unify American society instead of injecting fear and forcing submission to foreign will.

Critical infrastructure is a significant attack vector to track and defend. Still, cyberattacks on U.S. critical infrastructure create reactions that might not be wholly predictable — creating risk for the adversary. For the U.S., the risk is that we try too hard to find strategic intent where there is none.

Jan Kallberg is a research scientist at the Army Cyber Institute. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute, U.S. Army or the Department of Defense.
