During a recent talk at The Chautauqua Institution, Denise Zheng held forth on the nature of cyber conflict: past, present, and future. A Senior Fellow and the Director of Technology Policy at the Center for Strategic and International Studies, Zheng has also worked as a senate staffer on the Homeland Security Committee, in the Computer Associates software engineering process, and, most recently, on cyber moonshots at DARPA. So her perspective on cyber reflects and informs those of consumers, governments, and leading edge developers.

In trying to define cyber warfare, she referenced the 2012 DDoS attacks on financial infrastructure, the 2013 Sony hack by North Korea, and even the 2015 Chinese hack of U.S. Government databases that breached sensitive information — including hers — from employees who had requested security clearances. The most telling thing about these scenarios, she suggested, is that none of them reached the level of warfare, a test which, for her at least, requires “disruption and destruction.”

But What About Stuxnet?

While Stuxnet “demonstrated that code could be weaponized,” at least through Title 50 or covert operations, the mechanisms have not proven “repeatable or scalable,” a task given to DARPA so that a battle space defined by industrial and infrastructure connectivity could be more readily mapped. You know, in case the next war begins with the destabilizing of the grid or something like that.

Why Is The Threat So Confounding?

Cyber seems to stump everybody. How we react or retaliate to obvious threats and breaches  must be tempered by some stark realities. Cyberattacks are borderless, can be conducted remotely, are asymmetrical (which gives the attackers an advantage), and attacks can be conducted anonymously.

So deterrence is our best hope. Or, as ICS likes to say: Prepare, Prevent, and Prevail. Part Two will look at Zheng’s view of the threat landscape going forward. In the meantime, call ICS, and let us help you keep your organization going forward.