In April 2021, based on a tip from the Federal Bureau of Investigation (FBI) and aided by public sanction data from US Department of Treasury, a social media company took down a massive cross-platform network. The network had been peddling mis- and disinformation, now recognised as a critical national cyber threat. The operation to take down the network is noteworthy not only for its scale—featuring more than 900 websites, social media accounts, groups and pages across multiple platforms—but also because of how it unfolded: The operation focussed on adversaries, not technology, and it took significant coordination to pull off.1
First, the takedown grew out of a focus on bad actors and not on content itself. Governments face a seemingly inconceivable number of threat vectors, but they can turn them into a manageable problem set by focussing on a small cohort of actors which are responsible for most attacks.2 Tailoring interventions to those bad actors can help push their decision calculus below the threshold of action, deterring attacks before they even occur.
Second, the operation relied on a significant amount of both government-to-government and government-to-industry collaboration. This type of collaboration is not new. Government agencies worked together to counter Soviet propaganda in the 1980s and ’90s, and government and industry have shared threat data with each other for years. But recent years have turned the need for that collaboration up to allow more players to coordinate, more information to share, less time to share it. That level of collaboration is often not possible for most government organisations on a day-to-day basis.
Traditional process-defined coordination forces government into a difficult position. It can be agile on a small scale or slow on a large one: Government can coordinate its actions to score a few key wins, but only in a few small areas, such as taking down Trickbot or Emotet botnets.3 Or government can move quickly in an uncoordinated fashion against more threats, but likely with limited effectiveness. Breaking this trade-off between agility and scale takes innovations based on greater technical and social coordination in government cyber operations.
Innovations for greater collaboration may not grab as many headlines as new technologies or big strategies, but they can help government overcome current barriers to taking a more effective approach to cyberthreats—one that is focussed on the adversary. And if successes such as the above operation or defence of the 2020 elections show, an adversary focus is a critical step toward something truly remarkable: a nation more secure from massive cyberattacks.
The cyber landscape is being pulled by two seemingly opposed forces: connection and splintering. On one hand, advances in technology are enabling greater connectivity than ever before. On the other hand, national interests such as technology dominance and independence are splintering that connectivity into balkanised zones.
The proliferation of smartphones has brought the internet to all of our pockets, but it is the explosion of small Internet of Things devices where the world’s growing connectivity can be most clearly seen. There are already more than 13 billion internet-connected devices on the planet, and this number is growing 10 times faster than the human population.4 These devices are bringing connectivity to previously disconnected items, such as water pumps and factory machine tools, allowing for previously unheard of agility and efficiency but also increasing the cyberattack surface of many organisations.
Greater connectivity is not only linking devices, it is also making organisations more intertwined than ever before. Take cloud as an example. Today, more than 94% of enterprises are in the cloud.5 And it is not just small-scale explorations; 83% of all enterprise workloads are estimated to be in the cloud today.6 The result is that many organisations are becoming increasingly reliant on not just their cloud service provider, but also the service and technology vendors on which their cloud provider relies.7 Technology is creating interdependencies that can introduce unseen vulnerabilities ripe for adversaries to exploit.
Pulling in the opposite direction of technology-driven connectivity is greater splintering. The balkanisation of the internet that has been underway for over a decade has resulted in different technical ecosystems cropping up. Russia and China, isolated by their Sovereign Internet Law and Great Firewall, respectively, have developed very different technical ecosystems.8 So when the trend toward centralisation takes place in these countries, the data is being centralised by a very different array of companies using different technologies than most of the world. For example, Amazon and Microsoft are the top two infrastructure-as-a-service providers, accounting for about 63% of the entire global market. Yet, they are nowhere to be found in Russia, where Softline, Rostelecom, and MTS lead the market; and in China, Amazon comes in a distant fourth, and Microsoft ninth, behind Alibaba, Tencent and China Telecom.9
The trend toward balkanisation of tech ecosystems appears to be changing the decision calculus of several US adversaries. With very different technical ecosystems, US adversaries can craft cyberattacks with greater—although not perfect—assurance that those attacks will not rebound and disrupt their own domestic networks.10 In other words, it is easier for an adversary to choose to attack a piece of software/hardware if it is not used on networks in their own country. So, balkanisation of technology increases the opportunities for cyberattacks while somewhat decreasing the risk of those attacks. Greater potential reward and less risk are likely drivers behind what the Office of the Director of National Intelligence called “states’ increasing use of cyber operations as a tool of national power.”11 Recent attacks on everything from water treatment plants to gasoline pipelines show just how powerful a tool those attacks can be.12 With such an attractive tool of national power, analysts in government and industry expect more attacks and more aggressive attacks that may even impact civilians. 13
The shifting technological landscape has fundamentally altered when and how adversaries decide to attack. Therefore, governments’ approaches to cyber defence needs to address this decision calculus if it hopes to create effective defences.
To defend against the most capable cyberthreats, defenders should focus on the actors with the greatest capability and intent to attack. Typically, those will be large, adversarial nation states.14For the rest of this paper, we will largely focus on the threat posed by adversarial nation states, but that does not mean that other bad actors such as cybercriminals, hacktivists, or others are ignored. Rather, once government adopts an adversary focussed approach to cyber defence, the same approach can be used on a variety of actors. For example, the self-shutdown of ransomware-as-a-service syndicate DarkSide amidst growing public pressure and law enforcement seizures shows just how the combination of enforcement actions and messaging can push even criminal decision-making in a positive direction.15
But the bottom line is to effectively counter today’s threats, governments need to be able shift the decision calculus of attackers: keep them below the threshold of deciding to attack. To do this, governments need to understand the criteria adversaries use to justify an offensive cyber operation.
If an adversary is debating whether to conduct a cyberattack, it needs three different factors to rise above its decision threshold (figure 1).16 There must be some need to attack. This can be pragmatic gain such as money or territory, punishment for a past wrong, or nearly anything else of value. Next, the actor must be satisfied that its actions are legitimate. This does not mean legal, but internally justifiable. After all, spies, by definition, break the laws of other countries, but they are typically quite careful to make sure their actions fall under domestic laws and their own individual morals. Finally, adversaries need to have confidence that the attack will succeed and not result in even worse consequences from unintentional bounce-back or retaliation.
This framework of adversary decision calculus is also incredibly useful to cyber defenders. To deter or prevent attacks, government needs to push an adversary’s thinking on any of those factors below the decision threshold (figure 2).17 Rather than playing “whack-a-mole” with the huge number of threats and vulnerabilities, governments can deploy several actions in advance to deter the most threatening adversaries from attacking in the first place. In some sense, the adversary focussed approach to cyber shifts much of the burden of cyber defence “left of click” to prevent the most devastating attacks.
An adversary focused approach seeks to shape behaviour, deny benefit and impose costs on an adversary to deter it from launching cyberattacks. If adversaries first require a need for an attack, government’s first action should be to use technology standards and other tools to shape behaviour. The core values baked into standards tend to become the norms of behaviour in a technological environment. The underlying beliefs of “free exchange of information” that underpinned the early days of the internet were codified in technology standards such as TCP/IP protocols, which, in turn, helped shape norms of real people’s information-sharing behaviour as the World Wide Web took shape. Governments can use similar standards and norm-setting bodies to encourage desirable and minimise negative behaviour in cyberspace. Of course, standards just set the “default” behaviour, so to speak, and adversaries are always free to act differently. In that case, cyber influence operations can promote messages that directly undercut an adversary’s motives. By removing the all-important sense of legitimacy, cyber influence can deny attackers the benefit of an attack. Finally, if the adversary still finds a need and a legitimate motive, cyber offence can preemptively degrade an adversary’s capability for attack or threaten to impose costs such that it no longer has confidence that it can get away with any attack unscathed.
The challenge is that, in most governments, these actions are often split across many different agencies and authorities (figure 3). For example, in the United States, standard- and norm-setting is the domain of agencies such as the National Institute of Standards and Technology, Department of State, Department of Commerce and others. Cyber influence and cyber offence can be within the domain of either the defence or intelligence communities, each operating with very different restrictions and authorities.
In an effective adversary focussed strategy, tech standards, norms, influence and offence all need to be calibrated to push a specific adversary’s decision calculus below the threshold of action. All this needs to happen at speed and while respecting the laws and liberties of each area where agencies operate. That level of coordination is hard for most government organisations. Achieving it at the speed and scale of cyberspace in the current system is near-impossible.
Intragovernmental coordination may seem like an obvious answer when adopting an adversary focussed approach to cyber, but it has one major challenge: it is difficult to do at the necessary scale. Intragovernmental coordination can be complex even at a small scale, so when issues grow in size and speed, the complexity of the coordination required increases exponentially.
Take the Active Measures Working Group (AMWG) as an example. Formed in the 1980s to counter Soviet propaganda, the AMWG brought together subject matter experts from the US State Department, the US Information Agency, the CIA, the FBI and even congressional staffs. The group worked as an information broker across the federal government to identify, track and develop strategies to successfully counter Soviet disinformation campaigns in the United States and abroad.18 This level of coordination across conference tables was sufficient to successfully counter the disinformation being spread through newspapers and media placements. While those media could achieve significant global reach, as seen in the Soviet misinformation campaign proffering that AIDS was created in US government labs, the spread of specific messages was slow. It took over a year from the first appearance of a falsified scientific report for the story to spread to its ultimate audience in 80 countries.19 Contrast that with the speed with which online conspiracy theories about COVID-19 spread, some of which reached audiences of more than 6 million in less than 24 hours after posting.20 The conference table coordination of AMWG simply would not be able to keep up with that pace. Add on top of that the growing number of participants would need to coordinate with tech companies, telecommunications regulators, and health and science experts, in addition to cyber and national security agencies, and it is nearly impossible in the current model to achieve the coordination necessary.
Nor are these issues with coordination limited only to the fight against mis- and disinformation. The same complexities hamper defending against cyber espionage and other purely cyber operations as well. Public reporting highlights how early offensive cyber operations such as Operation Glowing Symphony were hampered by slow decision-making and inefficient mechanisms of coordination.21 These challenges are not just historical accidents. Rather, they show that the scale of today’s cyber problems run into organisational barriers that keep government from fully adopting an adversary focussed approach to cyber. (See sidebar “The organisational barriers to an adversary focussed approach” for a fictional vignette about cyber operations in great power competition.)
Special Operations Task Force 427 has become the poster child for influence (or information) operations (IO). The team has built a string of tactical successes by focussing on the thinking of its adversaries and closely coordinating to make sure its actions can influence that thinking.
Master Sergeant Alonto is an often-cranky career Green Beret whose years of experience working in Southeast Asia have made him a human data centre with nuanced insights into certain Asian communities. MSG Alonto’s knowledge is invaluable to Captain Jessica Bluff, who must generate persuasive content as the leader of the task force’s tactical psychological operations team. A savvy cyber team is the final part of the dream team, delivering CPT Bluff’s content to specific individuals and groups through offensive cyber operations. The team merges individual capabilities to successfully shape local public perception in support of US and allied political, social and economic beliefs—most aptly shown in its most recent mission to rally support for Freedom of Navigation operations in the South China Sea within a small but important fishing community.
Hoping to replicate the team’s success across a larger swath of Southeast Asia, headquarters back in Hawaii orders the team to begin working on regional issues. The team quickly realises that in IO, success doesn’t scale as quickly as problems do. The team works hard, but, just as it is beginning to make headway in one small island chain, a crisis crops up in another set of islands. Faced with a relatively unknown target population and cyber situation, and unable to reshuffle resources quickly enough, the team can only fire off a few largely ineffective messages before the crisis has passed.
The after-action report identifies four main problems that limited how successful even a star tactical team could be when faced with challenges of larger scale:
These four factors represent key organisational barriers keeping government from adopting adversary focussed approaches at the scale needed.
In essence, what government faces is a trade-off between agility and scale. Agencies can be quick and responsive at a small scale, like the AMWG was, but growth often requires bureaucratic processes that stifle speed. The problem is that today’s cyber threats demand both agility and scale. Those threats operate on timescales that demand agility, and at the same time can touch so many aspects of life that they require significant coordination within and outside of government. An effective response to these threats may require input from law enforcement, intelligence agencies, telecommunications regulators, and private industry. Achieving that level of coordination on the timescales required to change the adversarial decision calculus puts government in a double bind: It can respond effectively, but late; or respond on time, but in a manner that is uncoordinated and likely ineffective.
The agility versus scale trade-off means that if government is to adopt an adversary focussed approach to cyber, it must first start with some internal innovations that can break that trade-off. Government agencies and commercial companies alike have found ways to break the trade-off and be agile at scale.22 Those innovations can allow government to coordinate at the speed and scale required by the adversary focussed approach.
Innovations are not restricted to merely new technologies. One textbook definition of an innovation is anything that breaks a trade-off.23 The innovations government needs to achieve coordination at the speed and scale required for adversary focussed cyber can be anything from new technologies to new strategies to new business practices.
Government has been slowly discovering some of those innovations as it tentatively explores scaling cyber missions. New doctrines such as “defend forward” and “persistent engagement” can be seen in the long tradition of doctrinal innovations in national security.24 Similarly, new organisations such as the Cybersecurity and Infrastructure Security Agency and US Department of Defence cyber mission teams helped to resolve difficult trade-offs as organisations assumed new cyber missions.
Yet, the innovations deployed so far don’t sufficiently address adversaries’ decision threshold. The adversary focussed approach to cyber demands coordination across all government agencies that exercise national cyber power. But since the challenges of scale—complexity, fragility, fixedness and vulnerability—stand in the way of achieving that coordination at the speed and scale required, government needs innovations that can tackle each one.
In older eras, commanders could use maps or spyglasses to easily see where their forces were and where the enemy was attacking. Today’s cyber leaders have the same need, but with billions of internet end points, no human mind can contain all of the information needed. What is needed is technological innovation bringing together artificial intelligence (AI) and data visualisation to make vast volumes of cyber data digestible to human leaders. Tools such as Project IKE, a tool developed by the Defense Advanced Research Projects Agency (DARPA) that is newly deployed to US Cyber Command, can collate and curate the right data, allowing 3D visualisation software such as Immersive Wisdom to literally ‘show’ human operators the nonphysical environment of cyberspace. With those tools, human operators can spend less time sifting through network data and more time making mission decisions much as intelligence analysts are beginning to do today with AI.25
Fragility is really a problem of agility. Highly efficient processes often cannot adapt quickly enough to changing circumstances. If government wishes to reduce fragility in cyber decision-making, it needs to speed the pace of its own decision-making, across all the agencies involved.
Countering fragility is really a two-step process: First, all agencies need a real-time shared picture of the world; and second, leaders need decision supports to help them formulate courses of action in such a complex world. Creating a real-time, shared picture of the cyber environment is difficult not only because of the complexity of the environment, as discussed above, but also because much of the data will be highly classified and hard to share. But solutions to these problems already exist. For example, cross-domain intelligence-sharing can help create an environment where agencies can seamlessly make data discoverable to those who need it and have a right to access it.26 Then, with a shared understanding of the operating environment, leaders need decision supports to help them understand how their actions will impact the adversary and even the plans of other agencies. For example, how will an offensive cyber operation impact the adversary or degrade ongoing influence operations? AI can again help with these questions, as demonstrated by DARPA’s Deep Green programme more than a decade ago, but ultimate success depends on all cyber leaders working from a common picture toward a shared goal.27
If faster decision-making depends on leaders sharing a common picture and common goals, technology can help with the common picture, but common goals can come only from unified leadership. Some central cyber leadership structure is necessary, whether on the national security council staff or as a stand-alone executive position. This central leadership can produce a coherent vision for the exercise of national cyber power so that each agency can act quickly on its own initiative but still stay assured that their collective actions are helping achieve larger ends.
More than just a strategy document, cohering around common goals is about creating common organisational culture. Government is no stranger to creating common cultures from many diverse organisations. Organisations such as the Office of the Director of National Intelligence and legislation such as the Goldwater-Nichols Act have helped create communities out of individual agencies. National cyber leadership can serve a similar role in building social coordination on cyber via rotational assignments, joint duties, common training curricula and more.28
A nation’s cyber vulnerabilities often arise from hidden interdependencies. Government may not be aware of who is making its technology, and companies may not be aware of whom they are depending on for their hardware and services. Making all of these interdependencies visible can help leaders in both government and industry take appropriate actions to mitigate the risk, essentially shaping the norms of the cyber environment.
Supply chain illumination tools can share details on government suppliers, and their suppliers in turn, down several tiers, to help see what is really going into their technology. Similarly, mandatory disclosure laws can help ensure that once vulnerabilities are identified in commercial products, they do not spread unseen and compromise even more organisations. These changes may be uncomfortable at first for both government and industry, but they represent the first steps toward a mindset of collective defence. The mindset that we are so interconnected we are all in this together is the cornerstone for reducing vulnerability in a complex cyber environment.
Technology is always advancing, and there will always be new vulnerabilities. What matters most is the capability and intent of adversaries to exploit those vulnerabilities. Therefore, long-term cybersecurity rests on government’s ability to coordinate all the functions of national power against the decision calculus of each adversary. But to do that coordination at the speed and scale required takes new innovations in government technology and organisation. With those innovations, governments can do what today seems impossible: live in a world free of massive cyberattacks.
Digital transformation, enabling technologies and connected communities are expanding and adding complexity to attack surfaces. Organisations should identify where cyber risks need to be addressed across mission ecosystems and elevate cyber programmes with new techniques. These approaches can better support and protect your mission. Deloitte collaborates with organisations to provide deeper insight into addressing cyber risks while promoting innovation and mission impact.