As threats multiply, defenders need to adopt the lateral thinking of attackers and an ‘everything everywhere all at once’ mindset.

Mutually assured digital destruction (MADD) is not a phrase that has widespread currency beyond cybersecurity, but it might be the only thing still holding back major cyber attacks on critical infrastructure.

So argued Nicole Perlroth, the CISA advisor and former New York Times cybersecurity journalist, in her ISC2 Security Congress 2024 presentation in Las Vegas.

MADD – borrowed from the world of superpower nuclear conflict – is the idea that enemies of the U.S. are already deeply buried in the country’s water, power grid, medical centers and even major companies. They could detonate a payload at any time but haven’t done so, even at moments when it might have been advantageous to do so. The reason is that the U.S. and its allies are, in turn, deeply buried in their critical systems and would retaliate. This uncertainty keeps a lid on the possibilities, for now at least.

A Digitally Dependent World

The detail of this argument matters less than the fact that it highlights how the U.S. economy now depends on digital systems. Without them, it would be brought to a standstill in ways that don’t come with a convenient Plan B fallback.

According to Perlroth, this rather bleak world has snuck up on us over the last decade and a half. There have been major attacks during this time but, more significantly, a lot more small ones that have gradually pushed ever closer to an imaginary line nobody wants to cross.

“Each attack marked just a slight escalation of the attack before it,” Perlroth told delegates. “Testing, probing for that red line which never really came.”

Interestingly, threat types such as ransomware have plotted a similar course. People can see that attacks are bad, but they do not always appreciate the troubling pattern that attacks only get worse in an era where the barriers to entry into cybercrime keep getting lower.

Meanwhile, the blind spots keep expanding. Old-style hackers used to announce themselves, said Perlroth. Today, the same hackers hide inside systems and are often missed.

It’s a crime wave that eventually left Perlroth feeling burned out. “I had reached the point of diminishing returns. It was all the same old story. The code had become the critical infrastructure, and we hadn’t bothered to notice.”

AI’s Arrival

Today, nation states, especially China, have burrowed deep into targets that have little obvious value but could be part of sinister longer-term campaigns. “We’re likely in their systems so this is them getting into ours. Both holding guns to each other’s heads, daring each other to shoot.”

Another big change in the cyber threat landscape has been the sudden arrival of AI, argued Perlroth, who noted prompt injection attacks against popular tools such as the Hugging Face machine learning platform and Microsoft’s Copilot.

“It gives me no pleasure in predicting that the next SolarWinds is very likely to be in AI.”

The good news is that AI is an incredibly effective way to reduce attack detection times, to hours in some cases. AI is a threat but also a godsend if defenders can deploy it efficiently.

Influence Operations

No cybersecurity discussion would be complete without mentioning disinformation. The enemies of the U.S. have invested heavily in this space and countering them will require a similar effort in return, said Perlroth. “They are playing chess and in too many ways we are still playing checkers.”

According to Perlroth, the U.S. is under attack from numerous disinformation campaigns that have the potential to reduce the willingness of populations to support policies that oppose Chinese, Russian and Iranian influence. Importantly, disinformation campaigns weren’t only about nation states. Russia, for one, has used them against Western business interests, including as part of a successful 2022 campaign to stop the Western mining company Rio Tinto from opening a lithium mine in Serbia.

Defending against this is not strictly in the cyber realm but Perlroth believed that making a distinction between cyber and influence operations would be an error. Influence operations were part of the ‘everything everywhere all at once’ cyber scenario.

“We need to start planning for defenses around influence operations. In this brave new world, the barrier between the physical and digital worlds have grown very thin.”

These attacks were no longer about targeting computers. That was a mere steppingstone. Today, attacks take down entire economic systems such as healthcare.

“In the old world we believed that we were protected by two vast oceans. The truth is those oceans don’t exist.”