In March, Kojima, a small factory in Japan, was hit with a ransomware attack. This small factory was responsible for supplying cupholders to Toyota Motor Company, and the disruption caused by the ransomware attack forced Toyota to shut down 28 production lines, causing nearly $400 million in economic impact. Some have speculated that the Russian government executed this cyberattack in retaliation against the Japanese government for its recent aid to Ukraine. Assuming the speculation is true, the Russians knew exactly where to apply the least amount of effort to cause the maximum amount of pain, all below the threshold for war.
We have entered a new era of cyber-enabled economic warfare, where nation-states are able to achieve national objectives through cyberattacks with minimal risk of kinetic response (e.g. boots on the ground).
The Colonial Pipeline attack first showed how cyberattacks can impact everyday citizens. Pipelines that supplied 45 percent of the East Coast’s fuel were shut, gas stations ran out of fuel, and panic, hoarding and price gouging ensued. Had this attack been coordinated alongside attacks against refineries and maritime shipping, gas prices could have spiked 100-fold. Now imagine this attack occurring days before an election.
The new era of cyber warfare
We tend to think of cyberattacks as extortion-centric — a criminal organization seeking to extract a profit from a victim. In this new era, cyberattacks shift towards retaliation, business destruction and political gain.
These attackers don’t need to compromise organizations directly; rather, disrupting the supply chain, as we saw with Toyota Motor Company, can achieve the objective. Companies that embraced just-in-time logistics and lean manufacturing are especially susceptible. Within the U.S., the bulk of these industries and their suppliers reside within our central corridor — Georgia to Texas in the south, Wisconsin and Michigan to the north, the Heartland to the west and Pennsylvania to the east. This is also the most important geopolitical corridor in the world, which is home to the swing states that determined the last five presidential elections.
Key enablers
Three major problems, if left unsolved, will open the door to cyber-enabled economic warfare. All three can be addressed if we have the will to do so.
First, technology vendors are not sufficiently accountable for the security posture of software and solutions they now provide. They face no penalty for or consequences from exploitable vulnerabilities in their code. This requires legislation that introduces vendor accountability.
A second, similar accountability gap exists for products imported into the U.S. There are multiple documented examples of imported electronics collecting data and transmitting it to China.
Third, small and mid-sized businesses (companies with fewer than 250 employees) are critical suppliers for manufacturing, pharmaceutical, agriculture, aerospace and defense, and other important industries. But these smaller companies lack the technical expertise and funding required to effectively defend themselves.
Cyber warfare at machine speed
In maneuver warfare, the fighting unit that can make better decisions faster than their opponent holds an advantage. This equation of speed and intelligence hasn’t changed since Napoleon’s army in the 1800s. But today, computers can make decisions much faster than humans.
Artificial intelligence (AI) will have a profound effect on accelerating cyberattacks. AI-based attacks can make 100,000x more decisions per minute than a human defender, getting inside the defender’s OODA (observe–orient–decide–act) loop. In four minutes, an AI-based cyber attacker successfully compromised an organization. We should expect that to be less than 60 seconds soon. It is nearly impossible for a human to detect, characterize and take action to stifle an attack within that period. Therefore, the future of cyber warfare will run at machine speed – algorithms fighting algorithms – with humans by exception.
To succeed, organizations must switch to a ‘wartime’ mindset
If we continue to operate in “business as usual” mode, AI-assisted attacks will accelerate faster than defenders can improve their security effectiveness. We must shift from a peacetime to wartime cybersecurity mindset to change that outcome.
A wartime security mindset focuses on readiness and “training like you fight.” This switches the focus from implementing security controls and then waiting for an attack, to “red teaming” – probing one’s own security vulnerabilities and weaknesses just as our adversaries do – and proving that an attacker cannot compromise the organization’s defenses.
Our language should evolve beyond being “secure & compliant” – which is a point-in-time state – to being “defensible & resilient” — with defenses that rapidly adapt based on the enemy’s actions.
It takes a village
The Cybersecurity and Infrastructure Security Agency (CISA), led by Jen Easterly, has led the way in rallying the cybersecurity community into a national movement. Keith Krach pioneered the concept of “technology diplomacy” while at the State Department in the fight for 5G integrity. The White House, led by Anne Neuberger, alongside the National Security Agency, led by Rob Joyce, have helped deliver meaningful cyber policy at the national level. We rarely see this level of partisan-free collaboration among true experts and leaders in the field. These government leaders have helped cultivate actionable industry relationships and ecosystem partnerships, which are key building blocks for our collective success.
We have many of the puzzle pieces and a partial picture on the box, but what is needed is that final push to rally the security ecosystem: legislation that drives accountability among vendors; import controls that ensure cyber safety; overwatch of our small and medium-sized businesses; security awareness training for the masses; education programs to create a pipeline of security talent; and funding as the catalyst to mobilize our innovation ecosystem.
Finally, in this new era we must shift to a “trust but verify” mindset regarding our cybersecurity posture. My former commanding general within special operations said, “Don’t tell me we’re secure, show me, then show me again tomorrow, and again next week, because our environment is constantly changing and the enemy is always evolving.” This is the way.
Snehal Antani is co-founder and CEO of Horizon3.ai. Prior to Horizon3.ai, he was CTO within U.S. Special Operations, CTO of Splunk and a CIO within GE Capital.