There is a risk that we overanalyze attacks on critical infrastructure and try to find a strategic intent where there is none.
Our potential adversaries could attack critical American infrastructure for reasons other than executing a national strategy. In many cases, it can be as simple as hostile totalitarian nations that do not respect international humanitarian law using critical American infrastructure as a cyber range.
Naturally, the focus of their top-tier operators is on conducting missions within the strategic direction, but the lower echelon operators can use foreign critical infrastructure as a training ground. If the political elite sanctions these actions, nothing stops a rogue nation from attacking our power grid, waterworks and public utilities to train their future, advanced cyber operators. The end game is not critical infrastructure — but critical infrastructure provides an educational opportunity.
We have to defend critical infrastructure because, by doing so, we protect the welfare of the American people and the functions of our society. That said, just because it is vital for us doesn’t automatically mean it’s crucial for the adversary.
In reality, our knowledge of the strategic intent and goals of our potential adversaries is limited. We can study the adversary’s doctrine, published statements, tactics, techniques and events, but we are assessing the adversary’s strategic intent from the outside. This results in qualified guesses, with all the uncertainty that comes with them.
For a less able potential adversary, attacks on critical infrastructure can serve as a way to show their internal audience they can threaten the United States. In 2013, Iranian hackers broke into the control system of a dam in Rye Brook, New York. The actual damage was limited by maintenance procedures at the facility.
But the intrusion in the control system made national news, engaged the state of New York, elected officials, the Department of Justice, the Federal Bureau of Investigation, the Department of Homeland Security and several more agencies. Time Magazine published the headline “Iranian Cyber Attack on New York Dam Shows Future of War.”
For some adversaries, cyberattacks seemingly become a way of picking a fight with the Americans without risking escalation.
Yet, these attacks are not entirely without risk because those seeking to maximize civilian hardship as a tool to bring down a targeted society have historically faced a reverse reaction. German bombings of civilian targets during the 1940s air campaign known as “the Blitz” only hardened the British resistance against the Nazis. The reactions to Pearl Harbor and Sept. 11, 2001, show such an attack might unify American society instead of injecting fear and forcing submission to foreign will.
Critical infrastructure is a significant attack vector to track and defend. Still, cyberattacks on U.S. critical infrastructure create reactions that might not be wholly predictable — creating risk for the adversary. For the U.S., the risk is that we try too hard to find strategic intent where there is none.
Jan Kallberg is a research scientist at the Army Cyber Institute. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute, U.S. Army or the Department of Defense.