We have entered a new era of cyber-enabled economic warfare, where nation-states are able to achieve national objectives through cyberattacks with minimal risk of kinetic response (e.g. boots on the ground).

The Colonial Pipeline attack first showed how cyberattacks can impact everyday citizens. Pipelines that supplied 45 percent of the East Coast's fuel were shut, gas stations ran out of fuel and panic, hoarding and price gouging ensued. Had this attack been coordinated alongside attacks against refineries and maritime shipping, gas prices could have spiked 100-fold. Now imagine this attack occurring days before an election.  

The new era of cyber warfare

We tend to think of cyberattacks as extortion-centric — a criminal organization seeking to extract a profit from a victim. In this new area, cyberattacks shift towards retaliation, business destruction and political gain.

These attackers don’t need to compromise organizations directly; rather, disrupting the supply chain, as we saw with Toyota Motor Company, can achieve the objective. Companies that embraced just-in-time logistics and lean manufacturing are especially susceptible. Within the U.S., the bulk of these industries and their suppliers reside within our central corridor — Georgia to Texas in the south, Wisconsin and Michigan to the north, the Heartland to the west and Pennsylvania to the east. This is also the most important geopolitical corridor in the world, which is home to the swing states that determined the last five presidential elections.

Key enablers

Three major problems, if left unsolved, will open the door to cyber-enabled economic warfare. All three can be addressed if we have the will to do so.

First, technology vendors are not sufficiently accountable for the security posture of software and solutions they now provide. They face no penalty for or consequences from exploitable vulnerabilities in their code. This requires legislation that introduces vendor accountability.

A second, similar accountability gap exists for products imported into the U.S. There are multiple documented examples of imported electronics collecting data and transmitting it to China.

Third, small and mid-sized businesses (companies with fewer than 250 employees) are critical suppliers for manufacturing, pharmaceutical, agriculture, aerospace and defense, and other important industries. But these smaller companies lack the technical expertise and funding required to effectively defend themselves.

Cyber warfare at machine speed

In maneuver warfare, the fighting unit that can make better decisions faster than their opponent holds an advantage. This equation of speed and intelligence hasn’t changed since Napoleon’s army in the 1800s. But today, computers can make decisions much faster than humans.

Artificial intelligence (AI) will have a profound effect on accelerating cyberattacks. AI-based attacks can make 100,000x more decisions per minute than a human defender, getting inside the defender’s OODA (observe–orient–decide–act) loop. In four minutes, an AI-based cyber attacker successfully compromised an organization. We should expect that to be less than 60 seconds soon. It is nearly impossible for a human to detect, characterize and take action to stifle an attack within that period. Therefore, the future of cyber warfare will run at machine speed – algorithms fighting algorithms – with humans by exception.

To succeed, organizations must switch to a ‘wartime’ mindset

If we continue to operate in “business as usual” mode, AI-assisted attacks will accelerate faster than defenders can improve their security effectiveness. We must shift from a peacetime to wartime cybersecurity mindset to change that outcome.

A wartime security mindset focuses on readiness and “training like you fight.” This switches the focus from implanting security controls and then waiting for an attack, to “red teaming” – probing one’s own security vulnerabilities and weaknesses just as our adversaries do – and proving that an attacker cannot compromise the organization’s defenses.

Our language should evolve beyond being “secure & compliant” – which is a point-in-time state – to being “defensible & resilient” — with defenses that rapidly adapt based on the enemy’s actions.

It takes a village

The Cybersecurity and Infrastructure Security Agency (CISA), led by Jen Easterly, has led the way in rallying the cybersecurity community into a national movement. Keith Krach pioneered the concept of “technology diplomacy” while at the State Department in the fight for 5G integrity. The White House, led by Ann Nueberger, alongside the National Security Agency, led by Rob Joyce, have helped deliver meaningful cyber policy at the national level. We rarely see this level of partisan-free collaboration among true experts and leaders in the field. These government leaders have helped cultivate actionable industry relationships and ecosystem partnerships, which are key building blocks for our collective success.

We have many of the puzzle pieces and a partial picture on the box, but what is needed is that final push to rally the security ecosystem: legislation that drives accountability among vendors; import controls that ensure cyber safety; overwatch of our small and medium-sized businesses; security awareness training for the masses; education programs to create a pipeline of security talent; and funding as the catalyst to mobilize our innovation ecosystem  

Finally, in this new era we must shift to a “trust but verify” mindset regarding our cybersecurity posture. My former commanding general within special operations said, “Don’t tell me we’re secure, show me, then show me again tomorrow, and again next week, because our environment is constantly changing and the enemy is always evolving.” This is the way.

Snehal Antani is co-founder and CEO of Horizon3.ai. Prior to Horizon3.ai, he was CTO within U.S. Special Operations, CTO of Splunk and a CIO within GE Capital.

Of course, some very bad stuff has happened in our increasingly connected society. Criminals and nations have stolen billions of dollars; Russia took down parts of the Ukrainian power grid (at least twice); the East Coast had gasoline shortages when Colonial Pipeline shut down its operations after a ransomware attack; countless hospitals have been crippled for days or longer; Sony Pictures saw its deepest secrets published for the world. All of these incidents bring with them significant costs — physical, financial and psychological. Some are genuine disasters.

But there was no “Battle of Colonial Pipeline,” and the breach itself was not part of some grand conflict. In fact, Colonial was not specifically targeted; it was one of many companies that a relatively unsophisticated hacker tried to ransom, and he was only able to breach Colonial because it wasn’t using a basic security tool. If this was a battle in a grand cyber war, then our troops didn’t put up a fight. And if we continue to define “victory” as a complete absence of bad cyber things, then this is just another unwinnable war on a noun — like the “wars” on drugs, terrorism, and teen pregnancy. We continue down this path at our own peril.

All of us — individuals, governments and media (especially headline writers) — need to move past panic over cyber threats and accept that cyber incidents are endemic. Cyber insecurity will always be a significant problem, but it is one that we must work to manage, not eliminate. And the first step to managing the problem is to stop telling ourselves we’ve already failed. The next step is to recognize where we have made progress, whether managing cyber risk, stopping attacks, or punishing criminals. The constant evolution of cybercrime is perhaps the clearest example of our success — if the rampant “scareware” scams of ten years ago still worked, criminals would still use them. But they don’t, because defenses improved and potential victims wised up to them. So the criminals developed new attacks, which cost them time and resources (i.e., money). They spent those resources because we made them do it, not because they wanted to try something different. This cat-and-mouse game will continue, but cybercrime is a business, and we make progress when we drive up the criminals’ costs.

While a non-attack can be hard to prove (the classic dog that didn’t bark), it is noteworthy that Russia’s wartime efforts to cripple Ukraine via cyber-attack have been far less successful than most commentators expected, and the epidemic of high-profile ransomware attacks we saw in 2021 cooled in 2022. Improved defenses made a difference as governments, potential victims, and cybersecurity companies around the world stepped up to meet the threat. As for bringing criminals to justice, ask Denis Dubnikov, a cryptocurrency broker who recently pled guilty to laundering ransomware payments; or Yaroslav Vasinskyi, who is currently awaiting trial in Texas for allegedly launching the July, 2021 ransomware attack on Kaseya; or Vyacheslav “Tank” Penchukov, the leader of the “Zeus” cybercrime group, who was arrested in Geneva in November.

Recognizing our successes is about more than just feeling good — it shows that defenses can work, that individuals can protect their data and privacy, and that organizations can secure their systems and stop cybercriminals. It can be the foundation of a new message, one of empowerment and education. Cybersecurity will remain a priority for governments, companies, schools and individuals for the foreseeable future, which is why it’s essential our public conversation reflects the reality of the threats we face and the things we can do to counter them. Just as we cannot ignore the damage that attacks and data breaches can cause, we must also recognize that there are simple security steps that all of us can do to make those occurrences less frequent and less significant.

Jeff Greene is the Senior Director for Cybersecurity Programs at Aspen Digital; from March 2021 to June 2022 he was the Chief for Cyber Response & Policy in the National Security Council at the White House.