Non-kinetic critical infrastructure attacks are typically viewed as limited to the field of “cyber” by policy makers, defenders, and even most attackers. Yet this view is extremely limited and ignores multiple possibilities for attack amplification and propagation mechanisms using multiple aspects of information warfare beyond computer-enabled operations. Furthermore, even within the realm of cyber-induced impacts, potential (and desired) impact scenarios may stretch well beyond simple disruption (or even destruction) towards more subtle messaging and indirect effects. By exploring how other information warfare disciplines such as influence operations and deception can work in conjunction with cyber capabilities, attackers can devise powerful attacks with far greater scope for disruption than cyber capabilities alone.
Especially worrisome in this approach are opportunities for attackers to take advantage of systemic or endogenous risks within the targeted system (e.g., financial swings or natural power disruption events) to serve as triggers for positive-feedback loop attacks causing far wider effects. Adopting a wider, more creative view on how critical infrastructure operates and possible attacker touchpoints thus yields a diverse set of possible attack mechanisms with deeply concerning implications.
More importantly, from a defense and response perspective, such attacks done well and done properly present few good options for reactions. Especially in an offensive-focused response environment hinging on recent doctrine such as “defend forward” or “persistent engagement” with their implications for cyber deterrence and preemption, actions enabling this type of multi-spectrum critical infrastructure attack largely fall just beneath established, recognized conflict thresholds. Just as attackers can diversify their abilities through a multi-faceted information warfare approach, defenders must learn the implications behind such attacks and devise new mechanisms to defeat, counter, or respond to such attacks.
To explore the above concepts, two scenarios will be examined: Stuxnet (in brief), which continues to be misunderstood by many as a straightforward destruction event, and possible electric sector attack scenarios blending information operations with cyber disruption. Through this exploration, attendees will gain an understanding of how full-spectrum information operations capabilities can yield powerful results - including changing the behavior of an adversary national command authority - without resorting to traditional force-related actions. In closing, defenders and policymakers will be provided with suggestions for how such attacks might be either countered, or at least their effects minimized beyond traditional conceptions of cyber deterrence and response.