Standoff in cyberspace

Stewart K. Bertram | 29 June 2016

In physical security terminology, standoff is the term used to refer to the physical distance between a defender and a threat. For example, concrete barriers placed in front of a building create a standoff distance from ground-based threats such as vehicle bourn suicide bombers (Arsenal’s Emirates Stadium is a great example). Standoff distances can range from a few meters (small arms) to thousands of miles (intercontinental ballistic missiles), but the important point to note about the concept is that different defensive systems create different standoff ranges in relation to different threats. 

 Arsenal Emirates

It struck me that, given the importance of standoff distance in physical security strategies, it was unusual that the concept has had little consideration within the field of cybersecurity. While there are a number of conceptual areas to explore when applying the concept to the digital estate, given that cybersecurity is fundamentally about the relationship between an aggressor (hacker) and a defender (cybersecurity professional), an obvious first point of analysis seems to be finding the equivalent of physical distance within a cyber context.

After considering a number of prominent historic and ongoing case studies, it seems to me that the cyber equivalent of the physical distance element of standoff is actor attribution. That is, standoff is reduced, or closed, between the aggressor and the defender, the better the defender is able to attribute a cyber-attack to a defined actor.  

This assertion is based on observations around the use of cyber proxy forces and false flag operations by various nation states. Fictitious groups, such as the Guardians of Peace as a cover for the Sony hack of 2014, as well as the use of South Korean criminals to distribute malicious software that conducted DOS attacks against South Korean airport infrastructure, are both examples of attempts to create a digital standoff. In response forensic capabilities are often focused on attribution, closing the standoff distance between victim and target.

Apart from a novel way to visualize the relationship between defender and aggressor, the concept of cyber standoff can be more productively applied to considering the application of security to multiple systems enclosed within a single network. Many large modern networks have uneven security applied to them. For example, within a banking institution, externally facing email systems are inherently less secure than SWIFT system that would be naturally layered in more security protocols. Hence the maximum possible cyber standoff distance between an emails system is always going to be less than the standoff that can be achieved with a deeply nested internal system. At its core the concept of cyber standoff is a useful for measuring the appropriateness of deployed defences commensurate with the level of threat that they face.

A logical question to ask is ‘why is the concept of cyber standoff any different from other more established methods of measuring cybersecurity maturity level?’ The essential goal of the concept of standoff is to consider both the defences deployed and the capability that the threat possesses in a more holistic way that maturity and risk assessment currently do on their own.

Although not explicitly using standoff as a concept, schemes such as the UK CBEST initiative accredited by CREST and backed by the Bank of England, seek to capture the same interaction of aggressor and defender within their testing framework. These schemes are in their relative infancy and I think there is a place for more granular concepts, such cyber standoff, that could be used as more substantive elements to these initiatives.