Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition

The magic of sophisticated cyber attacks

To truly measure sophistication, we need to look past the technical and consider the broader elements of cyber operations
Main Top Image
This image was created with the assistance of Midjourney

The term ‘sophistication’ is not new to cyber operations. It appears in media reports, victims’ testimonies, and commercial threat intelligence analyses. However, it is ill-defined and regularly misused. Even when basic security flaws and generic threats are behind a compromise, victim organisations will often describe it as a ‘sophisticated’ attack.

Nevertheless, its frequent use is not completely unfounded. Using the term ‘sophistication’ allows us to put cyber strategies in context, both offensive and defensive. It shapes our perceptions about the resources used, the intent behind attacks, and the anticipated outcomes. It is therefore important to get the concept right.

A technical term

Although attempts to understand the essence of cyber sophistication abound, they often oversimplify complexity by focusing only on technical metrics and disregarding the underlying operational activity and its nuances.

An influential post by Dave Aitel, a former US National Security Agency operator and cybersecurity expert, parses the sophistication of cyber operations into different components. He distinguishes between sourcing, usage, network, testing persistence, and operational security to shed light on the necessary tooling for cyber operations.

He argues that if an attacker develops their own customised tools instead of purchasing or using open-source ones, they are likely more sophisticated. Also, tools that are not tested or tested against third parties show less sophistication than those that are tested on cyber ranges, simulation platforms for cyberattacks. Furthermore, if attackers use a tightly connected toolset to hide their tracks well, they are likely more skilled than someone using just one toolset.

Ben Buchanan expands on Aitel’s methodology, adding to tools and procedures operational factors such as speed. Speed not only refers to the rapidity of an attack but also its timing and precision. Buchanan also points out that the intended scope of a mission is an indicator of sophistication. A complex mission, like disabling a power grid, would inherently require greater sophistication than a simple, short-term computer lockout.

Magic tricks

Although these frameworks provide a structured approach, they also have limitations. They ignore a core aspect of sophisticated cyber operations: the need to trick your opponent. As Jon Lindsay astutely notes, cyber operations pivot on deception. There is no “forced entry” in cyberspace. “If someone has gained access into a system from the outside, it is because that someone has persuaded the system to do what its users did not really want done and what its designers believed they had built the system to prevent,” describes Martin Libicki. The essence is to outwit and deceive the opponent.

A helpful analogy to help us understand sophistication is likening cyber operations to magic tricks (Herb Lin has explored this affinity extensively). Both rely heavily on the art of deception. Magic aims to “create illusions of the impossible.” Consider this: is a magic trick repeated hundreds of times as striking as the first time? The impressiveness and element of surprise diminish. Many magicians can replicate another’s tricks, but there is a vast difference between mere replication and original invention.

In the realm of cyber operations, repetition also dilutes sophistication. The technical frameworks in popular use today, though insightful, often miss this dynamic. Relying solely on technical metrics undervalues the critical role of creativity in cyber operations.

The analogy with magic also highlights that operational difficulty is just one facet of sophistication. Elements such as surprise, likelihood of success, and innovative tactics play equally important roles. Sometimes sophistication lies in the simplicity of deception.

More than novelty

This does not mean that novelty is the only thing that counts. The brilliance often lies in the judicious blend of old and new. Just as a magician might choose a classic trick because it fits the act, a cyber operator might lean on an older, proven technique because it is appropriate for the situation. For instance, if a simple phishing email grants an attacker access to a corporate network, there is no need to use more complex zero-day exploits.

The artistry in both domains lies in the practitioner’s discernment. Knowing when to ‘dial up’ and unveil a new trick or advanced technique is as important as recognising the moments when the old ways will shine. Success does not rely solely on the act; it also involves having a good strategy, knowing the intended audience (or victim), and seizing the opportune moment. The cyber operator must possess a deep understanding of the networks they are targeting.

The balancing act

Cyber sophistication is about balancing the bold with the subtle, the new with the old, and the seen with the unseen. The true mastery in cyber operations lies in this equilibrium – the seamless integration of technological skill with the art of illusion.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.