Adversaries have rapidly shifted operations from owned, hosted network infrastructure to compromised third-party nodes to obfuscate operations, rapidly shift nodes, and evade defenses. The result has been the weaponization of a previously “neutral” space, going well beyond traditional botnets to proxy networks and similar infrastructure used for actions ranging from e-crime to offensive cyber operations.
This presentation will look at this neutral space and how devices such as small office/home office (SOHO) routers and similar equipment have been co-opted for malicious operations. As part of this investigation, we will also examine the unique policy implications of such operations, where remediation or response now impacts infrastructure owned by innocent third parties instead of adversary-owned and -operated infrastructure. From this discussion, we will arrive at an interesting conclusion: a reexamination of authorities and “acceptable losses” is necessary to reshape the discussion of cyber defense and response as entities such as Volt Typhoon leverage these networks for potentially physically harmful cyber operations.
Joseph Slowik
Joe Slowik has over 15 years of experience across multiple disciplines in cyber operations and security, spanning the government, military, and commercial sectors. Joe currently works as Director of Cybersecurity Alerting Strategy for Dataminr, while also teaching and advising on threat intelligence and related activities through his company Paralus LLC. Previously, Joe has led operations such as threat intelligence, detection engineering, and threat hunting at organizations such as Los Alamos National Laboratory, the MITRE Corporation, Dragos, Huntress, and DomainTools.