“The report, from the International Institute for Strategic Studies (IISS), looked to use new frameworks [seven categories] and analysis to assess 15 countries’ cyber power.
The two-year study was intended to assist decision makers by highlighting those cyber capabilities that make the greatest difference to national power. It also aimed to governments and corporations calculate strategic risk and investment.“
“As part of their work, the authors examined nation’s capabilities under seven categories:
• Strategy and doctrine
• Governance, command and control
• Cyber empowerment and dependence
*Core cyber-intelligence capability
• Cyber security and resilience
• Global leadership in cyberspace affairs
• Offensive cyber capability
The United States was the only nation that ranked in the top tier, meaning it possesses world leading strength in all categories.
Nations in the second tier have world-leading strengths in some categories. Those countries included Australia, Canada, China, France, Israel, Russia and the United Kingdom.
The third tier – which included India, Indonesia, Iran, Japan, Malaysia, North Korea and Vietnam – possess strengths or potential strengths in some categories, though significant weaknesses in others.
The U.S. remains the most capable cyber state, the report read, largely due to significant investments and “clear political direction for the pursuit of national cyber power” since the mid-1990s. Moreover, the U.S. possesses a world class cyber intelligence capability with global reach and is amplified by integrated partnerships with other highly cyber capable states.
However, the ubiquity of cyber tools, complexity of systems and the U.S.’s digital reliance has given an edge to adversaries and unsophisticated cyber techniques aimed to subvert U.S. power and companies.
“Doctrinal shifts such as persistent engagement and defend forward are designed to redress this imbalance,” the authors wrote. “Nevertheless, the US performs strongly across all categories of the methodology and is alone in Tier One.”
U.S. allies possess strong general cybersecurity across government and industry as well as strong intelligence capabilities and cyber tools with clear political direction.
U.S. adversaries – namely Russia, China, Iran and North Korea – while capable, still lag behind top U.S. allies. However, when it comes to purely offensive capability, the report notes that Russia and China probably surpass all other nations except the U.S. Moreover, the authors note key doctrinal differences between how Russia and China view “offensive cyber” versus western countries such as the U.S.
“For both China and Russia, what the West calls ‘offensive cyber’ is just the technical component of a wider information-operations capability. It is just one means of controlling their own information space, and subverting those of their adversaries, in what they see as an ongoing conflict of ideas with the West,” the report says. “It is therefore just as much an arm of those states’ propaganda machines, and a means of creating and delivering ‘fake news’, as it is a means of penetrating an adversary’s critical infrastructure.”
As a result, Russia and China may be devoting fewer resources than the U.S. in developing offensive military cyber capabilities, specifically that are designed to take out sophisticated critical infrastructure and networks during a conflict.
The report also notes that even the most powerful nations have struggled to shape durable policy frameworks for cyberspace.
“The dynamism of the cyber environment (in technologies, economics, politics and security affairs) has forced leading countries to undertake reappraisals and revisions to key strategy documents on an almost continuous basis,” the report says. “Our research confirms that all countries are still in the early stages of coming to terms with the strategic implications of cyberspace.”
Additionally, when it comes to military transformations, the authors state while several states have moved to reform their militaries, no state has yet made a transition into well-integrated and dispersed cyber capabilities for offense or defense.
The U.S. has probably gone the furthest in this pursuit, but potential military cyber power in the 2030s has yet to be demonstrated in practice.”
“The Navy is developing a follow-on small business contract to provide a variety technical support services for the cyber warfare efforts.
The contractor will also support research-and-development of production solutions to address cyber vulnerabilities and mitigation of vulnerabilities. Cyber test and evaluation and tool development is another requirement as is cyber support for intelligence operations.
According to Deltek, Mil Corp. is the current incumbent and won the $60 million contract in 2019. That contract is slated to end in 2023.
The solicitation for the new contract is expected in September, with an award coming in April.
Comments on the sources sought notice are due June 23.”
“As attack capabilities become more advanced, including the use of data with artificial intelligence, new crypto networks, and the wider adoption of quantum computing, collaboration will become more urgent. Countries will need to rely on each other more often for cyber defense and deterrence. We must build the framework of collaboration today.”
“The original promise of the internet was that the free exchange of information would support and encourage liberal democracy worldwide. Yet as our reliance on communication networks has grown, this global network has fractured into the “splinternet” — as many countries have carved out their own parts of the internet with their own rules.
Just as physical walls are built in an effort to keep intruders at bay, the splinternet is the result of defensive steps taken by countries determined to maintain their digital sovereignty. Our fractured internet was brought about by nations seeking to limit the influence of foreign adversaries and maintain order within their borders.
Of course, governments have a right to defend themselves. But, as even a cursory read of military history will tell you, walls have their limits. Eventually, walls are scaled — especially in cyberspace. There is no realistic “go at it alone” strategy when it comes to protecting a country from the array of threats in cyberspace. It’s why the next decade must be the decade of transformation from the status quo of a splintered response to cyberthreats to global alliances built on a consistent set of global cyber rules, information sharing, regulation and collective innovation.
Unlike natural domains — land, sea and air — where nations had centuries to build forms of national power and defense, cyberspace is a rapidly growing battlespace. Only about a dozen countries have the cyber capacity to adequately protect themselves and truly understand the strategic and operational initiatives required to defend themselves.
First, many lack a national cybersecurity framework that outlines roles and responsibilities, legal frameworks, and high-level, tailored strategies to drive cyber transformation, build resilience, and prepare for inevitable attacks in the future.
Second, very few have a central, advanced cyber center with end-to-end capabilities and a flexible architecture to adapt to changing threats like the National Cyber Security Centre in the United Kingdom or the Cybersecurity and Infrastructure Security Agency in the U.S. These hubs are necessary to house the cybersecurity incident response teams (CSIRTs or CERTs) that provide an agile defense and help proactively identify threats.
Third, they lack the ability to defend mission-critical systems — such as the electrical grid, the health system, and transportation infrastructure — with robust risk assessments and public-private communication between operators, regulators, and the myriad of companies that make up complex supply chains.
And finally, there’s the human factor: Very few countries have developed a sustainable, well-trained cyber workforce of mission-ready professionals.
This is not easy. To just take the last factor, the human one, it took Israel decades of investment into its education system, as well as marrying that with universal military service to nurture, identify and train talent.
To accelerate this process, then, will take global collaboration. Attribution alliances, global information sharing, joint investigations and a global signature repository are among the ways nations should support one another. This could even take the form of a “Cyber WHO,” a global body that could develop norms about behavior in cyberspace; share knowledge about threats and attacks, specifically their digital signatures; establish attribution where possible; establish protocols to share best practices; and provide technical support to countries at all stages of cyber building. This also will have the added benefit of supporting countries at earlier stages of cyber capacity building.
This will work if there are clear benefits to participation, including strategic and financial support to countries that are serious about addressing the four fundamental building blocks of cyber capacity. This can also create a new market of cyber rating mechanisms, similar to the S&P global credit ratings.
Countries that continue down a path of isolation and willingly break global cyber redlines established by a cyber WHO should have a clear understanding of the consequences, such as a poor cyber rating with economic implications, sanctions, or even removal from a newly formed global cyber defense arrangement.”
“A sophisticated exploit of SolarWinds network management software will take the Biden administration months to fully investigate, but will result in agencies “building back better” through IT modernization efforts, its lead investigator said Wednesday.
Anne Neuberger, the administration’s deputy national security advisor for cybersecurity and emerging technology, said in a White House press briefing that the breach compromised the networks of nine agencies and about 100 private-sector companies.
About 18,000 companies downloaded the malicious update that made the breach possible.
Neuberger, the National Security Agency’s former cybersecurity director, said the administration is still in the “beginning stages” of understanding the scope and scale of the compromise, and that the investigation may uncover additional compromises.
While the full cost and impact of the breach is not yet known, Neuberger said the cyber incident highlighted the investments the administration needs to make to increase network visibility and mitigate future cyber incidents.
“If you can’t see a network, you can’t defend a network, and federal networks’ cybersecurity need investment and more of an integrated approach to detect and block such threats,” she said.
Meanwhile, Neuberger said President Joe Biden is working on an executive action that will assist in agencies’ response to the incident.
Technology companies affected by the SolarWinds breach offer products that, if compromised, could be used to launch additional intrusions, Neuberger warned. In response to that threat, Neuberger added, the administration will need greater information sharing between the public and private sectors.
“There’s active sharing going on in both directions: government sharing its insights with private sector entities — both who have been compromised and those who have broader visibility — and private sector entities sharing their insights to ensure we can together scope and scale what occurred,” she said.
The Cybersecurity and Infrastructure Security Agency, through its National Risk Management Center, has built inroads with the private-sector owners of national infrastructure. However, Neuberger said the federal government is still limited to acting on threat information that companies provide.
“There are legal barriers and disincentives to the private sector sharing information with the government. That is something we need to overcome,” she said.
While the investigation remains ongoing, Neuberger said hackers likely of Russian origin launched the “broad and indiscriminate effort” to compromise government and private sector networks. The techniques used, she added, has led investigators to believe that files and emails on affected networks have been compromised.
Members of the House Homeland Security Committee recently expressed concern with CISA’s lack of “centralized visibility” into civilian federal networks, but Congress, through the National Defense Authorization Act, has given the agency new authorities.
Former CISA Director Chris Krebs told the committee that the agency could provide that cyber support as a shared service through its Quality Service Management Office.”
“To stay ahead of rapidly moving threats in the information space, 1st Special Forces Command is building an Information Warfare Center that will specialize in “influence artillery rounds.”
The center, to be based at Fort Bragg, will consolidate the command’s psychological operations capabilities and will wrap around other information related capabilities such as cyber and space, Col. Ed Croot, chief of staff at 1st Special Forces Command, said in a Feb. 17 virtual presentation for AFCEA TechNet Augusta.”
“Critical to Special Forces’ role is deploying to remote locations while still being able to effectively message portions of a population.
Ideally, the center will see, sense or detect adversary activity around the globe in physical and virtual spaces and within minutes, push that information to those that need it.
The team members will specialize in developing what Croot called influence artillery rounds, no easy task since in the influence world, they must tailor those “munitions” to each specific target, unlike a missile.
“There’s a unique threat audience, a unique friendly audience, a unique neutral audience that has to do with that influence and information piece. It’s extremely difficult to be able to move fast in that space,” Croot said.
The center will work with Special Operations Command’s Joint Military Information Support WebOps Center, which Croot said is delivers information through social media. The WebOps Center doesn’t build these digital rounds, so the Information Warfare Center will fill that role.
“Cyber is another delivery system. It’s a platform, like an artillery piece that you can deliver influence rounds through,” Croot said. “There’s an information revolution that has occurred, and things move faster than we’ve ever seen before, and it’s hard to change mindsets of people and systems and processes to be able to move at the speed of information.”
The geographic combatant commands are each building their own information warfare task forces, which act as forward extensions of the Information Warfare Center across 70 nations. The sensors in those 70 nations must be able to rapidly move information back and forth so the center can tailor the right influence campaigns in a timely manner.
Aside from the effort’s role to affect others within the information sphere, officials described the need to protect Green Berets from sophisticated snoops.
One’s digital footprint can easily be mapped in the modern connected world. As such, 1st Special Forces Command is looking for tools that can provide protection at the tactical edge.
This also includes training forces on how to reduce their digital attack surfaces while deployed and even in garrison in the U.S.
The dangers were demonstrated to great effect a few years ago during a unit exercise, Croot explained. Prior to deploying to the exercise in the U.S., the commander told his unit he wanted everyone off social media a full month prior.
One day into the exercise, the commander laid out how many people the unit had deployed, what base they came from, where they were going, what their mission was and where their families lived, all from their digital footprints, Croot said.
“If you want to be terrified, sit and see and watch a picture of a family member up on a Facebook post talking about you and where you work and where you’re going,” he said. “This is real, and it absolutely is something that we have got to take seriously from a from a home station force protection perspective, let alone at the edge.”
“C4ISRNET” By Maj. Jessica Dawson and Lt. Col. Todd Arnold
“The troves of intricately detailed information collected by online and social media companies were used to target disinformation campaigns (a.k.a., story weapons), and yet, much of the broader national defense strategy fails to acknowledge this actively exploited force protection vulnerability.
There are currently no provisions in law or force structure to actively assess this vulnerability, nor to defend against it.“
“Are algorithms destroying society, or are they merely revealing the schism which always existed? The increased granularity of highly detailed datasets combined with increasingly accurate microtargeted advertising make the question largely unanswerable but nonetheless, pose an unaddressed threat to the armed forces and a national security vulnerability.
Most military strategists only consider center of gravity as that area where the greatest concentration of enemy troops can be found,” and therefore, they concentrate their efforts on directing kinetic operations against physical forces. However, Clausewitz clearly drew parallels between physical forces and their cohesion — that is their ability to operate as a collective unit. “Where there is cohesion, the analogy of the center of gravity can be applied.” The bond between soldiers is at the center of the will to fight, and it is this bond that is currently under assault.
Several recent articles highlight the cognitive vulnerabilities exploited by the data social media companies and other data brokers collect.
The 2016 presidential election was the first great awakening of the American public to the ways in which political campaigns gathered data on potential voters, despite the fact that this data collection has occurred for years. Beyond voter registration data, the rise of social media and the app economy further increased the surveillance and data collection on the American population, including its military. A January 2021 article in Wired pointed out how servicemembers could be selected for targeted advertisement on Facebook by selecting their occupation as Air Force or U.S. Army. While Facebook has removed these detailed targeted categories, advertisers could still select military as an employment category. Even then, the ability to narrow the audience by selecting base locations, ages, incomes and other interests makes the military an easily targeted population through Facebook for disinformation campaigns.
Facebook’s advertising imperative is to allow advertisers — anyone who has a Facebook business account — to find the desired target audience. The feature would exist even if Facebook were to remove all military targeting and locations from their dashboard. Why? Any number of shell companies reportedly continue to use consumer lists, despite customers opting out. The detailed data collected on nearly every aspect of Americans’ daily lives by data brokers such as Axiom, Experian, Magellan and others includes mailing lists that are frequently bought and sold with zero oversight or visibility.
The plethora of detailed data generated in this data wholesale ecosystem creates a massive cognitive force protection vulnerability for the U.S. military. As stated by Kallberg and Hamilton, “We have to treat influence operations and cognitive attacks as serious as any violent threat in force protection.” There is evidence that foreign adversaries are influencing veterans through social media by impersonating veteran service organization and veterans themselves. Unfortunately, there is no mechanism within the military to identify, assess or defend against this threat – a threat that is not viewed as a vulnerability by security firms.
The algorithmic social media ecosystem and targeted advertising economy represent a national security threat, one that the Department of Defense should take seriously. While there are agencies that investigate allegations of criminal activity, there are many ways to damage the U.S. military well below the threshold of criminal activity. Understanding and defending against targeted and algorithmic manipulation must be addressed as a force protection critical vulnerability before the erosion of cohesion — already undermined by the current social media divisiveness over the COVID pandemic response, masks, the vaccines and the recent election turmoil — achieves our adversaries’ greatest victory: erosion of the United States from within.”
Maj. Jessica Dawson is a research scientist at the Army Cyber Institute at West Point and an academy professor (FA47) in the U.S. Military Academy’s Department of Behavioral Sciences and Leadership. Lt. Col. Todd Arnold is a research scientist in the Army Cyber Institute at West Point and an assistant professor in the U.S. Military Academy’s Department of Electrical Engineering and Computer Science. The views expressed are those of the authors and do not reflect the official policy or position of the Army Cyber Institute at West Point, the U.S. Military Academy, or the Department of Defense.
“Agencies have long relied on reactive security (compensating security controls) vs. preventive security (baseline security controls) to protect their information systems.
As an industry, we have largely ignored implementing baseline controls. They’ve proven very difficult to implement and manage at scale and even more difficult to retrofit into an environment in which poor baseline practices around access credentials and code execution restrictions have persisted over time. Instead, the industry has favored the myriad of compensating controls which promise to atone for the sins of these poor baseline practices and protect us from the inevitable.
This problem is greater today than ever before with the dramatic shift to a primarily remote workforce. As a result, the rise in cyber attacks, particularly ransomware, on government employees likewise makes the “reactive security status quo” a challenge.
Tools rationalization – taking stock of the tools currently employed across the enterprise and evaluating each – is the first step. This means identifying applications in use across an organization to determine which to keep, replace, retire, or merge. The process allows IT teams to reevaluate priorities, cut down on tools, and modernize those that remain – freeing up funds for strategic IT priorities and modernization.
The Reactive Security Reality
Compensating controls are mechanisms engineered to respond after a threat makes landing at the point of discovery or execution. This type of control intervenes in normal execution and seeks to determine the safety of the action being attempted at the time of action. Too often, IT teams often use compensating controls as a safety net, as they are easier to install and not nearly as complicated to manage as baseline controls. Furthermore, the sustainment of these controls is often automated as new signatures, heuristics, models, etc. are released from the respective vendors leaving little for the end user to do aside from investigating alerts.
It feels like a pretty good setup, but the news headlines show the reality. This approach fails. Often. In fact, the efficacy rate of these compensating controls falls off sharply when it comes to blocking new, never before encountered threats (vs. existing threats, for which you’ll often see efficacy claims in the high 90th percentile). Something will get through, and when it does, most organizations are poorly equipped to handle it.
Compensating controls should not be an agency’s primary defense. They should be treated as the name describes, compensating for the rare occasion in which proper baseline controls around privileged access and code execution don’t cover the threat (which is incredibly rare). Research has proven time and again that restricting elevated privilege access and not allowing code to execute from areas of risk which are writable by a non-privileged user means quite simply that any malware, ransomware, and otherwise malicious payload can land on an endpoint, but it simply will not function. Implement and preserve those controls on the baseline and these payloads are powerless.
Compensating controls are also extremely costly as there’s no finish line. Attackers simply tweak code or TTPs in order to circumvent detection. AI and machine learning seek to close this gap and while they will help tremendously, they can only narrow it, not close the door completely.
Another consideration agencies must account for is a reliance on legacy tools incapable of full functionality in a borderless environment. The location of context (physical, virtual, cloud, VDI, local, remote, VPN connected, etc.) should NOT make a difference in the efficacy of the protection and management mechanisms in use. One of the beauties of baseline controls is that context makes no difference. Baseline controls protect and secure endpoints regardless of context. The machine is in a naturally secure state.
The challenge is that as adversaries evolve, they lean on increasingly advanced tactics to infiltrate federal systems. With compensating controls, IT teams won’t know about a breach until it occurs. Instead, agencies should re-evaluate their approach to implementing and managing proper baseline controls as mandated by theNational Institute of Standards and Technology (NIST) to maintain good cyber hygiene.
If we’ve learned anything as an industry over the past 30+ years that IT has been a ubiquitous concern, it is bad habits. Chief among them is our propensity for continuing antiquated practices seemingly out of tradition. We build our processes, policies, and practices around the limitations of the tooling available at the time of authoring and then proceed to impose those limitations on modernized technologies as they’re adopted.
Take the measurement of risk as a prime example. There exists a pervasive idea that risk is something that is to be assessed with some periodicity. Time and money has been invested and strides have been made to increase the frequency and fidelity of such assessments, but the commonly held mindset still revolves around this idea of periodic, point in time measurement. Risk, in reality, is an ephemeral thing. It changes right along those changes within the devices that make up the enterprise for which the measurements are taken.
While we certainly understand the ephemerality of things such as process execution, user activity, and network connections, we tend to gloss over the idea as applied to the law of large numbers. In a large enough sample set, nearly everything about the IT estate becomes ephemeral. Even factors such as location, hardware configuration, software installed, and account credentials.
Yet the real time determination assessment of these billions upon billions of permutations and tracking of them over time has been written off as impossible. The only means by which this can be approached, the industry will tell you, is to harvest such data, store it in a central location, and do static analysis against it. This, by nature, is self-defeating as one is simply taking a snapshot in time of ephemeral data and pretending as though it’s static for the purposes of analysis. While not completely without value, it lacks the fidelity and timeliness, and therefore accuracy, to be meaningful for the purposes of real time risk assessment and mitigation. This guarantees a door left open, a crack in the defenses, and an opportunity for success that the adversary will most assuredly leverage successfully.
As agencies strengthen preventive security with baseline controls, they should adopt a holistic risk management approach that uses complete, accurate, and real time data to reduce risk and improve security. The two go hand-in-hand and one without the other is not a partial solution, it is no solution at all. As an added benefit, in doing so one also reduces the reliance on an ever increasing collection of point products and can reallocate budget and scarce resources to efforts that are guaranteed effective. This also aids in the justification of future budget requests for critical security activities – all while providing a more comprehensive view of the security landscape that enables more strategic business decisions.
Leveraging a single, ubiquitous, real time platform that integrates endpoint management and security unifies teams, effectively breaks down the data silos and closes the accountability, visibility, and resilience gaps that often exist between IT operations and security teams.
A truly unified endpoint management platform approach also gives agencies end-to-end visibility across end users, servers, and cloud endpoints, and the ability to identify assets, protect systems, detect threats, respond to attacks, and recover at scale. When agencies achieve complete visibility and control, it significantly reduces cyber attack risk and improves their ability to make good business decisions.”
With 30 years of federal and private sector industry experience, Egon Rinderer leads Tanium’s technology efforts as global vice president of technology as well chief technology officer of Tanium Federal. Joining Tanium at a time when the company numbered fewer than 20 employees, he has held roles ranging from technical account manager to federal pod lead to global vice president of the global TAM organization. Prior to joining Tanium, Egon was with Intel Corporation and served throughout the U.S. military and intelligence community in the United States and abroad in an operational capacity.”
“The scope and sophistication of the recent highly publicized cyber-attacks on our government’s software supply chain indicates highly skilled cyber adversaries, effective network reconnaissance and careful planning. These attacks by Russian actors demonstrate the real threats to our nation’s cyber infrastructure and the risks to the systems that keep our democracy running.
The departments of Energy, Treasury and even Homeland Security, the agency charged with protecting our critical infrastructure, were all breached in this wide-ranging attack. As the new administration looks to establish cybersecurity priorities and programs, it is critical that the U.S. government and private sector work together to ensure that the vulnerabilities in our supply chain systems are not further exploited. We need to fund and invest in capabilities to control and defend cyberspace by focusing on the people, processes and technology.
As our critical infrastructure systems evolve and incorporate new dispersed computing and 5G network infrastructure as operational technology, with a high degree of software defined functionality, the supply chain vulnerability challenges will increase dramatically. Safely deploying these rapidly evolving technologies into critical infrastructure requires effective cyber sensors, well-trained cyber defenders, and technical innovations that out-pace our adversaries. Meeting these challenges includes innovative modeling and simulation technologies and novel deep learning-based cyber sensors to create mission-scale solutions.
We must recognize the importance of realistic, high-fidelity training for network defenders, whether they are Enterprise IT network security staff or DoD Cyber Protection Teams. Skilled operators are essential to countering sophisticated nation-state adversaries. Building new environments for operational technology and industrial control system testing and training exercises, with both IT and OT networks, will enhance the experience and better prepare defenders for their mission. One scenario worth running would be to bring a power grid, access control system, building automation system, or other critical infrastructure to the trainee through an interactive augmented reality/virtual reality environment which can be used locally or used remotely and accessed across customer networks or the internet.
An effective system infrastructure uses OT to AR/VR adaptors that translate effects in the OT environment to effects in the AR/VR environment. It can be tailored and expanded by building 3D models and environments – military bases, a small city, or an electrical power grid. Users can conduct testing in accordance with industry standards that specifically address boundary security between IT and OT network enclaves.
The best tools will have representative industrial control system devices and software from across the industry to support training operators on how to operate, patch, backup, and restore ICS and how to respond to suspected intrusion.
The DoD’s Smart Bases initiatives are a great example of this approach. The rigorous requirements for development look to modernize infrastructure by building safe environments for testing of OT systems, including software patches and upgrades and the efficacy of control system isolation. Providers will support rigorous testing of intrusion detection and prevention systems and the safety of network scanning tools used by Cyber Protection / Mission Defense Teams. Relevant to the recent cyber intrusions, the project can enable Supply Chain Risk Management (SRCM) and System Authorization by supporting vulnerability assessments and penetration testing with a standardized process. This approach can validate ICS elements prior to fielding and conduct SCRM activities against foreign made chips, system components, and code.
Our national security and critical infrastructure systems are woefully vulnerable to the types of advanced persistent attacks we are seeing permeate our government systems. The attacks will continue to come. Next time we need to be ready.”
About the Author
Kevin McNeill Sr. directs research and development of next generation of advanced cyber science solutions and operations for complex defense and intelligence missions at CACI International. He is a senior member of IEEE, holds eight patents and has been extensively published.
“The most recent cyber incident reminds us once again that the emergence of the Cybersecurity Maturity Model Certification, which took effect through the interim rule on Nov. 30, is so much more than simply a check-the-box compliance requirement in order to do business with the federal government.
Never let a good crisis go to waste” is sage advice. Assemble your in-house team charged with managing cybersecurity for your organization and start the dialog. “
“On Dec. 7, the National Security Agency issued an advisory to the Department of Defense and its defense industrial base (DIB) stating that Russian state-sponsored groups have been actively attacking a number of remote-work platforms developed by VMWare in an attempt to gain privileged access to target data. The Cybersecurity and Infrastructure Security Agency has issued similar warnings about the need for government agencies and their supporting organizations to patch holes in various VPN solutions to keep unauthorized users off their networks.
But don’t just take my word for it.
If all these advisories and cyberattacks weren’t enough to call this a crisis, we are now learning that a recent hack of a widely distributed software patch from SolarWinds Corp. by nation-state threat actors. It is part of a much larger-scale attack on major U.S. government organizations (e.g., U.S. Treasury, Commerce, State Department, and reportedly the DoD) and companies within their ecosystems — the impacts of which we have yet to fully comprehend. This incident highlights how most supply chain organizations are not prepared to prevent these threats, as a CSO analysis outlined.
Members of the DIB grapple with how to best comply with the DoD’s interim rule to accelerate their contractors’ implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
Just as cybercriminals are increasing their deployment of malicious and destabilizing activities in cyberspace, so too must the DoD (and FedCiv, for that matter) and its supply chain reinvigorate their efforts and implement a more robust cybersecurity capability. At its very core, the objective behind CMMC is to help DoD’s supply chain better defend itself against these ever-increasing risks and impacts of cyberattacks.
For the DoD to achieve this mission objective, its contractors must embrace a complete and unwavering focus and commitment to implement the security controls and processes necessary to effectively defend their IT infrastructure(s). More importantly, they must operationalize their capability and provide continuous monitoring, awareness and response to potential cyber threats within their operating environments.
The DIB should understand that implementing the proper cyber policies and procedures to initially meet a target CMMC’s maturity level represents the first step to achieving the objective. To remain effective — and stay in compliance — organizations will need to continually monitor and maintain their own cyber risk posture and be positioned to respond effectively to any potential cyber incident, to include reporting it to the proper DoD authorities.
As this latest cyber incident has demonstrated, even having a robust cybersecurity capability does not mean we are fully protected against all cyber threats. FireEye, Microsoft, Cisco and Deloitte are among the companies that installed this recent SolarWinds hack. It is easy to think that if they were susceptible, then how do the rest of us think we will succeed? The point is that employing the sound cyber practices and techniques outlined in CMMC will not make us 100% protected against cyberattacks, but it was never ever meant to achieve that. CMMC was designed to provide the DIB with is a set of characteristics, attributes, processes and best practices that, if applied and adhered to, will provide an increased level of assurance that it can adequately protect government (CUI) data at a level commensurate with the risk.
CMMC is not a silver bullet, but it is an effective approach to improving the cyber protections and cyber resiliency of the DoD’s entire ecosystem. That is a huge improvement from where we are today. If you have not started your efforts to understand, assess and secure the CUI domain within your organization, you officially run the risk of losing opportunities to work with the DoD. More crucial is the potential security risk to the DoD, its mission and the war fighter.
Review, discuss and gain a full understanding of the interim rule, NIST 800-171, and the emerging CMMC framework as it applies to how you conduct business with the DoD. Develop a tactical plan to undergo an internal assessment and/or address any gaps. Finally, discuss how your organization will commit to operationalizing cybersecurity as a normal part of conducting business with the government. Institutionalize the cybersecurity activities within your organization to ensure they are constant, repeatable and effective.
And remember that as a member of the DIB, you are not alone. Seek guidance, confirmation and assistance from government (e.g., the Office of the Under Secretary of Defense for Acquisition and Sustainment, your DoD customers), industry (e.g., the CMMC Accreditation Body), and companies in the private sector specializing in helping companies develop a cybersecurity and data protection capability. The time to act is now.”
Les Buday is director of cybersecurity at HumanTouch LLC. He is also a member of the CMMC Accreditation Body.
“The ‘Einstein’ detection system, operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), was not equipped to find novel malware or Internet connections, despite a 2018 report from the Government Accountability Office suggesting that building such capability might be a wise investment.“
“When Russian hackers first slipped their digital Trojan horses into federal government computer systems, probably sometime in the spring, they sat dormant for days, doing nothing but hiding. Then the malicious code sprang into action and began communicating with the outside world.
At that moment — when the Russian malware began sending transmissions from federal servers to command-and-control computers operated by the hackers — an opportunity for detection arose, much as human spies behind enemy lines are particularly vulnerable when they radio home to report what they’ve found.
Why then, when computer networks at the State Department and other federal agencies started signaling to Russian servers, did nobody in the U.S. government notice that something odd was afoot?
The answer is part Russian skill, part federal government blind spot.
The Russians, whose operation was discovered this month by a cybersecurity firm that they hacked, were good. After initiating the hacks by corrupting patches of widely used network monitoring software, the hackers hid well, wiped away their tracks and communicated through IP addresses in the United States rather than ones in, say, Moscow to minimize suspicions.
The hackers also shrewdly used novel bits of malicious code that apparently evaded the U.S. government’s multibillion-dollar detection system, Einstein, which focuses on finding new uses of known malware and also detecting connections to parts of the Internet used in previous hacks.
Some private cybersecurity firms do this type of “hunting” for suspicious communications — maybe an IP address to which a server has never before connected — but Einstein doesn’t.
“It’s fair to say that Einstein wasn’t designed properly,” said Thomas Bossert, a top cybersecurity official in both the George W. Bush and Trump administrations. “But that’s a management failure.”
CISA spokeswoman Sara Sendek said the breaches stretch back to March and were not caught by any intrusion detection or prevention system. As soon as CISA received indicators of the activity it loaded them into Einstein to help identify breaches on agency networks, Sendek said.
CISA is providing technical assistance to affected agencies, she said.
But this year’s months-long hack of federal networks, discovered in recent days, has revealed new weaknesses and underscored some previously known ones, including the federal government’s reliance on widely used commercial software that provides potential attack vectors for nation-state hackers.
The FBI and DHS are investigating the scope and nature of the breaches, which intelligence officials believe were carried out by the Russian Foreign Intelligence Service (SVR). Sen. Richard Blumenthal (D-Conn.) on Tuesday publicly acknowledged as much, tweeting that the Senate received a “classified briefing on Russia’s cyberattack [that] left me deeply alarmed, in fact downright scared.”
The Russians reportedly found their way into federal systems by first hacking SolarWinds, a Texas-based maker of network-monitoring software, and then slipped the malware into automatic updates that network administrators, in the federal government and elsewhere, routinely install to keep their systems current. The company reported that nearly 18,000 of its customers may have been affected worldwide.
More broadly, the hack highlighted the struggles of the government’s network-monitoring systems to detect threats delivered through newly written malicious code communicating to servers not previously affiliated with known cyberattacks. This is something advanced nation-state hackers, including from Russia, sometimes do — presumably because it makes intrusions harder to detect.
The full scope of the hack remains unknown, though it’s already clear that a growing number of agencies have been penetrated, including the departments of State, Treasury, Homeland Security and Commerce, and the National Institutes of Health. They are among victims that include consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East.
The Pentagon was assessing Tuesday whether there had been intrusions at the sprawling department and if so what impact they may have had, a spokesman said.
Emails were one target of the hackers, officials said. Though it’s not yet clear what the Russians may be intending to do with the information, their victims, including a variety of State Department bureaus, suggest a range of motives.
At State, they may want to know what policymakers’ plans are with respect to regions and issues that affect Russia’s strategic interests. At Treasury, they may have sought insights into potential Russian targets of U.S. sanctions. At NIH, they may be interested in information related to coronavirus vaccine research.
As the investigative work continues, some lawmakers are focused on probing why and how federal cybersecurity efforts have fallen short despite years of damaging hacks by Russian and Chinese spies and major federal investments in defensive technologies.
Einstein, which was developed by DHS and is now operated by CISA, was supposed to be a backbone of federal protection of civilian agency computers, but the 2018 GAO report found significant weaknesses.
The capability to “identify any anomalies that may indicate a cybersecurity compromise” was planned for deployment by 2022, the report said. It also said that network monitoring by individual agencies is spotty. Of 23 federal agencies surveyed, five “were not monitoring inbound or outbound direct connections to outside entities,” and 11 “were not persistently monitoring inbound encrypted traffic.” Eight “were not persistently monitoring outbound encrypted traffic.”
“DHS spent billions of taxpayer dollars on cyber defenses and all it got in return was a lemon with a catchy name,” said Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee. “Despite warnings by government watchdogs, this administration failed to promptly deploy technology necessary to identify suspicious traffic and catch hackers using new tools and new servers.”
It wasn’t just this administration.
Bossert, who worked on the original Einstein concept in the George W. Bush administration, said the idea was to place active sensors at an agency’s Internet gateway that could recognize and neutralize malicious command-and-control traffic. “But the Bush, Obama and Trump administrations,” he said, “never designed Einstein to meet its full potential.”
CISA officials told congressional staff on a Monday evening call that the system did not have the capacity to flag the malware that was signaling back to its Russian masters.
The officials said federal agencies had not given CISA the information necessary to identify agency servers that should not be communicating with the outside world, said one congressional aide, who spoke on the condition of anonymity to discuss a sensitive matter.
“To CISA, all internal agency computers look the same, and so Einstein only flags samples of known malware or connections to ‘known bad’ IP addresses,” the aide said.
Other cybersecurity experts say the breaches highlight the “desperate” need for a government board that can conduct a deep investigation of an incident such as that involving SolarWinds, whose corrupted patches enabled the compromises — and crucially, make the report public.
“We need people to read the report, and say, ‘Oh, wow, we need to secure our [software development] pipeline,” said Alex Stamos, head of the Stanford Internet Observatory, a research group. He previously was chief security officer at Facebook and Yahoo.
He said there are “hundreds or thousands of companies” in this space that may have security flaws without knowing. These firms do network monitoring, IT management and log aggregation. “Enterprise IT is a $2 trillion market,” Stamos said. “There’s no agency in charge of ensuring its security.”