26 June 2019

Cyberspace is the new Cold War: ANALYSIS

DONALD J. MIHALEK

One of the most unsettling things about the Mueller report and Russian investigation concerning the 2016 presidential campaign was the depth and breadth of espionage committed by the Russian government against our electoral process. Many viewed this as not only an attack on our electoral process, but an attack on our national security and integrity. Imagine a foreign government manipulating one of its “agents” into our nation’s presidency? That story usually resides in spy novels.

These types of attacks aren’t limited to our enemies alone. Israel has been accused of -- and hasn’t denied -- cyberattacking the Iranian communications system. This type of attack, rightly or wrongly, would impact a nation’s security. If the communications system is compromised, a nation can’t protect itself.

Which brings us to this new type of “cold warfare” that many nations are participating in: cyber warfare.

As the world has become more and more connected -- and nations continue to communicate, manage national strategy and use cloud based platforms to effectively run nations -- the cyber world has become the new base of operations to attack, influence and disrupt a nation’s business. To do so, many nations including the United States have created military units with a focus on identifying national security vulnerabilities and launching attacks on adversaries. In China, the greatest cyber threat housed their force in the People's Liberation Army Strategic Support Force. The Iranians created the Iranian Cyber Army, composed mostly of hackers that try to interrupt their adversaries cyber platforms.

For the Russians, the Mueller report cited the Russian Military Intelligence unit known as the GRU (Glavnoye Razvedyvatelnoye Upravleniye) as responsible for conducting the Russian hacking operations into the “U.S. state and local entities, such as state boards of elections (SBOEs), secretaries of state, and county governments, as well as individuals who worked for those entities.” The report said, “The GRU also targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations.”

In the not too distant past, this level of corruption and crime would have only been possible by a large-scale conspiracy involving foreign operatives, money and resources. Now, as the Russians proved, these activities can occur from anywhere in the world, from behind a desk or even a cell phone, by one individual who has the know-how or a team of individuals with expertise in the cyber world.

Today, these nation states are actively working to hack, breach and disrupt their adversaries' cyber platforms. Unfortunately, these attacks by these governments are not limited to just state sponsored attacks. More often, we see nation states turning to criminal organizations to support or help with these attacks. In the cyber world, this close coordination allows criminal organizations to magnify their hacking efforts with some of the best cyber resources a nation state offers.

The Department of Homeland Security defines a cyber incident or “breach” as a “violation of an explicit or implied security policy." In general, types of activity that are commonly recognized as being in violation of a typical security policy include but are not limited to: attempts (either failed or successful) to gain unauthorized access to a system or its data, including incidents related to personally identifiable information; unwanted disruption or denial of service; the unauthorized use of a system for processing or storing data; and changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.

To date, we have seen breaches of government agencies and infrastructure cyber platforms continue to rise. According to the Center for Strategic and International Studies, in 2019 alone multiple attacks have occurred, all of which constitute major hacks and data breaches that are associated with foreign governments, which constitutes a national security threat.

To defend against this, the United States created a robust National Cyber Strategy, which breaks down our nation's priorities and who is responsible for implementing them. This layered approach gives each element of national power a given role in our nation’s cyber strategy that works cohesively together to protect America.

Under a presidential directive, the Department of Defense is responsible for U.S. Cyber Command and houses that command in its Cyber Mission Force. Cyber Mission Forces' main job is to identify adversary activity, block an attack and maneuver to defeat them. Think protection against nation state actors.

Cyber Command is also capable of offensive activity as a “combat unit” in cyber warfare, as shown in their recent efforts to breach Russia’s power grid.

Within Cyber Command's framework is our nation's intelligence agencies, which include the Office of the Director of National Intelligence, the CIA, the NSA and others who work closely with U.S. Cyber Command, which was widely credited with stopping another Russian attempt to interfere with our nation's last mid-term election.

If a breach or cyber threat occurs on the civilian side of the federal government or within private industry, such the 2014 NASDAQ breach, the FBI steps in and becomes the lead agency. The FBI’s Cyber Division coordinates the response with their National Cyber Investigative Joint Task Force, to not only identify but investigate and stop future breaches.

According to the FBI’s Internet Crime Complaint Center's 2018 report, "internet-enabled theft, fraud, and exploitation remain pervasive and were responsible for a staggering $2.7 billion in financial losses in 2018.” From 2014 to 2018, a short four-year period, that loss total exceeded $7.45 billion.

Most of this loss was the result of schemes related to auction fraud, credit card fraud, debt elimination, employment/business opportunities, escrow services fraud and identity theft, most of which are tied to transnational criminals and state actors.

For critical infrastructure protection, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is responsible for protecting the nation’s critical infrastructure from physical and cyber threats. CISA’s top priorities are federal network protection, comprehensive cyber protection, infrastructure resilience, field operations and emergency communications. If a breach is detected and triage needs to occur to stop the threat, US CERT (United States Computer Emergency Readiness Team), which falls under CISA, steps in and is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.

The presidential directive also directed the Department of Homeland Security and the Department of Justice to develop a fact sheet outlining how private individuals and organizations can work with federal agencies in response to a cyber incident. The most important aspect of a breach is to report it immediately. Often private entities, in particular, wait to report a breach due to concerns about the public's perception. Unfortunately, as Target found out, failing to report a breach quickly can undermine consumer confidence and impact one's brand.

The lesson for everyone should be: When in doubt, report a breach immediately. Or, as the DNC found out with their delay in reporting their breach, the cyber information you save may be your own.

Donald J. Mihalek is an ABC News contributor, retired senior Secret Service agent and regional field training instructor who also serves as the executive vice president of the Federal Law Enforcement Officers Association Foundation.

Richard Frankel is an ABC News contributor and retired FBI special agent who was the special agent in charge of the FBI's Newark Division and prior to that, the FBI's NY Joint Terrorism Task force. He is currently the Vice President of Investigation for T&M Protection Resources.

No comments: