19 February 2021

We Must Reorient US Cyber Strategy Around the Only Safe Assumption

BY DMITRI ALPEROVITCH

This oped is adapted from Dmitri Alperovitch's Feb. 10, 2021, testimony to the House Homeland Security Committee.

Almost half a decade ago, I coined the phrase: “We do not have a cyber problem; we have a China-Russia-Iran-and-North Korea problem.”

Cyberspace is not a separate virtual world, immune from the forces that shape the broader geopolitical landscape. Instead, it is an extension of that landscape, and the threats we face in cyberspace are not fundamentally different from the threats we face in the non-cyber realm.

China, Russia, Iran and North Korea are the four primary strategic adversaries whose malignant activities in cyberspace we try to counter on a daily basis, as we do their more traditional tactics in the physical world. Often, these battles are joined by non-state actors, such as the most well-organized cybercriminals. These actors inflict enormous damage on our economy by launching ransomware attacks and stealing financial data from our businesses and citizens, and it is no coincidence that they operate with impunity from the safety of their homes in these very same countries.

These countries conduct a variety of cyber operations against us on a daily basis, ranging from cyber-enabled espionage against our government to the theft of intellectual property from our companies to destructive attacks that shutdown business operations to the interference in the foundation of our democracy: our elections.

The challenges we face were highlighted just over a month ago, in a supply-chain attack that has drawn attention to serious gaps in U.S. cybersecurity strategy. In December, we learned that multiple customers of SolarWinds, a network management company, had been compromised by a sophisticated supply chain attack by a nation-state adversary believed to be affiliated with one of Russia’s intelligence services.

As a threshold matter, I believe that it is misleading to refer to this most recent breach as “the SolarWinds hack.” Although SolarWinds was a prominent attack vector that received early attention in the press, we now know that it was only one of many supply-chain vectors that the adversary used to gain access to private networks. Because investigations into the scope of the attack are still ongoing, we cannot even say with confidence that SolarWinds was one of the largest or most significant vectors. Continuing to refer to the breach as “the SolarWinds attack” distracts from the reality that the breach went far, far beyond a single company. As a result, I, along with other security practitioners, have begun referring to this hack as the “Holiday Bear” operation.

Additionally, as we have learned more about the breach, I’ve come to believe that it is also misleading to refer to this incident as a singular attack, or even as a coordinated campaign with a defined end date. Simply put, the sort of sophisticated, long-term cyber-espionage enabled by supply chain vulnerabilities that came to light through this breach is not a discrete or self-contained occurrence; it is the new normal.

It is clear to me that the Russians have learned from their past operations. In 2014 and 2015, the Russian foreign intelligence agency believed to be responsible for this most recent activity, SVR, launched a broad campaign that gave them access to the networks of the White House, the Joint Chiefs of Staff, and the State Department, among others. The success, however, was short-lived, as U.S. defenders quickly detected the noisy campaign and ejected the adversary within weeks. I believe this led the SVR to change their approach, and begin to focus on compromising software supply chains in order to gain access to target networks in a much stealthier fashion and to remain in them for weeks, if not years. In some ways, this tradecraft is the cyber equivalent of the Russian illegals program, which has since the 1930s sent operatives to live and work among Americans and, over years, get close to powerful officials to steal our secrets. But =supply-chain based cyber intrusions are much easier and cheaper to scale to hundreds of high-profile victims, all without putting their human intelligence officers at risk.

I believe that this is the Russians’ new way of doing business in cyber operations, and I suspect we will continue to see this new approach for years to come. We have also seen China’s intelligence services leverage supply chain attacks in the past, and we can expect them to incorporate valuable lessons from this latest Russian action into their own operations.

This Holiday Bear operation further highlights the need for a broader shift in both the private sector’s and the government’s approaches to cyber strategy. Across the board, organizations should adopt an “assumption of breach” approach, where defenders operate on the basis that an adversary has already gained access to their sensitive networks. The logic is simple:
No cyberdefense system can prevent all breaches.
Human error will inevitably foil any defense strategy.
Adversaries quickly find ways to circumvent new defenses without being detected.

Therefore, the only safe assumption in the cyber battlespace is to assume that networks are never safe. Our competitors in this contest are highly sophisticated, well-resourced nation-state actors. We underestimate their capabilities at our own peril.

Incidentally, this is not any different from the approach we already take in the physical world. As a matter of practice, we assume that at any given moment there are people inside our sensitive government agencies who have been recruited by foreign intelligence services. Our counterintelligence approach is not merely focused on preventing such recruitment. Instead, we explicitly undertake significant efforts to identify spies and limit the damage they may be able to do to our national security. We need to adopt this same approach in cyberspace.

Five Recommendations

This shift in strategic paradigm necessitates a shift in practice. I have five recommendations for Congress’ consideration:

Appoint CISA as the government’s chief information security officer. Congress should set the Cybersecurity and Infrastructure Security Agency on a path to becoming the operational CISO, or Chief Information Security Officer, of the civilian federal government. Most of the executive branch’s 137 agencies lack the personnel, the knowhow, and the resources to execute a comprehensive cybersecurity strategy. Congress took an important step toward centralizing federal cybersecurity strategy by creating CISA in DHS in 2018, but the next step is to give CISA both the authority and the resources that it needs to effectively execute its mission. Ultimately, CISA should have the operational responsibility for defending civilian government networks, just as Cyber Command does for DoD networks. The recent defense authorization act, which vested CISA with the authority to hunt on agencies’ networks without the explicit permission of those agencies, was a critical move in that direction. CISA will now need additional funding to build a 24/7 threat-hunting center to handle that mission. Another important step would be to create incentives for federal agencies to outsource their cybersecurity operations to CISA, turning it into a cybersecurity shared service provider. Such incentives may include shifting responsibility for an agency’s FISMA compliance — that is, the Federal Information Security Management Act of 2002 — to CISA.

Measure agencies’ ability to respond quickly to cyber threats. In cyberspace, the only way to reliably defeat an adversary is to be faster than they are. Under an assumption-of-breach approach, the question is not, “Can we prevent an initial compromise?” The much better question is, “How long does it take us to find and eject them?” After an adversary has breached a network, there is a period of time before they move laterally across the environment and gain access to other sensitive resources. Once adversaries are able to do that, what would have been a minor security event turns into a full breach that requires a lengthy and complex incident response process and that puts defenders’ data and operations at risk. Stop the adversary quickly, and you have prevented them from accomplishing their objectives.

In the private sector, I developed the “1-10-60 rule”: on the average, organizations should aim to ​detect an intrusion within one minute, investigate it within 10 minutes, and isolate or remediate the problem within one hour. ​Congress should require agencies to report on the average time it takes to perform four fundamental defensive actions: detect an incident; investigate an incident; respond to an incident; and mitigate the risk of high-impact vulnerabilities. If the metrics prove effective in decreasing agencies’ response time to cyber threats, Congress should also consider models to extend their adoption by the private sector.

Pass a comprehensive breach notification law​. Major private companies, such as those in critical infrastructure, should be required to report technical indicators associated with breach attempts to CISA, including for breaches where no personal information is actually compromised. If there is a single overriding lesson from the recent supply chain attacks, it is that information-sharing between government and industry remains a serious challenge. Some victims have shared very little information about what took place inside their networks; others have not even publicly acknowledged that they were targeted.

At present, there is no comprehensive federal breach notification law, and state-level laws are too decentralized, too focused on personal information instead of risk to systemically important critical infrastructure, and sometimes create a perverse incentive for companies not to investigate attacks. In the case of complex supply chain attacks like “Holiday Bear,” one company’s failure to publicly report a breach can have wide-reaching implications. For example, if cybersecurity company FireEye had not voluntarily and publicly shared evidence of their own compromise and that SolarWinds was the attack vector, the public and the government may not have known about this highly impactful attack for many months to come. Yet, FireEye had no legal obligation to report this breach under existing law. They should be praised for their courageous decision, but unfortunately, not all other victims have followed their lead in transparency.

Increase security standards for vendors supplying high-risk software via government acquisition processes​. G​overnment agencies and private-sector businesses currently rely on a number of companies such as SolarWinds whose software runs with high levels of privilege on their networks. Yet these agencies and businesses have little to no sense of the security levels of that software. Borrowing from a widely used private-sector practice, Congress should compel these vendors to undergo annual, independent third-party audits of their source code and penetration exercises of their networks. The government could require that companies provide the results of these stress tests as part of the federal procurement process, or even require companies to publish the results of those audits publicly on their website. Not only would this process increase transparency for their customers, but it would also incentivize companies to quickly and efficiently patch vulnerabilities in their networks or source code and get a clean bill of health, as no one would want to publish a failed audit.

Require cryptocurrency exchanges to remember who uses them. It is no coincidence that the explosion of ransomware attacks — on municipal governments, on infrastructure, on private businesses, on hospitals — occurred only after the invention of cryptocurrency platforms, which allow ransomware criminals to collect hundreds of millions of dollars in payments without risk of disclosing their identities to victims or law enforcement. The international community has already taken some steps to strengthen “Know Your Customer” requirements. In June 2019, the intergovernmental Financial Action Task Force recommended that virtual asset service providers, including crypto exchanges, share information about their customers with one another when transferring funds between firms. In December 2020, the U.S. Treasury Department published an advance notice of proposed rulemaking that would require cryptocurrency exchanges to perform and store KYC information on their customers, just as required of banks and other players in the global financial system. If designed and implemented properly, these types of tools can starve ransomware threat actors of the oxygen they need to operate.

Congress should evaluate how stronger KYC requirements and other safeguards can be used to effectively stem ransomware threats and then propose legislation and support agency action that achieves those objectives.

The global competition between the United States and its adversaries has reached an inflection point. The nations that present bold, long-term strategies to advance their economic, technological, and strategic interests will shape the decades to come, and the nations that fail to act will fall behind. Modernizing America’s cyber strategy is a linchpin that makes all other efforts to ensure continued American leadership possible.

No comments: