
We Must Reorient US Cyber Strategy Around the Only Safe Assumption

We should assume adversaries are already in our networks — and Congress should take these five steps to mitigate the damage.

This op-ed is adapted from Dmitri Alperovitch's Feb. 10, 2021, testimony to the House Homeland Security Committee.

Almost half a decade ago, I coined the phrase: “We do not have a cyber problem; we have a China-Russia-Iran-and-North Korea problem.”

Cyberspace is not a separate virtual world, immune from the forces that shape the broader geopolitical landscape. Instead, it is an extension of that landscape, and the threats we face in cyberspace are not fundamentally different from the threats we face in the non-cyber realm.

China, Russia, Iran and North Korea are the four primary strategic adversaries whose malignant activities in cyberspace we try to counter on a daily basis, as we do their more traditional tactics in the physical world. Often, these battles are joined by non-state actors, such as the most well-organized cybercriminals. These actors inflict enormous damage on our economy by launching ransomware attacks and stealing financial data from our businesses and citizens, and it is no coincidence that they operate with impunity from the safety of their homes in these very same countries.

These countries conduct a variety of cyber operations against us on a daily basis, ranging from cyber-enabled espionage against our government, to the theft of intellectual property from our companies, to destructive attacks that shut down business operations, to interference in the foundation of our democracy: our elections.

The challenges we face were highlighted just over a month ago, in a supply-chain attack that has drawn attention to serious gaps in U.S. cybersecurity strategy. In December, we learned that multiple customers of SolarWinds, a network management company, had been compromised by a sophisticated supply chain attack by a nation-state adversary believed to be affiliated with one of Russia’s intelligence services.

As a threshold matter, I believe that it is misleading to refer to this most recent breach as “the SolarWinds hack.” Although SolarWinds was a prominent attack vector that received early attention in the press, we now know that it was only one of many supply-chain vectors that the adversary used to gain access to private networks. Because investigations into the scope of the attack are still ongoing, we cannot even say with confidence that SolarWinds was one of the largest or most significant vectors. Continuing to refer to the breach as “the SolarWinds attack” distracts from the reality that the breach went far, far beyond a single company. As a result, I, along with other security practitioners, have begun referring to this hack as the “Holiday Bear” operation.

Additionally, as we have learned more about the breach, I’ve come to believe that it is also misleading to refer to this incident as a singular attack, or even as a coordinated campaign with a defined end date. Simply put, the sort of sophisticated, long-term cyber-espionage enabled by supply chain vulnerabilities that came to light through this breach is not a discrete or self-contained occurrence; it is the new normal.

It is clear to me that the Russians have learned from their past operations. In 2014 and 2015, the Russian foreign intelligence agency believed to be responsible for this most recent activity, SVR, launched a broad campaign that gave them access to the networks of the White House, the Joint Chiefs of Staff, and the State Department, among others. The success, however, was short-lived, as U.S. defenders quickly detected the noisy campaign and ejected the adversary within weeks. I believe this led the SVR to change their approach, and begin to focus on compromising software supply chains in order to gain access to target networks in a much stealthier fashion and to remain in them for weeks, if not years. In some ways, this tradecraft is the cyber equivalent of the Russian illegals program, which has since the 1930s sent operatives to live and work among Americans and, over years, get close to powerful officials to steal our secrets. But supply-chain based cyber intrusions are much easier and cheaper to scale to hundreds of high-profile victims, all without putting their human intelligence officers at risk.

I believe that this is the Russians’ new way of doing business in cyber operations, and I suspect we will continue to see this new approach for years to come. We have also seen China’s intelligence services leverage supply chain attacks in the past, and we can expect them to incorporate valuable lessons from this latest Russian action into their own operations.

This Holiday Bear operation further highlights the need for a broader shift in both the private sector’s and the government’s approaches to cyber strategy. Across the board, organizations should adopt an “assumption of breach” approach, where defenders operate on the basis that an adversary has already gained access to their sensitive networks. The logic is simple:

  • No cyberdefense system can prevent all breaches. 
  • Human error will inevitably foil any defense strategy.
  • Adversaries quickly find ways to circumvent new defenses without being detected.

Therefore, the only safe assumption in the cyber battlespace is to assume that networks are never safe. Our competitors in this contest are highly sophisticated, well-resourced nation-state actors. We underestimate their capabilities at our own peril.

Incidentally, this is not any different from the approach we already take in the physical world. As a matter of practice, we assume that at any given moment there are people inside our sensitive government agencies who have been recruited by foreign intelligence services. Our counterintelligence approach is not merely focused on preventing such recruitment. Instead, we explicitly undertake significant efforts to identify spies and limit the damage they may be able to do to our national security. We need to adopt this same approach in cyberspace.

Five Recommendations

This shift in strategic paradigm necessitates a shift in practice. I have five recommendations for Congress’ consideration:

Appoint CISA as the government’s chief information security officer. Congress should set the Cybersecurity and Infrastructure Security Agency on a path to becoming the operational CISO, or Chief Information Security Officer, of the civilian federal government. Most of the executive branch’s 137 agencies lack the personnel, the know-how, and the resources to execute a comprehensive cybersecurity strategy. Congress took an important step toward centralizing federal cybersecurity strategy by creating CISA in DHS in 2018, but the next step is to give CISA both the authority and the resources that it needs to effectively execute its mission. Ultimately, CISA should have the operational responsibility for defending civilian government networks, just as Cyber Command does for DoD networks. The recent defense authorization act, which vested CISA with the authority to hunt on agencies’ networks without the explicit permission of those agencies, was a critical move in that direction. CISA will now need additional funding to build a 24/7 threat-hunting center to handle that mission. Another important step would be to create incentives for federal agencies to outsource their cybersecurity operations to CISA, turning it into a cybersecurity shared service provider. Such incentives may include shifting responsibility for an agency’s FISMA compliance — that is, the Federal Information Security Management Act of 2002 — to CISA.

Measure agencies’ ability to respond quickly to cyber threats. In cyberspace, the only way to reliably defeat an adversary is to be faster than they are. Under an assumption-of-breach approach, the question is not, “Can we prevent an initial compromise?” The much better question is, “How long does it take us to find and eject them?” After an adversary has breached a network, there is a period of time before they move laterally across the environment and gain access to other sensitive resources. Once adversaries are able to do that, what would have been a minor security event turns into a full breach that requires a lengthy and complex incident response process and that puts defenders’ data and operations at risk. Stop the adversary quickly, and you have prevented them from accomplishing their objectives.

In the private sector, I developed the “1-10-60 rule”: on average, organizations should aim to detect an intrusion within one minute, investigate it within 10 minutes, and isolate or remediate the problem within one hour. Congress should require agencies to report on the average time it takes to perform four fundamental defensive actions: detect an incident; investigate an incident; respond to an incident; and mitigate the risk of high-impact vulnerabilities. If the metrics prove effective in decreasing agencies’ response time to cyber threats, Congress should also consider models to extend their adoption by the private sector.
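As an added illustration of how the 1-10-60 metric is computed in practice (this code is not from the article or its author), the script below takes a handful of constructed incident records, derives the time spent in each of the three phases from their timestamps, and compares both the mean and the worst case against the 1-, 10- and 60-minute targets. The field names (first adversary activity, detection, end of triage, containment) are an assumed incident-tracking schema, not anything the article specifies; the sample incidents are constructed.

```python
"""1-10-60 scorecard over constructed incident records (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Targets stated in the text: detect in 1 minute, investigate in 10, remediate in 60.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}


@dataclass(frozen=True)
class Incident:
    """Assumed tracking schema: four timestamps an IR team would record per incident."""
    name: str
    first_activity: datetime  # earliest adversary activity established during investigation
    detected: datetime        # alert raised / incident opened
    triaged: datetime         # investigation concluded, scope understood
    contained: datetime       # host isolated, account disabled, or remediation complete


def phase_durations(inc: Incident) -> dict:
    """Split an incident's timeline into the three 1-10-60 phases."""
    phases = {
        "detect": inc.detected - inc.first_activity,
        "investigate": inc.triaged - inc.detected,
        "remediate": inc.contained - inc.triaged,
    }
    for phase, d in phases.items():
        if d < timedelta(0):
            # Timestamps out of order usually mean a data-entry error; refuse to score it.
            raise ValueError(f"{inc.name}: negative duration in phase {phase!r}")
    return phases


def scorecard(incidents: list) -> dict:
    """Per-phase mean and worst-case minutes, each compared against its target.

    The mean is what the text asks agencies to report; the maximum is kept alongside it
    because a single long-dwell intrusion is exactly what an average can hide.
    """
    report = {}
    for phase, target in TARGETS.items():
        minutes = [phase_durations(i)[phase].total_seconds() / 60 for i in incidents]
        target_min = target.total_seconds() / 60
        report[phase] = {
            "mean_min": round(mean(minutes), 2),
            "max_min": round(max(minutes), 2),
            "mean_meets_target": mean(minutes) <= target_min,
            "worst_meets_target": max(minutes) <= target_min,
        }
    return report


# Constructed sample: three incidents with plausible but made-up timelines.
T = datetime.fromisoformat
SAMPLE_INCIDENTS = [
    Incident("INC-001", T("2021-02-01T09:00:00"), T("2021-02-01T09:00:30"),
             T("2021-02-01T09:08:30"), T("2021-02-01T09:50:30")),
    Incident("INC-002", T("2021-02-03T14:00:00"), T("2021-02-03T14:02:00"),
             T("2021-02-03T14:10:00"), T("2021-02-03T15:20:00")),
    Incident("INC-003", T("2021-02-05T10:00:00"), T("2021-02-05T10:00:40"),
             T("2021-02-05T10:06:40"), T("2021-02-05T10:40:40")),
]

if __name__ == "__main__":
    for phase, row in scorecard(SAMPLE_INCIDENTS).items():
        flag = "ok " if row["mean_meets_target"] else "MISS"
        worst = "" if row["worst_meets_target"] else "  (worst case over target)"
        print(f"{flag} {phase:<11} mean={row['mean_min']:>6} min  max={row['max_min']:>6} min{worst}")
```

On the sample data the remediation mean (about 49 minutes) sits inside the 60-minute target while the slowest incident took 70, which is why the scorecard reports the worst case next to the average rather than the average alone.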

Pass a comprehensive breach notification law. Major private companies, such as those in critical infrastructure, should be required to report technical indicators associated with breach attempts to CISA, including for breaches where no personal information is actually compromised. If there is a single overriding lesson from the recent supply chain attacks, it is that information-sharing between government and industry remains a serious challenge. Some victims have shared very little information about what took place inside their networks; others have not even publicly acknowledged that they were targeted.

At present, there is no comprehensive federal breach notification law, and state-level laws are too decentralized, too focused on personal information instead of risk to systemically important critical infrastructure, and sometimes create a perverse incentive for companies not to investigate attacks. In the case of complex supply chain attacks like “Holiday Bear,” one company’s failure to publicly report a breach can have wide-reaching implications. For example, if cybersecurity company FireEye had not voluntarily and publicly shared evidence of their own compromise and that SolarWinds was the attack vector, the public and the government may not have known about this highly impactful attack for many months to come. Yet, FireEye had no legal obligation to report this breach under existing law. They should be praised for their courageous decision, but unfortunately, not all other victims have followed their lead in transparency.

Increase security standards for vendors supplying high-risk software via government acquisition processes. Government agencies and private-sector businesses currently rely on a number of companies such as SolarWinds whose software runs with high levels of privilege on their networks. Yet these agencies and businesses have little to no sense of the security levels of that software. Borrowing from a widely used private-sector practice, Congress should compel these vendors to undergo annual, independent third-party audits of their source code and penetration exercises of their networks. The government could require that companies provide the results of these stress tests as part of the federal procurement process, or even require companies to publish the results of those audits publicly on their website. Not only would this process increase transparency for their customers, but it would also incentivize companies to quickly and efficiently patch vulnerabilities in their networks or source code and get a clean bill of health, as no one would want to publish a failed audit.

Require cryptocurrency exchanges to remember who uses them. It is no coincidence that the explosion of ransomware attacks — on municipal governments, on infrastructure, on private businesses, on hospitals — occurred only after the invention of cryptocurrency platforms, which allow ransomware criminals to collect hundreds of millions of dollars in payments without risk of disclosing their identities to victims or law enforcement. The international community has already taken some steps to strengthen “Know Your Customer” requirements. In June 2019, the intergovernmental Financial Action Task Force recommended that virtual asset service providers, including crypto exchanges, share information about their customers with one another when transferring funds between firms. In December 2020, the U.S. Treasury Department published an advance notice of proposed rulemaking that would require cryptocurrency exchanges to perform and store KYC information on their customers, just as required of banks and other players in the global financial system. If designed and implemented properly, these types of tools can starve ransomware threat actors of the oxygen they need to operate.

Congress should evaluate how stronger KYC requirements and other safeguards can be used to effectively stem ransomware threats and then propose legislation and support agency action that achieves those objectives.

The global competition between the United States and its adversaries has reached an inflection point. The nations that present bold, long-term strategies to advance their economic, technological, and strategic interests will shape the decades to come, and the nations that fail to act will fall behind. Modernizing America’s cyber strategy is a linchpin that makes all other efforts to ensure continued American leadership possible.

Dmitri Alperovitch is the Co-Founder and Executive Chairman of Silverado Policy Accelerator.
