Spies In Cyberspace

The United States government is one amongst many that needs to radically improve their cyber security strategies following the the news  about the massive Russian cyber attack against the US affecting federal agencies and numerous private companies which came to light in December 2020. The impact of this disastrous and still unfolding attack using weaponised SolarWinds software is not yet fully understood

In international relations terms it wasn’t a cyber attack, it was espionage and the victim wasn’t just the US, it was the entire world order. 

Microsoft has said the UK and six other countries outside the US have been affected by a suspected Russian hacking attack that US authorities have warned poses a grave risk to government and private networks. As has been recently revealed SolarWinds hack was similar to a scene from a horror movie: Victims frantically barricaded the doors, only to discover that the enemy had been hiding inside the house the whole time. 

US Secretary of State Mike Pompeo has accused Russia for this cyber attack. "This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity," he said. For months, intruders have been roaming wild inside the nation’s government networks, nearly all of the Fortune 500, and thousands of other companies and organisations. The breach, believed to be the work of an elite Russian spy agency, penetrated the Pentagon, nuclear labs, the State Department, the Department of Homeland Security (DHS) and other offices that used network-monitoring software made by Texas-based SolarWinds. 

America’s intelligence agencies and cyber warriors never detected a problem. Instead, the breach was caught by the cyber security firm FireEye, which itself was a victim.

The full extent of the damage won’t be known for months, perhaps years. What’s clear is that it’s massive, “a grave risk to the federal government … as well as critical infrastructure entities and other private sector organisations,” declared DHS’s Cybersecurity and Infrastructure Security Agency, an organisation not known for hyperbole.

The immediate question is how to respond. President-elect Joe Biden has said to “disrupt and deter our adversaries from undertaking significant cyber-attacks in the first place” by “imposing substantial costs.” 

Deterrence

To assume that punishing Russia now will stop Russia later would be a mistake and cyber deterrence is likely to fail. The only thing universal about deterrence is a misguided faith in its applicability. Experience suggests that, deterrence works in very limited circumstances:

  • When the culprit can be identified quickly.
  • When the behavior has crossed clear red lines defining unacceptable behavior.
  • When the punishment for crossing them is credible and known in advance to would-be attackers.

These conditions are rare in cyberspace.

Like Russia, China and other nations, the United States engages in cyber espionage on a massive scale all the time. In 2015, after China hacked the Office of Personnel Management and stole 22 million highly classified security-clearance records, James Clapper, then the director of national intelligence, declared, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

US officials face intense domestic political pressures to talk tough now and figure out the details later, but empty threats can undermine credibility with future adversaries. 

A more effective approach for the incoming Biden administration is to get back to basics and focus on preventing cyber intrusions and bouncing back more easily from the ones that inevitably get through. Although cyber security efforts have greatly improved but they are still underpowered and fragmented.  The Cybersecurity and Infrastructure Security Agency (CISA) has enhanced the coordination of public-and private-sector cyber security, but this agency is only two years old and has just over two thousand employees to help secure vital American networks.

The Trump administration fired the head of CISA after first eliminating  the White House subdirector’s office, a move so ill-advised that a bipartisan commission and a recent bipartisan vote of Congress called for re-establishing it.

Better cyber security is urgently required and this includes prioritising counter intelligence efforts to penetrate adversary nations’ intelligence services and their cyber operations.Success requires not just technology but talent. The SolarWinds malware didn’t just make itself. Humans created it. And wherever there are humans, human intelligence can make a difference.

During the Cold War  spying was a constant activity and everyone knew they were playing what decision theorists call a “repeated game”: If one side violated Moscow rules this time, the other could reciprocate in the future, and the whole thing could unravel. In today’s world, Russians and Americans don’t share a strong interest in managing all their potential cyber conflicts. But one area stands out: computer systems related to nuclear weapons. Hacks that penetrate any such systems could change how they operate, making nuclear accidents more likely. And even if hacks didn’t change anything, the other side could never be sure. 

During the Cold War the offense had distinct advantages over the defense. Each side came to recognise that the other had an ability to annihilate its adversary no matter the defender’s efforts. But unlike in the nuclear arena, cyber vulnerabilities change over time, software flaws pop in and out of existence as they are created, discovered, exploited, and patched. Malware often must be custom-made to take advantage of specific flaws, and its effectiveness ends when the flaws and exploits are detected. 

Unlike a nuclear-tipped missile that retains its capabilities for decades, whose presence and potential are clear to all concerned, cyber weapons are ephemeral and easily camouflaged phenomena. They require an unending process of finding and exploiting ever more vulnerabilities on the other side, in the expectation that each exploit will eventually be discovered and neutralised. 

Neither side in the competition can ever be confident that its offensive capabilities have produced a stable state of mutual cyber deterrence. Cyber conflict is here to stay and policy makers need to be very clear about what steps will actually make us safer. 

Foreign Affairs:       DefenseOne:    The Atlantic:        Guardian:   The Hill:    National Interest:   

You Might Also Read:

Solving Mr. Biden’s Wicked Cyber Problem:

 

« The Coronavirus Is Increasing Investments In AI
New Zealand Central Bank Cyber Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Hack in the Box Security Conference (HitBSecConf)

Hack in the Box Security Conference (HitBSecConf)

HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events feature two days of training and a two-day multi-track conference

Security Audit Systems

Security Audit Systems

Security Audit Systems is a website security specialist providing website security audits and managed web security services.

Paladion

Paladion

Paladion is a provider of managed IT security services.

Riverside Research

Riverside Research

Riverside Research is a not-for-profit organization chartered to advance scientific research in areas including Trusted & Resilient Systems.

SKKU Security Lab (seclab)

SKKU Security Lab (seclab)

SKKU Security Lab supports research and education in information security engineering. The lab is a part of the College of Software, Sungkyunkwan University.

National Cyber Security Centre (NCSC) - New Zealand

National Cyber Security Centre (NCSC) - New Zealand

The role of the NCSC is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats.

Safetica

Safetica

Safetica Technologies is a Czech software company that delivers data protection solutions for businesses of all types and sizes.

Synectics Solutions

Synectics Solutions

Synectics deliver solutions for reducing risk, combating financial crime, and enabling organisations to meet their compliance and regulatory commitments.

Stage2Data

Stage2Data

Stage2Data is one of Canada’s most trusted cloud solution providers offering hosted Backup and Disaster Recovery Services.

SearchInform

SearchInform

SearchInform is a leading risk management product developer, protecting business and government institutions against data theft, harmful human behavior, compliance breaches and incomplete audit.

INVISUS

INVISUS

INVISUS protects businesses against the latest cyber risks – including business and employee identity theft, data breaches, and cybersecurity compliance.

Secrutiny

Secrutiny

Scrutiny's core services include Cyber Maturity, Cyber Risk Analyser, Cyber Controls, Incident Response, SOC, Cyber Recovery and Assurance Testing.

Cloudflare

Cloudflare

Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable.

Cynical Technology

Cynical Technology

Cynical Technology is a Nepalese cybersecurity company with expertise in security consulting, auditing, testing and compliance.

Sec3

Sec3

Sec3 is a security and research firm providing bespoke audits and cutting edge tools to Web3 projects.

Gutsy

Gutsy

Gutsy uses process mining to help organizations visualize and analyze their complex security processes to understand how they actually run, based on observable event data.