The Clock is Ticking for a New Cyber Security Strategy
President Biden is walking into an embattled and in some ways grim cyber security picture. As we know, the end of 2020 brought to our attention a months-long global cyber-espionage campaign. The broader public will almost certainly never know the full scope of SolarWinds or its impact on national security. While we have seen ongoing cyber compromises and data breaches over the past decade, this most recent attack exposes more clearly than ever the frightening rise of cyber-attacks in geopolitical conflict and, crucially, the unique vulnerability of our government institutions in the face of well-resourced and creative cyber adversaries.
Attacks like SolarWinds, a perfectly selected attack vehicle that reaches as many high-value victims in the supply chain as possible while requiring the effort of infiltrating only one, represent the level of planning, sophistication and subtlety we can increasingly expect. Beyond SolarWinds itself are the lessons and insights it has given more mainstream attackers about the opportunity in supply chain tactics; as we have seen time and time again, cyber criminals quickly learn, leverage, adapt and adopt nation-state-level techniques.
It’s not just that we should now expect more supply chain attacks (we should, by the way); we are facing a future of increasingly innovative campaigns targeting critical infrastructure. As much as SolarWinds most likely was initiated as, and remained, an intelligence-gathering and espionage operation, the exact same access can lay the groundwork for disruption and sabotage operations. Nation state actors conduct malicious cyber activities to prepare the battlefield for potential future conflict, whether to retaliate quickly or to maintain future strategic advantage. The public discovery and loss of this access by the SolarWinds attackers does not force a ceasefire.
Cyber is now a commonly used lever of global strategic power across the full spectrum of conflict. Small countries are taking advantage of the asymmetric nature of cyber-activity and the ease of access to sophisticated attack tools, while the superpowers are increasingly conducting operations to posture or gain strategic advantage over other apex adversaries. The reality is that everyone can attack, and in many cases is attacking.
Unfortunately, our existing approach to national cyber security, predominantly focused on offensive operations and deterrence, is flawed and will continue to fall short in meeting today’s security challenges. We need to move past the presumption that the rules of conventional warfare apply directly, and in the same way, to cyber warfare. True cyber strategic advantage will be won through defensive superiority, not offensive capability.
This means re-evaluating our approach to detecting and defending against nation state campaigns and moving away from current prevention-centric strategies, which often rely on rigid signatures and threat intelligence. Prevention-first and threat-intelligence-first strategies only provide context and the ability to disrupt known, or perhaps recently emerged, threats. Both prevention and threat intelligence serve important security roles, but as the primary line of defense they are continually losing ground, and the advantage, to advanced attackers.
A modern cyber security strategy capable of identifying and stopping attacks at the earliest moment needs to be fully centered around the idea of active internal defenses. Active defense is the prioritization and deployment of intelligent detection, investigation, and response based on understanding an institution’s digital environment, rather than on identifying the potential attacker or attack vector. Intelligent detection and response shifts organizational attention to the critical issue at hand: understanding and constantly enforcing ‘normal’ digital behaviour to ensure continuing operations and resilience. With an understanding of evolving ‘normal’ activity, organizations are equipped to disrupt and stop malicious activity at the earliest signs of compromise, whether that is data theft or sabotage.
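The contrast drawn above, between prevention that fires only on known indicators and detection that reasons from a learned picture of what is ‘normal’ for each host, can be made concrete with a small script. The Python below is an added example written for this page; it is not Darktrace’s code or the author’s, and every host name, address, byte count and indicator in it is a constructed placeholder. It learns per-host, per-destination traffic volumes from a ‘known good’ history, then flags flows that go to a never-seen destination or far exceed the usual volume, alongside a plain indicator-of-compromise match for comparison.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (host, destination, bytes_out): an illustrative
# "known good" history collected while the environment was believed clean.
BASELINE_FLOWS = [
    ("ws-finance-01", "10.0.0.5", 1000), ("ws-finance-01", "10.0.0.5", 1200),
    ("ws-finance-01", "10.0.0.5", 900),  ("ws-finance-01", "10.0.0.5", 1100),
    ("ws-finance-01", "10.0.0.5", 1000),
    ("ws-finance-01", "10.0.0.9", 500),  ("ws-finance-01", "10.0.0.9", 600),
    ("ws-finance-01", "10.0.0.9", 400),  ("ws-finance-01", "10.0.0.9", 500),
    ("build-srv-01", "registry.internal", 5000), ("build-srv-01", "registry.internal", 5200),
    ("build-srv-01", "registry.internal", 4800), ("build-srv-01", "registry.internal", 5000),
]

# Constructed "today" flows. Only the last one matches a published indicator;
# the second and third are novel behaviour for which no signature exists.
NEW_FLOWS = [
    ("ws-finance-01", "10.0.0.5", 1050),       # routine traffic
    ("build-srv-01", "198.51.100.23", 4900),   # build server talks to a never-seen host
    ("ws-finance-01", "10.0.0.5", 250000),     # usual destination, ~200x the usual volume
    ("ws-finance-01", "203.0.113.7", 300),     # destination is on the indicator list
]

# Constructed threat-intelligence indicator list (documentation-range placeholder).
KNOWN_BAD = {"203.0.113.7"}


def signature_alerts(flows, iocs):
    """Prevention / threat-intel style: alert only on destinations already known to be bad."""
    return [(flow, "ioc match") for flow in flows if flow[1] in iocs]


def build_baseline(flows):
    """Learn what 'normal' looks like: the byte volumes seen per (host, destination) pair."""
    history = defaultdict(list)
    for host, dest, nbytes in flows:
        history[(host, dest)].append(nbytes)
    return dict(history)


def anomaly_alerts(flows, baseline, z_threshold=3.0, min_samples=3):
    """Active-defense style: alert on departures from the learned baseline,
    whether or not the destination appears on any indicator list."""
    alerts = []
    for flow in flows:
        host, dest, nbytes = flow
        seen = baseline.get((host, dest))
        if seen is None:
            # This host has never spoken to this destination during the baseline period.
            alerts.append((flow, "new destination"))
            continue
        if len(seen) < min_samples:
            # Too little history to judge volume reliably; do not guess.
            continue
        mu = mean(seen)
        sigma = max(pstdev(seen), 1.0)  # floor avoids division by zero on constant history
        z = (nbytes - mu) / sigma
        if z > z_threshold:
            alerts.append((flow, f"volume z={z:.1f}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    print("signature alerts:", signature_alerts(NEW_FLOWS, KNOWN_BAD))
    print("baseline alerts: ", anomaly_alerts(NEW_FLOWS, baseline))
```

Run against the constructed flows, the indicator match catches only the final flow, while the baseline check also surfaces the build server’s first contact with an unknown host and the finance workstation’s outsized transfer to a destination it normally uses. The z-score threshold and minimum sample count are tuning knobs; in a real deployment the baseline would be rebuilt continuously so that ‘normal’ tracks legitimate change rather than freezing at one snapshot.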
This isn’t to say the Biden administration hasn’t taken any immediate or important actions. It has moved quickly to bring on seasoned cybersecurity experts, and some efforts to prioritize cyber security, spearheaded by the Cyberspace Solarium Commission, were underway even before the administration’s arrival. One key example is the recently passed 2021 National Defense Authorization Act (NDAA). The NDAA includes recommendations from government and industry experts and is one of the most important pieces of cyber security legislation passed in years. Of specific importance is the reinstitution of a national cyber director position in the White House, who will own the national cyber defense mission. There are also expanded authorities for the Cybersecurity and Infrastructure Security Agency (CISA), but even these need to go further, and serious consideration should be given to establishing CISA as a stand-alone department outside of the Department of Homeland Security (DHS).
These are good first steps, but a more foundational shift is needed. Even with an apparent increased sense of urgency, very strong cybersecurity leadership, and expanded critical cybersecurity roles and authorities, without a change in strategy and approach the Biden administration is potentially doomed, at best, to keep playing catch-up against the current level of attacks and, at worst, to end up dealing with an even more devastating one in the future.
Moving now may allow us to regain some strategic advantage, but the attackers are almost certainly already starting again from scratch, or accelerating efforts already in progress, to replace what they might have lost. That is the nature of the game. We have an opportunity to heed the true lessons of the growing attacks, prioritize national cybersecurity, and embrace an active-defense-first approach using the right technologies, specifically artificial intelligence, to gain the advantage over innovative attackers, no matter who they are and, more importantly, however they attack.
This article was originally published here.
About the Author
This article was written by Marcus Fowler, Director of Strategic Threat at Darktrace. He is a proven organizational leader with a track record of leading cross-functional teams in operations, cyber, and data science to solve complex problems and drive innovation. Marcus spent the last 15 years as a CIA officer developing global cyber and technical operations and strategies.