The Cycopalypse
Everyone has heard the old saw about the high school kid in the basement with a laptop, a $25 exploit kit, and an internet connection going up against Chase Bank and its billion-dollar cybersecurity organization … and winning. That is a metaphor for one of the four horsepersons of the Cycopalypse – the “economic” asymmetric advantage that our adversaries enjoy.
The other three are “education,” “information,” and “technology.” Combined, these four asymmetries constitute the reason we continue to lose ground against our adversaries.
But there is a fifth horseperson now, and it resides in Washington, DC. It manifests in our government’s inability to take control of what has been an operational failure to secure enterprise data against cybercrime. We have been talking about this issue for ten years now and nothing gets done. In the meantime, breaches like SolarWinds keep coming, and the failure rate keeps climbing.
If the president or DHS can’t create an enforceable national cybersecurity policy, then Congress certainly has the constitutional authority (Article I, Section 8, Clause 3) to do so, yet it continues to resist in the apparent hope that private enterprise will figure out a way to defeat this cyber octopus without any federal government intervention.
So far, no good.
While I am the last guy who would ever call for any government intervention in business, culture or society, it is clear that the targeted victims of cyberattacks will not, or cannot, do what it takes to protect themselves and their customers and put up a unified defense against their aggressors.
We have no national cybersecurity plan, policy or process that requires each organization or business operating within the U.S. to adhere to any form of unified cybersecurity framework, to implement any specific cyber defense platform, or to participate in any sort of intelligence or even information sharing. Nothing requires them to band together and operate as a team against what is now the most serious threat to national security that we have witnessed at any time in our brief history.
Many other countries with much smaller GDPs have implemented at least a national cybersecurity policy that calls for specifics in component implementation. But not us. We’re apparently going to leave all that to companies like Equifax. Or Capital One. Or FireEye.
At least we’re consistent. The last time I looked at education, there were fewer than 100 accredited colleges in the U.S. offering NSA/CAE-certified cybersecurity degrees. Meanwhile, North Korea, China, Iran, and Russia have been ushering tens of thousands of students through their advanced master’s-level cybersecurity and hacking programs since 2012. And to get into one of those elite programs, a student doesn’t just elect a major and sign up, but must demonstrate exceptional subject scholarship along with written and oral fluency in English.
North Korea, for example, is also cooperating with China, Russia, and Iran on improving its cyber capabilities by sending its best students to them for additional training. Russia sends professors from the Frunze Military Academy to North Korea to train professional hackers, while Pyongyang and Tehran have signed scientific and technological cooperation agreements that include student exchanges and joint laboratories for information technology warfare and cyber hacking.
There are still fewer U.S. colleges offering undergraduate programs in cybersecurity than there are those offering degrees in anthropology. Smart graduates with anthropology degrees will undoubtedly improve their interconnected understanding of people and their cultures, thus preparing them for jobs in museums and ethnographic non-profits.
But while our adversaries have declared cyberspace as the new battlefield, we would apparently rather whistle through the graveyard.
Informational Asymmetry
The informational asymmetry is also growing. We continue to know virtually nothing about our attackers, yet they know everything about us. They continue to probe our defenses so that they can compile a comprehensive view of which technologies we are using to defend our government agencies, our critical infrastructures, and our financial ecosystem. Hackers can buy and test security products but we can’t pre-test targeted malware. We report continuously on government hacks, infrastructure, and banking assaults, yet we act as if this wave of activity is like the latest weather report – chance of showers, then partly cloudy through Thursday.
Our government entities argue that they should be entrusted with massive amounts of data on thousands of U.S. citizens, while a teenager who went by the handle “penis” on Twitter dove into the servers of two of America’s most secure federal agencies in 2016 and plucked out the internal files of 20,000 FBI and DHS employees. After the fact, we found out that young Mr. Penis was part of the crew that socially engineered their way into the inboxes of former CIA director John Brennan, Director of National Intelligence James Clapper, and the Obama administration’s senior advisor on science and technology, John Holdren.
A classic example of the result of this informational imbalance is the attack against the cyber-surveillance technology company Hacking Team. The outcome was the release of 400 GB of data which included email correspondence between employees at the company and their clients, proprietary source code, financial records, sensitive audio, and other files.
Although the attacker claimed the use of a zero-day exploit that he had developed himself, he also used off-the-shelf tools and provided guidance on using exploit kits to further compromise the victims. Moreover, the attacker provided detailed run-downs of the attack mechanics which should make for insightful reading for anyone concerned with network defense.
In just a matter of days after the disclosure of the breach, at least two exploit kits – Angler and Neutrino – had incorporated exploits revealed in the guide. The only problem is I have yet to meet anyone who either knows the identity of the hacker or has read the “how-to” guide.
The Messy World of Cyber Attribution
Beyond the forensic specifics of a particular investigation, cyber attribution today suffers from a variety of conflicting indicators, including deliberate false flags, external motivators (political or commercial pressure to name a culprit), and inconsistent methods for reading the evidence, from the infrastructure and tooling an attacker used to the contents of the packets themselves. What we know for sure right now is that confident attribution is far outside our present reach.
Imagine the odds of winning a global conflict like World War II without intel or counter-intel. We don’t know who our attackers are, and we have limited ability even to distinguish attacker activity from legitimate use, let alone make proper attributions. When we have attributed attacks to date, we have been largely wrong. And even if we were able to pin attribution down, it is still illegal for an attack victim to mount a retribution attack.
Following the SolarWinds breach two weeks ago, most government officials, including Secretary of State Mike Pompeo along with both Democratic and Republican lawmakers, were quick to accuse Russia. Then a second piece of malware found on SolarWinds Orion servers a couple of days later, called Supernova, turned out not to carry a legitimate SolarWinds digital signature, unlike the trojanized update in the initial attack. That signaled it was likely the work of a different actor, leaving both politicians and analysts unsure as to the source of either or both.
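The signature detail above is something a defender can check directly. The following PowerShell snippet is an added example, not part of the original article or any SolarWinds tooling: it walks an Orion install directory and flags any DLL that is not validly Authenticode-signed by the expected publisher. The install path and the publisher substring are assumptions for illustration.

```powershell
# Added example (not from the original article). Lists Orion DLLs that are either
# unsigned, have a broken signature, or are signed by someone other than the vendor.
# $OrionDir and $Publisher are assumed values; adjust them to your environment.
$OrionDir  = 'C:\Program Files (x86)\SolarWinds\Orion'   # assumed install path
$Publisher = 'SolarWinds'                                 # expected signer (substring match on Subject)

Get-ChildItem -Path $OrionDir -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $subject
            # Suspect if the signature is not Valid or the signer is not the expected publisher
            Suspect = -not ($sig.Status -eq 'Valid' -and $subject -like "*$Publisher*")
        }
    } |
    Where-Object Suspect |
    Format-Table -AutoSize
```

The caveat matters for exactly this case: the check above would have surfaced an unsigned Supernova-style DLL, but it would not have flagged the original SolarWinds backdoor, which shipped in an update legitimately signed with the vendor’s own certificate. A valid signature proves who signed the file, not that the file is benign.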
Believe it or not, back in the geologic era of 2007 we had technology that would have told us everything we wanted to know about the Virginia Tech shooter before he ran out and killed thirty-two people, but we didn’t apply it. All of his troubled mental health history, his Facebook posts, his ammunition buys, his weapon descriptions, his ranting manifesto, and his videos were available on social media to anyone who bothered looking prior to the actual act.
That information would have saved thirty-two lives. We had the technology then and we have it now. But, as we continue to see school shootings from Florida to California, in spite of 69 K-12 incidents since 2018, we don’t use it.
The Final Horseperson of the Cycopalypse
This brings us to the final horseperson of the big four … technology. While it’s true that we have tons of defensive technology that can prevent conventional cyberattacks and detect many network intrusions, we have not successfully integrated these into a unified armament designed for active defense or for use in a defend-forward posture.
We have spent over $120 billion developing this stuff and almost all of it is used for perimeter, network or endpoint defense. We have a handful of products that can identify certain forms of anomalies on our networks and we have some that are trying to predict attacks before they occur. But the nature of all this technology is passively defensive.
The U.S. government is set to allocate $18.78 billion for cybersecurity spending in 2021. Of that total, the DoD will receive a majority of $9.85 billion, which will be used to defend from cyberattacks against U.S. forces and to develop abilities to conduct cyber warfare against existing and potential enemies.
DHS, on the other hand, gets a paltry $2.6 billion, a 1.17% increase over the prior year, which is supposed to protect the federal government’s digital infrastructure against cyber intrusions.
Between 2008 and 2010, under both Republican and Democratic administrations, the U.S. spent $479 billion on the Iraq and Afghanistan wars.
Deloitte says we will spend 10% of our IT budget on cybersecurity in 2021. That’s approximately 0.2% to 0.9% of company revenue, or $1,300 to $3,000 per full-time employee. The epidemic of cybercrime cost the world more than $1 trillion this year, a 50% increase from 2018. Another view comes from RiskIQ, whose analytics claim that cybercrime costs organizations $24.7 per minute, a year-over-year increase of more than $2 per minute, and that cybercrime will cost $11.4 million a minute by 2021, twice as much as in 2015.
In no universe does any of this make any sense
After all of that spending, we don’t have an integrated and unified capability to mount a continual recon defense and we don’t seem to be able to successfully seek out intruders who have penetrated our perimeter. We have hundreds of point-specific products that can detect anomalies in various ways, yet most of them are holistically ineffective and have demonstrated that they can be bypassed with minimal skill.
The effect of today’s malware attacks is amplified by our increased connectivity and expanded attack surfaces, while the effect of our defenses is not. The result is a high degree of leverage in the hands of the attackers, with little or none in the technology of the defenders.
An Argument for Taking Charge
I would argue that the time has come for the federal government to step in and impose not just regulatory guidelines and penalties for non-compliance but also very specific organizational, technological, and process requirements that every registered business in the U.S. must follow. This architectural requirement should be a simple component of organizing and operating a business in the U.S., not unlike the act of incorporation itself, establishing a cap table, appointing officers, or the requirement to pay taxes on earnings according to a very specific code. Try entering an SEC-regulated domain sometime, getting your product approved for consumption by the FDA, or undergoing an OSHA audit.
There are rules and there are reasons.
All businesses should be forced to demonstrate that they have implemented a set of very specific fundamental cybersecurity protections. Not just guidelines, but an architectural framework that is not dissimilar to our building codes which require plumbing, electrical, foundations, and framing, all in accordance with very specific specs.
The framework should minimally include the elements of threat intelligence, analytics, distance, and competency, all of which are represented by known technologies and processes available today.
Threat intelligence needs to be sourced both internally and externally. Sharing it across organizations would help, but is probably close to impossible in practice. Analytics needs to be based on technologies that can ingest, aggregate, and correlate disparate data and find connections that are undetectable by human analysts. Distance involves layers of security that keep cybersecurity battles as far from the core as possible. Sometimes called defense-in-depth, distance is about putting multiple obstacles between our core assets and the vectors cyber attackers use to penetrate. Competency involves educated, trained, and skilled people who should be required to certify in their sub-fields.
We don’t allow hospitals to operate without MDs, nor do we allow security brokers/dealers to function without licenses. You would think that the protection of privacy, intellectual property, and our electrical grid are somewhere in the value ballpark alongside healthcare and financial fraud.
There are many more components of a national cybersecurity architecture, but just getting these four in place would be an impressive start. It would also be a massive improvement over the current patchwork of state-led initiatives, which rest on vaguely defined guidelines backed by punitive fines for non-compliance, and which produce a check-box mentality and insufficient defenses for everyone concerned.
I also suspect a national cybersecurity program with specific architectural requirements would not encounter much pushback in light of the current cybercrime epidemic. Unlike taxes, S-1s, and 10-Ks, the incentives for cooperative participation would simply be national pride, increased security, and freedom.
Once upon a time, those were enough.