The US is at risk of a “catastrophic cyber attack” and the government needs to adopt sweeping structural changes to address cybersecurity challenges, according to a report from the US Cyberspace Solarium Commission following a year-long investigation.
“Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions, disrupting everything from financial transactions to the inner workings of our electoral system.” You can read the CSC’s full report here: https://t.co/zFmcBjJtG9
— CSC 2.0 (@CyberSolarium) March 11, 2020
With cybercriminals beginning to pivot their ransomware operations towards critical national infrastructures, including industrial control systems and operational technology, initiatives outlined here are imperative to our global economy.
In my prior role as Director of the ICS-CERT at the Department of Homeland Security, we often struggled with interagency cooperation and I am pleased to see such collaboration called out.
Industrial control systems and operational technology require very specific customized approaches to cybersecurity and the creation of a center dedicated to research in this area is applauded. We would be well served to leverage the knowledge of the National Laboratories in this effort.
It’s also high time that a federal law is passed that puts the onus on updating vulnerable hardware and software on vendors and/or final goods assemblers. With the vast majority of cyberattacks and data breaches caused by known, but unpatched vulnerabilities, this is a step in the right direction towards a more secure global ecosystem.
While this is yet another in a long line of reports projecting digital disaster, I was pleased to see an emphasis on incident detection and response via threat hunting as one of the more prominent recommendations. I began arguing in 2007, before ‘threat hunting’ was a defined term, that federal security teams should be ‘projecting friendly forces’ on their networks, assuming that they were already compromised. The new report integrates these recommendations, but it remains to be seen if anything changes in the federal government.
Most of what we do as humans is on autopilot, saving precious computing resources in our minds for new challenges. This means that hacks and con men can often blend into the background, and to some degree suddenly having America or the world working from home has several implications. First, it is exhausting to have to learn new patterns. Second, changes in how we work and live are always opportunities for con men and hacks because our anomaly spotter has to be retrained to the ‘new’ normal. Finally, we have a window as we settle into the everyone-at-home paradigm to spot anomalies; but this too will become normal.
However, the larger issue isn’t whether we are at home or not, or afraid of human contact or not, in the cyber domain. We continue to have geopolitical triggers, low overall cyber maturity, since this is still a world where attackers enjoy the advantage in attack, and finally a larger, more distributed IT footprint. As we move beyond the perimeter and can see a globalised world doing more in the future, the cyber risks just continue to grow. It’s time to dust off risk registers, risk profiles, threat analysis and so on and redo those models and analyses even if you just finished the annual cycle of these. Perhaps especially if you just finished them.
The words of the day should be prepare, test and practice. There is no state of rest in cyber, but when the world is in flux around us it gets worse. As a final reminder, the answer for neither the government nor the private sector is to put more people on things or to increase the bureaucracy. On the contrary, it’s time to allow people to focus on cyber and get ruthlessly efficient. Gains in efficiency and focus trump gains in absolute spend and bureaucracy. Word to the wary: bloat and dumping money on the problem are no substitute for rolling up your sleeves, re-prioritising, going back to basics and focus. And in an age where expertise is generally denigrated and not valued, it’s time to listen to the experts regardless of politics, from medicine to cyber, and let’s make sure we act from data, in a scientific way, and listen to the true experts.
As more and more systems are put online the risk to our infrastructure inherently increases. The problem is that there are so few resources to help mitigate threats and that’s only going to get worse. Organisations shouldn’t wait for the government to make recommendations. There are a series of steps they can take to get on the right track. First, if they don’t have a strong security team they should engage security firms with the extensive experience to consult on current and future needs. Secondly, they need to implement the recommended security changes based on findings right away; for example, conduct external pen testing and mitigate vulnerabilities. Finally, they need a formal software security initiative. That may require hiring trained staff, tools for automated testing, and regular training to make security part of their DNA.
The US Cyberspace Solarium Commission highlights the unfortunate reality of current cybersecurity practices – the attackers define the rules and defenders must react. It also recognises that from an attacker’s perspective collateral damage often doesn’t matter.
While increased investment in CISA is a prudent activity, addressing cybersecurity threats requires a level of agility that bureaucracies rarely exhibit.
The report accurately identifies that cyberthreats thrive in darkness and that reforms are required to increase the agility of response teams, which may be hampered by information sharing restrictions. Solving the problem of information flow requires both governmental and private sector cybersecurity cooperation, where the goal is a shared purpose of limiting the scope of damage associated with any attack.
Detailing how an attacker was able to successfully achieve their objectives with one attack enables cyber teams at all levels of society to identify weaknesses in their processes, practices and tooling which might enable future attacks.
The current climate, where attacks are hidden away, or where an attack is disclosed without detailing the attack methods, only serves to enable attackers to replay their attack against others, with the net result that any given attack model becomes a persistent threat. By sharing information surrounding attempted attacks, not only do our collective cybersecurity defences improve, but the cost to an attacker for a successful attack also increases.