At their Geneva summit in June, President Biden confronted Russian President Vladimir Putin over the Kremlin’s nefarious cyberattacks against the U.S., proposing 16 areas of mutually “off-limits” critical infrastructure and strongly hinting at specific countermeasures the U.S. could take to hold Russia accountable for future attacks.
Shortly after the meeting and the warning, however, the Russian-based cybercriminal group REvil used malware to launch a massive supply chain attack on American IT firm Kaseya.
The U.S. is under siege from China and Russia in the 21st century digital Cold War, and the private sector finds itself directly in its crosshairs.
Russia’s foreign intelligence service (SVR) penetrated the SolarWinds operating system, spread malware into its Orion security software, and obtained a backdoor into SolarWinds’ 30,000 customers’ information technology systems, allowing the hackers to steal sensitive information from a panoply of government and private U.S. organizations. Cyber hacking groups such as DarkSide and REvil operate with apparent impunity on Russian territory.
It was DarkSide that hacked into Colonial Pipeline’s network, shutting down gas stations across the East Coast and extorting $4.4 million from the company to restore services. REvil was responsible for a destructive cyberattack against Colorado-based JBS, the world’s largest meat processing company.
Last month, the Biden administration explicitly called out China’s Ministry of State Security for a cyberattack on Microsoft Exchange’s email server, through which China-based hackers penetrated thousands of networks worldwide.
We should not expect the Chinese and Russian attacks to abate anytime soon. There are no internationally recognized norms for conduct in cyberspace, and thus far the U.S. has been unable to effectively find and stop the rampant criminal hacking online.
All of which means that now more than ever, the U.S. private sector is on the hook to fend for itself.
Collecting intelligence is all about detecting hints and warnings to preempt threats before they are visited on our shores. Enterprises must recognize that no single solution is sufficient, and that diversified threat detection is the most effective means to protect the data and reputation on which commercial success and our national security rely.
Private-sector cybersecurity teams should seize the moment to improve their tools and processes. Defense-centric security models — where the onus is always on the defenders manually to respond to the attackers’ tactics — must evolve by extending the “secure perimeter” and forcing attackers to operate on the defender’s terms.
As my CIA and military colleagues used to say, it’s all about taking the fight to the enemy.
Putting cyber hackers on the defensive means forcing them to deal with the unexpected. Too many standard operational processes leave residual data, which enables follow-on cyberattacks and forces enterprises to react to the attacker’s moves.
But what if the attackers were not always operating on real data, or could not easily harvest useful residual data? What if a nation-state or ransomware attacker wasted hours or days pursuing a dead-end, while unknowingly tipping off the defenders to their tactics, techniques, and points of origin?
Cyber defense should incorporate an offensive-focused security model, where the useful residual identity and connection information are concealed and most of what the hacker sees is actually deceptive. Deployment of authentic deceptive data creates an alternative reality, one which slows down the hacker and exposes them to detection. Consider the attacker’s new reality, where 10 possible entryways now appear as 100.
The concept is not new: Consider extraordinarily successful deception operations like D-Day, which featured fake Allied military units; rubber dummy aircraft, landing craft, and tanks; and a network of double agents, all of which saved countless lives by inducing the Nazis to focus on attack zones other than Normandy.
When an attacker guesses wrong and enters the wrong door, the defender is alerted and can collect data on the attacker’s tactics. The goal is to create a “fog of war” to confuse the enemy. Just making this strategy known deters the bad guys from attacking in the first place.
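The “wrong door” idea above, as an added example that is not part of the column: a small Python detector that interleaves decoy endpoints among a hypothetical application’s real ones and raises an alert on any request that reaches a decoy. The endpoint names, decoy suffixes and access-log lines are all constructed for this illustration.

```python
import random
import re

# Hypothetical application entry points (constructed for this example).
REAL_ENDPOINTS = ["/api/login", "/api/orders", "/api/reports"]
# Plausible-looking siblings no legitimate client is ever told about; nine
# decoys per real endpoint turns 3 entryways into 30 (the text's 10 -> 100).
DECOY_SUFFIXES = ["/admin", "/export", "/debug", "/backup", "/internal",
                  "/legacy", "/test", "-v2", "_old"]
# Apache-style access log: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def generate_decoys(real_endpoints, per_real=9, seed=7):
    """Decoy paths to interleave with the real ones (fixed seed: reproducible)."""
    rng = random.Random(seed)
    decoys = set()
    for endpoint in real_endpoints:
        for suffix in rng.sample(DECOY_SUFFIXES, per_real):
            decoys.add(endpoint + suffix)
    return decoys

def detect_decoy_hits(log_lines, decoys):
    """Every request to a decoy path is an alert: real users are never sent
    there, so a hit means someone is probing. Returns (ip, path, time) tuples."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:                                  # not access-log shaped
            continue
        path = m.group("path").split("?", 1)[0]    # ignore the query string
        if path in decoys:
            alerts.append((m.group("ip"), path, m.group("ts")))
    return alerts

# Constructed sample log: one legitimate client, one probing client.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2021:10:01:02 +0000] "POST /api/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2021:10:01:05 +0000] "GET /api/orders HTTP/1.1" 200 2048',
    '198.51.100.23 - - [12/Aug/2021:10:02:17 +0000] "GET /api/login/admin HTTP/1.1" 404 150',
    '198.51.100.23 - - [12/Aug/2021:10:02:19 +0000] "GET /api/orders/backup?all=1 HTTP/1.1" 404 150',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, path, ts in detect_decoy_hits(SAMPLE_LOG, generate_decoys(REAL_ENDPOINTS)):
        print(f"ALERT decoy touched: {ip} -> {path} at {ts}")
```

Decoy paths must never be linked from real pages or documentation, or legitimate users will trip the alert; the fixed seed lets the same decoy set be deployed to the application and to the detector.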
The May 2021 executive order to “modernize” cybersecurity called for “bold changes and significant investments to defend the vital institutions that underpin the American way of life.” The federal government might yet make cyberspace safe for business, but, for now, it’s up to the private sector to take the fight to the cyber adversaries who seek to do us harm.
• Daniel N. Hoffman is a retired clandestine services officer and former chief of station with the Central Intelligence Agency. His combined 30 years of government service included high-level overseas and domestic positions at the CIA. He has been a Fox News contributor since May 2018. Follow him on Twitter @DanielHoffmanDC.