Playing Defense

Calls from around the United States pour into the White House Situation Room reporting power plants shutting down across the Northeast and Midwest, causing massive blackouts affecting tens of millions of people, with patients dying in hospitals and riots breaking out.

The president's advisors say local plant operators have been locked out of their control systems and have no way to restart the facilities, transfer power from other sections of the nation to the impacted areas and some nuclear power plants may even suffer catastrophic breakdowns if control is not recovered. A claim taking responsibility for the attack comes in from North Korea's Kim Jong-un saying the shutdown is in response to American interference on the Korean peninsula and an officer from Cyber Command confirms this, saying the Pentagon was able to trace the problem to a North Korean government-run hacking group.

The president slams his fist into the conference table, then turns to the Army colonel carrying the briefcase, known as the “football,” which contains America's nuclear launch codes and asks to start the procedure to counter North Korea's cyberattack with nuclear fire.

Far-fetched? Perhaps, but the possibility of the United States responding to a massive cyberattack on its critical infrastructure took a step closer to reality last month when a draft of a plan called the Nuclear Posture Review was placed before President Trump. If implemented, it would allow for a nuclear response not only to a nuclear, biological or chemical attack upon America but to other types of attack, including cyber.

Other, less massively destructive methods, such as hacking back, have also been brought up in government circles – for instance, Rep. Tom Graves, R-Ga., and Rep. Kyrsten Sinema, D-Ariz., last year introduced the Active Cyber Defense Certainty Act. The U.S. bill is still languishing in the House and has not been acted upon, and the U.K. has a similar piece of legislation, but many have come out against the idea of hacking back as possibly doing more harm than good.

“Regardless, I've found that in the vast majority of cases, the risks associated with hacking back outweigh the rewards,” says Israel Barak, CISO at Cybereason, adding, “The main risks (although certainly not the only ones) are that: hacking back can quickly cross the fine line separating legal vs. illegal activities, and that you risk a high chance of inflicting collateral damage, mostly since attacker attribution is highly inaccurate in many cases.”

Troy Gill, manager of security research at AppRiver, partially disagrees saying one way to deter these sorts of attacks is to have an equally or perhaps more advanced offensive capability.

“In other words, hacking back is a necessary evil in maintaining the balance of power. This is very similar to the mutually assured destruction doctrine,” he says, quickly adding defensive measures are equally important.

Graves believes the bill, if passed, will help level the playing field between consumer, corporate and government victims and their attackers.

“The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders,” Graves says.

Most cybersecurity executives believe Graves' approach to the problem is mistaken, that a focus on counterattacking would be a misuse of resources, and that the best defense is actually a strong defense. Omri Moyal, co-founder and vice president of research at Minerva Labs, says that making it difficult and costly for an attacker to get into sensitive systems is the best road to take, especially at the state level.

“In cyber we never have a 100 percent ability to know where it [the attack] came from,” Moyal said, adding that the other issue is a bug used in a hacking counterattack can be grabbed by an adversary and then used against the attacker or another victim.

Kris Lovejoy, CEO of BluVector, places the blame for the government's vulnerability to cyberattacks squarely on the shoulders of those in charge and states that there is no reason to believe deterrence is a workable strategy.

“I would argue that we have to focus ourselves on putting in place controls that allow us to detect and disrupt attempted attacks. Cost effective, easy to implement, AI-based security solutions for both the network and endpoint exist. Perhaps if the U.S. government succeeded in passing a budget they could actually buy some of their own?” she says.

Scott Nelson, a vice president at SecureSet, and a U.S. Army Reserve colonel who just came off active duty as the national director for the USAR Cyber Public Private Partnership initiative and Deputy Commander of the Army Reserve Cyber Operations Group, says offensive weapons could be a useful tool; however, other areas, such as attribution, need to be bolstered first.

“Attribution is improving. The introduction of machine learning, big data and artificial intelligence will improve the ability to detect and discover signatures/behavior of threat actors. Humans and machines leave patterns so it is possible to identify Active persistent threats (APTs) from their patterns of behavior, normal targets and tools used,” he said.

Here are the other areas Nelson sees that need improvement:

Diplomacy: Improving the U.S.'s diplomatic efforts to create international norms and laws, establishing international standards for the laws of war in cyberspace;

Active Defense: Creating a much stronger active defense of critical national infrastructure. China has demonstrated some of this with its Great Firewall, where the cyber nervous system can be locked down from centralized command and control systems;

Cyber Response and Recovery: Stronger indicators and warnings of attacks in order to respond effectively. As the military states, train as you fight. Invest in organizational and sector exercises to discover risk options and resource decisions, and to exercise how the organization or sector responds as a whole.

Joseph Carson, Thycotic's chief security scientist, also backs the idea of diplomacy, but mainly to figure out who is behind a cyberattack and to make sure others are not harboring cybercriminals.

“To prevent such a major catastrophe from occurring, governments and nation states need to work together with full cooperation and transparency to ensure that cyber attribution is possible and hold each other responsible for the actions of criminal organizations carrying out cyber-attacks from within their borders. It is important that governments do not provide a safe haven for cybercriminals to carry out such attacks especially when they are doing it for both financial, political gains and extreme aggression,” he says.

While the more robust-sounding plans like hacking back and nuclear retaliation might grab headlines, additional legislation has been proposed to protect the American election process that takes a less violent approach, but that, if triggered, could result in sweeping economic countermeasures with a huge negative impact on world economies.

The highest profile of this type of bill is the Defending Elections from Threats by Establishing Redlines Act (DETER), unveiled by Sen. Marco Rubio, R-Fla. and Sen. Chris Van Hollen, D-Md., earlier this year. Its inspiration comes from the more subtle election altering tactics the Russians used during the last election cycle. This includes using social media platforms to push fake news that bolsters certain candidates or tries to place doubt in the minds of American voters that their electoral system is secure.

If any nation-state were discovered attempting to hinder or alter a U.S. election, the government would then determine what retaliatory measures to take. Russia is also called out specifically for a separate line of penalties if it is again caught. These include sanctions on Russia's finance, energy and defense industries, and possibly blacklisting Russian political figures, blocking access to their assets in the United States and imposing a travel ban.

“We appreciate the temptation of threatening the financial equivalent of massive retaliation, but at this stage it is the wrong weapon,” wrote Daniel Fried, a senior fellow in the Atlantic Council's Future Europe Initiative and Eurasia Center, and Brian O'Toole, a nonresident senior fellow with the Atlantic Council's Global Business and Economics Program, in a piece for the Atlantic Council.

Planning a cyberdefense

While there is no way to be fully protected from these cyberthreats, a good defense must include a multitude of measures, says Troy Gill, manager of security research at AppRiver.

1. Keeping networks properly segmented, and isolating from the internet any systems that can be kept isolated.

2. Another obvious and simple, but often under-executed area, is keeping software and systems up to date. This helps defend against vulnerabilities that have been recently patched and otherwise could be exploited.

3. Knowing your vendors and software providers. Proper vetting in this area can prevent certain cases of insider threats from gaining access to systems.

4. When people think of insider threats, they often imagine an insider with sinister intentions. Nevertheless, more often, damage done by insiders is that of someone unwitting, who has good intentions. There are many factors to consider here, but practicing least privilege access is important. Companies should monitor and audit who is accessing any sensitive/critical data. In addition, keeping employees trained on how to react to threats they may face should be a priority.

5. When it comes to critical infrastructures, such as power grids, we need to continue to harden these systems against cyber attack. Making them more secure is certainly a priority, but as all things in the cyber arena, nothing will ever be totally secure. That is why having detailed disaster preparedness plans both for cyber assets and in the physical world is an essential part of mitigating the fallout from this threat.