World War Three started years ago. The United States has been an unwitting participant in this war so far, and stands to lose decidedly if the federal government doesn’t make immediate, major priority shifts.
Offense as Defense Doesn't Work in Cyber Security
Throughout the history of the U.S., our primary defense strategy has been offense. Theodore Roosevelt’s famous statement, “...walk softly but carry a big stick,” was carried out in our military and defense strategy for over a century with measurable effectiveness. This offense-as-defense strategy makes sense when there are oceans dividing you from your immediate opponents. It is unlikely a foreign adversary will wade onto our beaches and wage traditional combat on our territory.
Unfortunately, the landscape shifted quickly, largely due to our own innovations, and our defense strategy hasn’t adapted quick enough. In the digital world, there are no oceans to protect us. Our critical systems are vulnerable to sneak attacks 24 hours a day, seven days a week, every single week of the year.
It is election season again and undoubtedly we will be flush with talking heads quibbling about the concerns of the nation. Among those concerns will be immigration, foreign wars, China’s rise, corrupt candidates, and finally…cyber security.
The White House has released two editions of its cyber security strategy document in the last year. While it is refreshing that our leadership in Washington is paying attention to “cyber,” this document misses the mark by a wide margin, and the end of 2023 is far, far too late to be in this state.
Our Adversaries Have Been Fighting and Winning for Years
For more than ten years, organized cyber criminals and state-sponsored threat actors have been attacking our economy. Cyber syndicates—colloquially known as “hackers”—backed by Russia, Iran, North Korea, and China have been successfully attacking, disrupting, extorting, and stealing from public and private enterprises in the U.S. with impunity, causing losses to the tune of hundreds of billions of dollars a year. When the talking heads pontificate about the economy, why are they not talking about this? Sure, we occasionally see them up in arms about a large enterprise or public sector victim, but nothing is said or done about the thousands of other victims that are attacked every. single. day.
What do these attacks look like? Let’s start with commercial companies. In a ransomware attack, the attackers gain access, then steal as much of that company's private data as possible; we call this “exfiltration.” After exfiltrating (i.e. stealing) the data, the threat actors launch the ransomware software, which locks the files of the target company so they can no longer do business. In order to unlock the files, the attackers demand a ransom;this typically plays out in a few ways.
If the company is lucky, they can restore their locked data from backups, but even these lucky institutions lose days, weeks, or months of productivity. Customers leave, employees quit, and the general public’s trust of this company is forever damaged. Further, if the company decides not to pay the ransom, the attackers often release the stolen data to the public, or sell the data—or give it away for free—on the dark web so it can be exploited by other attackers.
If the company pays the ransom and the files are unlocked, they return to business as usual. In this case, we have just transferred perhaps millions of dollars to foreign actors. Also, let’s not forget, they stole the data, and that data can now be used in future attacks or shared with the foreign host adversarial government. (Assume the FSB—Russia’s modern version of the KGB—has that data.)
If all goes wrong—and sometimes even when everything goes right—the company goes out of business.
None of these scenarios are good.
In Business Email Compromise (BEC) attacks, the threat actors gain access to the company’s email system and can email employees, partners, and customers apparently on behalf of the victim company. These attacks often play out like this:
The attackers send email invoices to customers asking for payments, redirecting them to an attacker’s accounts.
The attackers send emails to business partners asking for changes to their bank routing information; this will redirect future transactions to the attacker’s accounts.
The attackers email employees pretending to be executives, asking for wire transfers or changes in banking information that wire money to the attacker’s accounts.
In every case, the attackers have unfettered access to the email accounts of their victims, giving these criminals access to any private, confidential, or critical information. None of these scenarios are good.
Let’s shift from institutions both big and small to talk about individuals. By now, you have likely received a text message from a stranger pretending to know you. When you inform them that you are not the intended recipient, they engage with you anyway in a pleasant way and attempt to start a friendship. After they have secured your trust—or at least your complacency—these conversations often turn into scam attacks which can include anything from crypto scams (like pig butchering) to romance scams.. For every hundred potential American targets who delete those messages, one or two engage. Billions of dollars are being taken, much of it from our elderly and trusting citizens.
Maybe you received a text about a FedEx or USPS package that can’t be shipped or delivered because of some address discrepancy. If you click the link—and by the way, PLEASE do not click that link!—the likely outcome is malicious software (malware) being installed on your system. That malware is often used to watch your activity and steal your banking and account passwords. Once they have this data, the attackers can directly access your bank account and steal your money.
These attacks and many more like them have been blitzing American citizens, companies, organizations and institutions for over a decade. If you have experienced any of these, imagine how many others have, and how many others have been victimized.
As a reminder, let’s not forget where the money is going. Hundreds of billions of dollars are being transferred overseas to our adversaries. In addition to all this money, China, Iran, North Korea, and Russia are actively harvesting our data and have been doing so for. decades!
This is a clever war thinly veiled as “cyber crime” activity. It is conveniently swept under the proverbial rug by administration after administration. Only now, as our economy suffers, will we start to feel at an individual level the impact of these attacks. When our foreign adversaries tap the vast treasure trove of stolen U.S. corporate, public sector, and individual data to weaponize and use against us, we will truly feel what we have allowed to occur here.
To date, the U.S. federal government has treated this as an IT problem, a nuisance at best. Resources allocated to shore up our defenses against these campaigns pale in comparison to traditional defense spending. Yet, these attacks can be just as kinetic. We have repeatedly seen hospitals taken offline, oil pipelines shut down, and power grids disrupted.
The formation of the Cybersecurity Infrastructure and Security Agency (CISA) was a step in the right direction, but this organization remains grossly underfunded and underpowered . Much of what CISA does is advisory in nature. The time for advising is long gone; now we have to defend our country from having the digital rug pulled out from under us.
Much of the military’s cyber initiatives are offensive in nature. This makes sense, as it aligns with the overall philosophy of our defense strategy. As I mentioned above, the paradigm is shifting faster than the reaction. We cannot simply create an offensive cyber weapon like STUXNET, which was used to disrupt Iran’s nuclear program, and not shore up our own critical infrastructure’s cyber defenses. To make matters worse, the three-letter agencies and the military know about active vulnerabilities which can be used against our software and citizens, but they do not disclose those vulnerabilities because they intend to use them as a weapon against our adversaries.
If you are or have been a CISO, I am sure you have gotten those vague calls from the DOJ telling you to patch this system or carefully watch the logs of another. This would be akin to the U.S. government knowing about a flaw in bank vaults that allowed anyone to walk in and take the money out. Instead of telling U.S. banks or the bank vault manufacturers, they use it to steal money from foreign banks while leaving our money at risk.
A handful of states and large municipalities have taken responsibility for the cyber defense of their constituents. (I cannot mention these by name, as they are customers of GroupSense.) I applaud their initiative and creative use of tax dollars. Yet the federal government would not expect an individual state to stand against a foreign power alone.
Crafting a cohesive cyber defense policy at the national level needs to be priority one or we will bleed out, suffering death by a thousand cuts. What we need is a focused program around the defense of U.S. citizens, private and public sector organizations, and our infrastructure. Only a deliberately focused and well-resourced program will turn the tide.
You Should Join the Fight
I would be remiss if I didn’t speak to personal responsibility. I have been vocal about the need for the average American to make good cyber hygiene a part of their daily lives. In fact, it is a civic duty to do so. We continue to be sloppy and careless when it comes to our personal digital security. If we make a point to focus on good practices at the individual level, it would raise the bar significantly for our adversaries.
If you are a cyber security professional, volunteer. Speak at your local chamber of commerce and help local businesses shore up their defenses. Cyber students—please do the same. My friends at DefCon and attendees of BlackHat, you need to get out there and educate your lawmakers. Cyber vendors can and should get involved for the greater good by fostering volunteer and education programs for your staff and their families.
Do your part, and maybe—just maybe—the U.S. government will eventually do theirs.
Finally, #votecyber this election. If the candidates aren’t aware of this issue, then ask them—or better yet, tell them. Call your representatives and tell them you care deeply about the cyber protection of the United States of America, and your vote goes to candidates who prioritize it. #votecyber
Special Thank You to Jon DiMaggio, Heather Antoinetti, Chuka Eze, Wes Fleming, Jay Seaton, Erin West, and all who provided feedback and guidance.