Cyberwarfare: How the U.S. Can Confront This New Reality
By Baan Alsinawi, Founder and President of TalaTek, sharing cyberwarfare expertise as part of the #InfoSecInsightJam.
Cyberwarfare is the new frontier of international conflict. As a phenomenon, it is no more clearly illustrated than by the rising tensions between Iran and the US. In response to a rising number of attacks on federal workers by government-backed Iranian hackers, President Trump eliminated the Obama-era law against cyberwarfare to endow US federal security officials with the power to use computers as offensive weapons. While retaliation might seem a natural reaction when protecting federal agencies and America’s enterprises and organizations, this policy change could prove to be the spark that lights the blue touch paper, starting a fire the US might not be capable of extinguishing.
If retaliation and antagonism aren’t the answer in this new age of diplomacy, it’s important to understand why this is the case and determine how else governments should approach it.
The centrality and susceptibility of computers
Cyberwarfare shines a harsh spotlight on the global community’s dependence on computers to manage key functions, such as government operations, defense, infrastructure, healthcare, and financial services. If a system is hijacked or infiltrated to destroy, disrupt, or compromise one of these functions, the susceptibility of entire cities, and even populations, is laid bare. If public transport infrastructure is halted, for instance, our ability to travel and work could be taken away.
When you consider this and leave politics aside, a calculated look at the potential impact of Trump’s policy change raises the specter of a massive escalation in cyberattacks and counterattacks between nation-states, which could prove disastrous. A 2019 Wall Street Journal article, “Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say,” reveals that America’s national infrastructure is replete with vulnerabilities. Although its military power remains dominant, the U.S. would likely be unprepared for the ramifications of a serious cyber-attack. To paraphrase the old idiom, those who live in glass houses should take care when throwing stones at their neighbors. Failure to do so could prove detrimental to national infrastructure and the people it serves and protects.
An Iranian government-linked cyber-espionage group referred to as APT34 has been associated with recent attacks on U.S. federal government employees. This threat actor, active since at least 2014, uses a mix of public and nonpublic tools, such as password-collection tools and social engineering campaigns, to harvest strategic information that can further Iran’s geopolitical and economic needs. APT34, also known as OilRig and Greenbug, has conducted broad targeting across a variety of foreign industries and governments operating in the Middle East. Its strongest interest is gaining access to foreign corporations’ and governments’ financial and energy utilities.
As risk management experts, it’s our job to inform organizations operating in both the public and private sectors on how to take proactive cybersecurity precautions against current threats and prepare for future attacks. While the U.S. federal government has enacted certain measures to combat cyberwarfare attacks against its agencies, more needs to be done in the shape of a “whole-of-nation” approach. Government contractors, state and local governments, private industry, educational institutions, banks and other financial entities, retail chains, and hospitals, working in concert with the federal government, are well-advised to follow these measures as applicable to protect their assets and thwart hacking attempts.
The NIST Cyber Security Framework
The National Institute of Standards and Technology (NIST) is actively working on developing robust and effective frameworks for both government and industry. The NIST Cyber Security Framework (CSF) is designed to address the following:
- Monitoring access control: Organizations should adopt a stringent password policy, requiring complex passwords that change every 45 days. The Target hack in 2013 was the result of that company allowing an HVAC third-party vendor remote access without enforcing two-factor authentication. Hackers compromised the HVAC company and, through it, gained access to all of Target’s credit card data.
- Conducting awareness training: Training requires a relatively low financial outlay and provides an excellent return on investment. Educate employees on the basics of cybersecurity threats and outline best practices for securely navigating the internet.
- Implementing a layered approach to defense: Employ a variety of cybersecurity defensive processes, incorporating antivirus software, the encryption of employee laptops, implementation of encrypted secure communications in online exchanges and transactions, investment in security awareness, patched servers, and constantly monitored environments.
OMB and DHS Directives for Managing and Securing High-Value Assets
The Department of Homeland Security (DHS) issued Binding Operational Directive 16-01, Securing High-Value Assets, an immediate and compulsory directive for federal agencies that requires them to identify their high-value assets (HVAs) and assess their risk and security status.
Issued in December 2016, Office of Management and Budget (OMB) Memorandum 17-09, Management of Federal High-Value Assets, contains guidance on how to handle systems the government has deemed HVAs, including handling information related to HVAs. The memo defines such assets as those that “enable the government to conduct essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity.”
Implementing the HVA process enables agencies to better understand the specific security needs of their most critical assets. Agencies must identify their HVA inventory, update this list at least annually, and report it to OMB and DHS. Senior agency privacy officials must also ensure that required privacy documentation, including any Privacy Impact Assessments, is complete, accurate, and up to date for all HVAs that involve personally identifiable information.
Though mandated only for government agencies, all organizations should adapt these steps, each of which includes specific actions, to protect their high-value assets:
- Plan: Prepare for the HVA process, including stakeholder engagement, governance and oversight, third-party engagement, and incorporation of HVA activities into broader agency IT planning.
- Identify: Examine systems from the agency’s perspective, adversary’s perspective, and enterprise-wide perspective to determine those assets which may be considered HVAs.
- Categorize: Organize information systems based on (among other things) system function, what kind of and how much information the system contains, the system’s importance to the agency’s mission, and the scale of impact from system loss or compromise.
- Prioritize: Rank HVA systems in terms of risk, considering the categories of threat, vulnerability, and consequence.
- Report: Keep internal HVA lists up to date and report HVAs to DHS on an annual basis.
- Assess: Have HVAs evaluated via a Risk and Vulnerability Assessment, a Security Architecture Review, and any additional services deemed necessary.
- Remediate: Act on the findings and recommendations received in the detailed DHS report.
Securing Critical Infrastructure
In 2016 alone, the DHS Incident Response team investigated 290 incidents covering all 16 designated critical infrastructure (CI) sectors: chemical; communications; commercial facilities; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; IT; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. Spear phishing accounted for 26 percent of the incidents, followed by weak authentication at 15 percent, and network scanning and probing at 12 percent.
Industrial control systems (ICS) are among the most challenging devices to update when it comes to security, as going offline for maintenance isn’t an option, and legacy operating systems often cannot be updated at all. Vulnerabilities are not easily addressed, as common countermeasures often don’t work. The increasing number of ICS-related incidents, including the 2015 attack on the Ukrainian power grid, blamed on Russia, and the Russian hacker attack on U.S. utilities described in the Wall Street Journal article referenced above, underscores the importance of ensuring that ICS environments have an integrated risk management plan.
Despite the unique nature of ICS devices, risk management and cybersecurity best practices still apply:
- Define the risk appetite, goals, frameworks, regulations, processes, and metrics for the program
- Collect data and inventories of systems, users, interconnections, third-party partners, and more
- Analyze gaps in compliance with organizational goals, frameworks, and regulations
- Plan the action for each identified risk—accept, avoid, transfer, or mitigate
- Remediate known gaps, assigning the needed budget and resources
- Report risk metrics and calculations and overall status for the organization
- Assess progress toward goals and make timely, informed risk-based decisions
- Improve where needed for continuous enhancement to the risk posture and compliance status
Cybersecurity Maturity Model Certification
The Department of Defense (DoD) is creating a unified certification standard, the Cybersecurity Maturity Model Certification (CMMC), to ensure that vendors in the defense industrial base (DIB) sector have the appropriate cybersecurity capabilities to protect DoD-shared and controlled classified information.
DoD plans to have third-party assessment organizations conduct audits and assess the risk level of DIB vendors applying to do business with the department. This seems to be in keeping with the civilian Federal Risk and Authorization Management Program (FedRAMP), which uses authorized third-party assessment organizations (3PAOs) such as TalaTek to assess the readiness and security standards of cloud service providers’ solutions.
FedRAMP is a government program designed to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products that do business with the government. Its goal is to ensure effective and repeatable cloud security for the government, and any cloud service that holds federal data must be FedRAMP authorized. Cloud service providers (CSPs) must go through a lengthy authorization process conducted by a FedRAMP-certified third-party assessment organization.
Cyberwarfare Is the New Reality
Cyberwarfare is the new reality, and organizations of all sizes across all sectors need to anticipate, and arm themselves against, being attacked. In the face of Iran’s proclivity for, and ability to, attack inside the US, coupled with a high tolerance for escalating risk and the lack of clearly defined “red lines” in cyberspace, this needs to become a priority. The risk management and cybersecurity best practices outlined here present a crucial starting point for organizations of all kinds to prepare for this new age of conflict.