Pages

22 January 2023

‘No Big Bang’: Cyber successes in Ukraine are no cause for complacency in US

SYDNEY J. FREEDBERG JR.

WASHINGTON — In cyberspace, as on the ground, Ukraine has done a remarkable job fending off Russian attacks. That’s not because Russian cyber warfare is weak, warned officials and experts at a National Security Institute event here on Thursday. It’s because, after the shocking losses of Crimea and Eastern Donbas in 2014, Ukraine got serious about the threat and — with extensive US and European help — spent eight years preparing for an all-out Russian attack.

But has the US taken its own defenses as seriously? Has it prepared as well for an attack on critical public and private networks as Ukraine did before 2022? According to NSI founder Prof. Jamil Jaffer, no.

“Have we operationalized it [cyber defense] effectively, for real?” Jaffer told Breaking Defense during a sidebar interview after the public panel, which featured experts from the NSA, Homeland Security, State Department, and Google. “Of course not — and while we’ve made significant progress, without a crash effort and real commitment from both government and industry, we’re probably years away from that, maybe a decade away.”

“On the cyber front, I think the lesson to be learned is that we’ve actually done pretty decently in Ukraine, where we helped build resilience ahead of time,” he said. “And if we’d done that years earlier, we would have been even better — as is the case if we do so here at home.”

It’s crucial to realize that the Russian cyber attacks haven’t failed for lack of trying, but because of the strength of the Ukrainian defense backed by almost a decade of Western assistance.

“When people say, you know, ‘there was no Big Bang, therefore, there was no big effort’ [by Russia], I would take issue with that,” said panelist Jennifer Bachus, the State Department’s Principal Deputy Assistant Secretary for Cyberspace and Digital Policy. The audience erupted in rueful laughter.

“People in this room know there was a lot of effort,” she went on. “The reason it didn’t succeed was largely due to the public-private partnership” of Western government agencies and companies coming together to assist Ukraine, long before February’s invasion. Bachus added that the US then “redoubled” its ongoing support for Ukraine as the invasion looked imminent.

The good news: Cyber defense can work, despite decades of lamentation that the attacker always has the advantage in cyber space. “Defense matters,” said the Homeland Security representative on the panel, Eric Goldstein, who’s executive assistant director for cybersecurity at CISA, DHS’s Cybersecurity and Infrastructure Security Agency. “We look at the drumbeat of intrusion to throw up our hands and say this is really hard, [but] a lot of what we saw in Ukraine is Ukrainian defenders doing great work.”

Another panelist, NSA deputy cybersecurity director David Luber, attributed part of the success to the adoption of what the chief of NSA and Cyber Command — and rumored JCS chairman candidate — Gen. Paul Nakasone has called “persistent engagement” and “defend forward.” In this case, that means US cyber defenders should not just advise allies from a distance but actively operate on their networks, long before a crisis. That way American defenders are already on the allied systems when the adversary first attacks, rather than rushing to respond after the fact. Persistent engagement was at work in Ukraine, said Luber.

For example, Luber told the Rayburn Building audience, “as United States Cyber Command deployed their troops to train [Ukrainians] prior to the invasion, we worked very closely with them as they looked at that defense. And as they found malicious software and malicious activity, we worked with them to [ensure] that information is shared broadly with both government and industry, not only to protect Ukraine, but also to protect NATO, to protect other allies and the US.”

“This didn’t begin in February,” agreed DHS’s Goldstein. “The Ukrainian government, private sector and the whole of society over the past seven or eight years have really made concerted societal investments towards resilience.”

“The important lesson here is the focus on resilience and adaptation,” DHS’s Goldstein elaborated to Breaking Defense after the panel. “Even the most effective defenses are not invulnerable, and every organization needs to focus not only on strong security and progressing towards zero-trust models, but also insuring the resilience of the most critical functions — which the Ukrainians have demonstrated ably.”

In other words, yes, an ounce of prevention is worth a pound of cure — but cyber operators would also better be ready with the cure, because no preventive measure is foolproof. Hackers always seem to find a way, which puts a premium on the ability to recover after an attack.

“The one thing you can always count on in cyber is… constant change,” NSA’s Luber said on the panel. “Even as we’ve been sitting here today, new vulnerabilities have been exploited, new malware is on the internet. And that means that, as defenders… we always have to be ready for change.”

But NSI’s Prof. Jaffer worries most US organizations are still relearning old lessons. “How many times do we have to see these things happen?” he asked.

Viasat 1 (Viasat)

Consider the ViaSat hack, arguably Russia’s most dramatic cyber success of the war, which came the first day of the invasion. The attack temporarily crippled communications for the Ukrainian military, police, and intelligence services — as well 5,800 wind turbines in Germany and other users across Europe as the ripple effects spread. Fortunately, Elon Musk’s SpaceX rushed to the rescue with their Starlink system, which has adapted to Russian attacks with what one Pentagon official called “eyewatering” agility. But ViaSat suffered lasting damage, because the Russian hack “bricked” thousands of modems so they had to be physically replaced.

That shouldn’t have shocked anyone, Jaffer argued, because there is plenty of precedent for malware destroying data or compromising physical infrastructure. The most extreme and famous case is the Stuxnet virus, attributed to the US and Israel, overclocking centrifuges in Iranian nuclear labs. But Iran, North Korea, and even criminals have shown similar aggressiveness against private-sector targets in the US and around the world.

Las Vegas Sands and Sony Pictures happened here in the United States nearly nine years ago,” Jaffer said. “Prior to that, overseas, we saw Saudi Aramco in 2012. And more recently we saw the Colonial Pipeline hack here. When need to realize that our adversaries are going to come after our private industry in the cyber domain, and we are not adequately prepared to defend the nation in that space.”

Ukraine “should be a lesson for us domestically,” Jaffer told Breaking Defense. “We know the capabilities of the Chinese, the Russians, the Iranians, the North Koreans. We know where our vulnerabilities are. We know that we could do a better job and we know how reliant we are on our critical infrastructure. We know these things, and yet we’ve been talking for a decade about the need for better information sharing and collective and collaborative cyber defense, but haven’t yet effectively operationalized it.”

“Ninety-plus percent of our cyber infrastructure is owned and operated by the private sector,” he added. “So it’s got to be a real collaboration between the government and industry. That requires both sides to come to the table and put aside the nonsense and parochialism. The fact is that we’re not there yet — and it’s really important that we not have to try to get there in a crisis situation. It’s important that we work hard to tackle this problem now and not let the solution take a decade to get here… because the reality is that the threat is growing significantly day by day.”

No comments:

Post a Comment