According to Bryan Becker, an application security researcher at WhiteHat Security, the United States is “woefully behind the entire developed world in terms of cybersecurity.” Defensively, he insists, it would “easily take us a decade” and then some to catch up with allies and competitors alike. Does this mean that it’s up to the cybersecurity industry, rather than the military, to protect systems and data from nation-state attack? I’ve been exploring the role of cybersecurity vendors when it comes to cyberwarfare, and what business needs to do in order to prevent becoming a collateral damage statistic in the ongoing geopolitical cyber conflict.
Mention cyberwarfare and most businesses tend to sigh and move on to something less weighted down with the baggage of hyperbole. Which, truth be told, is a huge mistake. While there are plenty of opinions out there as to what is actually meant by cyberwarfare from the intellectual and theoretical perspective, in the real world the distinctions between a cyberwar play and a cybercriminal attack are precious few. The cyberwarfare label can make a threat look far removed from something that a mainstream business might imagine being a target for. That relevancy disconnect is actually pretty damaging. Zeki Turedi, a technology strategist with CrowdStrike, told me that “the techniques and approaches used by state-sponsored actors are often the same as used by cybercriminals, so the motivation is less important in many ways than the need to spot and deal with these incidents in a timely and proactive manner.”
This blurring of tactics used by nation states and cybercriminals alike is something that Turedi calls the ‘democratization of cyberwarfare.’ If evidence were required to show why business needs to take this stuff seriously, then the CrowdStrike Observations From The Front Line Of Threat Hunting report published earlier this month is it. This highlighted that China was the most prolific nation-state actor, actively engaging in persistent and highly targeted intrusion campaigns against economic sectors including mining, pharmaceutical, professional services and transportation amongst others. Which isn’t to say that China is necessarily the biggest threat in this attack realm. “Russia clearly poses the largest threat, both immediate, and long term” says Becker. He told me that both Russia and North Korea have been investing in and growing their cyber-operations continually since the Cold War and are now decades ahead of the rest of the world in terms of their experience. This conflicts somewhat with the view of Trevor Reschke, head of threat intelligence at Trusted Knight, who I mentioned in my earlier analysis of likely cyberwar outcomes as saying North Korea doesn’t possess any real cyberwarfare capabilities but rents these from others. “North Korea tends to focus their efforts on stealing money for the regime” Becker says, while Russia is more focused on destabilizing the liberal West. Part of the problem in attributing attack capabilities is that false flags are so commonplace. From the perspective of the security researcher, attribution requires the discovery of artefacts such as the time zones where the code was created, language-specific keywords buried deep within it and so on.
“However, these artefacts can also be deliberately planted to throw researchers off track” according to Liviu Arsene, senior e-threat analyst at Bitdefender who continues “which is why attributing a cyberattack to a declaration of war is something much more than just a technical analysis of the malware itself.”
So what is the role of the cybersecurity industry in protecting the West from geopolitical attack and ultimately our nation states in times of cyberwar? Trevor Reschke pulls no punches with his answer to that question. “The security industry is essentially the new mercenary force” Reschke told me “as governments expend next to no effort in protecting their country’s citizens. It’s on the back of the security industry that all the countries are mounting their defense.” Isidoros Monogioudis, a retired colonel from the Hellenic defense forces with a background in cyber-defense and now senior security architect at Digital Shadows, agrees that it is “widely accepted by the Western militaries that industry has the edge in terms of expertise, both on the offensive and defensive.” He goes on to explain that Critical National Infrastructure (CNI) might be regulated by the national authorities but is frequently operated by the private sector, and more broadly speaking defensive technology is almost exclusively developed by the private sector. Within the CNI space the physical and virtual are converging, resulting in legacy machinery now being connected to the internet. This, says Justin Fier, director for cyber intelligence and analysis at Darktrace, “creates new entry points for well-resourced nation-state attackers.” The worrying thing is that geopolitical attacks increasingly cause collateral damage with victims along the exploit chain from small organizations right to those companies providing CNI. “This means security has to be a board level priority for all organizations” Fier warns, adding that “cybersecurity vendors will have to be able to keep up with this demand and develop solutions that can protect all kinds of digital infrastructure.”
All of which means that cooperation between the cybersecurity industry and the public sector is increasingly critical when it comes to protecting CNI, but also rebounds back into the realm of protecting business itself. “Information sharing in this partnership has been too slow while our adversaries are sharing information much faster and attack us at network speed” according to Arno Robbertse, cyber security director at ITC Secure. A collective defense strategy needs to extend into the supply chain, says Robbertse, as this is a space where “the integrity of our operations rely on the cyber security of others, and where industry and government need to come together in a unified message and awareness of the risk.” Once you accept the inevitability of a cyberwar scenario being far broader than just a military versus military concept, and that the soft targets most at risk are within a mostly commercially operated infrastructure space, the challenges become clear. Not least that when these commercial organizations are effectively on the frontline of any cyber-conflict, the notion that ‘if state-sponsored hackers want to get into your network then they will’ has to be confronted. “That simply is not true” says Henry Harrison, co-founder and CTO at Garrison, one of the participating companies in the UK-US cyber security Atlantic Future Forum on board HMS Queen Elizabeth, adding “private businesses need to step up and recognize they need to play their role in keeping our nations and our way of life secure.” A sentiment echoed by Tom Huckle, an ex-Royal Marines captain and now lead cyber security consultant at Crucial Academy. “The cybersecurity industry in the UK is developing talent who, in the future, will be guarding our critical national infrastructure, building the next generation of monitoring tools, and educating future incident managers” he told me, adding “whether enough businesses are taking this responsibility to heart is another question.”
Not that this vision of cybersec vendors as heroic defenders of the nation seen through rose-tinted spectacles is a universal one. While most vendors I spoke to agreed that the industry has a huge role to play in terms of national defense against a potential cyberwar threat, some were franker than others regarding how that role is working right now. Take Rick McElroy, a security strategist at Carbon Black, who thinks that vendors need to make products that actually tip the advantage to defenders by allowing them to proactively hunt the adversary in their own environments. He cites Google Project Zero as having had a massive impact in decreasing vendor and consumer patch cycles for example. Carbon Black has a user community that talks on a daily basis about new attacks and how to better detect and respond to them; bringing the power of crowds and community into the data defense equation. “The industry needs more of this” McElroy insists, “more cooperation from vendors and less fighting amongst competitors. We need to refocus on the adversary and less on taking shots at each other.” Gary McGraw, vice president of security technology at Synopsys, agrees there needs to be what he calls a focus on information users instead of plumbing. “Civilian, government and military systems are deeply entangled as the WikiLeaks episode demonstrates in no uncertain terms” McGraw told me, continuing “the nature of the entanglement is the people who interact with the systems, not the technology, sets of wires, or physical infrastructure.”
Defensive capabilities are one thing, but what about the role of the cybersecurity industry when it comes to attack? Should cybersecurity vendors be involved on the offensive frontline as well? This whole subject is a very scary topic according to Chris Stoneff, VP of security solutions at Bomgar. “Not even taking into account legal aspects, where something as benign as a honey pot could be considered entrapment and thus illegal, actively attacking your attackers is often a good way to escalate a problem or show the would-be attacker another route into your network” Stoneff says. He’s happier letting the government and “other clandestine organizations” create and deploy the offensive tools on the basis that “their reputation for behaving well and being concerned with fallout is already low.” Not everyone agrees that offensive has to mean unethical within the cybersecurity space. Some point out that with attackers seeing increasingly successful conclusions to their operations, there is a renewed interest in offensive solutions. “The US has recently passed new cyber security legislation that gives more focus and powers to offensive cyber security” Tom Huckle argues, adding that “the industry is currently researching and testing the market with offensive capabilities and it won’t be long until this becomes the norm.”
Talking of norms, some nation-states are known to enlist what you might call cyber-militias in order to provide plausible deniability for their attacks. The line between cybercriminal and state-sponsored threat actor is increasingly blurred when looking in the direction of China, North Korea or Russia for example. Although the West isn’t thought to follow this particular strategic lead, Rick McElroy told me that there are discussions underway in the US to create “a reserve force of responders that can be called up in the event of a major cyber disaster.” Outside of the cyberwar scenario, and therefore inside the business of defending systems and data against all threats, any ‘hacking back’ strategy is tricky to say the least. “This practice would need a lot of clarification first” McElroy warns, concluding “companies should focus on defense and getting the basics right before considering launching offensive cyberattacks against nation-states or another organization…”