How can the government protect itself from cyber warfare?
Somewhat surprisingly, the 2020 Presidential Election blew over without any serious cybersecurity incident and without any interference from foreign, politically motivated hacker groups. Apart from the post-election procedures (like recounting ballots and the expected dispute over the election outcome), the election was almost uneventful. Even CISA, the Cybersecurity and Infrastructure Security Agency emphasized in a joint statement that “[t]he November 3rd election was the most secure in American history. […] There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
This calm is quite remarkable considering the 2016 election process and the last four years, in which government assets and nationwide critical infrastructure were constantly under cyberattack, on top of an unceasing, high-precision disinformation campaign on the popular social media platforms.
In fact, if we look into the last year’s cyber incidents, we can see that the number of cyberattacks is rapidly growing, and not only in the private sector but in the federal and government sector too. Most of these adversary operations came from state-sponsored actors, primarily from Iran, China, Russia and North Korea, while the most frequent targets are industrial infrastructure, local and federal government networks, healthcare providers and the financial sector.
What are they after?
When the target is the government or something that belongs to the government, the goal is usually to gain access to sensitive information for strategic purposes, to undermine public confidence through breaches and data leaks, to establish key narratives in the public discourse, and to disrupt the political climate in the long run. When it comes to the private sector, the attackers’ goal is simply to cause damage and loss to the targets: manufacturers, service providers, the economy itself, by shutting down factories for weeks, compromising infrastructure, production or transportation, or by leaking corporate or private user credentials.
Just a few days ago Microsoft warned that it had detected three different cyberattacks targeting at least seven prominent companies involved in COVID-19 vaccine research and treatments. Given that these companies are trying to resolve a public health crisis and are private health providers (in many cases with military-related research programs), these attacks have directly harmed both state and private interests.
We also learned in recent days that the Vermont Army National Guard’s Combined Cyber Response Team was called in after several rounds of cyberattacks crippled the networks of six hospitals in Vermont and New York, while according to FBI officials, the ransomware used in these attacks has already affected at least five U.S. hospitals and could potentially affect hundreds more.
While hundreds and hundreds of examples could be found in this week’s news, it is obvious that these attacks are pointed more and more at the security of the state, since many defense- and military-related assets have been targeted in recent years.
How do we protect ourselves against cyberwarfare?
A few weeks ago, the Department of Justice announced in a press release that six Russian hackers were charged “in connection with worldwide deployment of destructive malware and other disruptive actions in Cyberspace”. These hackers were officers of the GRU, the Russian Main Intelligence Directorate, which is a military intelligence agency of the General Staff of the Russian Armed Forces. Among these charges are “computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize Ukraine, Georgia, elections in France, efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.” The hackers also attacked worldwide businesses and critical infrastructure with the malware known as NotPetya, including hospitals, medical facilities, pharmaceutical manufacturers and other businesses, which together suffered nearly $1 billion in losses from the attacks.
Shifting from Defense to Intelligence
The Justice Department’s recent indictment is the legal solution. Pointing out which foreign governments, groups and individuals are responsible for the attacks is an important part of the job, but a rather ineffective one, since the responsible hackers will never be prosecuted. Or stopped.
Of course, defending the industry against long-term adversary operations begins with established security tools like firewalls, tight network traffic monitoring, SOC and SIEM solutions, and physical defense. But after the recent years of cyberattacks targeting government assets, all these techniques have proved insufficient against APT groups that are capable of multi-faceted attacks unfolding over a long period of time, backed by sophisticated social engineering and considerable resources. It seems that what the protection of critical infrastructure lacks is something only state-level players have access to: active intelligence on malicious actors, counter-intelligence and offensive security.
This is what the CMMC Model, proposed by the Department of Defense and other cybersecurity agencies, recognized: the industry standard for defense against cyberattacks and the current regulations like FIPS (Federal Information Processing Standards) and NIST SP-800 are outdated and inefficient. While such advanced capabilities were earlier characteristic only of the federal agencies, CMMC Levels 4 and 5 actually require an established intelligence-based strategy against APT groups. This means that suppliers of the DoD must have an intelligence capability to detect adversary activities and to monitor any discussion of known attacker Tactics, Techniques, and Procedures on the available online media platforms and other intelligence sources. In practice, they must gather and utilize bulk data from Dark Web and Deep Web monitoring, forum discussions and multiple honeypot networks in order to set up adequate APT defense mechanisms and to safeguard Controlled Unclassified Information.
You can read more on the CMMC requirements at The Cybersecurity Maturity Model Certification (CMMC) in Practice.