Thursday, June 8, 2023

How Russia’s War on Ukraine Has Converged Cybersecurity Across Homeland and National Security

Organizations must stay vigilant to secure networks against nation-state adversaries.

Leading-edge technologies, a globalized economy, and instability across the economic and political landscape have washed away once easy-to-define national borders. Cyberthreats and challenges now arrive at the doorsteps of our state, local, tribal, and municipal communities. This shift emboldens increased attacks on our schools, hospitals, small businesses, local governments, and critical infrastructure.

In truth, the subtle convergence of homeland security with our broader national security foreshadows a required seismic shift in how we view cybersecurity – one that emphasizes a greater sensitivity to the volatility of ubiquitous cyber in a digitally interconnected world while returning to the simplicity of foundational cybersecurity practices that are minimized, forgotten, or often ignored.

Nothing has brought that reality more to the forefront than Russia’s war on Ukraine and China’s escalating tensions with Taiwan.

As 2022 dawned, Russian cyber forces launched dozens of cyberattacks against Ukrainian infrastructure with an intent to cripple key economic, political, and military targets in advance of Russia’s massive ground assault. Although Russia has not executed a significant cyber strike against the United States to date, malicious cyber actors and their proxies that support the Kremlin continue to amplify their attacks.

Just weeks ago, pro-Russian hackers were able to take down the websites of 14 hospitals across the U.S., including Stanford Healthcare, Duke University Hospital and Cedars-Sinai. In our education sector, the Federal Bureau of Investigation (FBI) discovered the widespread sharing of more than 36,000 leaked U.S. college VPN credentials that surfaced on Russian cybercrime forums this past May. Sources in the banking industry reported intensified cyber assaults on the sector’s technology infrastructure after U.S. sanctions over Russia’s invasion of Ukraine took place.

On the other side of the world, China’s escalatory language, ongoing military exercises, and political posturing continue to build a pretext for a possible invasion of Taiwan. Yet, according to Dyadic Cyber Incident and Campaign Data (DCID), China’s use of cyber espionage is well-documented and ongoing. Since May 2021, Mandiant reported that at least six U.S. state governments were compromised by Chinese state-sponsored hacking groups.

Any single attack on any one country can have global ramifications. Even before the current conflict, Russia’s NotPetya cyber-attack against Ukraine in 2017 caused indiscriminate damage across governments and critical infrastructure worldwide, including Pennsylvania’s Heritage Valley Health System. The effects of Russia’s cyberattack against satellite company Viasat just hours before the country’s invasion of Ukraine disrupted critical infrastructure well beyond Ukraine’s borders.

In this climate, every organization – including businesses critical to supply chains and local governments that administer critical services to their residents – is at a higher risk of being targeted by sophisticated nation-state threats.

Taking Action Through Partnership, Domestically and Abroad

On the threshold of Russia’s invasion, U.S. federal government agencies mobilized state and local governments, as well as the private sector, to proactively prepare cyber defenses in every organization. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency’s (CISA) “Shields Up” campaign offered solid guidance to all organizations on implementing baseline cybersecurity practices that would counteract disruptive cyber incidents.

DHS activated law enforcement partnerships around the world to share critical information and build partners’ capacity to help identify threats well before they reached American borders. According to the U.S. State Department, agencies across the federal government including CISA, the FBI, U.S. Agency for International Development (USAID), Department of Energy, and the Department of Defense, as well as industry, academic, and foreign allies, have come together to exchange intelligence and ideas.

Additionally, U.S. Cyber Command deployed a Cyber National Mission Force (CNMF) hunt forward team directly to Ukraine’s capital city of Kyiv, reinforcing its cyber defenses and providing reassurance. CNMF’s flexible approach to cyber defense creates unique opportunities to continually refine its cybersecurity skillsets, assist allies in shoring up cyber defenses, and collaborate on threats and intelligence insights.

The results of these collaborative efforts have thus far paid off. According to CISA Director Jen Easterly, “Russia miscalculated the war effort, underestimating both the resilience, capability and courage of the Ukrainian army it would face and the united front the U.S. and other allies would put up against Russia.”

The global collective strides abroad are reflective of the same level of effort the U.S. must strive for domestically by expanding measures to protect its critical infrastructures at home and continuing national dialogue on the importance of appropriately funding organizational cyber hygiene efforts. The previously mentioned healthcare, education, and financial services incidents indicate there is still so much more to do.

A Proactive and Effective Cyber Defense Begins at Home

Currently, the Biden administration is pressing forward with plans for additional mandatory safeguards on industry sectors in an ongoing paradigm shift toward stricter regulations in its national cybersecurity directive. This overall approach will lean more heavily on agencies with specific industry sectors, such as aviation, chemical, water, and dam industries, as well as increased CISA leadership to support these efforts.

At the state and local levels of government, collaboration is even more essential. Smaller organizations struggle with a fragmented governance structure, siloed directorates, and a lack of streamlined policies and procedures, with little certainty of how to truly validate the level of cyber hygiene at scale – especially while operating under tight budgets for the tools and talent needed to keep up with ongoing cyber threats.

To counter these disadvantages, states like Arizona are turning to a whole-of-state approach to cybersecurity which expands support for cybersecurity management to smaller local government entities – whether by offering key threat intelligence and secure reporting, pre-approved tools, training, or funding in the form of grants – to help bolster cyber defenses across all levels of government. Other states like California are starting at the statewide agency level first, with initiatives like Cal-Secure to create ubiquity across state-level agencies before expanding to local and tribal governments.

These highly collaborative and forward-thinking initiatives aim to address the rising concern over the ubiquity of cyber throughout our lives. Combined with the continued dissolution of the boundary between homeland security and national security, our nation’s foundation – the people – is now the target of nation-state-backed malicious cyber actors who exploit our hardware and software vulnerabilities while social engineering us for their benefit.

Addressing the threats of today and tomorrow requires all of us working together across global, federal, state, and local governments, the private sector, nonprofits, academia and, indeed, the contribution of every individual. The need for collaborative public-private partnerships, capabilities, and tools will only continue to grow as we confront the threats of tomorrow.

Staying Vigilant Through Individual Mitigation, Detection, Response and Resilience

On the frontlines of cyber defense, all organizations have a role to play – across every sector – to stay ahead of cyber threats from adversarial nation-states and their proxies.

An organization’s absolute first line of defense to reduce the likelihood of a cyber intrusion begins with a proactive security posture and cyber hygiene measures that prevent access in the first place.

It’s important that organizations validate all remote access points to their networks along with enabling multi-factor authentication. Software should be frequently updated to address known exploits and vulnerabilities.

Hardware asset and software application inventories must be accurate. Recent OpenSSL and Log4j vulnerabilities highlight the importance of continuously updating your organization’s software bill of materials (SBOM) to ensure all of your software and its dependencies are known and updated immediately, rather than in days or weeks. SBOMs are analogous to the ingredients list on a food label. It is common for current applications (the food) to integrate software libraries (the ingredients) from other developers, reducing engineering effort by reusing standardized blocks of functional code.
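The practical value of an SBOM is that it can be checked mechanically against advisories the moment they are published, rather than waiting for someone to remember which applications bundle a given library. The following is an added example, not code from the original article or from any vendor named in it: it parses a small constructed SBOM in the CycloneDX JSON shape and matches each component against a constructed advisory list. The component names echo the libraries mentioned above, but the version ranges and advisory identifiers are placeholders, not real advisory data, so that the matching logic itself is what is demonstrated.

```python
import json
import re

# Constructed SBOM in a CycloneDX-like JSON shape (example inventory, not a real one).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "log4j-core", "version": "2.14.1"},
    {"name": "openssl", "version": "3.0.5"},
    {"name": "jackson-databind", "version": "2.15.2"},
    {"name": "openssl", "version": "1.1.1t"}
  ]
}
"""

# Constructed advisory feed: name -> [(first affected, first fixed, advisory id)].
# The ranges and identifiers are placeholders for illustration only.
ADVISORIES = {
    "log4j-core": [("2.0", "2.15.0", "ADVISORY-PLACEHOLDER-1")],
    "openssl": [("3.0.0", "3.0.7", "ADVISORY-PLACEHOLDER-2")],
}


def parse_version(version: str) -> tuple:
    """Split a dotted version into comparable (number, suffix) pairs.

    Numeric pieces compare numerically, so 2.14.1 < 2.15.0; a trailing
    letter such as the 't' in 1.1.1t is kept as a tie-breaking suffix.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"(\d*)(.*)", piece)
        number = int(match.group(1)) if match.group(1) else -1
        parts.append((number, match.group(2)))
    return tuple(parts)


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    current = parse_version(version)
    return parse_version(first_affected) <= current < parse_version(first_fixed)


def load_components(sbom_text: str) -> list:
    """Return (name, version) pairs from the SBOM's component list."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_vulnerable(sbom_text: str, advisories: dict = ADVISORIES) -> list:
    """Match every SBOM component against every advisory range for its name."""
    findings = []
    for name, version in load_components(sbom_text):
        for first_affected, first_fixed, advisory_id in advisories.get(name, []):
            if is_affected(version, first_affected, first_fixed):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": advisory_id,
                    "fixed_in": first_fixed,
                })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SBOM_JSON):
        print(f"{finding['component']} {finding['version']}: "
              f"{finding['advisory']} (update to {finding['fixed_in']})")
```

Run against the constructed SBOM, the check flags log4j-core 2.14.1 and openssl 3.0.5 and leaves openssl 1.1.1t and jackson-databind alone. In practice the advisory table would be refreshed from a vulnerability feed, and the SBOM regenerated on every build so that the inventory never lags behind what is actually deployed.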

Real-time, accurate visibility of every organizational endpoint is critical because you can’t protect what you can’t see. This means a converged strategy that brings together tools, workflows, and teams to achieve visibility, control, and remediation at scale, in real time. Baseline your normal configuration so that anomalies readily surface.
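Baselining only pays off if the comparison against the baseline is routine and mechanical. As an added example, not taken from the article or from any product it mentions, the script below holds a constructed per-host baseline (listening ports, local administrator accounts, running services), compares it with a constructed current snapshot, and reports every deviation, including hosts that appear without ever having been enrolled in the baseline. The hostnames, ports and account names are all made up for the illustration.

```python
# Constructed baseline: the reviewed, expected state of each host.
BASELINE = {
    "web-01": {
        "listening_ports": {22, 443},
        "local_admins": {"root", "ops"},
        "services": {"sshd", "nginx"},
    },
    "db-01": {
        "listening_ports": {22, 5432},
        "local_admins": {"root", "dba"},
        "services": {"sshd", "postgres", "auditd"},
    },
}

# Constructed current snapshot, as an inventory agent might report it.
CURRENT = {
    "web-01": {
        "listening_ports": {22, 443, 8081},
        "local_admins": {"root", "ops", "svc_backup"},
        "services": {"sshd", "nginx"},
    },
    "db-01": {
        "listening_ports": {22, 5432},
        "local_admins": {"root", "dba"},
        "services": {"sshd", "postgres"},
    },
    "jump-02": {
        "listening_ports": {22},
        "local_admins": {"root"},
        "services": {"sshd"},
    },
}

TRACKED_KEYS = ("listening_ports", "local_admins", "services")


def diff_snapshot(baseline: dict, current: dict) -> list:
    """Return anomalies as dicts with host, kind and item, in a stable order."""
    anomalies = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            # An unenrolled host is itself a finding: nobody baselined it.
            anomalies.append({"host": host, "kind": "unknown_host", "item": None})
            continue
        if host not in current:
            anomalies.append({"host": host, "kind": "missing_host", "item": None})
            continue
        expected, observed = baseline[host], current[host]
        for key in TRACKED_KEYS:
            added = observed.get(key, set()) - expected.get(key, set())
            removed = expected.get(key, set()) - observed.get(key, set())
            for item in sorted(added, key=str):
                anomalies.append({"host": host, "kind": f"{key}_added", "item": item})
            for item in sorted(removed, key=str):
                anomalies.append({"host": host, "kind": f"{key}_removed", "item": item})
    return anomalies


def accept_anomaly(baseline: dict, anomaly: dict) -> dict:
    """Fold a reviewed, approved change back into a copy of the baseline."""
    updated = {h: {k: set(v) for k, v in attrs.items()} for h, attrs in baseline.items()}
    kind, host, item = anomaly["kind"], anomaly["host"], anomaly["item"]
    if kind.endswith("_added"):
        updated[host][kind[: -len("_added")]].add(item)
    elif kind.endswith("_removed"):
        updated[host][kind[: -len("_removed")]].discard(item)
    return updated


if __name__ == "__main__":
    for anomaly in diff_snapshot(BASELINE, CURRENT):
        print(f"{anomaly['host']}: {anomaly['kind']} {anomaly['item'] or ''}".rstrip())
```

On the constructed data this surfaces four deviations: a new listening port and a new local administrator on web-01, the audit daemon missing from db-01, and the unenrolled host jump-02. Each is something an analyst should explain or roll back; `accept_anomaly` exists so that a change that was reviewed and approved is folded into the baseline rather than being reported again on every run.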

Big data platform analytics help to highlight historical trends and analyze attack vectors, but their use must be balanced against their high data storage and transport costs.

Effective incident response and threat hunting require real-time awareness and the ability to act at enterprise scale. Maximizing the speed of response actions (in seconds, not days) significantly reduces vulnerability windows and the impact of malicious cyber actors.

Detection resources like antivirus, antimalware, and other cybersecurity software should be streamlined and deconflicted so that security operations personnel can swiftly identify and assess unusual network behavior and, therefore, respond to intrusions as they happen. Without this, cybersecurity products will battle each other for endpoint resources, each believing the other is an actual threat.

How organizations respond when an attack occurs matters just as much. No matter the scale or scope of an organization, IT security professionals should assume that a threat will inevitably materialize at some point. As such, it’s important to designate crisis response teams – including technology, communications, and legal – with roles and responsibilities geared toward handling a suspected cybersecurity incident.

When that incident inevitably occurs, it’s important to maximize your organization’s resiliency in the event of a breach. That makes data recovery best practices your last line of defense. Organizations should isolate backups from network connections, regularly test backup procedures, and apply “air gap” technology best practices to ensure that any data impacted by a breach can be restored with limited disruption.

How often an organization should back up its data depends on its mission. For instance, archival data that isn’t critical to mission operations falls under less frequent needs. But backups for systems that are essential to our critical infrastructure – like public safety, healthcare, financial services, and corrections – should be maintained as frequently as possible. If those systems are not available, the impact on society-at-large can be dire – especially at a time when threats from adversarial nation-states are more prominent and heightened than ever before.

Organizational cyber hygiene is fundamental to national security. Now, more than ever, there are no cyber borders. The examples of Russia’s and China’s continued aggression require cybersecurity vigilance, but our determination and focus in applying these defensive cyber measures will shore up our organizations and secure our nation.

Sam Kinch
Sam Kinch is the Director of Technical Account Management for Tanium with more than 20 years of cyber offense operations expertise – building, optimizing and streamlining Department of Defense (DoD), intelligence community, and Department of Homeland Security (DHS) cybersecurity initiatives. An adept collaborator experienced in bridging gaps across public sector organizations, Kinch brings a strong passion for solving complex challenges, leading multi-disciplinary teams, building coalitions, and establishing international partnerships and programs to his role at Tanium. Having served in two branches of the military and with roles in several defense commands, Kinch’s career includes serving as Director of the Technical Security Team for DHS, serving as the National Guard’s Chief Advisor to U.S. Cyber Command, and providing critical expertise to the Defense Science Board on studies supporting the DoD scientific and technical enterprise, among other notable accomplishments. He was also an NSA Exploitation Analyst for over 100 cyberspace and intelligence operations. Kinch gives back to important nonprofit causes that focus on cyber issues, serving as the President and Chief Executive Officer for Ascend, Inc., and as Chief Operations Officer for Hackers for Charity. He is also an active member of the National Guard Association of the United States as well as the Military Cyber Professionals Association. His decorations and honors include the Defense Superior Service Medal, meritorious service medals, U.S. Army and U.S. Air Force commendation and achievement medals, United Nations and NATO medals, as well as the Military Outstanding Volunteer Service Medal. Kinch graduated from the University of Delaware, earning his Bachelor of Arts in Human Resources and an officer commission through the Army Reserve Officer Training Corps program. He holds numerous certifications from National Defense University and the Air Force Institute of Technology Air University, along with multiple professional cyber certifications, including ISC2 CISSP, SANS GPEN, and CCNA.