by Davey Winder | www.forbes.com
A year-long analysis of threats to the U.S. has concluded that the country is dangerously insecure in cyber. So, what needs to be done to make America safe again?
The federal Cyberspace Solarium Commission, chaired by Senator Angus King and Rep. Mike Gallagher, has published the results of a year-long analysis of the cyber-threat facing the U.S.
It makes for very uncomfortable reading, very uncomfortable indeed. The co-chairs warned that the U.S. is at risk from a catastrophic cyber-attack and is “dangerously insecure in cyber.” While also warning that “millions of daily intrusions” disrupt everything from financial transactions to the democratic electoral process, it’s the doomsday scenario of a significant cyber-attack on U.S. critical infrastructure and economic systems that raises the most worrying of red flags. This would, the report stated, “create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”
Threat actors have subverted American power and security
In an urgent call to action, the Cyberspace Solarium Commission detailed how threat actors, including nation-states, have subverted American power, security and even way of life through cyber-attacks. This, the commission said, happened as the perpetrators saw the damage being caused “without triggering a significant retaliation.”
That the U.S. has such an advanced digital landscape, with citizens, businesses, and government increasingly dependent upon this connectivity, creates a digital dilemma. The more connectivity there is, the Commission concluded, the more opportunity there is to impact upon private lives, disrupt essential infrastructure, and damage both democratic and economic institutions. Neither the U.S. government nor the private sector, it said, is equipped to provide the levels of data security, resilience, and trustworthiness required to properly defend this new cyber landscape reality. It blamed, in part, the shortfalls in technical expertise, a lack of agility, and poor “unity of effort” within the U.S. government itself but also between public and private sectors. Shortfalls, it warned, that are growing.
It’s not hard to see how the Commission came to this conclusion when, week after week, I am reporting on ransomware that brings U.S. cities to an information technology service provision standstill, or catches companies such as Lockheed Martin, SpaceX and Tesla in third-party attack crossfire. At a nation-state level, rather than purely money-motivated cyber criminals, espionage campaigns targeting government, energy and security sectors, such as the Iranian “Fox Kitten” one, have been ongoing for years. The 2020 CrowdStrike Global Threat Report revealed how state-affiliated cyber-attack groups are developing and employing a multitude of new tactics, techniques, and procedures to achieve their end goals. Meanwhile, reports suggest that far from improving as a cyber-defender, the U.S. has moved backward in the “most cyber-secure country” ratings. One recent study found the U.S. had dropped from the 5th most cyber-secure country to 17th over the last year.
A strategic call to action
The analysis by the Cyberspace Solarium Commission doesn’t just paint a depressing portrait of the cyber-reality facing the U.S.; it also has a painting by numbers solution to producing a brighter and more cyber-secure landscape for the future. Mostly, this goes back to the security 101 of taking a multi-layered approach to cyber defense and deterrence. “The desired end state of layered cyber deterrence,” the report said, “is a reduced probability and impact of cyber-attacks of significant consequence.” There are, it said, three ways in which this end-state can be achieved:
- Working with allies to promote responsible behavior in cyberspace. The strategic shaping of behavior, in other words.
- Working with the private sector to better secure critical networks to deny the benefits of attack, and so demotivate the attackers.
- Maintaining a credible capability to retaliate against those threat actors who target the U.S.
How has the cybersecurity sector responded to this report?
“It is a positive step that government-funded bodies like The Cyberspace Solarium Commission are prioritizing time and resources to improve cybersecurity, and hopefully correct security practices and protocols will be prioritized,” Saryu Nayyar, CEO of Gurucul, said. “Organizations should be heavily investing in modern cybersecurity technology with machine learning algorithms that can identify anomalous behaviors in real-time before an attacker can strike,” she concluded.
“The U.S. Cyberspace Solarium Commission highlights the unfortunate reality of current cybersecurity practices,” Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC), said, “the attackers define the rules and defenders must react. It also recognizes that from an attacker’s perspective, collateral damage often doesn’t matter.” While agreeing that increased investment in the Cybersecurity and Infrastructure Security Agency (CISA) is a prudent activity, Mackey said, “addressing cybersecurity threats requires a level of agility that bureaucracies rarely exhibit.”
“The words of the day should be prepare, test and practice,” Sam Curry, the chief security officer at Cybereason, said, “it’s time to allow people to focus on cyber and get ruthlessly efficient.” Meanwhile, Richard Bejtlich, principal security strategist at Corelight, said: “While this is yet another in a long line of reports projecting digital disaster, I was pleased to see an emphasis on incident detection and response via threat hunting as one of the more prominent recommendations.”
I will leave the final words with Marty Edwards, vice-president of OT security at Tenable, who said, “In my prior role as Director of the ICS-CERT at the Department of Homeland Security, we often struggled with inter-agency cooperation and I am pleased to see such collaboration called out. Industrial control systems and operational technology require very specific customized approaches to cybersecurity, and the creation of a center dedicated to research in this area is applauded. We would be well served to leverage the knowledge of the National Laboratories in this effort.”