Russian Cyber Attacks: Is the West Vulnerable?
Following a string of high-profile Russian cyber attacks, is Western cyber defence up to the task? Cyber security experts say we could be doing so much more.
Cyber Security in 2018
The US Federal Government is the largest consumer and disseminator of data in the world. It entrusts vital information to third parties every day, from military secrets to critical infrastructure details.
The cyber threat is complex and constantly changing, and a number of high-profile cyber attacks in 2017 and 2018 demonstrate the need for companies and governments to shore up their defences. New regulation, weak supply chains, and an increasing number of endpoints and IoT devices are presenting new avenues for state-sanctioned attackers and cybercriminals alike.
Is warfare shifting from the physical world to online?
It is no secret that Russia is one of the most capable countries when it comes to state-sponsored cyber attacks and espionage.
Recently, four Russian intelligence officials were expelled from the Netherlands after an attempted hack on the global chemical weapons watchdog. The Dutch organisation was conducting an investigation into the Salisbury Novichok attack, as well as the use of chemical weapons in Syria.
This is just one instance in a recent spate of Russian cyber attacks which has resulted in coordinated international action. The UK foreign secretary recently said, "the GRU's actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens."
Meanwhile, the US State Department released information about a severe data breach last month. According to some reports, employees had their personal information exposed by a breach of an unclassified email system. This attack is not attributed to Russia, but it does highlight the gaping holes in Western cyber defence.
Is Western cyber defence lacking?
In 2016, NATO officially recognised cybersecurity as a domain of war, and as such applies international law to cyberspace. However, can Western governments do a lot more to ensure that cyber defences adhere to best practices?
Government is woefully underinvested in cybersecurity, according to Ross Rustici, Senior Director of Intelligence Services at Cybereason. “While there are exceptions, mostly in the defence/national security apparatus, the vast majority of agencies are lacking in basic cyber hygiene let alone best practices.”
The government is not willfully negligent; rather, it is faced with enormous obstacles to overcome. These obstacles can come in the form of procurement, culture and expenses, explains Rustici.
Today, security is about the wider technology and systems used across an increasingly digital society, all operated in a very competitive and increasingly connected world.
“The government procurement cycle guarantees that state of the art for a federal agency is at least 2 years old.” Ultimately, this means that large-scale infrastructure upgrades are not only time-consuming, but also costly given the size of most government organisations.
That cost is the single largest inhibitor of good cybersecurity, according to Rustici. In an environment of sequestration, continuing resolutions, and budget uncertainty, the different bureaucracies are left with hard decisions between investing in securing or replacing technology and performing their mandated responsibilities.
Rustici says that the US Federal Government and the OPM breach lay bare this mindset. Despite the worst loss of Personally Identifiable Information (PII) in government history, the agency still has not implemented the cybersecurity recommendations that have been given by a myriad of organisations post-breach.
"The US Government Accountability Office (GAO) released yet another scathing report documenting the massive amount of deficiencies in the Federal IT systems. The odds that a year from now, the next GAO report will have less to raise their alarms about is very unlikely.”
A vulnerability being exposed at the federal level is so much costlier than at the enterprise level, says Sherban Naum, SVP, Corporate Strategy and Technology at Bromium. "We can replace credit card records or restore customer loyalty. We can’t undo a rival nation-state potentially roaming undetected inside weapons systems because there were insufficient security investments in modular, run-time security."
Ultimately, until cybersecurity is mandated in a manner akin to physical security it will continue to be ignored by agencies that are overextended and focused on their respective missions.
“No amount of public-private partnerships or explaining and expanding the understanding of the threat will fix this fundamental problem. When priorities are ranked, defending against the intangible hacker is usually very low on people's lists.”
Indeed, the State Department has shown a history of refusing help from other agencies.
There are many reasons for this; one of the most prominent is that they don’t want national security agencies snooping through their networks. However, considering the immense target that government departments represent, it is not a very compelling case. One of the other challenges they face is the government procurement process, according to Rustici.
Sam Curry, Chief Security Officer at Cybereason, echoes these views: "It is very difficult for the State to buy new technology and continually improve the way the Global 1000 companies do and fundamentally this is likely a hack that led to a breach and not some type of insider issue."
Gary McGraw, Vice President of Security Technology at Synopsys, also believes the US government is lagging behind when it comes to cybersecurity, highlighting the slow introduction of basic cybersecurity procedures.
"If the State Department has trouble rolling out two-factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure? The State Department breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector."
Is Western cyber security lacking in the defence sector?
Digitisation has transformed the resources available to the government and the military, while simultaneously opening the doors to new challenges. Defence capabilities are becoming more interconnected, with assets in the army, navy, and air force all making use of digitisation.
With platforms such as pilotless aircraft, autonomous weapons systems, and increased connectivity just over the horizon, cyber defence should be incorporated into all defence work, and at the program concept stage.
Easier said than done. The largest concern for the defence industry is the aggregate vulnerability that is created by vendor relationships.
While large defence companies can maintain capable defences against most threats, except the most determined adversary, these capabilities break down due to the extended supply chains and relationships that are now required to conduct business.
In January and February 2018, hackers based in China stole highly sensitive security data from a US Navy contractor. The data involved research and development plans for US submarines and underwater weaponry, including anti-ship submarine missiles that are to be installed on submarines by 2020.
Is this a one-off incident, and could stronger cyber procedures have prevented it?
Edgard Capdevielle, CEO at Nozomi Networks, says that the Pentagon's multibillion-dollar weapons systems are riddled with cybersecurity vulnerabilities. "And yet military leaders have ignored the problem for years, turning a blind eye to security weaknesses in newly developed systems that could potentially thwart military missions."
It does demonstrate the pervasive attitude that overlooks the real dangers of not building cybersecurity in from the beginning, highlights Edgard. Addressing cybersecurity vulnerabilities post-attack is a mammoth task and should be undertaken with haste, "so it’s unfortunate that the military failed to take action despite continued warnings from the Government Accountability Office."
A recent report from the government watchdog revealed that attackers could have exploited these weaknesses quite easily – and wouldn’t need sophisticated tools to do so. According to Edgard, we’re seeing more and more attackers nowadays no longer needing the resources or skill of a nation-state to pull off a successful attack.
"The current threat landscape is quickly expanding as attackers with various levels of sophistication are more easily finding the tools and tactics needed to be successful and government organisations need to sit up and take action.”
Indeed, a massive overhaul is needed for public/private partnership in the areas of threat detection and information sharing without the fear of penalty or legal recourse.
Given the links that exist between government, defence providers and their supply base, all parties need the ability to identify threats and mitigate risks in real time, because today defence industry preparation for cyber threats is a temporary state.
As we move into 2019, it is clear that the defence industry and government will have to shore up their cybersecurity defences.
Countries all over the world will face unprecedented threats to their computer infrastructure. New threats will emerge, with AI technology being a likely feature of cyber attacks in the years to come, as attackers seek to thwart defences and predict how their victims will react. Modernisation, given antiquated legacy systems, will prove to be a roadblock to airtight security procedures.