“Do Something!” Identifying the Obstacles to More Effectively Countering Nation-State Cyberespionage
Since December, the bottom has fallen out the United States government’s capacity to assure that the computer networks and infrastructure it uses to do business are in any way secure. It is unable to protect itself, or the rest of the country, and we have been reminded of that on a regular basis for better than a decade. December’s revelation of the cyber operation carried out against network management goliath SolarWinds and the more recent news of a major compromise of Microsoft’s Exchange messaging infrastructure in tandem offer irrefutable evidence that most of the U.S. government and thousands of major companies have been thoroughly compromised by the intelligence services of Russia and China, which have been blamed for the SolarWinds and Exchange operations, respectively.
SolarWinds and Exchange are now firmly in the sights of Congress, an organization with its own cybersecurity issues. Doubtlessly there will be much hand wringing and a clamor for government to, “Do something.” Doing something falls squarely on the Department of Homeland Security and its newest sub-component, the Cybersecurity and Infrastructure Security Agency (CISA). As an observer of DHS since its creation, I will argue that its record on meeting cybersecurity problems appears decidedly mixed. Despite all that it has done in building a civilian cybersecurity organization in the federal government, it remains difficult to understand how DHS and elements of the Department of Defense, including the National Security Agency and Cyber Command, work to protect U.S. computer networks from nation-state cyber-espionage campaigns.
Next month, my colleague Art Conklin and I will be giving a paper on the complex tangle of public policy that is cyber defense in this country. In it, we argue that the nation’s cyber defenses are woefully deficient. Worse, many or most builders of our digital infrastructure are bad at security. This has necessitated the rise of companies that do much of the defending. Allow me to explain. Fundamental to its failure is that DHS does not appear to have the ability to function at “cybersecurity speed.”
Although DHS maintains a large intelligence sharing and coordination apparatus, an entire parallel cyber intelligence industry has flourished because entities in the private sector deliver cybersecurity products far more expeditiously than the federal government does. Despite DHS growing its cybersecurity functions, there are growing number of cyber intelligence firms, some with increasing specialization drawn from considerable work in responding to incidents including major data breaches. FireEye is one such top company, which markets its hardware and software, designed to identify indicators of compromise on the networks of its clients. It also has made acquisitions in both incident response and cyber intelligence. FireEye now boasts having, “250 experts in 17 countries tracking about 16,000 adversaries,” via the iSight service, a Dallas, Texas company FireEye purchased in 2016. As such, FireEye and others — from BAE Systems to IBM — may be viewed as DHS competitors in providing cyber intelligence products for consumption by private firms. Certainly, the question of why a cyber intelligence business exists when a U.S. government agency performs the same function is worth asking.
Before its acquisition by FireEye in 2013, security consultancy Mandiant, the “go-to responder for cyber-espionage attacks,” produced its APT1 report regarding Chinese state cyber‑espionage perpetrated against U.S. firms. APT1 looked as much like an intelligence product as anything out of the Office of the Director of National Intelligence. Mandiant’s business was in cybersecurity incident response. Assumedly, the company’s incident response activities may yield information for its intelligence offerings and software products, including its Helix Security Incident and Event Management (SIEM) tool, an overarching platform for detecting cyber incidents as they happen. Products like Helix are designed to defeat cyberattacks in organizational networks with direct system impact for customers. The key metric for success in this activity is the time elapsed between initial compromise and discovery of compromise. Only once compromise is detected can an incident response be mounted to eject intruders from the compromised systems of an organization.
How effective is FireEye at detecting compromise? It was the first entity to publicly acknowledge discovery of the SolarWinds breach (on its own network no less). This incident, in which network management software provider SolarWinds development environment was compromised and a subverted version of the company’s Orion product was pushed out through its continuous integration/continuous deployment (CICD) update server to at least 18,000 of its customers. Among the organizations to implement the Trojanized version of Orion were hundreds of major multinational corporations and federal agencies including the Departments of Commerce, Defense, Energy, Homeland Security, Justice, State, and Treasury as well as the National Institutes of Health.
Response to the SolarWinds breach has varied among commentators in cybersecurity from ho-hum to extreme concern. That cyber agents of an adversary nation state could compromise software employed by so many organizations was a significant intelligence win (and its discovery seemingly a big blow). That CISA apparently had no idea of the breach (nor the National Security Agency and Cyber Command) is disappointing. Even DHS’s statement on the case is underwhelming. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.” Granted, the SolarWinds case is one of cyberespionage, but the God’s eye view provided by the Orion product would doubtlessly provide ample intelligence for targeting critical infrastructure computing targets.
The SolarWinds episode raises an important question as to what CISA and the rest of the federal government are able to do in protecting U.S. critical infrastructure from cyberattack. While FireEye and similar firms have continuously made advancements in intelligence capability through research and acquisitions, the same cannot be said for DHS, or perhaps it is that DHS cannot show its efficacy due to the burdensome classification of cybersecurity data. Quality of information shared with external parties represented within the National Cybersecurity and Communications Integration Center, a sort of clearinghouse for security information, has not met expectations, despite the creation of the Automated Indicator Sharing platform for passing critical cybersecurity intelligence in a form that may be integrated with automated defense systems, such as firewalls or intrusion detection/prevention systems. One DHS employee stated to DHS Inspector General investigators “that although DHS provided 11,447 cyber threat indicators in 2016, only 2 or 3 [emphasis added] of these indicators were found to be malicious and related to cyber incidents.”
In addition to these quality issues concerning information sharing, DHS also faces problems in delivering information in a timely fashion, likely due to complications arising from sharing classified information. Timely delivery of intelligence products has also not been a forte of DHS’s NCCIC. This stumbling block was acknowledged by the DHS OIG in the Biennial Report on DHS’s Implementation of the Cybersecurity Act of 2015, which stated, “Without acquiring a cross-domain information processing solution and automated tools, DHS cannot analyze and share threat information timely.”
DHS’s timeliness (or lack thereof) was particularly evident after reports emerged of a significant cyberattack against Ukraine’s electrical grid that briefly cut power for some 225,000 Ukrainians in December 2015. In late February 2016, two months after the incident, DHS finally released its report on the incident — and with the stunning caveat that it was “based entirely on interviews as the cyber‑response team ha[d] not been able to independently review technical evidence.” For two months, the U.S. government essentially held no position on the Ukraine electricity hack. Analytic work in Ukraine was performed by contractors from security firms working under the auspices of the Department of Energy. It was later shared with DHS before becoming mired in bureaucratic delays over wording and publication issues. Meanwhile in the private sector, weeks before DHS released its interview-based report, future FireEye acquisition iSight offered valuable research that mapped the Ukraine activity to the Russian Sandworm cyber operation and its BlackEnergy malware, presenting a credible theory on attribution of the attack.
Beyond delays in releasing cyberattack information to stakeholders, DHS also appears to be coming up short on outreach beyond the Washington, D.C. area. DHS’s lack of presence in major cities across the United States is a problem for maintaining relationships with its “customers” outside Washington, D.C. True, DHS’s CISA opened 10 regional offices of its Infrastructure Security Division (ISD) as well a regional service delivery model for their engagement on critical infrastructure issues. The ISD’s, which are aligned with FEMA regional office locations, will host advisors in protective, chemical, and cyber security as well as other DHS personnel. A much broader program exists for communicating between the federal government and operators and owners of critical infrastructure, but it is Infragard, which has 82 chapters across the United States and is managed by the FBI, a component of the Department of Justice.
As of April 2018, the DHS also had not developed the means to measure its risk mitigation efforts or even establish a baseline for the cybersecurity posture for the eight critical infrastructure sectors for which the agency is directly responsible. One Senate report questioned whether it was even possible for DHS to achieve success in meeting its mandates, stating that there are “serious challenges that [DHS] must overcome before it will succeed in executing its responsibilities or making a measurable difference in the security of the nation’s information systems.”
As such, DHS’s performance in its cyber portfolio has understandably been shaped to some degree by its weaknesses in delivering timely and useful intelligence to other organizations, especially outside of the federal government. However, its problems do not end there. A second fault lies in its inability to provide actionable responses. That so much of the information CISA processes is likely classified at the Top Secret-level and in highly restrictive, compartmentalized programs, makes it hard to move around to normal corporations outside of the defense industrial base. This means that US government cybersecurity policy and action are largely hobbled by a sclerotic set of processes that likely do not exist in China or Russia.
Finally, there is the issue of impediments in joining the federal workforce. For nearly a decade, I have taught in a nationally recognized graduate cybersecurity program. Our students go on to work in places far beyond the local oil and gas business, often to companies such as JP Morgan Chase, Microsoft, Deloitte, Citibank, and IBM. Many of these students are American citizens and hold keen interest in federal employment, however the headwinds they face in landing those jobs are considerable. Alumni of the U.S. government’s Scholarship for Service (SFS) program, who are required to enter public service in return for the government’s provision of cybersecurity education, often find it incredibly difficult to land federal jobs. Numerous companies have gone so far as to buy out SFS obligations to land good candidates while they await federal offers.
What this all adds up to is a national cybersecurity effort that is both deeply fragmented and inefficient. The United States should take cyber counterespionage and defense seriously, as it appears to be the greatest of growth areas in Gray Zone or Hybrid Warfare models of international conflict. The United States’ defenses need to be agile, dynamic, and well-resourced to the cyber threats that it faces. Unfortunately, operationalizing a strategic founded on these three pillars remains dismaying. How the Biden Administration can change this will require a hard look at operationalizing superb ideas generated by a number of my colleagues on the Cyberspace Solarium Commission rather than simply leaving them on the shelf.