There have been three major cyber attacks in the past year: SolarWinds, the Microsoft Exchange attack, and the Pulse Secure VPN attack. These attacks all appear to have been (a) state sponsored, (b) long lasting, (c) high impact, and (d) carefully engineered.
What can be learned from what seems to be a new level of active cyber operations? Here are some of the lessons:
- The fact that such consequential targets exist (and are vulnerable) is the result of natural but dangerous incentives to develop monocultures. It’s a truism that convenience trumps security. One consequence is that it’s always easier to piggyback on something that’s already been done than to develop a new solution. So we have only a few processor technologies, a few operating systems, a few transport protocols, a few cloud providers, and now only a few large-scale systems management environments. Choosing to use the existing systems is almost always cost effective, but the hidden cost is the loss of resilience that comes from putting all of our computational eggs in one basket.
Those who build these pervasive systems have failed to appreciate that with great power comes great vulnerability, and so great requirements for security. Instead these systems rely on the same barely workable mechanisms that are used in the rest of cyberspace.
- Government cybersecurity organisations have, with the best of intentions, worked themselves into an untenable situation with respect to protecting against such attacks. It was natural in, say, the Five Eyes countries to give the responsibility for cybersecurity to the signals intelligence organisations (NSA, GCHQ, ASD, CSE). After all, they had the expertise with digital communication of all kinds, and they used cyber tools for their own surveillance and espionage purposes, and so they were experts in many of the issues and technologies.
However, these signals intelligence agencies are constrained to act only against those outside the countries they belong to (with some brief exceptions post 9/11). When they spun off cybersecurity centres to protect their domestic environments against cyber attacks, they found themselves in a legal and procedural no-man’s-land where they, in general, didn’t have the ability to act in any meaningful way, and were reduced to an educational mandate. So we have the (interesting and novel) spectacle of remediation of systems affected by the Microsoft Exchange hack being carried out by the FBI, not the NSA (although surely the NSA was involved).
Western countries need to (re)think the role that their cybersecurity centres will play in the face of serious, large-scale, state-driven cyber attacks — not just practically but legislatively.