On April 19, 1775, the American Revolutionary War began in Middlesex County in the Province of Massachusetts Bay. While it is actually hard to pin down a specific "first shot", Ralph Waldo Emerson immortalized his view of the event in the "Concord Hymn", which begins with the following familiar stanza:
By the rude bridge that arched the flood,
Their flag to April’s breeze unfurled,
Here once the embattled farmers stood,
And fired the shot heard round the world.
And so, the poet tells us, with one loud report began the American War of Independence. The history books tell us the rest.
The narrative fallacy tells us that history is easy to understand when looking backward, while we never quite know what the future holds. However, as an expert in offensive cybersecurity, I do know that the next war will likely start with a simple mouse click rather than with a bang. The eve of battle may well be filled with the soft tip-tap of fingers on keyboards rather than the ominous rumbling of artillery, and the "shots" fired may be just as deadly.
The Potential Conflict in Ukraine
Against this backdrop, we continue to hear very worrying news from Ukraine in the Cyber realm. For the last few weeks, we have been seeing reports of defacement of government websites, as well as a campaign of so-called "ransomware". I say so-called because the malware in question is more correctly described as a "wiper", designed to destroy data. The promise of a decryption key that will bring it all back is just posturing; for defenders this means there is nothing to negotiate, and recovery depends entirely on offline backups and rebuilds rather than on any key. As Microsoft's Threat Intelligence Center (MSTIC) put it: "MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom."
Couple this with the claimed defacement of more than 70 Ukrainian state websites, and things don't look so good. The Computer Emergency Response Team of Ukraine (CERT-UA) has stated that a possible attack vector is CVE-2021-32648 (https://www.cvedetails.com/cve/CVE-2021-32648/), an authentication bypass in the password-reset flow of October CMS; anyone running that CMS should confirm they are on a build that includes the fix. Elsewhere, it has been reported fairly widely that the initial attack vector was in fact a third-party compromise, essentially a supply chain attack. The fact that details vary is not a surprise; as noted above, when you are a participant in history, it is never quite as clean as when you look back. What is obvious is that the Ukrainians are facing a fairly sustained Cyberattack, which continues unabated at the time of writing. CISA (the US Government's Cybersecurity and Infrastructure Security Agency) has even gone so far as to push out an alert warning that US organizations are also potential spillover targets as international tensions rise.
Deny, Discount, Deceive, Divide…
Regardless of the claims made, determining exactly who did what runs into the challenge of attribution in Cyberspace, and that in turn collides with the perfect storm of social media and misinformation. Essentially, if we cannot societally agree on observable facts, there is little to no chance we can ferret out the truth when attribution is best left to government intelligence agencies. Instead, we end up dealing with the now all too familiar "ten D's of opposition tactics": Deny, Discount, Deceive, Divide... While certain governments do have the assets in place to know exactly what is going on, that information is not going to be public for a while, and so we are left either taking the word of anonymous sources or simply guessing from part of the picture. With no trustworthy attribution, how can we decide which "facts" actually are facts?
Accept Reality and Deal with it
If the above paints a pretty bleak picture, so be it. As Ray Dalio wrote, though, we must "accept reality and deal with it". So, here are the three things we need to do as a community right now to stave off a whole raft of negative outcomes.
The first, and most shocking, reality to accept is that there exist no meaningful standards for cybersecurity solutions. I could literally market a Magic Eight Ball and, as long as my claims were not outright fraudulent, have it be a completely legal "cyber control" that I could sell if my marketing was good enough. In a domain as contested as Cyberspace, we need, indeed must, have some minimal standards of efficacy for defensive solutions. Let's have some perspective here: everything from the electrical sockets in your office to your car has safety standards to which it must adhere. Why, then, is there no effective, enforced measure of security efficacy for the solutions being deployed today? The state of cybersecurity testing is pretty miserable, and there is a lot of snake oil here. For a price, there are testers who will give you your "passing test", no questions asked. We desperately need some kind of minimum standards in this space. The days of buying products based on hearsay have to end. This needs to be science, not opinion.
Second, it seems indisputable that a Nation State (with many intelligence groups stating flatly that it is Russia) is operating in the Ukrainian Cyber landscape. Frankly, it would be incredible to think otherwise. The question is which state and for what purpose, and it is here that we end up having to either trust government sources or make up our own minds on partial information. The post-truth world that we find ourselves in means that coming to an accord here will be nigh on impossible; the Escher-like spin cycle of 2022 makes clarity hard to come by. As such, we should proactively address the question of trustworthy attribution. By trustworthy, I do not mean that we (as defenders) need to know who did it; that problem is basically solved inside certain government agencies. The question is how those same agencies communicate that attribution to a population that will seemingly believe what they read on social media over a "so-called expert". Given that the next war will likely start online, having a transparent and trusted way of communicating these truths to the broader population would make sense. If we fail to do so, we put ourselves at the mercy of whoever is controlling the narrative, regardless of whether it is true or not.
Finally, we need to dramatically increase our investment in broadening the availability of training for jobs in the cybersecurity industry. These are high-paying jobs that provide a positive benefit to the nation. Moreover, they are jobs that could easily work well for a diverse set of candidates. We need to be more inclusive, and we need paths for workers with non-traditional backgrounds to enter an industry that actively wants them! While we have made progress here, there is lots of room for improvement; for example, women remain a minority in the cybersecurity workforce and still suffer from a gender wage gap (according to a recent (ISC)2 Cybersecurity Workforce Study).
The stakes are now so high that change needs to happen, and happen fast. Testing product efficacy to ensure security products adhere to certain minimal standards, developing a trusted, transparent source for communicating information on adversaries in Cyberspace, and opening up the Cyber workforce are all critical steps we need to take. It is not a matter of "before the next conflict comes"; the "cold war" in Cyberspace is anything but cold, with a range of Nation States conducting offensive operations against each other every day. With every machine online in the crossfire, we must act now.