By Wayne Lloyd
After both the first and second Gulf wars, nation states such as North Korea, Iran, China and others came to the same conclusion: under no circumstances get into a shooting war with the United States military. The world's sole superpower fielded a military so advanced and superior on the battlefield that it left little doubt about the outcome.
But nation states still wanted a way to level the playing field when confronting the United States. If they couldn't realistically win a kinetic war, how could they advance their interests? Ironically, the U.S. military itself provided the means: a globally interconnected network created by the Defense Advanced Research Projects Agency (DARPA), initially called the ARPANET and now known as the Internet. Through this network, countries can use technology to remotely influence, deter or attack another nation.
For example, when the United States government chooses to levy sanctions against a nation that violates international norms, that nation has very limited ability to respond militarily. But it can use cyber-attacks to deter sanctions or to retaliate.
Deterrence could take the form of probing industrial control systems and leaving back doors for future access to utility companies' IT systems. Later, the nation could use that access to pivot from the IT network into operational technology (OT) networks and disrupt critical infrastructure.
Cybersecurity experts suspect that the damaging NotPetya worm, which spread in June 2017 through a trojanized update to the Ukrainian M.E.Doc accounting software, was in part a warning to the world that anyone who supports Ukraine in its conflict with Russia will suffer dire consequences.
This kind of deterrence is not simple to execute. It takes advanced capabilities to impact critical U.S. infrastructure such as the power grid.
Again, we may have given our adversaries the weapons they need to accomplish their goals. When the U.S. bombed Nagasaki and Hiroshima, we weren’t concerned that the Japanese would pick up the bomb and throw it right back at us. The research and development costs were too high.
However, in cyber warfare, malicious weaponized code can be picked up, modified and sent right back at its creators. This happened when Saudi Aramco (a Saudi Arabian petroleum and natural gas company) was hit by the Shamoon wiper attack in August 2012, which U.S. officials attributed to Iran. An NSA document leaked by Edward Snowden shows that the NSA believed the Iranians learned how to conduct the attack after their own oil and gas infrastructure was attacked. Some researchers believe their attack bore the hallmarks of malicious code from the U.S. and its allies. The leaked document indicates that the Iranians have learned from Stuxnet, Flame and Duqu as well. Many attribute these to the U.S. and its ally Israel, though neither nation has claimed them.
As we see, organizations or nation states with far smaller militaries than the United States can further ideological or geopolitical goals by using technology. But we aren't powerless. Good cyber hygiene and digital resilience give us a foundation to withstand a cyber event and recover quickly.
Our organizations can take the following actions:
Pick a cybersecurity framework from organizations like NIST or CIS to help you build your cybersecurity program or enhance your existing one.
Continuously educate your users about good cyber practices such as creating strong passwords, avoiding phishing attacks, and securing the personal devices they connect to your network.
Maintain an inventory of the network equipment, devices and software on your network. Establish a robust patch management process that prioritizes by network risk, meaning what an attacker could actually reach from the Internet or a partner connection and what it would give them, rather than just chasing down the high, medium and low findings from your security tools.
Understand what partner networks are connected to your network. Continuously ensure that compensating security controls and network segmentation are in place in case a partner network is compromised.
Have an up-to-date call list of people who can respond to events detected in your network. This is invaluable for geographically dispersed organizations spread across different time zones.
Limit the number of users with administrator access to your network.
Have an incident response plan in place, then practice it or follow it regularly. After each practice or incident, conduct reviews to improve your future responses, further harden your network and educate your workforce.
Finally, measure your network's digital resilience with metrics that track not just how busy your cyber teams are, but whether what they are doing is effective.
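One way to put the risk-based patch prioritization item above (and the segmentation point about partner networks) into practice, as an added example that is not from the article or from RedSeal: walk the firewall policy to find how many zone crossings separate each zone from the Internet or a partner connection, then rank scanner findings by severity, exposure and asset value instead of by severity alone. The zones, allowed flows, assets, finding ids and weighting curve below are constructed and hypothetical.

```python
"""Risk-based patch prioritization: rank findings by what an attacker can reach,
not only by the scanner's severity label.

Added example; every zone, asset, finding and weight below is constructed and
hypothetical, not taken from the article or from any real environment."""
from collections import deque
from dataclasses import dataclass

# Allowed flows between network zones as the firewall policy permits them
# (zone -> zones it may initiate connections to). Constructed sample topology.
ALLOWED_FLOWS = {
    "internet": ["dmz"],
    "partner": ["partner-edge"],
    "dmz": ["app"],
    "partner-edge": ["app"],
    "app": ["db"],
    "db": [],
    "mgmt": ["dmz", "app", "db", "ot"],   # admins reach everything; nothing reaches mgmt
    "ot": [],
    "lab": [],                            # isolated test network
}
UNTRUSTED_ZONES = ("internet", "partner")

# Scanner severity mapped to a base score (assumed weights).
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    criticality: int      # 1 (low) .. 3 (business critical), assumed scale
    admin_logons: bool    # privileged accounts log on here (credential theft risk)


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str       # scanner finding reference (placeholder ids below)
    severity: str


def hops_from_untrusted(flows, untrusted):
    """Breadth-first search over allowed flows. Returns the minimum number of
    zone crossings needed to reach each zone from any untrusted zone; zones
    missing from the result are not reachable under the current policy."""
    dist = {zone: 0 for zone in untrusted}
    queue = deque(untrusted)
    while queue:
        zone = queue.popleft()
        for nxt in flows.get(zone, []):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist


def exposure_multiplier(hops):
    """Directly reachable zones weigh most; unreachable ones are discounted, not
    ignored (insider access, lateral movement). Assumed curve."""
    if hops is None:
        return 0.5
    return max(1.0, 3.0 - 0.5 * hops)   # 1 hop -> 2.5, 2 -> 2.0, 3 -> 1.5, 4+ -> 1.0


def prioritize(assets, findings, flows=ALLOWED_FLOWS, untrusted=UNTRUSTED_ZONES):
    """Return findings ranked by severity x exposure x asset criticality,
    with extra weight where privileged accounts log on."""
    hops = hops_from_untrusted(flows, untrusted)
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        asset = by_name[f.asset]
        h = hops.get(asset.zone)
        score = (SEVERITY_SCORE[f.severity]
                 * exposure_multiplier(h)
                 * asset.criticality
                 * (1.5 if asset.admin_logons else 1.0))
        reach = "unreachable from untrusted zones" if h is None else f"{h} hop(s) from untrusted"
        ranked.append((score, f.finding_id, asset.name, f.severity, reach))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


# Constructed sample inventory and scanner output.
SAMPLE_ASSETS = [
    Asset("web01", "dmz", 2, False),
    Asset("b2b-gw", "partner-edge", 2, False),
    Asset("app01", "app", 3, True),
    Asset("db01", "db", 3, False),
    Asset("jump01", "mgmt", 3, True),
    Asset("lab07", "lab", 1, False),
]
SAMPLE_FINDINGS = [
    Finding("web01", "F-1", "high"),
    Finding("b2b-gw", "F-2", "medium"),
    Finding("app01", "F-3", "medium"),
    Finding("db01", "F-4", "high"),
    Finding("jump01", "F-5", "high"),
    Finding("lab07", "F-6", "critical"),
]

if __name__ == "__main__":
    for score, fid, name, sev, reach in prioritize(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{score:5.2f}  {fid}  {name:8s} {sev:9s} {reach}")
```

On the sample data the scanner's only "critical" (the isolated lab host) ranks last, while a "medium" on the application server that is two hops from both the Internet and the partner connection, and where administrators log on, ranks first. The model only scores inbound reachability from untrusted zones; lateral movement from an already-compromised host, and the management zone's broad outbound access, would need a second pass over the same flow table with the compromised zone treated as untrusted.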
About Wayne Lloyd
Wayne Lloyd is Federal CTO and Technical Director at RedSeal. He has over 25 years of field experience in information technology, with the last 15 years focused directly on cyber security, including computer and network security, advanced threat analysis, intrusion detection and operations, vulnerability and risk assessment, and policy and compliance.