Confronting the Russian cyber threats

Jan. 20, 2017
U.S. intelligence agencies face challenges meeting Russian threats and new administration’s doubts

Perhaps no time in the history of the United States has its national security sat poised at such a precarious crossroad. While recent events have demonstrated how vulnerable national networks are to foreign cyber-attacks, they have also provided us a window into the new administration’s unique relationship with U.S. intelligence agencies.

As Donald Trump is sworn in today as the nation’s 45th president, the allegations of Russian hacks into the Democratic National Committee’s server and the emails of John Podesta, the chairman of Hillary Clinton’s campaign, have created a firestorm of controversy between the U.S. intelligence community and the new president. The FBI, CIA and 15 other U.S. intelligence agencies have all agreed with a high level of confidence that Russia was the instigator of the 2016 election hacks. But up until last week, Trump had openly disparaged the intelligence agencies for providing faulty information and acting like Nazis trying to discredit his election victory, insisting allegations that Russia was the culprit were bogus and that the attacks may have been perpetrated by the Chinese or a bed-bound 400-pound hacker.

In what may turn out to be the only bipartisan reaction in Washington this year, Republicans and Democrats alike were taken aback by Trump’s public assault on the U.S. intelligence community, which many feared would weaken the American public’s confidence in a future national crisis and shake international trust in our country’s leadership.

“This absolutely creates a potential security crisis; as the leader of the free world he must be able to objectively review, understand and process the intelligence information that the security agencies are able to provide. It's well understood that the reliability of intelligence data can vary (and thus, why these reports include the level of confidence the agencies have for each finding), and this likelihood must be taken into account so that proper, rational and sound decisions are made for the best interests of the nation as a whole,” contends Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company. “The public dismissal and denigration of the intelligence community and its information by Mr. Trump undermines the credibility of these organizations and sets the groundwork for an administration that may be ‘flying blind’ with many foreign policy decisions if they do not use these agencies for their designated purposes. Eroding the confidence in these agencies creates levels of risk that we may not be able to fully understand, considering the secretive nature of the type and extent of the work done to gather intelligence information, but this is absolutely a dangerous, irresponsible precedent that creates a number of concerns.”

Wenzler is not alone among those in the cybersecurity community who are critical of Trump’s public feud with U.S. intelligence agencies and his apparent indifference towards the Russian hacking. Joseph Carson, Head of Global Strategic Alliances at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions, says he believes that Russia had a major role in the hack of the DNC, although he is hesitant to blame the Kremlin directly. But he has little doubt that Trump’s ambiguity regarding the Russians will have consequences.

“This means any action in the near future based on the information collected by the intelligence community that is deemed questionable or creates doubt in the public opinion will make it difficult for the president to validate any action taken based on the agencies' information or briefings, including any act of war or action on foreign policies and even terrorism. If you decrease the credibility of the agencies as untrustworthy, how can you take actions or make critical decisions based on future intelligence?” says Carson.

Yet not everyone is quick to condemn the new president. There are some who feel the intelligence agencies might need a new perspective and have become a bit too politicized to provide objective views.

“It’s never good when the POTUS and the intelligence community are not aligned. However, there is also the argument that the intelligence community is too inwardly focused. The infighting and the poor-man/rich-man views that each agency has of the others at times might benefit from a kick in the rear from the new POTUS,” chides Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions.

Richard Helms, CEO of Ntrepid, who spent 30 years working in the CIA and as a result has extensive experience dealing with national security matters, says the new president just needs time with his newly formed national security team to understand the value of the national security community’s contribution to his future decision-making.

“I believe he has come to accept the findings on Russian covert action attempted to influence the election. Whether that covert action, in fact, changed any votes is open to question. I know of no metrics for measuring the effectiveness of that covert action campaign and doubt any could be developed that would be convincing about whether it was or was not impactful,” adds Helms, who believes that it is critical to go beyond the current public display of animosity between the president and intel community and focus on the issues of U.S. cyber vulnerabilities.

“Everyone is vulnerable. Until we encourage, if not reward, and enable enterprises to provide digital protections these problems will not diminish. The government is a victim of its own lack of clarification of who is responsible for our security. It is not law enforcement. It is not DOD. Since its establishment, DHS has slowly moved forward with protecting critical infrastructure but that is a long-negotiated process with the owners of that infrastructure and one step away from the average victims,” insists Helms.

Kasey Cross, Director of Product Management at LightCyber, a Los Altos, Calif.-based provider of behavioral attack detection solutions, says that protecting data and critical infrastructure requires a re-thinking of security.

“First, you have to accept the fact that a motivated, competent attacker will get into any given network. Both Gartner and the FBI agree with this fact. Preventative security is still essential, and it will likely defeat the vast majority of attempted attacks, but it simply is not possible to defeat all of them all of the time. There are too many ways to compromise a user’s computer or network account,” Cross says. “Second, given that an attacker will get in, an organization must have the ability to detect the attacker early in the process. Very few organizations, including government agencies, have this ability. Most organizations are still focused on Cold War security that is bounded by taller and thicker walls. Organizations must step into the modern world and ask, ‘Do we have the ability to find a malicious insider or external attacker at work on our network?’ If they don’t, as most will not, it is critical to take on those capabilities as soon as possible. New behavioral detection tools in combination with new procedures and strategies will turn the tables on attackers.”

Thycotic’s Carson also states that the U.S. government, agencies, representatives, and military are highly vulnerable to both nation-state and cybercriminal attacks because of their aging, legacy and complex technology, systems, and infrastructure.

“Several steps have been recently taken to address these major risks and vulnerabilities. For example, the NIST standards are a good framework, though it should have been mandatory or better enforced; the appointment of the first Federal CISO, Brigadier General Gregory J. Touhill, in September 2016; the nonpartisan Commission on Enhancing National Cybersecurity, with its assessment of the current state of cybersecurity that has recently been released; and the increased budget proposal, which included $19 billion to improve cybersecurity. However, in my opinion, this is all good but it is extremely late and will take time to be able to mitigate much of the current vulnerabilities. An area that has still not been effectively addressed is the importance of cybersecurity hygiene and education to ensure the current and future workforce are better aware and prepared to be less exposed to cyber-attacks,” Carson concludes.

John Dickson, who has nearly 20 years of hands-on experience in network and application security in the commercial, public and military sectors and is Principal of the Denim Group, believes that vulnerabilities vary from government agency to agency.

“I suspect most of the DoD and intelligence community have their security acts together, although the insider attack performed by Edward Snowden against NSA proves that even the most paranoid have weaknesses,” Dickson says. “I think the government agencies face two problems. First, they run a ton of legacy systems and have various constraints that limit their flexibility to adapt. Second, their biggest challenge, in my opinion, is the Federal Acquisition Regulation itself, or the ‘FAR’ to .gov types. The FAR has become so bureaucratic that it prevents IT leaders from having the flexibility they need to adapt to rapidly changing cyber threats. I’ve said this publicly, and I firmly believe it. If there is a ‘cyber war’ and we lose, the FAR will be a large factor in that loss.”

So has the outgoing Obama administration done enough to shore up cybersecurity and provide a path forward? The security experts we talked with didn’t think so.

“The government does not do enough to protect its own networks, as we saw with the OPM breach. It provides little to no help in protecting outside data and networks, even those closely connected to government like the national political party organizations. Right now the main tool in the hands of the government is to investigate and respond to attacks. That process has been incredibly slow, allowing maximum damage to occur with an eventual reaction that is so little and so late it will do nothing to deter future similar activities,” says Lance Cottrell, Chief Scientist of Passages at Ntrepid. Cottrell is an internet security and privacy expert who started developing internet anonymity tools in 1992. “Attacks like that against John Podesta’s emails show just how easy it can be to compromise computers and accounts to access huge amounts of sensitive information. Often this information is being accessed remotely or from personal devices. Our conception of the security perimeter must be extended to include these attack surfaces.”

Dana Louise Simberkoff is the Chief Compliance and Risk Officer at AvePoint, Inc. She is responsible for AvePoint’s global Compliance team of subject matter experts and for executive-level consulting, research and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts and solutions for risk management and compliance. She points out that cyber-attacks have evolved drastically as the volume of data has exploded.

“The cybersecurity landscape has dramatically changed over the last eight years of the Obama administration – in some ways that no one might have reasonably anticipated. This is due to many factors, including a true data explosion worldwide. According to a study by IBM, 90 percent of the data in the world has been created in the last two years alone,” Simberkoff admits. “Cybersecurity, hacking and the threat of data breaches are topics that have moved from the dark shadows of the halls of government agencies to the evening news and front page headlines. Beginning years ago with the revelations of NSA data mining in the wake of Edward Snowden, all the way through to the recent concerns about foreign governments hacking the Democratic National Committee (DNC) to impact the presidential election, there has never been a time where sensitive data and its protection has been a hotter topic. In fact, the 2017 federal budget allocates more than $19 billion for cybersecurity – an increase of more than 35 percent over the 2016 enacted level.”

Despite the looming threat of renegade hackers and the incessant headlines spotlighting corporate and institutional breaches, most security practitioners admit there are steps organizations can take to help reduce their own vulnerabilities. According to Nathan Wenzler, the following simple policy and procedural steps can help:

  • Encrypt data as much as possible, both at rest and while in transit, especially for email, instant messaging, and other human communication tools. Database encryption is a common security tool, but access to those databases can more easily be had by compromising other services deemed to be not as critical and gleaning information from those transmissions to be used to attack the critical infrastructure components.
  • Protect and secure administrator credentials. The ultimate goal of any attack is to gain administrator-level credentials, which will provide unfettered access to anything and everything they may want to steal. Too many organizations do a poor job of protecting these proverbial "keys to the kingdom".
  • Keep systems and applications patched. This seems like a no-brainer, but too many organizations still do not perform this most basic of security functions, which would close known vulnerabilities and prevent simple, well-known attacks from being successful. The simple step of keeping all systems and applications patched and up-to-date means that an attacker will have to use more difficult and likely complex attacks to breach a network, which should also give the organization more time and a better probability that they can detect such an attack and respond to it.
  • Maintain and promote good security practices among employees, contractors and any other people involved in working with your organization. Social engineering attacks are becoming more and more common, primarily because it's becoming easier to "hack" the people in an organization than it is to breach the technical systems. Make sure staff is well-trained to understand suspicious behavior, to operate on your systems in a secure manner (e.g. not clicking on links in suspicious phishing emails), and have strong policies and procedures in place to support your people in performing all of their tasks securely. The more technical controls are put in place to strengthen the security posture of the network, the more critical the human side of your security program becomes.

About the Author: Steve Lasky is a 30-year veteran of the security industry and the editorial/conference director for SouthComm Security Media Group.