Adversaries appear to launch attacks with impunity, and their newfound speed and aggression has had a damaging impact on our national security.
Over the past year, cyberattacks on the supply chain and critical infrastructure have not only shown adversaries are expanding their capability and sophistication but also revealed an increasing level of overt arrogance that has not been seen before.
The supply chain attacks on SolarWinds and Kaseya, attributed by many—including U.S. intelligence—to Russian intelligence services, were incredibly sophisticated, complex and successful. Large scale ransomware attacks like those targeting Colonial Pipeline and JBS Foods used to happen once or twice a year. Now they occur much more regularly. Adversaries are not hiding what they are doing—they’re being outright brazen about it.
There will be more of these attacks because they involve a low level of investment with huge returns. The lack of caution we’ve recently seen among adversaries creates a precarious position for the government. When adversaries were concerned about anonymity, their apprehension slowed their attack posture. Now, they appear to launch attacks with impunity, and this newfound speed and aggression has a damaging impact on our national security.
The president’s Executive Order on Improving the Nation’s Cybersecurity is an important component to countering this new wave of adversary behavior.
The cybersecurity EO aims to help make infrastructure more secure by adopting new principles, policies and technologies, while packaging together several cyber programs and initiatives to strengthen the nation’s cybersecurity posture. The EO champions capabilities the commercial sector has embraced over the past several years and will add resiliency, defense in-depth and next-generation technology to proactively protect government networks.
While implementation of the EO, which was released on May 12, 2021, is ongoing, here are some important areas to consider:
1) Removing barriers to sharing threat information is key to proactively protecting U.S. government networks.
I call this “actionable intelligence” instead of simply “information” because information is often noise that obscures the importance of intelligence. Intelligence gives cyber defense teams the ability to look around the corner and understand adversaries’ objectives and motives. In today’s world of emerging and ever-changing risks, every second counts. For instance, as noted in the CrowdStrike Falcon OverWatch 2021 Threat Hunting Report, Nowhere to Hide, eCrime adversaries are moving with greater speed through victim environments. The average time it takes for an adversary to move laterally from an initially compromised host to another host within a victim’s environment is one hour and 32 minutes—slightly longer than a meeting or two.
2) Modernize the government’s cybersecurity posture.
The EO prioritizes the move to cloud infrastructure—Software-as-a Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS). It is imperative to adopt cloud-based models, shift toward zero trust architectures and move forward with technologies that provide the visibility and speed to stop adversaries.
3) Enhance software supply chain security.
Adversaries will continue to exploit the supply chain because it offers a high return on investment. Organizations need to proactively hunt for threats on their network and build better detection and prevention capabilities around their production environment. This is where zero trust and identity management will be essential to constantly challenge adversary movement, including that which is facilitated through a supply chain compromise.
4) Standardize the federal government playbook for responding to cybersecurity vulnerabilities and incidents.
The government is a behemoth with many moving parts, so organizations must learn from each other and adopt responses that work. After developing a playbook, exercise it regularly. Responders need to keep their skills sharp. Make sure the lessons that are learned from an exercise are incorporated in day-to-day capabilities and share them with partners across other government agencies. This last piece of sharing capabilities is critical and cannot be emphasized enough to ensure success.
5) Improve the federal government’s investigation and remediation capability.
Consistency, coordination and collaboration are essential. Centralization of policies and practices will make the government more resilient. Failure to coordinate and collaborate is what the adversary is counting on. They are practicing right now. In short, the EO demonstrates leadership, and the federal government should be leading the way instead of monitoring what industry is doing from the sidelines.
Creating a Culture of Innovation
How can the government create a culture of innovation to support these efforts? It starts with hiring the right people. Agencies can incentivize an employee to be innovative, but the reality is innovative nature is a natural trait. People’s curiosity, interests, passions, enthusiasm, sense of adventure—those qualities are inherent in individuals. Innovation begins with hiring the right people. Having the right people with the right characteristics is critical, but equally important is creating the proper environment that allows them to flourish. Involve them in the business processes and seek their feedback. People need to know that they have contributed to the mission and that they are valued.
The battles we are in require a capable, resilient and determined workforce. Agency leaders need to ensure they create the environment to sustain that. Government and industry need to be one unified team fighting a global team of adversaries. That is why we are partnering with the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations on the Joint Cyber Defense Collaborative (JCDC), which is bringing together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans. We cannot afford to stay static in a constantly changing and dynamic threat landscape.
Shawn Henry is chief security officer and president of services at CrowdStrike