SOLAR WINDS PROVES US NEEDS TO RETHINK CYBER POLICY — NDAA NOT ENOUGH

December 21, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

If the dramatic Solar Winds hack of multiple critical US government and key private sector systems proves anything, it is that we need to substantially rethink our approach to cyber security.

We don’t yet know how damaging the attack was – and won’t for some time – notwithstanding “assurances” of little damage from some – but we do know that multiple key organizations have been successfully compromised for months without our knowing about, let alone stopping, it.

And we have seen this movie before. In 2015 the US Office of Personnel Management was successfully hacked, releasing the personal files of over 22 million American federal government employees. That same year the Pentagon’s own Annual Report asserted that DoD cyber systems were open to compromise by low- to mid-level attackers who could compromise DoD missions when and if they chose.

The US is one of, if not the, most innovative and sophisticated cyber nations in the world, and we have spent billions on cyber defense. Yet virtually every aspect of the US government has been successfully compromised.

How is it that, with years of warning, our federal government – with the largest, best-funded, most sophisticated military in the history of the world – is not only unable to defend itself, but unable even to understand that it is under attack?

In their book The Fifth Domain, published last year, Dick Clarke and Bob Knake noted that the US basic strategy on cybersecurity hasn’t changed since the Clinton Administration.

Maybe it’s time to rethink our approach.

Amid the publicity generated by the breach there is increased attention to the new cybersecurity provisions in the pending National Defense Authorization Act which recently passed both Houses with veto-proof majorities. President Trump has threatened a veto over unrelated items in the bill, which could delay but probably not sink the bill.

There are, no doubt, some helpful provisions in the new NDAA, recommended by the Congressionally mandated Solarium Commission, such as the creation of a cybersecurity Director in the White House and an office to coordinate government response in case of a cyber-attack of national significance. ISA has long supported the creation of a more senior position in the White House to direct cyber policy (we proposed such a provision in our 2015 Cybersecurity Social Contract book) and certainly we need to have a more strategic plan to address massive cyber-attacks.

However, we are kidding ourselves if we think the new NDAA provisions, if they are enacted, are anywhere near enough to provide ample defense against the sorts of sophisticated cyber-attacks that are becoming increasingly common against both industry and government. And make no mistake about it, the sophisticated cyber-attack tools used (perhaps stolen from the US) will inevitably be filtered down through the well-organized cyber-attack community and be used for all manner of attacks by criminals, nation states and less well-defined others.

Positive though they are, the NDAA provisions are far too narrow. They are focused primarily on government and follow a traditionally limited vulnerability prevention model.

Thinking of government as separate from the private sector, as our traditional policies do, or thinking that better technical management of cyber vulnerabilities is the answer to our cyber insecurity is an antiquated and inadequate way to understand cyber threats. We have repeated proof of that.

The center of the attack, Solar Winds, is a private organization that serves both the public and private sector. It is an example of a growing number of core elements of the Internet whose compromise creates systemic issues. To date virtually all cyber policy has been focused on protecting entities – government or private companies – not the system as a whole.

Despite the fact that government systems were primary targets of the Solar Winds attacks, it wasn’t DHS’s CISA operation, or DoD, or Cyber Command that discovered this very serious attack that had been going on for months. It was a private company.

No less an authority than Congressman Mike Gallagher, Co-Chair of the Solarium Commission that crafted the new NDAA provisions, has emphasized this point, noting it is critical to remember that a private company, FireEye, discovered the Russian attack. “This went undetected for months and months by the US Government agencies…I think this shows the weakness of the federal defense,” Gallagher told the New York Times.

There will also probably be all sorts of calls for “accountability,” seeking the person – in government or industry or both – who is “responsible” for not addressing the vulnerability that was exploited to enable the attack. There may even be calls, ironically enough, for greater government control over cyber systems – even though it was government systems that were attacked, and the government couldn’t even detect the attacks on its own systems – yet some will call for more government authority.

These are all stale replays of the inadequate process we have gone through for years – bad attack followed by finger pointing and quick easy solutions – off with their heads!

We need less finger pointing and more creative thinking. Cyber-attacks are being launched against industry, government and private citizens. We are all on the same side. We need to evolve policies, structures and support mechanisms that are not just warmed-over versions of what was mapped out in the Clinton Administration.

We need a much fuller partnership model that encourages government and industry to work together as equals. For example, the White House office envisioned to define a strategy to respond to a cyber-attack of national significance needs to be expanded and repurposed to design a full national digital strategy. This broader perspective would include cybersecurity as one aspect of that overall strategy but would not be artificially limited to government systems as though they were independent from private systems (they aren’t).

The overall strategy would not just cover how the government would respond to an attack of “national significance,” but would also consider how we are to compete with the Chinese, who are cross-subsidizing their technology companies and creating an inequitable playing field with serious national security implications. The strategy would consider how to fund the national security obligations private sector companies are inheriting in the digital age but clearly cannot support with business models designed for the analog economy. Such a strategy would include practical answers as to how to protect hospitals and local governments from ransomware attacks, how to assure the safety of the intellectual property that is the basis of our economic vitality, and how to effectively address the cyber-crime epidemic that is funding many of the most serious infrastructure cyber-attacks.

Unlike some of our major adversaries, we do not have the sort of coordinated, integrated and funded effort needed to address these issues. Instead, we have an antiquated, disparate set of policies and tactics – not truly a strategy in any real sense – which, let’s face it, isn’t working.

And by the way, these things – strategy, innovation, creative pro-social strategic partnerships – are what we are supposed to be good at. How are we losing so badly?

We need a creative, mutual and egalitarian industry–government consortium modeled on the New Deal, the original NASA, and the 1980s Sematech program. We can do this without compromising our core values or our free market economy. Indeed, these characteristics can and should be the catalysts for this effort.

Are the details of these proposals fully mapped out? No, not yet, but we need our government to work in a far more egalitarian partnership (not merely “stakeholders”) with industry and to go through the sorts of institutional reevaluation and reform that virtually every private sector organization has already gone through – it’s called digital transformation. This means we need to rethink our approach to the digital age, inclusive of, but not limited to, cyber defense.

If the Solar Winds can blow away our old notions of cybersecurity and leave a new landscape on which to build a true 21st century strategy, then we might eventually see a calm after the cyber storms we are suffering through now.
