RSAC 2019: International cyber conflict.

Both the US Department of Defense, represented by NSA, and the US Department of Homeland Security, represented by CISA, were at RSA this week to discuss the state of cyber conflict, both now and in the future. Here are some observations on presentations by NSA's Rob Joyce and CISA's Christopher Krebs.

Cyber conflict, as seen from Fort Meade.

Yesterday we were able to attend a breakfast sponsored by Maryland’s Department of Commerce. Their speaker was Rob Joyce, who currently serves as Senior Advisor for Cybersecurity Strategy to the Director of the US National Security Agency. Joyce outlined a shift in cyberattcks: they’ve moved from theft of secrets, cyber espionage, toward becoming a means of imposing national will. He sees four trends manifested in this shift.

First, high-end threat activity has become more sophisticated. Second, the level of expertise needed to operate as a significant threat is declining. These trends might seem to be in tension with one another, but they in fact they represent complementary tendencies. As threat actors become better at their craft, their tools become easier to use, effectively becoming commodities.

Third, Joyce argued, we’re seeing cyber conflict move from exploitation to disruption. The Notpetya attack provides a good example of that progression. And fourth, information operations increasingly leverage what Joyce called a “cyber grey space.” Thus an attacker might compromise emails with a view to using their contents in the service of a larger attempt to persuade and influence a target. And there need be no deception or distortion, except perhaps contextually, in the content the attacker releases.

To survive in this emerging world, Joyce advocated building on a sound, solid foundation of the basics. We need good at cyber hygiene, sound configuration, effective patching, those sorts of things. And laying this kind of foundation is in his view a long-term investment that requires coordinated investment in education and training.

He concluded with a discussion of coming inflection points. The development and adoption of the smartphone a little more than ten years ago was one such inflection point. It was essentially a triumph of integration, and it enabled the growth of industries and ways of life that few expected or anticipated. He thinks that the fielding of 5G networks in the near future will represent a similar inflection point. 5G’s higher density, greater speed, and lower latency will make things possible that we don’t yet, because we cannot, fully envision.

To a question about offensive cyber operations, Joyce said that in his view offensive cyber operations are and must remain an inherently governmental responsibility. Their ramifications and possible consequences are simply too serious to open to private actors. Talk of letters of marque and reprisal is in his view idle. He did note that the US Government has now taken what he called a “more proactive, aggressive” stance with its doctrine of continuous engagement. We’re now willing to introduce some friction into the adversaries’ operations, and we’ve shown the ability to do so.

Cyber conflict, as seen from CISA.

Christopher Krebs, who leads the Cybersecurity and Infrastructure Security Agency (CISA) at the US Department of Homeland Security shared his agency’s perspective on the current state of the threat nation-state adversaries pose in cyberspace. CISA is focused on (“of course,” as Krebs said) on the big four actors: Russia, China, Iran, and North Korea. Russian attempts to run information operations against the US 2016 elections represented the "Sputnik moment" for cybersecurity. "That's when people realized," Krebs said, "that the cyber domain wasn't about PII, or about some movie the North Koreans don't like. It was about disrupting democracy."

CISA functions, Krebs explained, as “the nation’s risk advisor,” not its risk manager, because most infrastructure in the US is owned by the private sector. CISA seeks to “understand, share, and act." He's an advocate of defense in depth, but also an advocate of not adding layers. "We look for where we can add most value," he said. To that point, CISA asks "So what? What's the risk?" and "What do we do about it?" He sees CISA's automated indicator program as making an important contribution to helping participating organizations answer those questions, and he emphasized the importance of feedback, which serve to provide essential context for using such indicators.

It's impossible to do everything, and Krebs cited industrial control system security, election security, supply chain security, and a strategic risk assessment for coming 5G networks as the areas that merited the closest attention.

In a follow-on discussion with Auburn University's Frank Cilluffo, Krebs discussed some of the implications and positive results of CISA's formation. The name itself has been useful for recruiting, and the reorganization also afforded the Department of Homeland Security to "streamline the legacy" of CISA's predecessor, NPPD (National Protections and Programs Directorate).

He also addressed the banning of Kaspersky security products from US Federal systems. Information, including information derived from root access, was going back to the company in Moscow, and that's simply too much risk for Federal networks.

With respect to election security, Krebs noted the value of the training CISA has helped organize for state, local, tribal, and territorial election authorities. The Department of Defense, with its forward engagement, is focused on deterrence, and the Department of Homeland Security is focused on collective defense. The tabletop exercises they've conducted seem to have been particularly valuable. In looking toward making elections as a whole more resilient in the face of attempts at disruption, Krebs said that auditability of results will be a key focus. Looking toward the 2020 elections, Krebs said he thought the European Union's Parliamentary elections later this year would provide some important indicators and lessons. Russia is already an active player in this space. Trust in elections is vital. "Different actors have different goals. China wants to manipulate the system. Russia wants to disrupt the system. Our role is to raise awareness about what the bad guy is trying to do." To Cilluffo's question about whether other countries are following Russia's lead, Krebs said that "Russia put the playbook out there. It's there for anyone to use."

And the difference between a hurricane and climate change.

There is no shortage of warnings about all four of the major nation-state adversaries, but both NSA’s Joyce and CISA’s Krebs were agreed on which of them was the biggest threat to the US. It’s China, they said at a joint appearance moderated by Columbia University’s Jason Healey.

We worry about Russia using its cyber power to degrade others, Joyce said. But China projects power to build itself up. If Russian cyber operations are like a hurricane, China’s are like climate change. Beijing is playing a long game, and we know its goals: Made in China 2025 has outlined them with some clarity.

The US and China are now clearly competitors, having moved beyond several decades of economic engagement in which both countries perceived advantages. “Forty years of engagement,” Krebs said, “have just expanded the attack surface.” The threat to the US is poised to increase with the coming deployment of 5G technology and the pervasive connectivity it will bring. The risk that will accompany 5G, Joyce said, isn’t fundamentally a risk of the confidentiality of the information that technology will carry. It’s much more extensive: the risk lies in all the devices we’ll connect to it, and the way in which we’ll innovate in unforeseeable ways on that new fabric.