At a glance.
- Responding to cyber espionage.
- US Defense Department tasking not a hack-back order.
- Complexities of retaliation against nation-states for cyber operations.
- Thoughts on securing water utilities.
Responding to Holiday Bear, Hafnium, et al.
Axios describes the current state of affairs as a “new era of mass-scale cyber war,” following Holiday Bear’s romp and what former Cybersecurity and Infrastructure Security Agency Director Krebs called “a crazy huge hack” of Microsoft Exchange servers. The trend seems to be that state-sponsored cyber espionage campaigns are going the way of traditional warfare, in that they are no longer narrowly bounded and targeted.
Nevertheless, a Kremlin spokesperson warned that the Biden Administration’s planned retaliation is “cause for extreme concern,” the National Herald reports, and would amount to an “international cybercrime,” according to US News and World Report. Some analysts caution that the conflict could escalate if the US pushes the wrong buttons. Russia could expel diplomats, issue sanctions, harass local US businesses, launch a counter-strike, or enhance kinetic operations.
Wired weighs in with the opinion that retribution “isn’t the answer,” and that Holiday Bear hasn’t transgressed any norms the US upholds. Fortune concurs that a “hack-back” would be “hypocritical.” The logic behind a harsh comeback is unclear, since other Russian misadventures that have gone unaddressed have had worse effects. CrowdStrike Cofounder Dmitri Alperovitch commented, “[N]ext time they're going to say, screw you, we were responsible last time and we got hammered, so this time we won't be.”
Furthermore, Wired adds, whatever precedent is set by the response would need to be replayed with China. Stanford fellow Jacqueline Schneider said, “I think that norm is going to be almost impossible for them to actually build and really, really hard to enforce.” She suggested targeting Russia’s offensive cyber capabilities instead, while another expert advised framing any action as a warning, not a penalty.
Fortune quotes Alperovitch’s perspective that if either breach went too far, it was the Microsoft Exchange hack, which left “reckless and dangerous” access points wide open for other threat actors to enter.
Defense Department Cyber Tasking Order: not a hack-back directive.
The Pentagon’s Cyber Tasking Order amounts to voluntary compliance and coordination with the Cybersecurity and Infrastructure Security Agency’s recent emergency directive (which only applied to civilian departments) on defending against the Microsoft Exchange hack, FCW explains. According to a Defense Department representative, the Order instructs Defense commands to “take actions necessary to protect DoD” infrastructure, like applying patches and inspecting networks.
Retaliation is complicated.
The laws of armed conflict remain unsettled in cyberspace. That makes the gray zone even grayer, with espionage, sabotage, and combat conducted in a continuum where useful and essential distinctions are difficult to draw. It not only complicates response, but also affords adversaries cover, with opportunity for deniability and misdirection. US Cyber Command's annual legal conference last week discussed these and other issues. The CyberWire's coverage may be found here.
Upgrading water utility security in the wake of Florida’s cybersabotage incident.
Homeland Security Today details measures water utilities should take to strengthen their cybersecurity posture in light of the Oldsmar breach. Remote access software requires greater “hygiene and oversight,” including keeping tabs on all points of connection. Smart technology must be accompanied by checks and balances, like network segmentation and limits on chemical adjustments.
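As an added illustration of the “limits on chemical adjustments” and remote-access oversight described above (example code written for this page, not from Homeland Security Today or any utility), here is a small guard that a supervisory layer could apply to remote setpoint commands before they reach the dosing controller. The chemical, ppm limits, session names and command values are all constructed for the example.

```python
"""Guard remote dosing-setpoint commands with hard bounds, a step limit,
and a second-operator hold. Added example; all values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SetpointLimits:
    hard_min: float      # the controller must never be commanded below this
    hard_max: float      # the controller must never be commanded above this
    max_step: float      # largest change accepted in one command
    review_above: float  # changes above this need a second operator's approval


# Constructed sample limits for a caustic-soda (pH adjustment) setpoint in ppm.
NAOH_PPM = SetpointLimits(hard_min=50.0, hard_max=150.0, max_step=10.0, review_above=120.0)


def evaluate_setpoint(current: float, requested: float, limits: SetpointLimits,
                      second_approval: bool = False) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'accept', 'reject' or 'hold'."""
    if not (limits.hard_min <= requested <= limits.hard_max):
        return "reject", f"{requested} ppm outside hard bounds {limits.hard_min}-{limits.hard_max}"
    step = abs(requested - current)
    if step > limits.max_step:
        return "reject", f"step {step:.1f} ppm exceeds max step {limits.max_step}"
    if requested > limits.review_above and not second_approval:
        return "hold", "above review threshold; awaiting second-operator approval"
    return "accept", "within limits"


def process_commands(current: float, commands: List[Dict], limits: SetpointLimits):
    """Apply remote commands in order; only accepted ones move the live setpoint.
    Every command, accepted or not, is written to an audit log keyed by session."""
    log = []
    for cmd in commands:
        decision, reason = evaluate_setpoint(current, cmd["requested"], limits,
                                             cmd.get("second_approval", False))
        if decision == "accept":
            current = cmd["requested"]
        log.append({"session": cmd["session"], "requested": cmd["requested"],
                    "decision": decision, "reason": reason})
    return current, log


# Constructed remote-session command sequence (not from any real incident).
SAMPLE_COMMANDS = [
    {"session": "remote-session-A", "requested": 105.0},                          # accept
    {"session": "remote-session-A", "requested": 900.0},                          # reject: bounds
    {"session": "remote-session-B", "requested": 114.0},                          # accept
    {"session": "remote-session-B", "requested": 123.0},                          # hold: needs approval
    {"session": "remote-session-B", "requested": 123.0, "second_approval": True}, # accept
]
```

The “hold” entries are the ones worth alerting on: a legitimate operator will complete the approval, while an unexpected remote session that repeatedly lands in hold or reject is a signal to investigate.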
We received a few additional thoughts from CyberSaint Cofounder and Chief Product Officer Padraic O’Reilly about how Florida might protect its critical infrastructure. He recommended the Sunshine State look into the following:
- “A review of their current approach on a well-known benchmark such as the Cybersecurity Framework, or CSF.
- “A forward-looking analysis based on risk that generates a set of remediations that take return on security investment into consideration.
- “Closer alignment between the operational and managerial stakeholders.
- “Clear metrics around current posture so that a target state can be determined. This would include a review of application risk central to critical operations.”
O’Reilly said the effort should involve Risk, Compliance, Governance, and IT personnel, and would likely meet a predictable assemblage of roadblocks: “Budget and current processes are usually the two largest concerns. Smaller utilities and hospital chains are lagging with respect to cyber. This is why a simple assessment on a benchmark like the CSF is a good start. An analysis like this can point the way to cost-effective measures that would harden systems in a preventative manner, rather than the reactive stance that most smaller organizations currently are stuck in.”