The entire world, especially the military, is firmly entrenched in cyberspace. Everything from personal messages among friends and family to top secret military and diplomatic dispatches are created, transmitted, received, and read in the “0s” and “1s” of computer code.
Power grids, water treatment and distribution facilities, hospitals, traffic control, aviation, railroads, sea transport, space-based communications, position, time and navigation - all are part of the cyber domain.
That domain also encompasses home appliances, office equipment, children’s toys, medical devices, TV sets, unmanned vehicles, baby monitors, and espionage.
In short, it touches nearly every aspect of 21st century life. This makes cyber attacks — from annoying but benign hacking to deadly attempts to disrupt, control or destroy financial institutions, power grids, computer networks, and offensive and defensive military equipment — perhaps the single greatest threat the world faces, at all levels, in all nations.
The technology to detect and deter such attacks has improved substantially in recent years, yet it’s the modern version of the old armor/anti-armor loop — create a stronger, more resilient armor and someone will create a stronger, more potent anti-armor, leading to yet another new level of armor and more creative anti-armor.
This is not a new problem; it began as soon as the first computers appeared in war rooms and operations centers and has grown apace with the world’s ever-increasing dependence on electronics. But it is only in the past few years that the seriousness of the threat has been fully recognized, leading to the creation of cyber warfare and cyber security departments in almost every major entity, military and civilian, and the declaration of cyber as a full domain of war.
The sought-after end result of cyber attacks varies with the source of the attack, and some attackers will have multiple targets and goals. China, for example, has an obvious interest in breaching U.S. military systems, both to gather intelligence and to learn how to control or compromise them. However, contemporary reports also show a Chinese focus on academics, high technology, insurance, manufacturing, construction, media, telecommunications, transportation, and video games.
Military a priority target
The military is high on the list for most nation-states, which seek to compromise another nation’s military through cyber actions that often cannot be traced back to the attacker. Financial institutions also are at the top of the list, as are industrial-control systems for water and power networks, because a successful cyber attack there could have a devastating real-world impact.
For individuals, it’s hit and miss: many of the attacks aimed at them, such as ransomware, are automated. So individuals always will be at some level of risk because of human nature, as when people pay ransoms for compromises that never actually happened.
Corporations also are an obvious target and will remain so, as cyber adversaries look for intellectual property or competition strategies. Too many organizations still don’t think about what such an attack could do to their companies.
Small-to-medium businesses also are targets because they don’t have the resources or manpower to lock down their computer and digital networking environments, so an attacker knows there is a pretty good chance of compromising them and getting away with it.
Cyber attacks are very costly and have a definite impact on the economy and the confidence people have in the ability of companies and the government to protect their information and continue to provide goods and services.
“There will be variations depending on the target,” says Shane Liptak, vice president for cyber security services at Gray Analytics in Huntsville, Ala. “With industrial controls and critical infrastructure, you will see more damage. Just turning off the power grid for a couple of days will overload systems and shut things down for even longer. For example, water filtration plants need electricity, which spins out to the mass populace as people no longer have drinkable water or power.”
There’s big money involved, too. “In general, companies have a loss of revenue or capability because they can’t make their widgets, which then impacts their customers who need those widgets to make their own products and so on and on,” Liptak continues.
Reputations on the line
A company’s long-term reputation also could be in jeopardy. “An organization that is compromised loses the trust of its customers and the public, leading to a host of lawsuits and loss of business,” Liptak says. “And if they are going to stay in business, they will have to raise prices, which has a ripple effect. Plus, once penetrated, you can’t tell for certain the threat actor actually gets out of your network if you don’t do a really thorough check, which many don’t, and sometime in the future, you’ll get hit again.”
Even the military continues to use systems that are too easily compromised, and the civilian world continues to ignore recommended “hardening” of its vital systems because of cost or complexity, too often relying on simple — and easily breached — protection schemes.
“Looking at industry and cyber security overall, there’s a lot of stuff that gets put out there very quickly without much regard to security. So we’re nowhere near the point where you have to be really sophisticated to pull off a cyber attack,” says Steve Edwards, director of secure embedded solutions at the Curtiss-Wright Corp. Defense Solutions division in Ashburn, Va.
“It’s partly due to ignorance, but mostly because security is not free and when people weigh that cost versus getting a product out there, security often gets the short stick.”
However, the federal government, having created U.S. Cyber Command at Fort Meade, Md., as one of the joint military commands, recently has begun placing greater emphasis on enhancing the cyber security of non-military entities.
“The heart of CISA’s purpose is to mobilize a collective defense of our nation’s critical infrastructure,” states the CISA Strategic Intent document, released last August. “We lead the nation’s risk management efforts by bringing together diverse stakeholders to collaboratively identify risks, prioritize them, develop solutions and drive those solutions to ensure the stability of our national critical functions.”
CISA functions as the nation’s cyber security risk advisor, and partners with private industry, researchers, international governments, emergency responders, intelligence, defense, and other communities.
CISA has two goals: addressing cyber risks to national critical functions; and helping organizations manage their own cyber risks. CISA deploys intrusion-prevention technologies in federal networks, for example, and supports emergency communications during the response to wildfires that threaten lives and critical infrastructure.
Built-in cyber security
Cyber equipment manufacturers are increasing their investment in built-in cyber security, providing multiple layers of defense as such components are brought together to create new systems.
“Defensive capabilities are improving constantly, but the threat spectrum also is changing all the time,” warns David Sheets, security architect at Curtiss-Wright Defense Solutions. “Old attacks are continually being employed against new systems, so you can’t forget about those, and new attacks are being developed all the time. Industry overall is becoming a lot more aware of the problem and putting more effort into addressing it. In the next few years, we should be seeing a lot better capabilities than in previous systems.”
For Curtiss-Wright, “industry” refers to the military, for which they are a major subcontractor in cyber defense. “Not only is the government paying more attention, as are the primes, but so are the chip vendors and hardware level providers,” Edwards adds. “They will continue to improve their ability to detect attacks, but you can’t prevent the ‘unknown’ unknown. These systems are complicated, so to do foolproof testing on every line of code or processor is probably impossible. So while capabilities will continue to advance, it will never be foolproof.”
As military changes — offensive and defensive — have come faster, the attitude of those ordering new military systems has changed dramatically — far more so, to date, than their opposite numbers in the civilian domain.
“One change in requirements is from ‘let’s harden this as well as we can and then we’re done’ to ‘how do we monitor this throughout its lifetime so we can be assured of having a hardened system even after it has been deployed’,” adds Curtiss-Wright’s Sheets.
Awareness of cyber security has improved considerably in the U.S. Department of Defense (DOD), Sheets adds. “Outside DOD, they still need to learn some of the lessons and improve their security efforts and understand the risk. DOD has put a lot of interest into understanding those risks and making those investments up front.”
The modern world, especially manufacturing, is heavily integrated. Even in the military, any given piece of equipment is likely to contain components from multiple — often foreign — sources, despite great efforts by military officials to ensure that all elements of essential systems come from trusted sources.
This opens up yet another major target for cyber attack: the supply chain. Gray Analytics’s Liptak says that is a complex and constantly evolving area of concern.
Targeting the supply chain
“For detection, we’re focused on the supply chain cyber security framework, to aid in the identification of malicious software and hardware. Those include activities inherent in the whole system life cycle, from fabrication to shipping all the way to disposal, to identify and detect anomalies,” Liptak says.
“An organization might be a U.S. company with ties to a Chinese joint venture company, which gives them access to all the intellectual property and, typically, majority ownership, so they can see everything within the company,” Liptak says. “We determine if the components required for all defense systems are safe or have embedded malicious software or hardware. You can’t really secure the supply chain without a detection capability.”
In some cases, deterrence may depend not on the development of secret counter-cyber capabilities, but on making their existence public, he adds.
“Deterrence typically is technical and procedural,” Liptak says. “For example, say the U.S. develops a new automated threat-detection capability we can use to detect ransomware or if a threat can decrypt our communications. We publicly announce that so threat actors know we have the ability to deter their threat, which serves as a deterrence. If you can advertise you have effective deterrences, threat actors are less likely to attack.”
The sources of cyber attacks also have changed as defensive technologies have improved. In the early days, cyber terrorists often were depicted as bored teenagers working from their parents’ basement somewhere in Eastern Europe.
While that group still exists, breaking into major corporate, government or military networks now requires high-level skills, tools and experience typically found only in well-funded government or major criminal organizations. The “bored teen hacker” is still a threat to individuals, small businesses, and small countries without the resources or perceived need for top-of-the-line cyber detection and deterrence.
“The barriers to entry are relatively low, so a teenager just messing around can do some things; a nation-state spending part of its military budget on exploitation activities can do more,” Gray Analytics’s Liptak points out. “The source of most attacks is embedded malware that executes once a user opens or uses some item. A lot of the financial-based attacks are individuals or small group threat actors, often working in tandem, to exploit as many instances as they can to extort money or gain intel.”
Sometimes stolen intellectual property is the culprit. “A lot of the growth in technology of nations hostile to the U.S. is due to stolen intellectual property because the developers don’t have the cyber hygiene they should,” Liptak says. “Small criminal organizations are a big source, but some of the big nation-states and criminal organizations have big budgets, and skilled researchers.”
Difficult to pinpoint
As with any attack on the United States, determining the source is an important aspect in trying to determine the goal of the attack and against whom any retaliation should be directed. Unlike a rocket launch or attack by air, land, or sea forces, however, a cyber attack is extremely difficult to pinpoint.
“Attribution as a whole is improving, but in very small increments,” Gray Analytics’s Liptak says. “Mostly that comes through sharing of source code, where you can see the ‘fingerprints’ of specific actors.” Machine learning and artificial intelligence (AI) can help with that, he adds.
“When you think of the internet as a whole, you’re talking about hundreds of millions of devices and components — and that doesn’t even include hidden tunnels, such as VPNs and the dark web. All of which make it very difficult to track an attack back to its origin — and even if you do, that doesn’t guarantee the location of the threat identifies that nation as part of the attack.”
Given the complexity and speed of threat development, the government and its contractors generally have taken the lead in developing cyber defenses. Some of those may be shared with non-DOD entities, depending on the programs under which they are developed and their classification level.
As technology continues to evolve and mature, there will be components the government can share with industry. The defense industrial base, a public/private vehicle between government and industry, is one way that such new developments may be shared. The question is when, how much, and where, which is speculative because it depends on how something is classified. Not sharing new developments also may benefit the developer from an intel perspective by not letting adversaries know about them.
“The bigger the organization, the more resources it has that small and medium businesses can’t afford, making them more likely to be dependent on the big players to offer to help them — for a price,” Liptak says.
Threats to networks
Because everything is networked, a breach at any point could enable professional hackers to work their way up the food chain to more important targets that may recognize the system within which malicious software has been hidden as a trusted source.
With attacks constantly coming from all directions, employing ever-increasing levels of stealth and sophistication, every networked device needs some form of cyber protection, from the purely personal to the highest level of secured government or military systems.
“Detection is slowly but continually improving, but the threat also is growing,” Gray Analytics’s Liptak says. “By using intel on breach incidents, you can tell what actors were looking for and what and how they attempted to infiltrate. Threat hunting looks for a red team methodology on how a threat may attempt to get in. Industrial controls and manufacturing integrity, including supply chain protection, allow you to look for another source of supply or use compromised hardware, which can be a problem in itself.”
“It’s about the same for deterrence,” Liptak continues. “While there are new techniques, tactics, and procedures being used, it is such a low barrier for actors to use cyber. It’s extremely difficult to do 100 percent deterrence. For every threat actor detected, there are probably hundreds doing the same thing undetected. Even with detection and deterrence systems in place, the threat guys will continue to try to compromise systems.”
With the speed at which technology is evolving — including the appearance of revolutionary new technologies — it is difficult to forecast what the future holds for cyber security detection and deterrence.
Improvement on the horizon
Liptak predicts the next five years will see a continual improvement on the detection side due to technology evolution and more sharing of information between government and industry. But there is a flip side to that “good” news.
The future will see improvements in software and hardware for cyber security, Liptak says. “I would say the next generation of cyber security will focus more on software and the human element, but hardware also will improve with new security postures for companies, internal and external contacts.
“There are efforts to develop hardware and software that not only detect malicious code, but also protect the hardware from attack,” Liptak continues. “A lot of effort also is being spent on the human element; we have a lot of organizations being compromised by social engineering efforts. But that’s a really difficult area to see improvement unless humans stop making mistakes.”
While the U.S. is developing whole-of-government efforts to deter attacks and the intelligence community is working closely to detect or deter foreign operations, experts agree just about any nation with the ability to do cyber intel attacks probably will.
“CISA is necessary because the 21st century brings with it an array of challenges that are often difficult to grasp and even more difficult to address,” CISA Director Christopher Krebs wrote in his introduction to “CISA Strategic Intent”.
“We immediately think of our reliance on networked technologies, or perhaps our interdependent supply chain, as significant risk factors — how well do we really know the things we’re relying on and do we understand what happens when we lose them? Making matters more complicated, it’s not just human-driven threats; we must also plan and prepare for Mother Nature, as well as for the fact that sometimes technology just fails and bad things happen as a result.”