When each day seems to bring new headlines about state-sponsored cyberattacks, it can be difficult to discern reality from fiction. And as the made-for-TV political drama continues to unfold, the story is losing its appeal. But there are important takeaways from the Russian hacks—not just of political parties’ servers, but also general trolling on social media, and, more recently, of the purported attack on a utilities company in Vermont.
Earl Matthews is a retired Air Force Maj. Gen. and former director of cyber operations and chief information security officer for the headquarters of the Air Force. These attacks matter to industry for various reasons, he said.
“The threat landscape isn’t going to change anytime soon, and the pace of the attacks will continue to increase,” he said. “Russia and other nation-states have gotten even bolder, and criminals will continue to operate with impunity.”
The Obama administration has taken some steps over the last four or five years, Matthews said, but both government and industry need to pick up the pace.
Geopolitics: It’s Not Just for Governments
“We are a fully integrated society online,” said former Deputy Secretary of Homeland Security Jane Holl Lute who was speaking on a press call run by Atlantic Council. Across every industry, in both the public and private sectors, individuals and institutions rely on the internet. As a result, the U.S. has far more at stake when it comes to cyberattacks than many other nations.
“If you’re in charge of any important network these days,” said Kenneth Geers, a non-resident senior fellow at the Atlantic Council’s Scowcroft Center for Cyber Statecraft, “you will be subjected to cyberattacks of a geopolitical sort.” Because everything is connected, everything is fair game.
“Just like in chess or football, you press your advantage when your opponent is on their heels: You go for the throat,” said Geers, who has also worked for the National Security Agency, the U.S. Army and NATO.
Cybersecurity, Inside Out
There is nothing new about cyberespionage, Lute said, especially when it comes to Russia. But its activity in the months leading up to the U.S. presidential election points to an important difference between how Russia and the West think about cybersecurity.
“Russians have been right [in how they approach the cyber domain]all along,” said Geers. “The West is talking about cybersecurity and technical security,” such as network and perimeter defense, firewalls and access management, “but the Russians are talking about information security in a much larger sense.” In their minds, the information on your LinkedIn may be just as valuable as the data on your laptop.
“At the heart of what criminals are trying to do is get access to data,” said Matthews, who’s now the head of enterprise security solutions at Hewlett Packard Enterprises. “Unfortunately, we continue to look at the problem from the outside in, meaning we’re trying to keep blocking people from trying to have access to our networks. The right way to look at it is from the inside out. What’s most important to me about my data and my business? Which applications are most important? Start putting controls and security around those, and then work your way back out towards the perimeter.”
After all, the real damage Russia did was not getting in to the Democratic National Committee and Republican National Committee servers; it was what it did with the extracted data or what it might still do.
Easy Targets
Reports indicate the parties’ servers were not hard to hack; unfortunately, neither are those of most enterprises. Everyone, from CEOs to students, needs to focus on the weaknesses we continue to experience in both our professional and personal lives, Matthews said. Spearphishing and other social engineering attacks remain the most effective way to get into a network. These types of personalized, highly targeted attacks use information that we, ourselves make publicly available, on social media, company blogs and corporate bios. And as more internet of things devices connect to the network, that data will only grow.
“We are a country of freedoms; people can say and do whatever they want,” Matthews said. “But people need to understand what the consequences are, outside of that.”
When people post personal details on social media, they are, in a sense, providing the ammunition to Russia’s cyber weapons.
“This is fundamentally a cultural issue,” Matthews said. “In order to affect spearphishing, it takes education and training for employees and ourselves, and recognition that it’s kind of life safety.” Just as we teach our kids not to talk to strangers, he said, we need to teach them how to be safe online.
“Every enterprise needs to adopt standards of good cyber hygiene,” Lute said. While there are differing opinions on how to best approach cybersecurity, she continued, one thing everyone agrees with is the need for enterprises to adopt best cybersecurity practices at scale.
“We keep acting like nothing can be done [to prevent cybersecurity incidents].” Lute said. But good cyber hygiene is not that difficult. We may not be able to prevent all attacks, “but we can elevate the floor.”
False Alarm? False Flag? Either Way, it Wasn’t Good for the Company.
The security community has worried about cyberattacks against critical infrastructure for decades, and for a moment in late December, it looked as though these fears were realized. News spread quickly of a Russian attack on a utilities company in Vermont the day after President Barack Obama ordered the expulsion of 35 Russian diplomats. Did this escalation mean we were at war?
It turned out there was no attack, only the presence of Russian malware on an employee’s computer. In fact, other than the media frenzy, this was a good example of U.S. national security mechanisms working just the way they’re supposed to. The Department of Homeland Security sent out a warning to executives in 16 different sectors with technical details from Russia’s hacks. Burlington Electric then checked all of its computers, identified one that had the malicious code and reported it to authorities. The laptop wasn’t connected to the grid—a good example of easy-to-do cyber hygiene—and Vermonters’ heat stayed on.
But what happened carries grave implications for industry. News—real or fake, verified or not—spreads fast and the nation’s current hypersensitivity to cyberattacks means any reports could have disastrous effects on consumer trust, brand reputation and stock value. As Burlington Electric wrote in a statement, “Federal officials have indicated that this specific type of internet traffic also has been observed elsewhere in the country and is not unique to Burlington Electric. It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.”
Related: What Cyber Breaches Can Teach You: Lessons Learned from Jim Jaeger
