Information security — or what is commonly referred to as “cyber” — has dominated the narrative in this week’s hearings on Capitol Hill about the Russian interference in the 2016 elections. Despite the political noise, a fact-based public debate on how to deal with strategic and targeted attacks is what’s needed now to develop better defenses for all — businesses or government organizations.
There is a universal agreement that a highly motivated and unapologetic entity has conducted an advanced and persistent campaign to disrupt, undermine and gain power over its strategic adversary. The questions become: What have we learned from the 2016 campaign and how are we going to adapt to prevent similar cyber campaigns in the future?
Convenience versus security
The alleged attempt by Russia to influence the outcome of the U.S. elections is today’s news. Yet this has not been and will not be the last time such operations have been conducted by nation-states, including our own.
From the Titan Rain in the early 2000s, to Operation Aurora/Hydraq in 2009-2011, Red October, Eurograbber and the infamous Sony intrusion, to name just a few, we see that well-funded global technology providers may still bend under the pressure of the advanced and persistent intrusion run by highly skilled cyber teams. In every circumstance, the pattern is: break in, harvest information and use it to gain influence.
If recent history is any lesson, the 2016 election has shown that complexity is often the primary source of weakness. Take the 2016 election campaign; years’ worth of private, high-value conversations were extracted from an unauthorized communication system and later strategically exposed to the public for a larger political effect. It is unlikely that any decisions to retain high-target sensitive information were made because sanctioned technologies were too simple and convenient.
Why do we still hope to teach end users to use complex products in the name of security? Do we, for example, rely on employees to never take a picture of a whiteboard or to ensure their phone settings are such that the picture is not stored in the cloud? Do we train our teams to make sure all IP is permanently deleted when it is no longer useful? Do we provide corporate phones that won’t talk to the internet and expect people not to use their personal devices? Or do we realize that they will default to the convenience of their own machines and provide them an easy-to-use application that auto-deletes proprietary information?
Offering our public officials and business leaders a simple system built to encourage collaboration while proactively deleting sensitive data could very well have made a significant difference in the many intrusion incidents we witnessed in 2016. We all need to come to grips with the fact that imposing complexity on end users will only further enable advanced and persistent adversaries.
Combating persistent adversaries
Many of us who worked in security during the Aurora incident response remember that it was an event that made the term “APT,” or advanced persistent threat, ubiquitous. Perhaps the most disappointing byproduct of Aurora was the sales frenzy it triggered in the infosec industry. Armies of “sportcoats” were unleashed to sell products that protected your everything from APTs. The current discussion of the “Russian Threat” has created a similar irrational demand for security silver bullets.
There is nothing wrong with developing defensive technologies, nor do I suggest that investments in layered security strategies are inappropriate. But we must face that existing security tech is often mere cyber speed bumps while the operating expense of protecting digital assets is fast outgrowing the value of what we attempt to secure.
Although there is no silver bullet solution, and security remains incredibly hard, enabling organizations to protect less is a first step in the right direction. Default ephemerality minimizes the window of opportunity for attackers. It robs advanced adversaries of persistence while offering an efficient and predictable framework for keeping proprietary information private.
No matter how robust and layered your end-point defense is, if important communications are stored, they are vulnerable to anyone with enough resources and persistence. That applies to policy-makers, corporations, critical infrastructure and any organization working with information of value. The result is expensive and mostly ineffective attempts to protect communications we don’t benefit from storing.
And while there is no compelling enough reason for retention of real-time communications in the face of security risks, we do it out of habit anyway. Because storage is free, just as are convenient services if only we allow the providers to access and hold on to our information.
What’s at stake?
Interestingly, in the 1990s, when cybersecurity was not much of a concept, Dan Geer foresaw that storage will be near free and, therefore, unreasonably costly in the future. At the time, not all appreciated the vision that storing everything would make the task of securing data nearly impossible and extremely expensive. Now there is almost a universal acceptance that we are simply storing too much.
As technology evolves, so do the capabilities of adversaries working to exploit not only the security flaws in common technology but the human nature of those with access to sensitive information. Things get even messier when an adversary begins to push the boundaries, exploiting the very strength of the system it seeks to compromise — free press, transparency, strong judiciary and law enforcement.
If before we used to fear the simple hacking of the election box, now it is clear there are multiple ways to disrupt and destabilize one’s political system. Several European nations are in the midst of their election campaigns. They, too, are facing foreign influence. Understanding how to adapt to increasingly sophisticated and unconventional tactics is all the more critical in minimizing the impact of the next generation of attacks built on the 2016 Russian playbook by other state and non-state attackers.
Progress will be made in the middle
So where do we go from here? Trust and understanding between the government and the industry is key to improving our readiness against foreign or domestic adversaries. Although it is understandable for law enforcement and intelligence to want more and easier access to information, including the ability to bypass encryption, it is counterproductive given the existing threats, including to the government’s own communications. Yet it is equally understandable that the private sector will not grant such easy access and should not be relied upon to do so.
We should perhaps face the fact that law enforcement will vilify encryption in the name of public safety, and privacy advocates will vilify surveillance techniques in the name of free speech and democracy. We should also expect to see more irresponsible reporting of leaked information and, as a result, silly and defensive posturing by companies suggesting that they have defeated the intelligence communities.
While extreme positions are important, progress will be made in the middle. That is why some of us will work fervently to create products that enable private communications, while others will be equally persistent in finding ways to gain unauthorized access to that same user content.
We can be certain that our adversaries continue to improve and build on their lessons learned from the 2016 elections, spinning off new hybrid attacks across global information networks. In turn, if we fight the instinct to continue hoarding sensitive communications and accept our own inability to access ephemeral conversations, we will extend this same limitation to our adversaries, eliminating the one weakness that proved most critical in disrupting our businesses and political system in 2016.