The enthusiasm of hacktivists worries longtime cybersecurity expert Patricia Muoio more than state-sponsored cyberattacks. The unprecedented sharing of hacking tools and knowledge could cause extensive collateral damage.
Cybersecurity experts have been watching the cyberwar set off by the Russian invasion of Ukraine this February with interest. Some anticipated state-sponsored attacks targeting Ukraine's critical infrastructure, recalling the Russian attacks on the Ukrainian power grid in 2015 or the NotPetya malware that in 2017 swamped the systems of Ukrainian organizations, including banks, ministries, power companies, and media.
Patricia Muoio was not one of them. During her interview with Cybernews, she emphasized that, having acknowledged Russia's hacking power and its more offensive stance after the annexation of Crimea, many organizations boosted their defenses, making themselves a harder target.
An expert in cybersecurity and computing with a 30-year career in the intelligence community in various technical and leadership positions, Muoio now serves as a Venture Partner at the venture capital firm Sinewave Ventures, vetting the technical viability of emerging technologies of possible value to the government.
I sat down with her to discuss the current cyber war and its implications for entities worldwide.
At the beginning of the war, did you anticipate that Russia might use its cyber weapons to, for example, shut down Ukraine's power grid or do something similar?
I did not anticipate something similar would happen because it had happened already. Ukraine and others had a wake-up call and have improved their defenses. There might be strategic value to Russia in carrying out similar attacks. However, I'm not sure that a wide range of attacks is still available to them, given the defensive technology deployed in many places.
Since the Russian invasion, have you seen any significant cyberattacks? There's a lot of information on what hacktivists do, but did something of importance happen beyond that?
I don't do attack identification analysis in my current role, so I have no access to information about attacks other than what's in the news. I'm not aware of anything that's not public knowledge.
What do you make of that public information?
It's hard to tell from a distance whether what I would call annoyance attacks cripple operations for a decent amount of time. It doesn't look like any vital infrastructure facility was taken offline for any significant amount of time. But there was a lot of problematic operational disruption, and people had to work around it.
What do you think of Russian cyber offensive capabilities? Some say that Russia's cyber weapons might be as weak as its artillery.
People are ignoring the fact that defenses have changed as well. The unique edge of advanced persistent threats (APTs) and nation-state threats is being sneaky about getting in, finding novel ways to get in, and, once they are in the system, finding sneaky ways to move around and finding ways to stay in there even if people run scans and remove malware.
Those advanced techniques are still being used but are less effective because they are being met with defensive technologies that don't care about how you get in. They care when you start executing. The unique knowledge and special value about getting in sneaky ways and doing all this reconnaissance become irrelevant.
The whole landscape of how attacks are made is changing because the defensive mechanisms have become attack-agnostic. You know any attack has to do one of these few things, and when one of those few things starts showing up on your system, you can stop it then. That's a significant change in the game. Russia and, I would argue, probably many nation-state cyber experts are finding it more difficult to find targets of opportunity because some of those targets have deployed defenses that just make their special skillset less powerful and useful.
When talking about boosted security, are you talking about a broad range of organizations or mainly critical infrastructure, tech companies, and others who expect to get attacked? Is everyone up to the level that you are talking about?
No, and that's particularly frustrating to me. Many critical infrastructure things in particular, because it's an older, more physical domain, are very slow in being able to hold up against these attacks. To some extent, they have legacy systems on which new software won't work, but also the security attitude is just a little different.
I think the financial industry has taken care of itself very well, and I would be surprised if any large, high-level financial institution didn't have a sophisticated defensive set to protect against these things. I think critical infrastructure is a bit leaky. That's a problem that needs to be addressed both by the infrastructure providers being smarter in the kinds of defensive technologies they deploy and by technology providers in providing solutions for these legacy systems and power-generation devices that don't have modern operating systems.
There is a problem there, and I don't think these solutions are ubiquitous. I do believe that in an attack a few years ago, Russia may have shot its wad, so to speak, with respect to Ukraine because they got their wake-up call and started to pay attention.
Does the same apply to the critical infrastructure in different countries?
Yes. I haven't done a lot of research on particular defenses worldwide. I think there are vulnerabilities in the US critical infrastructure, for sure. Those are the ones I'm more familiar with. I suspect it's a systemic problem because it stems from the nature of the machinery and the industries themselves and the late attention to the problem in general. I presume it's uneven but widespread.
Even if we are not talking about APT, Russia has been infamous for turning a blind eye to its hackers as long as they don't attack Russian organizations and focus on the Western entities instead. Given their patriotic sentiment, do you think that Russian threat actors might attack the West even more?
The citizen hackers worry me a lot more than the nation-states. They can do the same amount of damage once they get in. When I was in the government, I remember there was a lot of policy and diplomatic concern and constraint around how you develop and deploy technologies. You wonder if it will be ok to attack this particular system because, for example, a hospital might be on the same grid.
Hackers don't worry about those kinds of things at all. Most nation-states, certainly the US, do. Hackers are potentially a bigger danger because they are less controllable. They have less sophistication in understanding the ripple effects of what they do. Their motivations are more passionate than reasoned, so I do worry about that. I don't think their capabilities are any different than before the war. They run into the same things about increasingly better-defended targets and fewer opportunities to go after. But there are plenty of opportunities, and I think that is something that security people should worry about.
Do you worry about hacktivists and the collateral damage they might cause unintentionally while attacking their targets?
Yes, I do. Early in the war, when Ukraine called up its citizen cyber army, you can give them a lot of credit for guts, but also, you think they let the genie out of the bottle. I don't know if anybody will be able to put that back in. Tools are out there for people to use. You want them to use them for these noble ends, but will they? Will these noble ends in the hands of amateurs cause collateral damage that you didn't think about and wish you hadn't started? Hacktivism, citizen hackers, and criminals that turn to nationalistic ideals are a serious problem, and it's more of a worry in my mind than an actual state-sponsored attack.
So from what I understand, it's not their leaks or DDoS attacks that worry you the most. It's the shared tools and knowledge that can be used for malicious purposes, right?
I worry about attacks that will make it difficult for critical infrastructures to function. DDoS is a very cheap way to make it hard for people to operate by making the networks hard to use, and so it is worrying from that point of view. But many people have put services in place to help them manage the network flow, so I'm not sure you could take anybody out for a long time with DDoS alone.
The attacks where you would be able to send corrupt command and control messages to infrastructure things and make these physical components behave incorrectly are worrisome attendants to a kinetic war. With the kinetic war, you want to make sure that you are helping reduce the enemy's ability to protect themselves and respond to the attack.
Do you think the current cyber war will make government and private organizations boost their cybersecurity budgets and raise awareness?
I'm not sure cybersecurity budgets are inadequate. I think cybersecurity buying is not all that smart. I'm hoping that there's increased awareness of cybersecurity, that people being perplexed about why there weren't more cyberattacks makes some think about what might have stopped them, and that the general understanding of the right kind of cyber tools to deploy becomes a smarter consideration.
The more people worry, the more they think about it. Hopefully, they make themselves smarter about it and do smarter things. There's been a lot of chatter about critical infrastructure people who are now worried in a way that I think they should have been worried for years. But now they are because they believe Russia might come at them. Worry is a good thing because they have been a little irresponsible or naive in their investment and deployment of cyber defenses and need to improve in that arena.
You said that cybersecurity buying is not always that smart. Could you elaborate?
The cybersecurity industry, from the beginning, has been modeled on the attack response kind of way of thinking. Many technologists have spent their time figuring out where the attack is coming from and what this particular attack looks like. That's a losing battle.
The attacks can come from anywhere and frequently change what they look like. They are evolving faster than technology is. There's a lot of cyber technology that is not particularly useful but is well thought of. Many people are buying in response to what I call the attack du jour. This is a cool thing, and you have to buy another piece to plug in on top of whatever you have. Not many people are thinking about how this is architected, how these tools interact, whether it is redundant to something they already have, and whether there is a more fundamental way to address this problem.
As these more attack-agnostic capabilities become prevalent and their effectiveness is more broadly understood, we will move from this attack du jour way of buying to a more systematic way of protecting our systems.