Total war will be cyber, says former NSA agent


With tensions heightened in the wake of Vladimir Putin’s decision to invade Ukraine, many are now looking to cyberwar as the next field of human conflict. But for some, digital warfare is nothing new – and the recent escalation of hostilities with Russia comes as little surprise.

“Cyber's always a busy place, either people pay attention to it or they don't,” says Marianne Bailey, cybersecurity practice leader at Guidehouse. “Now we have all eyes focused on us – but even when people aren't paying attention to it like they are today, it's still happening everywhere.”

She should know. Before coming to work at infosecurity firm Guidehouse, Bailey spent more than three decades serving her country, working in cyber intelligence for the US National Security Agency (NSA).

But while some have expressed fears that the confrontation with Russia and its allies could escalate to nuclear war, Bailey believes that the future of any mass conflict is more likely to reside in the cybersphere.

As such, she believes the time has come for companies to finally get serious about their cyber defenses – and stop overlooking “basic things” that she says are allowing threat actors to “walk into” their networks.

Cybernews sat down with Bailey to pick her brains about the geopolitical outlook for information security, and the simple but effective measures organizations can take to reduce the threat of digital attacks.

Some observers seem to think the term “cyberwar” is an exaggeration – has it truly begun, or is what we are seeing with hacktivist groups like Anonymous just white noise?

I think it depends on how you define that. I would say we've been in a cyberwar for a long time, it just hides below the surface, and the average person doesn't see what's really going on every day. But there have been misinformation campaigns like during the [2020 US] election, and the challenging thing about cyberwar is that – just like you have these hacktivist groups – it's very hard to attribute who is doing what. In the cyber world, we're all connected digitally around the globe. Nobody really launches a cyberattack – or rarely – from their homeland. They host somewhere else and hop from country to country. So typically, you've attributed something to a nation before, and you're seeing them doing the same types of thing. They call it techniques, tactics, and procedures (TTPs). And then you're saying: 'OK, this looks like Country X because this is how Country X usually does things.' But it's very hard to attribute.

I was in government for 35 years, leading the cyber organization in the Department of Defense at the Pentagon and the cyber security organization in the NSA, so I get to see a lot of things and very classified stuff [about] capabilities of nation-state adversaries. And I've always wondered why we haven't seen the 9/11 of cyber yet. When I heard Putin's threat that if the West gets involved in Ukraine we're going to see a “wrath like we haven't seen before” – and I'm paraphrasing – I immediately went to cyber. He's going to take out power grids.

My other friends who don't live in this world say it will be a nuclear attack – they look at the total kinetic stuff, but cyberwar is incredibly appealing for a lot of reasons. It's much cheaper, you don't have to be physically in that geography. You can cause a lot of damage pretty quickly, and it's pervasive. So I think we're in a cyberwar. Look at the US, we built up an entire cyber command. We have air, land, and sea, right? All these warfare domains that we look at protecting – and cyber is now one of them. Look at the ransomware stuff that's grown exponentially in the past couple of years – if you don't think that there are some nation-states behind that, then you're not paying attention. And that's the thing that's hard to attribute, even if it's civilians. I know we talk about Anonymous, and they're definitely a standalone type of group. But a lot of these groups that purport to be Russian criminals or whatever – they're really funded by the state.

Another analyst I interviewed recently suggested that the West is lagging behind Russia and its allies in terms of attack capabilities – because traditionally, we've tended to focus more on defense. What’s your take on that?

I don't agree, and I think I have a lot of colleagues that wouldn't agree. We're just not as public. But while I've been part of an organization that certainly is involved in offense, you have to have a defense, and I don't think we've focused on it enough. I do think that we play the game – and it's not really a game because it's very serious – very differently than China or Russia or maybe Iran. We don't steal intellectual property from other nations, which is something some of our adversaries do. We're not in for destruction, we're just not as noisy. That doesn't mean we're not doing due diligence, and we don't have really wicked smart people.

So it's a different form of attack? Because destruction, that is attack, isn't it? Some might say the ultimate offensive is to try and destroy…

Maybe. It depends on what your outcome is. What if it's an information campaign, which is kind of what Anonymous is doing today? Trying to get real information to the people that are being blocked from it, it's not really destruction. Ransomware is not really intended to be destruction, it wouldn't be effective if it was. If they were never able to unencrypt your information and give it back to you, people would stop paying. So it really depends. Sometimes it's kind of to send a message, “you need to be aware I can do this” kind of a thing. But the US fights differently: we fight with sanctions, we fight with all the different powers of war.

Speaking of which, how do you think the global economic blowback from the Russian sanctions will affect spending on cybersecurity?

It's very difficult to convince a corporation or even a government entity or a major Department of Defense program to invest in the cyber aspect of protecting their systems or their intellectual property if you don't have real evidence to give them. You can say these things are happening, and you need to protect yourself, but they really don't believe that until it happens to a peer of theirs or they've seen it [for themselves].

The analogy I was thinking about was like 9/11. I can barely think back to what life was like traveling in an airport before – because we're so used to it, right? We've birthed a whole new agency in the US called the TSA [Transportation Security Administration], you now have to have a ticket to get to the gate. You think back now, you're like, really? Anybody could just walk up to the gate before? When you think of all the stuff we've gone through and we've gotten used to – our children don't even know. And why? Because it was a loss of life and it was so catastrophic – it was a horrific thing to the US. And so we really buckled down. And I think when we see some major type of activity in cyber, you're going to see the same type of thing. People are very worried about the NotPetya [cyber attack] unleashed by Russia a few years back. It went rampant across the world, they lost control, it caused billions of dollars of damage to industries that they didn't have any intention of impacting. It opens your eyes.

Certainly, there will be issues with resources from this, like there are with any kind of conflict. We're going to focus on all these types of humanitarian things that you need to worry about – but I don't think they will take [funding] from cyber. If anything, I think there will be a continued increase, and companies will definitely double down on their security.

Colonial Pipeline was a backend billing system that didn't really impact their ability to deliver fuel – but guess what, they couldn't bill. You don't bill, you don't deliver – you don't deliver, gas stations don't get fuel, and then people are in line to gas stations because everybody panics. It's crazy, that ripple effect – but you never think about that unless you go into a conscious effort to find out if you're resilient to a cyber attack. And you have to have technical people working with you, talking about “this is what a bad guy can do.”

If an adversary gets into my system as an authorized user – which is one of the common ways these attacks start – people are still using username and password instead of multi-factor authentication. People always pick something they can remember, and it's always guessable by this great technology that we have. Adversaries get the username and password, and then they look for ways to privilege escalate this – it happens all the time.

People buy network equipment routers, firewalls – but they never change the factory password. The factory sets the password to the same thing for every one of these things they sell. So once the bad guy gets into the network, they look for a generic password, and next thing you know, they have privilege escalated and system administrator – they just walk through the network. Now they can do anything they want – like plant APTs [advanced persistent threats] that just sit there until they want to use them. And that's the scary part: it's like these little time bombs sitting all the way through the infrastructure.

A new law the Senate recently approved requires vital infrastructure companies to report within 72 hours of reasonably knowing about a cyberattack. That’s all well and good, but – assuming it's not a ransomware attack where criminals alert you to extort money – what happens if firms don’t learn about it for months or even years?

When you're doing forensics on a cyberattack, sometimes it's very complicated. Because if you're working against a nation-state adversary, they're doing everything they can to hide their tracks. So they're going to delete logs that you would look at to see what happened. I've been involved in intrusions where we saw the adversary exfiltrate data, but we never saw it leave that environment. And of course, that organization said: “Well, they didn't take it.” I said: “They absolutely took it – we just can't see it.” You're trying to find their maneuvering and following stuff – sometimes you find that they've been in there for six months, nine months, a year. I've been involved in cases where we thought we eradicated them, and three years later, they're back in.
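The answer above turns on one practical problem: the adversary deletes the very logs an investigator would read. Two cheap checks a defender can run over collected logs follow from that, shown here as an added example that is not from the interview, from Guidehouse, or from the NSA. It assumes a simple "timestamp host message" log format and a handful of constructed sample lines; the explicit log-clearing record used is the Windows Security event 1102 ("The audit log was cleared"), while the per-host gap threshold and the other wording patterns are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for this example (not from the article).
# Format assumed here: "<ISO-8601 timestamp> <host> <message>".
SAMPLE_LOGS = """\
2022-03-01T08:00:00 web01 sshd: accepted publickey for deploy
2022-03-01T08:05:00 web01 cron: backup job finished
2022-03-01T08:10:00 db01 postgres: checkpoint complete
2022-03-01T08:12:00 web01 sudo: deploy : COMMAND=/bin/systemctl restart nginx
2022-03-01T08:15:00 db01 postgres: checkpoint complete
2022-03-01T08:20:00 dc01 Security EventID=1102 The audit log was cleared.
2022-03-01T08:25:00 dc01 Security EventID=4624 An account was successfully logged on.
2022-03-01T15:40:00 web01 systemd: started session 42
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Patterns that indicate log tampering. EventID 1102 is the Windows Security
# record "The audit log was cleared"; the other two are generic wordings
# assumed for this constructed sample.
CLEAR_PATTERNS = [
    re.compile(r"EventID=1102\b"),
    re.compile(r"audit log was cleared", re.IGNORECASE),
    re.compile(r"log (?:file )?(?:deleted|truncated)", re.IGNORECASE),
]


def parse_line(line):
    """Return (timestamp, host, message), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return ts, m.group(2), m.group(3)


def parse_logs(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def find_silent_gaps(text, max_gap_seconds=3600):
    """Flag, per host, stretches longer than max_gap_seconds with no entry.

    A host that is otherwise chatty and suddenly goes quiet is one sign that
    entries were deleted or that log forwarding was switched off. Compare the
    threshold against the host's normal cadence; maintenance windows also
    produce gaps, so this is a lead to check, not proof of tampering."""
    by_host = defaultdict(list)
    for ts, host, _ in parse_logs(text):
        by_host[host].append(ts)
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            delta = int((cur - prev).total_seconds())
            if delta > max_gap_seconds:
                gaps.append({"host": host, "start": prev.isoformat(),
                             "end": cur.isoformat(), "gap_seconds": delta})
    return gaps


def find_log_clearing(text):
    """Return records whose message matches a known log-clearing pattern."""
    hits = []
    for ts, host, msg in parse_logs(text):
        if any(p.search(msg) for p in CLEAR_PATTERNS):
            hits.append({"host": host, "time": ts.isoformat(), "message": msg})
    return hits


if __name__ == "__main__":
    for g in find_silent_gaps(SAMPLE_LOGS):
        print(f"GAP   {g['host']}: {g['start']} -> {g['end']} ({g['gap_seconds']}s)")
    for h in find_log_clearing(SAMPLE_LOGS):
        print(f"CLEAR {h['host']} {h['time']}: {h['message']}")
```

On the sample, `web01` is flagged for a seven-and-a-half-hour silence between its `sudo` entry and the next session, and `dc01` is flagged for the explicit 1102 record. Both checks only work if the logs are shipped off the host as they are written; an attacker who can delete local logs can also delete the evidence of deleting them, which is why a central, append-only collector is the control that makes the forensics in the answer above possible.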

What would you say to cash-strapped companies just starting out that are likely to grouse about anything that contributes to their overheads, including cybersecurity spending?

Regardless of how much money you have, you should have a cyber assessment done of your organization. People buy a lot of technology, they all love the new shiny thing that's going to solve something for them – but they never step back and ask themselves: “What is my risk profile like, and if I had $10 to spend, where am I going to get the biggest bang for the buck?”

When I was in the DOD, I was about to spend hundreds of millions of dollars across the enterprise on mid-point security. I had a team that did an assessment for me. They looked at the attack framework and an adversary's techniques and how they come into the system and cause damage. Then they put that against the entire defense architecture that we had to date. To make a long story short, they came back and said, “OK, you can spend $300 million here, which you're planning to – or you can spend $40 million on an endpoint, and all of these things that are red [flags] now will go green.” Organizations and companies don't step back and look at that.

So you think there's a problem of them just throwing money at a problem and not targeting that expenditure?

Right. I think companies that are setting up things like chief risk officers are starting to get that because this all ties back to cyber resilience. What is it that I really care about protecting? What do I need to do to protect those things? Instead of just protecting the entire enterprise at the same level.

I asked another cybersecurity person with a background in defense about the P4X vigilante hacker who took down North Korea's internet for 24 hours. He thinks it would be a good idea for the US to start bringing in these vigilante types to use their skills. What is your take on this – should these people be recruited, or are they best left alone as loose cannons?

I definitely agree that if we can bring them in and tap them we should do it – but under our rules and laws. We have pretty significant laws, what we can do in this area. Cyber operations have to be approved at a very high level, it's not just people going off and doing what they want. But if they have these mad skills then we should bring them in and make them part of us if they're interested – sometimes they're not going to be. I certainly think it's worth it, but I do worry about them operating on their own. I think it can get very dangerous very quickly.

Could you elaborate on that?

Just not thinking through what could happen. They're not all skilled. I've been involved in ransomware events with companies, supporting them. The ransomware actor messed it up, and they couldn't unencrypt the data because it was corrupt – so there are instances like that where they're not as skilled as you think. Or they don't realize that this thing is going to go rampant. Look at NotPetya – because we're so interconnected, it's just very easy for things to get out of hand. And then the other thing I talked about, attribution – what if they're operating out of the US, but they're not operating on our behalf? Then somebody retaliates against the US because they think it's us... So there are a couple of reasons why it gets scary.

Is there anything else you'd like to share?

I still think now's the time for companies to really look at how they protect themselves, because there are basic cyber controls they really need to implement. They should have somebody help them: run scenario-based tests where they have an organization pretend to be an adversary, red team pen testing, and stuff like that. Most of the time, it's just simple things that will allow the adversary to get in.

Do you mean simple oversights, like not patching when you should?

Exactly. It's well known that [overlooked] patches are just a blueprint for your adversary to walk into your network. They're going to try all those first. Use multi-factor authentication. Obviously, phishing is big, so you have to educate your people – it's becoming more complicated. Just really basic things, it’s like that old saying: make sure your house is more secure than your neighbor's, and you're going to be safe. They're going to find a place where they can get in that's the easiest avenue of entry.