Let’s face it – cyberwar is no longer science fiction. Our economies – and our democratic system – are under attack. Security researchers are often reluctant to attribute attacks to particular nation states. But it’s become increasingly clear that Russia attempted to meddle in the 2016 U.S. presidential election, and perhaps other elections in the UK and Europe.
Last summer, Russia-backed hackers allegedly exploited vulnerabilities in the websites of perhaps dozens of U.S. state election agencies, and in at least one case were able to “alter voter information,” Time reported. Secret documents given to The Intercept by NSA leaker Reality Winner showed that an electronic voting systems vendor in Florida was breached by (alleged) Russian attackers a few months before the November election. The attackers spoofed email addresses from the vendor to target government election officials, in an attempt to compromise them with malware.
Russia has allegedly laid the groundwork for assaults on critical infrastructure. According to confidential FBI and Homeland Security reports obtained by the New York Times, Russia has extended its cyber-tentacles into manufacturing and energy infrastructure in the U.S. and other countries, including a nuclear power plant in Kansas. While there is no indication the attackers managed to infiltrate the control systems of U.S. nuclear facilities, their intention is clear. After a cyberattack caused service disruptions at energy utilities in Ukraine in 2015, the nightmare scenario of cyberattacks taking out the power grid has become all too real.
So, how should the United States respond? Some say we should retaliate to deter future attacks. The escalating attacks ahead of last year’s election eventually led President Obama to approve a plan to plant cyber-weapons in Russia’s infrastructure, according to a bombshell report in the Washington Post. (The covert action was still in the planning stages when Obama left office.) The risk of this strategy is that we accelerate the cyber-arms race, with mutually assured destruction serving as a deterrent against – but not a guarantee against – the use of those weapons.
A less risky strategy to prevent catastrophic fallout from attacks is to create much better defenses than we have now. WannaCry, the ransomware that disabled hundreds of thousands of computers around the world, proved that the defenses of soft targets like hospitals, transportation systems, banks, retailers, and other businesses are dangerously inadequate. WannaCry wasn’t as bad as it could have been, because of a weakness in the design of the malware – a kill switch, discovered by a researcher, that stopped WannaCry from spreading.
Petya/NotPetya, which followed a few weeks after WannaCry, was even more disruptive. The motive was apparently not financial gain, but destruction. The WannaCry and Petya attacks seem to have used a zero-day exploit stolen from the NSA, but at the time of the attacks, the vulnerability was known, with patches available weeks before the attacks.
Yet nothing that I’ve read suggests that adversaries used some secret zero-day to carry out their attacks on U.S. election targets. Those attackers exploited preventable SQL injection weaknesses in applications, and used spearphishing to trick users. These are commonplace attacks. They came at us with lock-picks, but we had no locks for them to pick.
Actually, the lock analogy – while appropriate in reference to some crucial cyber-defenses, including encryption and access controls – doesn’t fully capture what’s ailing our vulnerable digital infrastructure. As Veracode’s Brian Fitzgerald observed in a recent blog post, the focus on intrusion detection and response against “advanced persistent threats” is a misplaced strategy. Prevention is the only answer. If an application has vulnerabilities in the code, no firewall or antivirus protection is adequate to defend it. We must create secure code from the early stages of design and development, through testing and production, to protect the entire software lifecycle.
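To make the “preventable SQL injection” point above concrete, here is an added example (written for this edit, not code from the original post or from Veracode): a record lookup built by string concatenation beside the parameterized form that closes the hole, run against a constructed in-memory SQLite table. The table, names and precinct values are invented sample data.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a voter-record lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (voter_id INTEGER PRIMARY KEY, name TEXT, precinct TEXT)"
    )
    conn.executemany(
        "INSERT INTO voters (name, precinct) VALUES (?, ?)",
        [("Alice Example", "P-01"), ("Bob Example", "P-02"), ("Carol Example", "P-01")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The defect: user input is pasted into the SQL text and so becomes part of
    the query's grammar. A name containing a quote changes the WHERE clause,
    and a legitimate name such as O'Brien simply breaks the statement."""
    query = "SELECT name, precinct FROM voters WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The fix: a parameterized query. The driver passes the value as data,
    so whatever characters it contains, it can only ever be compared against
    the name column, never interpreted as SQL."""
    query = "SELECT name, precinct FROM voters WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input,
    so the two behaviours can be checked side by side."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)
```

With an ordinary name both functions return the same single row; with input that carries a quote, the concatenated version returns every record in the table while the parameterized version correctly returns nothing.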
The alternative is unacceptable. Jeh Johnson, the Secretary of Homeland Security under President Obama, said at a Congressional hearing recently that “cyberattacks are going to get worse before they get better.” Our software insecurity is a liability we have to overcome. This is a cyberwar – and we’re losing. The smart thing to do when you’re in a hole is to stop digging.