The Cipher Brief is bringing subscribers different expert perspectives on cyber threats this week. Today's perspective comes from Rick Ledgett, former Deputy Director of the National Security Agency. We put to Rick the same questions we asked former NCTC Director Nick Rasmussen, to get his take on the current cyber threat environment and on issues ranging from terrorism to nation-state threats to deterring cyber attacks against the government and private industry.
The Cipher Brief: Has the U.S. done an adequate job in using offensive cyber operations to disrupt terrorist messaging? Are there opportunities and advantages to taking a more aggressive posture? Are there risks?
Ledgett: Taking things down and keeping them down is not an easy task, and it’s complicated by the fact that, at least in this case, advantage goes to the “defender” (the terrorists). U.S. and allied entities must discover the messaging account (say, on Twitter or Facebook or YouTube), analyze it, and work with the provider to take it down. The terrorists can very easily set up a new account and populate it with content from off-line or on-line storage, in a process that is inherently faster. End-to-end encrypted applications like Signal and WhatsApp are difficult for authorities because nobody has the key to decrypt them except the end users. It’s possible that the companies will be able to use machine learning or other AI techniques to make detection faster, but there are First Amendment issues at stake, and they will likely move carefully.
The Cipher Brief: There were concerns after the U.S. walked away from the JCPOA agreement, that there might be retaliatory cyber attacks from Iran and those attacks might target private industry. How concerned are you about that and what would an effective public-private defense look like on that front?
Ledgett: I think it likely that Iran will use cyber to respond, as it fits in with their strategic model of a proportional response to sanctions, and they have done it before. The real question is whether they use denial of service attacks as they did against U.S. financial institutions in 2012-2014, or destructive attacks as they reportedly did against Saudi Arabia in 2012 and 2016. Even worse would be an attack that disables industrial safety systems like the 2017 attack dubbed ‘Triton’ that was designed to cause an explosion in a petrochemical plant in Saudi Arabia; some have attributed this activity to Iran.
For defense, start with patching systems. It’s trite, but the overwhelming majority of successful cyber incidents occur via a known vulnerability for which a patch exists but was not installed. Then double down on prevention and detection of spear phishing, the most prevalent way legitimate login credentials are stolen. DHS already has contact with key infrastructure groups, and it should leverage those, and the individual members therein, as two-way conduits for the exchange of threat intelligence and information on unusual activities on civilian networks.
The Intelligence Community is most likely already looking at this, but I think it would be a good idea to look at the level of resourcing directed against the Iranian threat, given the current (and warranted) focus on Russia and the mid-term elections. Finally, and this is most likely underway as well, the Administration should be preparing for the possible use of all its instruments of national power to prevent, respond to, and deter follow-on Iranian cyber attacks. These could include diplomatic outreach, public and private messaging, readying (but not yet using) more stringent sanctions, and cyber means. The recently released National Cyber Strategy allows for a more muscular and agile set of activities in cyberspace, and the planners at U.S. Cyber Command and the analysts and operators at NSA are likely quite busy right now.
The Cipher Brief: You and I have talked before about benefits that the U.S. could reap by following a GCHQ model. Are we any closer to that today than we were – say – a year ago?
Ledgett: Not really. There has been a move in Congress to rename the NPPD as the Cyber and Infrastructure Security Agency, but that’s not a significant change because it would remain in DHS, while the bulk of the nation’s cyber expertise lives in the Department of Defense, in NSA and U.S. Cyber Command. The current focus on election security has caused the organizations to work better together, as there’s nothing like a real problem to help eliminate bureaucratic barriers. But I still believe the right answer is some kind of Task Force that reports to the White House, has operational capabilities embedded from DoD, DHS, FBI, and others, and has the authority to act within predefined boundaries, using all those capabilities. That’s the only way we are going to get the rapidity and agility of response that’s needed for successful defense.
The Cipher Brief: And finally, the United States often does not talk about its responses to cyber attacks – from the OPM hack to Sony – the mantra is that not all cyber attacks warrant cyber retaliation, but then few details are made publicly available about the response. How important is it to get more information out in the public arena about the U.S. government’s response to cyber attacks, either against the government or the private sector?
Ledgett: I like the idea, which the current administration has been doing, of naming and shaming. The internal USG process that determines attribution is robust and nuanced. Because it involves intelligence sources and methods, all the evidence won’t be disclosed, but I wouldn’t worry about that. I also think saying what we’re doing to respond, including in cyberspace, would be good to do, for both domestic and international audiences. Having a potential adversary know you have a capability and will use it is an important part of deterrence.