Reimagining our Domestic Cyber Defense Posture

Cyber Advisor

OPINION — The SolarWinds breach, targeting several government agencies and private sector entities, was a stunning feat carried out by a nation-state actor purported to be associated with Russia’s SVR intelligence service. We still do not understand the scope of the operation or the extent of the damage wrought by the perpetrators. Some describe this event as a failure of U.S. cyber strategy, and many are calling for change. At this stage of our understanding, most experts agree that it was a highly sophisticated, highly disciplined act of espionage. Such a dangerous and costly operation warrants a strong response now, as well as a fundamental redesign of our domestic cyber defensive posture. In the words of Cipher Brief Expert General Stanley McChrystal, “it takes a network to defeat a network.”

Over the last year, we at the Cyber and Intelligence Projects at the Harvard Kennedy School’s Belfer Center have been conducting research and imagining what this new paradigm might look like. We reference General McChrystal’s motto above as the driving tactical and operational vision behind our project. As he describes the Joint Special Operations Command evolution in Team of Teams, “Organizations must be networked, not siloed, in order to succeed…Specifically, we restructured our force from the ground up on principles of extremely transparent information sharing and decentralized decision-making authority. We dubbed this goal—this state of emergent, adaptive organizational intelligence—shared consciousness, and it became the cornerstone of our transformation.”

Cyberspace offers our adversaries the ultimate asymmetric capability, providing over-the-horizon reach without having to set boots on the ground, the ability to move quickly throughout networks, and all-important cover and concealment to conduct their operations. These adversaries–known as Advanced Persistent Threats or APTs–are teams of intelligence gatherers and operators associated with a foreign government. Their activity is not a series of one-off attacks–it is a continuous assault by networked cells armed with knowledge of their targets, sophisticated tools and techniques, and time–carrying out the interests of their nation. They target our nation’s critical infrastructure, our schools and companies, steal our intellectual property, and conduct information operations against our electorate–such threats compromise America’s safety and security on a daily basis.

Surely there were clues–between the classified data points and the unclassified observation of activities on domestic servers and networks–but classification restrictions and inadequate infrastructure for data aggregation and sharing likely prevented piecing those clues together before it was too late. Cybersecurity is national security–approaching cyber threats as anything less than that misdiagnoses the nature of the challenge we face. Unfortunately, our current defensive cyber analysis and operations across the domestic landscape are stove-piped and uncoordinated, leaving us over-extended and vulnerable. The underpinnings of our modern economy–networks, servers, satellites, the Cloud–are all largely built, managed, and protected by private industry. As such, every organization is responsible for the protection of its own systems, and many lack indigenous intelligence capabilities and have little incentive or infrastructure to coordinate analysis or defensive actions with other organizations in the private sector, with states, and with the federal government. Most importantly, there is little capacity for companies, organizations, and agencies to operate a collective defense, systematically sharing threat data and learning from each other.

The special operations model included a network of several forward operating bases with Joint Operations Centers across multiple theaters of war, staffed with cross-functional teams of analysts from coalition nations and U.S. partner agencies conducting real-time analysis while sitting alongside and briefing the operators. This concept could be applied to domestic cyber threat analysis and operations–we envision similar cross-functional forward-operating centers across the U.S. ready to analyze intelligence, inform stakeholders across the landscape, “action” an objective, collect and analyze post-operation intelligence, debrief, and repeat. By the same token, it is critical that we have the technology to collect, anonymize, and index this data for all to access, at speed.

In this sense, actions on objective might mean cutting access to a domestic network, expelling an intruder across multiple networks, or pulling the plug on adversarial infrastructure in a coordinated and collaborative manner. Intelligence gained from an operation is gathered, processed, and indexed for use by all, and the results briefed up and across the domestic non-federal and private sector ecosystem and the Intelligence Community. Achieving such a goal, however, requires legal protection, analytic capacity, and resources, things that Congress must thoughtfully consider and provide in budgets, legal framework, and authorities. This networked approach would knock down silos and encourage organizations to work with and learn from each other in order to defend against cyber-attacks and campaigns. Private sector entities, states, and sharing organizations would work in partnership, with the facilitated focus, resources, and tradecraft of the federal government.

This raises the question: would widely shared, unclassified threat information and access help the adversaries and attackers we are trying to thwart? The reality of cybersecurity is that the offense is consistently ahead of the defense. Furthermore, the greatest advantage the offense has is that networks are ill-prepared or unaware. Zero-day vulnerabilities and new forms of old tools are used to penetrate unprepared or unwatchful systems. The faster and more widely threat information can be disseminated and actioned in a coordinated manner, the less success attackers will have. Such coordinated actions must be conducted domestically at the tactical level, and externally at the operational and strategic level by the federal government. This is key to a “whole-of-nation” approach that will increase the United States’ resilience against cyberattacks.

Moving toward this whole-of-nation paradigm requires reimagining the concept of national security. A new cyber intelligence and security structure must be designed from the ground up to provide cyber threat information to the companies and institutions which defend the critical infrastructures upon which our national security depends. We seek to reimagine how our nation conducts cyber threat intelligence operations with a networked approach. Much like General McChrystal did, we must “tear down familiar organizational structures and rebuild them in order to confront a rising tide of complex threats.” This would be a monumental and challenging shift, but one that we believe is necessary.
