To Beat China and Russia in Cyberspace, Change the Game

OPINION — Recent U.S. threat assessments have made it clear that the defense industrial base (DIB), critical infrastructure providers, and the other private entities that form the fabric of the US economy and daily life now have a new role as targets of our near-peer competitors in cyberspace. To stop these capable adversaries, companies must shift their focus from detecting and responding to attacks toward a more preventative approach that keeps those attacks from entering their networks in the first place.

The unclassified summary of the Department of Defense’s 2023 cybersecurity strategy makes the stakes of defensive cybersecurity stark with its assessment that in the event of conflict, China “likely intends to launch destructive cyber attacks against the U.S. Homeland in order to hinder military mobilization, sow chaos, and divert attention and resources.” This underscores the Director of National Intelligence’s 2023 Annual Threat Assessment, which named China as the most active threat to US networks and elaborated that “China’s cyber pursuits […] increase the threats of aggressive cyber operations against the US homeland.” Russia has also signaled an increased willingness to conduct a number of cyberattacks against allies of Ukraine. Efforts to detect and respond have been further complicated by “living off the land” tactics that make it difficult to remove attackers from the network once they gain a foothold, as well as vulnerabilities in common browsers like Chrome that make entry into the network easier.

The exponential increase in capability on the part of threat actors via generative AI and automation technologies presents a technical challenge that parallels the geopolitical threat. From using large language models (LLMs) and generative AI to more effectively fool users via phishing attacks to more technical attacks such as AI fuzzing and using generative AI to alter the signature, but not the function, of malicious code, AI is already acting as a force multiplier for malicious actors in the cyber domain.

Cybersecurity vendors have arrayed themselves against this threat by harnessing the power of generative AI to supercharge cybersecurity operations, particularly by improving signature generation and behavioral detection of malicious activity and by optimizing response orchestration. The key risk inherent in this approach is that, by nature, it engages attackers of increasing volume and velocity in a series of races to see who can harness AI most effectively and quickly – a series in which the attackers only need to win a single race to do a significant amount of damage.

The current threat environment calls for a paradigm shift: instead of engaging adversaries in a seemingly endless series of skirmishes, cybersecurity leaders should invest in proactive and preventative technologies and architecture to dramatically reduce the number of opportunities that adversaries have to meaningfully engage the cyber defenses on their networks, while acknowledging the continued need for access to the information hosted on the Internet to maintain a competitive advantage for their business. A few examples of these technologies include:

Remote Browser Isolation (RBI) to remove the risk posed by processing potentially malicious web code on user endpoints within the trusted network. As the name implies, properly designed RBI solutions instead isolate processing of web code outside the network perimeter and provide users with a safe, interactive stream of the information they are attempting to access.

Attack Surface Management (ASM) to right-size and secure organizations’ externally facing web presence. Most companies today don’t have a complete, current, and accurate picture of the Internet-facing services running on their network. A properly implemented ASM program seeks to understand an organization’s Internet exposure, eliminate unnecessary services, and properly secure the services that remain.

Allow Listing trusted sites and blocking all others via secure web gateways and proxies ensures that organizations treat unknown material as malicious by default and significantly lowers organizations’ reliance on network and endpoint detection and response mechanisms. The significant restrictions this approach places on users’ access to non-trusted websites may be alleviated by implementation of RBI or creating a segregated network for non-trusted Internet activity.
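The default-deny web access policy described above, with RBI as the relief valve for non-trusted sites, can be expressed as a small decision function. This is an added illustration, not code from the article or any vendor product; the allow list, hostnames and sample requests are constructed for the example, and the gateway that would enforce the returned verdict is assumed.

```python
"""Default-deny web egress policy with a Remote Browser Isolation fallback.

Added example (not part of the original article). The allow list entries,
the hostnames and the sample URLs below are constructed and hypothetical.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow list. Entries with a leading dot cover the domain and all
# of its subdomains; entries without one must match the host exactly.
TRUSTED = {"www.dod.mil", ".example-supplier.com", "updates.vendor.example"}
WEB_SCHEMES = {"http", "https"}


def host_is_trusted(host: str) -> bool:
    """True only when the host matches an allow-list entry; unknown is untrusted."""
    host = host.lower().rstrip(".")
    for entry in TRUSTED:
        if entry.startswith("."):
            # Suffix match anchored on a label boundary, so that
            # "example-supplier.com.attacker.test" does not qualify.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(url: str, rbi_available: bool = True) -> str:
    """Return DIRECT (trusted), ISOLATE (render via RBI) or BLOCK."""
    parts = urlsplit(url)
    # urlsplit strips userinfo, so "https://www.dod.mil@evil.test/" yields
    # host "evil.test"; a naive substring check on the URL would be fooled.
    host = parts.hostname or ""
    if parts.scheme not in WEB_SCHEMES or not host:
        return "BLOCK"  # unknown scheme or malformed URL: deny by default
    try:
        ipaddress.ip_address(host)
        return "BLOCK"  # raw IP literals bypass name-based trust; never allow
    except ValueError:
        pass
    if host_is_trusted(host):
        return "DIRECT"
    # Non-trusted content is never processed on the endpoint: isolate it
    # off-network when RBI is available, otherwise fall back to blocking.
    return "ISOLATE" if rbi_available else "BLOCK"
```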

By rethinking cybersecurity programs with this type of technology in mind, leaders can alter the one part of the threat equation over which they have control: the number of opportunities presented to the attacker. In doing so, they will be able to concentrate the gains that generative AI brings to defenders on the parts of their network that absolutely require porous connections to the Internet rather than spending resources on assets that do not require the same level of access. Essentially – when cybersecurity adversaries only need to win one battle to win the war, defenders ought to pick their battles wisely.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. 

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
