An attempted cyberattack on Israel’s water system in late April, just months after the global pandemic hit, prompted fears that cyber adversaries are getting even bolder in their efforts to cause harm.
Israel’s national cyber chief, Yigal Unna, officially acknowledged the plot, calling it a ‘synchronized and organized attack’ aimed at disrupting key national infrastructure. "If the bad guys had succeeded in their plot we would now be facing, in the middle of the Corona crisis, very big damage to the civilian population and a lack of water and even worse than that," said Unna.
When he described today’s cyber threat environment during a virtual cyber conference this spring, he said, "Rapid is not something that describes enough how fast and how crazy and hectic things are moving forward in cyberspace and I think we will remember this last month and May 2020 as a changing point in the history of modern cyber warfare."
That attack was believed to be launched by Iran, something Iran has denied. But there are other attacks on the rise as well. Just last Friday, officials at the University of California at San Francisco reported that they paid hackers a ransom of $1m in order to regain access to data that had been encrypted by malware. Is the world getting more ruthless or are hackers being emboldened by a new set of circumstances and opportunities? And most importantly, what should companies and governments have learned by now?
The Cipher Brief spoke recently with Crowdstrike Co-Founder Dmitri Alperovitch about cyber trends we’ve seen since the pandemic began and what the COVID crisis has taught us about adversaries, and the evolution of the cyber threat.
Dmitri Alperovitch, Co-Founder, Crowdstrike
In 2016, Dmitri Alperovitch revealed a Russian intelligence agency’s hacking of the Democratic National Committee (DNC), a discovery that led to the full scope of cyber influence operations being launched against the 2016 US Election. He is also a regular guest at The Cipher Brief’s annual Threat Conference.
The print version of this briefing has been edited for length and clarity.
The Cipher Brief: Are we at an inflection point when it comes to cyber warfare?
Alperovitch: It certainly seems that way. It seems that our adversaries have learned that red lines don't seem to matter a whole lot anymore, and they can do everything from interfering in elections to targeting critical infrastructure and engaging in massive, destructive attacks in recent years and really not suffer any consequences for it. They keep pushing the line; certainly, the attempted attack on the water system in Israel, believed to be from Iran, shows that even completely civilian infrastructure that has no military use is not off limits.
Attackers are going to continue experimenting and figuring out ways to infiltrate those critical infrastructure systems, and ironically, the COVID-19 situation is making those systems more vulnerable because as operators of these systems have transitioned into more remote management, they increasingly need connectivity to those systems. Systems that, even a few years ago, were mostly isolated, air gapped, and offline, are increasingly getting more interconnected, and, as a result, are becoming more vulnerable.
The Cipher Brief: We’ve been talking for years about nation state attacks, but has COVID-19 somehow changed the dynamic?
Alperovitch: The interesting thing is that the number of threat actors is holding fairly steady. There are some incremental increases, but the vast majority of problems we face from a nation state perspective comes down to the big four: Russia, China, Iran, and North Korea. These are the same big four we were talking about 10 years ago and the same countries we have been worried about in the geopolitical space for many decades. While we are starting to see some others join in, such as Vietnam, India, and Pakistan increasingly targeting firms in the US for economic espionage, and they are learning from the Chinese playbook, it still comes down to China, Russia, Iran, and North Korea.
On the cyber-crime side, the vast majority of the sophisticated, really impactful cyber-crime operations are coming from the same countries: Eastern Europe and former Republics of the Soviet Union as well as Iran and, to some extent, North Korea, although that is more state sponsored. The number of threat actors is not changing, but they are growing bolder and bolder and, as I mentioned, not tolerating any red lines, at least red lines that were perceived even a few years ago. Now we are facing situations where the attacks are skyrocketing and, if you look at the first part of this year, it is a 100 percent year over year increase in the overall number of intrusions against American companies.
It really is a result of the adversaries also realizing that this is a unique moment in history where a lot of these organizations, both governments and private sector, are uniquely vulnerable because everyone is trying to work from home and, in some cases, from their own personal computers. They are not as well defended or monitored as corporate networks. Many holes are being poked through the firewalls in order to facilitate effective work environments. Those are the problems that our adversaries can leverage to get into those systems, either to steal data, destroy it, hold it ransom, or something else out of the wide slew of things that we are seeing right now in the threat landscape.
The Cipher Brief: How would you characterize the activities in cyberspace currently by the big four you mentioned?
Alperovitch: We have seen a slowdown in Chinese activity over the winter months as they have been coping with COVID-19 and, ironically, their own cyber teams had to work from home which impacted productivity. They started roaring back in the spring and engaging not just in the traditional activity like intellectual property theft, but also increasingly in information operations and becoming very aggressive and pushing fake narratives to promote China, to attack those who criticize China with regards to the COVID-19 situation, and learning from the Russian playbook on this matter in a really impressive fashion.
China used to be very bad at this. They would register fake personas on social network sites without any backstory. It would be a new account that just popped up without ever posting anything and suddenly tweeting pro-Chinese propaganda. They are learning from that. They are increasingly trying to set up personas that look like legitimate Westerners to promote their pro-China narrative, something the Russians have excelled in over many decades.
Russia is taking the opportunity to use the situation to target Ukraine as well as conduct traditional espionage against government networks in Western countries. They realized that intelligence communities working fully from home would have them functioning with one hand behind their backs. Some agencies are not allowing everyone to go into work and instead are only having some people work from home under limited conditions. This creates opportunities for attackers to take advantage and try to infiltrate networks to the extent that they can, both on the defense contractor side and in actual government networks.
Iran is being super aggressive against Israel and Saudi Arabia, their traditional enemies. We saw a slowdown in activity in the winter when they were getting hit hard by COVID-19 outbreaks in Tehran and all over the country, but they seem to have figured that out and are now back in force in terms of their offensive operations.
The Cipher Brief: Traditionally, a lot of cybercrime comes out of North Korea. Have there been any changes on that front that you have seen over the past several months?
Alperovitch: North Korea has not had a whole lot of activity recently. There have been some intrusions into South Korea, which they never stopped, but not a significant amount of activity compared to normal.
The Cipher Brief: The US seems to be stepping up their naming and shaming efforts. Is this having an effect, and what else could the US do in terms of accountability when we are talking about figuring out attribution and holding people accountable?
Alperovitch: The naming and shaming campaign, which I’ve long been a fan of… has been really important. Also, it isn’t the only thing that the government is doing with regards to China. We are trying to figure out the right levers of power to pull on to figure out how to get these actors to back off and to limit their impact on us in the various cyber spheres that they’re engaging in. It is going to be tailored to individual countries.
With China, I’ve always believed that what they’re doing should not be characterized as cyber activity; it should be characterized as economic warfare. It shouldn’t be characterized as cyber activity just because it’s being done through the cyber sphere. They are stealing our resources in the form of intellectual property and trade secrets and giving it to their domestic sector to build behemoth companies, either state owned enterprises or those which appear to be private companies but are closely aligned with the state. As we are seeing with Huawei in the 5G space, they are becoming global monopolies, and we need to treat it accordingly. This is economic warfare and the right response to that is economic in nature, which the administration is engaged in right now. Russia is a very different scenario and we need to figure out the right pressure points that will convince the Russians that these activities are not worth it for them either.
The exact actions will be tailored, but the public naming and shaming is not just about those countries themselves. It sends a message, first and foremost, to the American public about what is truly going on and helps us rally toward some of these causes so that if we are engaged in a trade war with China, we can make sure that the American public is on board, as there will be pain that lots of people will suffer as a result of the trade war. It also sends a message to other countries that may be considering engaging in these sorts of activities, Vietnam and India, for example. We have a lot of leverage against those countries, and we should broaden our actions and make an example of some of those countries. It is a lot easier to achieve effects against these smaller countries than against the big four and would potentially serve as a deterrent to the big four as well.
The Cipher Brief: How do you assess US private industry efforts to improve cybersecurity? What are they doing well and where do they need to make improvements?
Alperovitch: This is probably one of the most untold stories about the progress that we have made in cybersecurity, particularly in the private sector. I can tell you from experience working with thousands of large and small companies over the years, there has been massive improvement in their ability to defend themselves against even the most sophisticated nation states. The improvement has not been across the board, but the best have learned the right models to take to their approach in this space.
The way you succeed is not by building the biggest walls and moats around your castle; that type of defensive model has not worked for centuries in the physical world, and certainly doesn’t work in cyber. You have to appreciate that a capable adversary will always find a way to get in, but that doesn’t mean they will accomplish their objective. Your high ground, if you will, is your own network, which you should know well so that any time someone gets into your network, you should be able to rapidly respond, identify them, and kick them out before any damage is done. Getting into that model where you have active hunting teams that are looking for any potential intrusion 24/7 and are reacting within minutes to contain it and mitigate the damage is the way these companies can successfully solve these problems.
While the situation may seem dire when reading the news stories about companies getting breached on an almost daily basis, the reality is that there are thousands of companies that are successfully defending against the most capable actors and kicking them out before any damage is done. Of course, these stories don’t make it to the front pages of the newspaper. Even still, I think we need to think about how there are many organizations that have not learned that model. These organizations are still in the castle mentality and are doomed to failure.
More importantly, there are many organizations that simply don’t care enough. In many intrusion investigations I have done for companies that have been devastated by a cyberattack, either destructive or with lots of highly valuable intellectual property stolen, within minutes of walking through the door I could tell that the company, from the board of directors down, didn’t pay close attention to this issue, didn’t care, and, as a result, didn’t have an accountability culture within the organization that made the right investments possible. However, this is not about how much money is spent. I have worked with one Fortune 500 company that has nearly every nation state targeting them because of the highly valuable information they have, and they were able to defend against attacks on a daily basis with a team of 14 people. Their entire cyber defense budget was only 5% of their overall IT budget as a company.
The one thing they had that most companies do not is a board that was very actively engaged, not a board of cyber experts. I don’t believe in this idea that you need cybersecurity experts on your board to do the right thing. You need a board that can produce the right metrics to hold their teams accountable and is engaged in making sure that the trend lines are correct. They shouldn’t be engaged in figuring out what technologies to deploy or what people to hire; that isn’t the job of board members. They should be figuring out how to track what they’re doing in the space and how to hold people accountable when things are not going right.
We must make this very simple for board members. When you look at boards out there, very few of them contain experts in sales, but every single board member realizes whether the company made their earnings numbers or not. They know the target and if they are over or under it. They don’t need to be math experts to figure that out.
We need similar metrics in cyber. The three that I’ve looked at and developed over the years are all about capturing this concept of speed. The winning team, if you will, is the one that is faster than the adversary in three things: detecting an attack within a network; investigating that intrusion, figuring out where they are, what they’re up to, and what you need to do about it; and actually taking action to respond to it. Detect, investigate, respond.
If you put metrics around how fast a team needs to be in each of those areas, you can start measuring it on a quarterly and annual basis. In terms of real incidents that were detected in the environment and simulated, red team incidents in which an external consultant is hired to go in and pretend to be an attacker, how fast did you pick them up? How fast did you investigate? How fast did you kick them out? Report these on a quarterly basis to the board so that they can start seeing the trend lines and hold them accountable. If the cyber defense team is asking the board for a $2 million investment after a bad quarter, and the board hires five people and more resources, then, six months later, the results get worse, then the board knows something is wrong and there may need to be a leadership change or something else. This is what board members should be doing.
The Cipher Brief: We just hosted the former Deputy Director of the NSA, Rick Ledgett, for a recent web briefing as well, where he actually cited your 1-10-60 model. And that is that it should take one minute to figure out that someone's in your system, 10 minutes to do your investigation and 60 to take action. It’s aspirational, of course, but did I get that right?
Alperovitch: Yes, that is what I used to call this rule, but I am stepping away from it because it is less important what the numbers are. I use those numbers as an example of some of the best of the best, the big platform companies that have thousands of people working on cyber defense. That's how fast they typically are at detecting, investigating and responding to a threat. It doesn't mean that every organization needs to be that fast, and many won't be, but it depends on who your threat actors are. While at CrowdStrike, I began measuring the breakout time, the time that it takes for an attacker from the moment they initially breach the network to the time that they move laterally within a network. Lateral movement in a network is not just the breach of the network, but the ability to move around with the required level of access. This is a major problem because the attacker has administrative privileges across a network and kicking them out is a lot harder and more involved. For the best of the best, the Russians, the average breakout time was just under 20 minutes, but everyone else was much slower. The Chinese, for example, took an average of 5 hours to break out, which is why, depending on who you are facing, you may have more or less time to respond. This is why each company needs to tailor their own metrics to their threat models and capabilities.
More importantly than the exact numbers, is a baseline. If I were coming in as a chief information security officer of a company, the first thing I would do would be to hire a red team firm to give me an assessment of how good my team is at detecting, investigating, and responding. Companies need to establish that baseline and put a plan in place to drive those numbers down each quarter.
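As an added illustration (not from the interview or CrowdStrike), the detect/investigate/respond metrics, 1-10-60 target check, breakout-time comparison and quarter-over-quarter trend line described in the two answers above, computed over constructed incident records. The 1-10-60 targets and the 20-minute and 5-hour breakout bands are the figures quoted in the interview; the record fields, function names and sample incidents are assumptions made for this example.

```python
"""Detect / investigate / respond speed metrics for quarterly board reporting."""
from datetime import datetime
from statistics import median

PHASES = ("detect", "investigate", "respond")

# Best-of-breed targets in minutes: the 1-10-60 figures the interview cites as an
# example. A team would tailor these to its own threat model and capabilities.
DEFAULT_TARGETS = {"detect": 1, "investigate": 10, "respond": 60}

# Rounded average breakout times from the interview, used as illustrative bands:
# just under 20 minutes for the fastest actors, about 5 hours for slower ones.
BREAKOUT_MINUTES = {"fast": 20, "slow": 300}


def _inc(name, quarter, kind, day, first, detected, investigated, contained):
    """Build one incident record from a date and four HH:MM clock times."""
    def ts(hhmm):
        return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")
    return {"name": name, "quarter": quarter, "kind": kind,
            "first_activity": ts(first), "detected": ts(detected),
            "investigated": ts(investigated), "contained": ts(contained)}


# Constructed sample incidents (not real data). kind is "real" for an observed
# intrusion or "redteam" for a hired attacker; all times are on the same day.
INCIDENTS = [
    _inc("inc-01", "2020Q1", "real",    "2020-01-14", "09:00", "09:04", "09:40", "11:10"),
    _inc("inc-02", "2020Q1", "redteam", "2020-02-20", "10:00", "10:02", "10:20", "11:20"),
    _inc("inc-03", "2020Q1", "real",    "2020-03-05", "13:00", "13:10", "13:50", "15:30"),
    _inc("inc-04", "2020Q2", "real",    "2020-04-16", "08:00", "08:01", "08:08", "08:50"),
    _inc("inc-05", "2020Q2", "redteam", "2020-05-11", "11:00", "11:01", "11:12", "11:55"),
    _inc("inc-06", "2020Q2", "real",    "2020-06-23", "14:00", "14:03", "14:10", "14:40"),
]


def _minutes(start, end):
    return (end - start).total_seconds() / 60.0


def phase_durations(inc):
    """Minutes per phase: detect (first activity to detection), investigate
    (detection to a decision on what to do), respond (decision to containment)."""
    return {
        "detect": _minutes(inc["first_activity"], inc["detected"]),
        "investigate": _minutes(inc["detected"], inc["investigated"]),
        "respond": _minutes(inc["investigated"], inc["contained"]),
    }


def quarterly_summary(incidents, kinds=("real", "redteam")):
    """Median minutes per phase for each quarter, pooling real and red-team incidents."""
    by_quarter = {}
    for inc in incidents:
        if inc["kind"] not in kinds:
            continue
        durations = phase_durations(inc)
        bucket = by_quarter.setdefault(inc["quarter"], {p: [] for p in PHASES})
        for p in PHASES:
            bucket[p].append(durations[p])
    return {q: {p: median(v[p]) for p in PHASES} for q, v in by_quarter.items()}


def meets_targets(quarter_medians, targets=DEFAULT_TARGETS):
    """Per phase, whether the quarter's median is within the target."""
    return {p: quarter_medians[p] <= targets[p] for p in PHASES}


def beats_breakout(inc, actor_band, breakout=BREAKOUT_MINUTES):
    """Was the intruder contained before that actor band's average breakout time?"""
    return _minutes(inc["first_activity"], inc["contained"]) < breakout[actor_band]


def trend(summary, prev_quarter, next_quarter):
    """Direction of each phase's trend line between two reported quarters."""
    result = {}
    for p in PHASES:
        before, after = summary[prev_quarter][p], summary[next_quarter][p]
        result[p] = "improving" if after < before else "worse" if after > before else "flat"
    return result


if __name__ == "__main__":
    summary = quarterly_summary(INCIDENTS)
    for quarter in sorted(summary):
        print(quarter, summary[quarter], meets_targets(summary[quarter]))
    print("trend:", trend(summary, "2020Q1", "2020Q2"))
```

Passing `kinds=("real",)` or `kinds=("redteam",)` to `quarterly_summary` reports observed intrusions and red-team exercises separately, which is useful when the board wants to see both lines.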
The Cipher Brief: We have seen an increase in ransom demands exceeding $30 and $40 million. Can you speak to the evolution of ransomware from annoyance to business risk to, ultimately, national security issue?
Alperovitch: Ransomware is not a new phenomenon; I believe the first ransomware attack was in 1990, 30 years ago. However, until seven or eight years ago, it wasn’t much of a problem because we didn’t have untraceable payment systems. In previous attacks before the emergence of Bitcoin and other cryptocurrencies, attackers would have to provide bank account numbers for someone to wire the ransom money. As you can imagine, this made it easy for law enforcement to figure out who owns the bank account and arrest the perpetrator. As a result, ransom wasn’t really a problem for the first 20 years, but as soon as Bitcoin appeared on the scene, there was a perfect way to collect payments, including huge ransom payments, anonymously, almost untraceably. Additionally, perpetrators can now use pretty simple malware to encrypt data on systems.
When attackers put those systems out of commission, especially if it is done across an entire network, and hold them ransom, organizations, even those with backup systems, are paying ransoms.
I was on a call with one major manufacturing company a number of months ago and they were asking for help in terms of how to pay ransom because they didn’t have Bitcoins ready and wanted to have assurances that if they paid the ransom, they would receive their keys back. I asked them, before we even got into the whole process of how to pay ransom: do you have backups? They said yes, and I was astounded. I replied, “Well, if you have backups, why do you even worry about paying ransom?” and they said, “It would take too long to restore and we are literally losing millions of dollars every hour that we’re down and it’s cheaper for us to pay the ransom.” That is the situation a lot of companies are finding themselves in, where it becomes cheaper to pay the ransom than to actually restore and rebuild, particularly if a company is in a situation where each moment they are down, they could be losing significant amounts of money. As a result, the ransom payments are going up because the criminals are realizing the appetite for payments is now significant. Personally, in most of the board conversations I’ve been in, it hasn’t been a question of will we pay, it’s been a question of how will we pay and how do we do it in a way that doesn’t get us in trouble, as there are some legal concerns about paying ransoms.
Ransomware is probably the number one problem facing organizations today. It used to be credit card theft and other personal identifiable information, but now anyone is susceptible to ransom attacks that take their network offline and hold their business hostage, which can put people out of business or cause them to lose literally hundreds of millions of dollars.
The Cipher Brief: Here is a question from one of our members: What should Cyber Command be doing that it is not doing? If you were advising Cyber Command, what advice would you have for them today?
Alperovitch: The first thing that I think we should have Cyber Command do is have 24/7 hunting operations across the DODIN, the DOD Information Networks, in every single corner of it. You can’t have PACOM or CENTCOM saying, no, this is not acceptable, come back to us in two months when we’re ready for you, because the adversary, if they’re in the networks, will know that Cyber Command will come in for a hunting exercise two months from then and will leave, then come back when Cyber Command is done. We need to have real time, 24/7 continuous operations. Additionally, I think this aspect of defense is vastly underfunded.
The Cipher Brief: Another member question: What are your thoughts on the DOD cybersecurity maturity model certification, which is supposed to improve cyber posture for the industrial base, and what do you think about integrating cyber-physical and personnel security as well as other risk elements in order to identify enterprise risk from the insider threat?
Alperovitch: We as human beings are not good at estimating risk. This is one of the problems as to why cyber risk management is not really effective and why insider risk management programs have limited effects as well. While we need to spend some time trying to mitigate that risk, we also need to have a model where we will realize that we will have failures. So, with regards to your question, I believe more efforts should be focused on the response piece, the investigation piece, and the detection piece, rather than on shoring things up.
Effective organizations have a 90/10 model. 90% is on the side of the equation focused on detecting failures while 10% is on shoring things up. In this model, you can invest based on the lessons you’re learning on the real intelligence you collected about how adversaries are operating. We can learn from our mistakes and shore things up where they matter. But, even with all of this, we have to realize that there is no perfect security and we’re only as good as we are fast.
The Cipher Brief: What should we be thinking about over the next six to nine months in cyber? You've mentioned some really scary scenarios during the conversation today, but you’ve also mentioned some uplifting things like the fact that more companies are now aware of the risks. What are some other caution areas and bright spots that you see in the coming months?
Alperovitch: The brightest spot I see is that we know how to move forward. We've learned so much in the last 10 years that the solutions are in front of us. We need to have the will to actually move forward and take the actions that are necessary, and, particularly, that comes down to the US government protecting itself. I find it extremely irritating, to say the least, that most of the effort that you see coming out of the federal government is about protecting the industry and critical infrastructure. The industry will figure it out. They are figuring it out now. The worst at defense today is the federal government, specifically, the Department of Defense. It's not because they don't have great people. It's not because they don't spend enough money.
If you look at the combined cyber spend within the DOD, I bet it eclipses nearly everyone in the private sector. DOD is not behind because they don’t have talented, great people, but they’re behind because they’re too bureaucratic and too slow to move in this domain that requires speed and agility and requires a framework that enables someone like Cyber Command to take action on any part of the network. I would love to see a streamlining of the federal government, with Cyber Command in the lead on the DOD side and CISA, the Cybersecurity and Infrastructure Security Agency that was just formed with Director Chris Krebs in charge, on the civilian side, taking ownership of the security of those respective networks and being held accountable to high standards for the security of those networks. Once we do that, the government can go and tell industry what to do, but right now, they’re living in a glass house and throwing stones. We need to fix that very urgently. It doesn’t require a lot of money, it just requires breaking down some of those entrenched, bureaucratic interests. It requires telling many of the CSOs in the civilian federal government that “we're taking your job away from you because you have failed, and you will never succeed," because some people are not able to withstand the most sophisticated attacks. They don’t have the resources or the talent available.
Many federal agencies are in this boat. We need to centralize our limited base of talent in the space within one area in the civilian space. The best place for that is CISA. If we let them take the operational responsibility for securing civilian networks, federal government networks, and let Cyber Command do that on the military side, it doesn’t require a lot of funding and will organize us for success.
In the private sector, the most important thing to be done is to figure out the right model of carrots and sticks to incentivize the private sector to do the right things. We know what the right models are; it’s about how to get everyone to adopt them. I think it will require us to look at some regulations to hold companies accountable. One model I really like is, if you believe in my 1-10-60 rule, the metrics I mentioned, it would be nice to require the private sector to track those metrics at the board level, every quarter. If there is a major breach, those metrics would be discoverable in litigation. If you could show that the board was aware that the company was negligent, that those metrics were well below standards, and potentially getting worse, you could increase liability limits on those companies, both at the board level and for the company overall. This could potentially be a nice stick to try to get them to care about this issue and do the right thing. Cybersecurity should not be within the responsibility of the CISO alone; it should be within the responsibility of the entire company, starting with the CEO and board of directors.
The Cipher Brief: What didn’t I ask you that you really wanted me to ask you?
Alperovitch: We didn’t talk about what the future holds in terms of the threat. The thing that I am increasingly concerned about is that if you look at the progression of cyber-attacks, they are in three stages or generations. The first stage was the Soviet Union at the time, now Russia, going at the United States and vice versa. It was all about stealing secrets, taking the traditional espionage intelligence collection, and moving into cyber. That was in the late 80s, early 90s. The second phase was broadening the target set, and China primarily led the way and realized it's not just about stealing government secrets, you could also steal commercial secrets and enable this world of economic espionage that they pioneered. Then, the third stage, which is what we’ve been dealing with for the last 10 years, has been more about disruption and destruction.
Certainly, we still have the theft of secrets and intellectual property remaining in the background, but now, increasingly, there’s concern about ransomware attacks that take companies out of business temporarily and more destructive attacks that can even cause physical damage. That last part is what I am very concerned about. We now can get into situations where a cyber-attack can cause a loss of life, either through direct action, like we have seen with the refinery attacks in Saudi Arabia where, had they succeeded, they could have blown that refinery up and caused the death of at least dozens of people, or broader implications, like if you are able to shut down electricity or water to a population and have cascading effects as a result.
Those are the types of things we are seeing more of. Once a year, those types of attacks come to light, but at an increasingly faster pace. I think that is what the Israeli official was referring to, that things are moving rapidly now. Red lines are disappearing, and we may look back at 2020, at least in terms of cyber, and say “Wow, those were the good times.”
Cipher Brief Intern Abby Sonnier contributed to this piece.
The Cipher Brief recently spoke with former Deputy Director of the NSA, Rick Ledgett, to talk about what corporate boards need to focus on in our piece, How Cyber Plays in Boardrooms of the Future.