The Biden Administration finally released its long-awaited new Cyber Strategy. As many had expected, the strategy emphasizes cybersecurity regulation implementation, highlighting the importance of establishing much-needed cybersecurity baselines across critical infrastructure sectors. This is not much of a surprise given that the Administration had already started looking to install similar plans on a sector basis such as healthcare, communications, transportation and water.
The inclusion of this strategic objective is clear: There is an appetite to move from voluntary compliance by the private sector to mandatory requirements or else face some punitive consequence. This is especially noteworthy given the U.S. government’s consideration of adding other sectors such as space, bioeconomy, and election infrastructure to be included to the current list of 16 critical infrastructure sectors already on the Department of Homeland Security’s list. Any addition will substantially expand that footprint, and by extension, increase the challenge to secure it. Forced regulatory compliance appears to be the next attempt at finding a workable solution to the defense of these important sectors.
But there is another side to the strategy aside from defensive considerations. The second pillar advocates an aggressive policy that will authorize U.S. defense, intelligence, and law enforcement agencies to execute offensive operations against criminal and/or state networks. As socialized in its current “defense-forward” strategy empowering U.S. Cyber Command (CYBERCOM) to proactively stop cyber threats, and in essence, the Administration will authorize U.S. agencies to use “purely defensive” pre-emptive attacks in in the spirit of strengthening defensive posture. Indeed, “hunt-forward” teams have been active in Ukraine and other countries in an effort to stop suspected adversaries at their sources, and by CYBERCOM’s standards, have been “highly effective,” although officials with knowledge of these operations provided no metrics determining what success looked like. Undoubtedly, these achievements greenlighted the further implementation of this offensive mindset. In mid-2022, CYBERCOM awarded a USD $60 million contract to a company to support hunt-forward missions, another indication that the Administration is turning to U.S. offensive cyber capabilities to commit to persistent engagement and tackle an ever-expanding cyber threat ecosystem and categorizing any success in the digital space a defensive victory.
The Bigger Picture
On the surface, the new Cyber Strategy appears to be a balance of defense and offense measures, regardless of how the latter term is spun. The regulatory focus of the former has been needed for quite some time, as the private sector has traditionally implemented cybersecurity guidelines on a voluntary basis, allowing individual companies to decide what practices to adopt or not. This has thus far proven ineffective at best, creating inconsistencies among companies within the same sector. Furthermore, failing to comply with best security practices not only puts companies at risk, but their partnerships with other companies, whether in the same sector or in another. Adhering to best practices has the benefit of reducing risk exposure; avoiding expensive incident response and recovery efforts; mitigating reputation loss and increasing trust with domestic and international partners, customers, and third parties.
However, the offensive aspect of the new Cyber Strategy raises more questions than answers. Proponents of such activities will cite that purely defensive measures have had limited impact against an aggressive cyber threat ecosystem. Attackers have the advantage of time on their side, and the more innovative and advanced actors have the capabilities to circumvent many defense mechanisms that are currently employed. Nevertheless, a counter argument to that is that when looking at various cybersecurity vendor reports, the overwhelming majority of cyber incidents have been caused through vectors that could have been easily prevented if the victim engaged in more robust cyber hygiene habits. Simply, organizations are not doing as well as they could, failing to apply basic cybersecurity principles in a timely manner (especially vulnerability patching). The ability to strike back, or in this case, strike first appears a compelling alternative to the current option with the added benefit of being able to “hurt” potential attackers prior to them hurting you.
Hunt Forward Operations
Hunt forward operations may be working now because they are fairly new, and up until the Ukraine crisis, have not been used with ongoing regularity, at least according to CYBERCOM reporting. But this approach is not a panacea, as it has not taken into account how adversaries may adjust their own tactics, techniques, and procedures in response to this more aggressive stratagem undertaken by the United States, largely considered a top tier cyber actor. Adversarial governments that have their own offensive cyber capabilities will undoubtedly observe how hunt-forward teams execute their operations and make the necessary modifications to how they engage. As more law enforcement efforts disrupt some of the more prolific criminal gangs, the more advanced cybercriminal groups will also take note, and adjust their operational security. It takes a significant investment of time, money, and effort to neutralize some of the more prolific cyber gangs like Hive and the one behind the ZLoader botnet. Given that the Ukraine conflict has strengthened cybercriminal ties with Russia, hunt-forward activities could further push the more accomplished gangs to look to establish alliances with foreign governments able to protect them.
National-level cyber strategies are needed because the dynamic nature of the cyber threat landscape requires persistent review and guidance. However, depending on the government, development and execution of these strategies can be mired in over-wrought bureaucracy, so that by the time governments develop, publish, socialize, and implement a strategy, it is already outdated. The new U.S. policy is already creating excitement but let’s hope that there is not an over-reliance on offense to take the place of defense. How the White House’s Cyber Strategy executes regulatory compliance across the critical infrastructure sectors might be the key for organizations to position themselves to properly address the cyber threats of tomorrow, particularly as new and emerging technologies are adopted into systems, products, and devices. This must be more than an afterthought.
Because cybersecurity, like strategic thinking, needs to be focused on long term advantage, and is something that the tactical and temporary nature of short-term disruption tactics simply cannot achieve on their own.