SHARED INTEL: New book on cyber warfare foreshadows attacks on elections, remote workers

By Byron V. Acohido

It’s difficult to convey the scope and scale of cyber attacks that take place on a daily basis, much less connect the dots between them.

Related: The Golden Age of cyber spying

A new book by Dr. Chase Cunningham — Cyber Warfare – Truth, Tactics, and Strategies — accomplishes this in a compelling, accessible way. Cunningham has the boots-on-the-ground experience and storytelling chops to pull this off. As a cybersecurity principal analyst at Forrester, he advises enterprise clients on how to stay in front of the latest iterations of cyber attacks coming at them from all quarters.

Cunningham’s 19 years as a US Navy chief spent in cyber forensic and cyber analytic operations included manning security controls at the NSA, CIA and FBI. He holds a PhD and MS in computer science from Colorado Technical University and a BS from American Military University focused on counter-terrorism operations in cyberspace.

Cunningham sets the table in Cyber Warfare by relating detailed anecdotes that together paint the bigger picture. Learning about how hackers were able to intercept drone feed video from CIA observation drones during the war in Iraq, for instance, tells us a lot about how tenuous sophisticated surveillance technology really can be, out in the Internet wild.

And Cunningham delves into some fascinating, informative nuance about industrial systems attacks in the wake of Stuxnet. He also adds historical and forward-looking context to the theft and criminal deployment of the EternalBlue hacking tools, which were stolen from the NSA and have since been used to cause so much havoc through WannaCry and NotPetya. What’s more, he comprehensively lays out why ransomware and deepfake campaigns are likely to endure, posing a big threat to organizations in all sectors for the foreseeable future.

I had the chance to interview Cunningham about the big takeaways he hopes Cyber Warfare imparts. Here are excerpts of our discussion, edited for clarity and length.

LW: Over the next few years, which groups do you expect to wreak the most havoc: nation-state backed hackers gaining strategic positioning and carrying out outright attacks for geo-political advantage; or for-profit criminal hacking groups?

Cunningham: Being that we are in an election cycle, I personally think that there will be a big push by nation state hackers to try and impact the election, but now I think that this will be more than just a Russian influence operation. Other nation state groups learned from watching what worked for the Russians in 2016.

This time around there will be more involvement from Chinese and other nation state threat actors as they try and get certain influence operations to work. The actual goal of these disinformation operations will be to cause enough havoc and doubt that the validity of the process is affected.

Russian groups are quoted saying ‘chaos is the goal.’ That’s what this really is about: impacting a key democratic process and causing enough chaos to impact the US nationally. We should expect this to happen.

LW: How do you explain the fact that companies spend more than ever on cybersecurity, yet continue to get catastrophically breached?

Cunningham: Usually it’s because everyone spends too much on the sexy, cool stuff and not enough on the basic blocking and tackling. And the policies in place for access and use are usually way too permissive. It’s a given that an infection is going to happen; the real problem is the proliferation and lateral movement of the exploit.

And it’s not humans that are the weak link in security, it’s trust relationships that are built into infrastructure. If we eliminate the ability for easy attack proliferation and take care of the basics, like killing the password, then the low-hanging fruit isn’t a problem and we can fix things from the core of the infrastructure outward.

LW: Do you expect micro-segmentation to ultimately emerge as a fundamental component of securing hybrid cloud networks in a DevOps world? Why so?

Cunningham: Micro-segmentation is supposed to be applied everywhere. That’s what stops attacks from being a problem to becoming a global cataclysm. DevOps and any other group in the space need to embrace this, as it is a core capability that will eliminate the ultimate impact of an exploit.

Just like what we are all doing with the Covid virus, we are segmenting ourselves to break the chain of infection; that’s the same thing we need in micro-segmentation. Stop the spread, beat the infection. It’s a must.

LW: Speaking of Covid, hackers and scammers are having a field day exploiting the pandemic. What should consumers and companies be paying very close attention to from here on out?

Cunningham: This new remote workforce approach is the big issue. Having users that were once somewhat secure at an office, inside a corporate network, now being dropped on their own with nothing much more than a VPN to ‘secure’ them is a bad spot to be in.

This happened so fast and most companies aren’t prepared for it. Organizations really need to secure their email systems, and I suggest using solutions that can kill phishing-type attacks and browser isolation, if possible.

LW: You’re not the first security expert to advocate eliminating passwords. That said, is there really a viable scenario for actually getting it done?

Cunningham: Yes. We are much closer to that than we ever have been. Between the OAuth stuff, biometrics, the FIDO Alliance, Self-Sovereign ID, and other capabilities that are coming to light, we are on our way to eliminating the password, and even the username, at scale.

It won’t be final for a few more years, like 2025 probably, but it is coming. If you look at the way your iPhone and a Surface Book sign-in works, that’s where we are going. Yes, I have a password that I have entered, once, and then it is stored and tokenized, and other out-of-band means are used to make sure I am actually the one accessing that asset. This doesn’t have to be “hard,” and good security solutions should be basically non-impacting to the general user.

LW: How far do you expect the corporate sector to actually get mitigating cyber risks as digital transformation accelerates?

Cunningham: We are in the early stages of an inflection point for the future of security. It has been generally accepted that the outdated perimeter-based security approach has proven to be a failure. Security leaders are reworking their thinking, which will lead to them reworking their infrastructures as well.

Security tooling and technology is finally available to do what the new models of security actually prescribe, like eliminating passwords, VPNs and other failed security solutions. Coupling that with the current status of the world, a nearly all-remote workforce, and businesses that are still at least viable, we will see a change in the approach we take to security and a modification of the way security is applied for a more diverse and dispersed workforce.

LW: What key technologies and processes will come into play?

Cunningham: Zero Trust is becoming the global standard security strategy. But not with that old, firewall-to-death approach. Now organizations understand that they must first secure what keeps the business running, its value. Then they must use virtualization and the ‘network’ to push the fabric of control out to the endpoints, as that is where infections start.

They must also secure users and their devices, as the future of work is a BYOD one. As that happens, it is possible to do things like eliminating the password and VPN. And it is also possible to gain insight and control for that new dispersed infrastructure.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
