As US Ramps Up Cyber Offense, Questions Remain on How to Secure Hacking Tools
With great power comes great responsibility. Those famous words, spoken by Marvel superhero Spider-Man’s Uncle Ben, were meant to teach the web-slinger a vital lesson: power should be used for positive purposes and not abused. A report by US National Security Advisor John Bolton last week revealed that the United States is stepping up its cyber offensive capabilities against foreign adversaries, not just for election security but also to counter commercial espionage. This follows a June 7 report that the United States Congress is demanding answers from the US Department of Justice on how it safeguards the tools in the US cyber arsenal. After the embarrassing Shadow Brokers, Vault 7, and Snowden leaks, in which attackers stole and released hacking tools and programs developed by the US NSA and CIA, congressional leaders are demanding answers on how to prevent such disclosures from happening again.
Foreign hacking took center stage in US politics when agents of foreign countries allegedly hacked into election systems, ran influence campaigns on social media, and targeted individuals in political campaigns to retrieve and release incriminating information. Since then, there have been many congressional inquiries with a single question in mind: “How can we prevent this from happening again?” Mark Zuckerberg and Jack Dorsey did not have all the answers, but they understand that their platforms are going to be highly scrutinized heading into future elections. In response to the hacking allegations, the United States imposed economic sanctions on several individuals directly responsible for the attacks.
In a seeming change in US policy, “defending forward” is becoming an acceptable tactic for the US military to prevent future cyber attacks against the US. In contrast to “hacking back,” where an attacked party hacks the group that attacked it, defending forward attempts to proactively disrupt adversary cyber operations before they have a chance to materialize. Defending forward is the cyber equivalent of pre-crime from Tom Cruise’s action thriller Minority Report. Defending forward was previously limited to military targets because UN treaties prohibit attacks against civilian infrastructure. However, US foreign policy is now open to the idea, and defending forward is being considered as a tool to protect the US against the theft of intellectual property (IP). The estimated losses to the US from intellectual property theft range somewhere between $225 and $600 billion. For better or worse, defending forward appears to be a policy not only to prevent major cyber attacks against US infrastructure but also to prevent damage to the US economy, including deterring IP theft.
Given that cyber offensive capabilities are going to get better over time, not worse, securing those tools becomes essential to prevent them from being used against those who developed them. As technology becomes more sophisticated and easily accessible, adversaries gain increasing access to privacy tools like end-to-end encrypted communications. End-to-end encryption helps guarantee that communications remain private, but it poses a challenge to law enforcement agencies attempting to conduct lawful surveillance against targets that pose a threat to national security. In 2016, the US FBI notably paid Israeli firm Cellebrite $900,000 to unlock the iPhone 5C that belonged to a terrorist who shot up his Christmas party in San Bernardino, CA. The intelligence the FBI hoped to gain was whether the attacker had any accomplices and whether any future attacks were planned. New offensive cyber capabilities do not extend to unlocking encrypted mobile phones. The United States Department of Justice is investing heavily in developing technology to deanonymize cryptocurrency payments that are explicitly designed to protect user identity.
The Vault 7, Shadow Brokers, and Snowden leaks show that the US is developing a significant and diverse arsenal of cyber offensive capabilities, and that ordinary civilians do not stand a chance against the signals intelligence agencies developing these exploits. In 2017, the WannaCry and NotPetya ransomware were unleashed on the world carrying a weaponized version of EternalBlue, an exploit developed by the NSA, months after security patches had already been made available. The US Congress is now asking Attorney General William Barr for a thorough accounting of how law enforcement agencies safeguard these tools, techniques, and procedures to prevent them from falling into the wrong hands. Just as the US places proper security safeguards around its nuclear, biological, and chemical weapons arsenals, cyber offensive arsenals should follow similar procedures.
Simply safeguarding the US federal government is not enough. As the Snowden leaks and the case of NSA translator Reality Winner show, US contractors working with these agencies to develop cyber offensive capabilities must also follow the strict guidelines placed on federal agencies. When the front door is locked, attackers will try the side door, hoping to find weaker security further down the supply chain. Last week the US Customs and Border Protection (USCBP) admitted that it lost a photo and license plate database because a contractor downloaded the data and was then breached.
Having US federal employees and contractors use a FedRAMP-approved, always-on cloud security solution ensures users are protected no matter where they work. Unlike endpoint security solutions, which require substantial resources to continually monitor processes, stacks, and integrity checks, all that security-as-a-service solutions need is a lightweight client to forward internet traffic to the nearest security cloud enforcement point. Appliance-based solutions require users to full-tunnel their VPN traffic back to a data center for security inspection, which increases latency and degrades the user experience.
The use of a cloud security stack helps protect employees and contractors from phishing and social engineering attacks, even those hidden behind SSL or TLS encryption. Attackers may target federal contractors believing they will be easier to compromise than systems protected by the government. Requiring federal contractors to use a FedRAMP-approved Zero Trust Network Access platform can significantly reduce the attack surface and limit exposure in the event of accidental or intentional account compromise.
The US federal government has amassed both an arsenal of cyber hacking tools and the responsibility to secure them against unauthorized use. Ensuring that employees and contractors are always protected is a significant step in securing these tools. Simply air-gapping the networks is not enough, as attackers have found novel ways to defeat air gaps. Securing networks today will help guarantee they are still around tomorrow.