The Western world has not been vanquished by cybercriminals, but it needs to do much more to keep the growing threat of cyberattacks in check or else it will face a cyber-Masada, the head of the leading US cybersecurity agency has warned.
“I don’t think the Western world is losing the cybersecurity war,” said Brandon Wales, executive director at the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security. “I think that we collectively recognize that we’ve got a lot more work to do.”
“We have tremendous capabilities. We have a vibrant private sector cybersecurity community that is developed, in the United States, in Israel and elsewhere. And we need to harness that, governments and private sector capabilities together, to achieve the positive cybersecurity outcomes that we all want,” said Wales, speaking with The Times of Israel on Wednesday on the sidelines of the Cyber Week conference at Tel Aviv University.
In his Tuesday speech at the conference, Wales compared the perseverance of the cyberattackers to that of the Romans during their siege of the ostensibly impregnable mountaintop fortress of Masada in the first century CE. When the Romans finally breached the fortress, tradition says, they discovered that the 960 Jewish rebels and their families had committed mass suicide rather than surrender.
“These rebels had tremendous defensive advantages both in natural terrain and fortification,” Wales said in his speech. “But a patient, well-resourced and determined adversary was able to overwhelm them. Their 12-year hold on Masada came to an end after a yearlong siege by the Roman Empire. Today, we face a variety of well-resourced, determined adversaries. And like those Jewish rebels, operating alone, even our best defenses will simply not be good enough.”
There are “thousands of attempts a day,” he said. When they get thwarted, by governments or companies, they “don’t necessarily get recognized the same way that the disruptions from ransomware and other cyber security incidents do.” But the successful attacks “point us to the places where we need to do more work.”
Cybersecurity threats are not bound by national borders, Wales said in the Tuesday speech, and “the cyber threat landscape is as dynamic and forbidding as we have ever seen it. Our adversaries are diverse, from hostile nation states such as Russia, China and Iran to cyber criminals. They are growing bolder. Their targets more consequential. Their techniques more sophisticated.”
Over the past year the US has “witnessed cyber incident after cyber incident,” with widespread attacks that tested CISA and the entire cybersecurity community, Wales said in his speech.
Cybercriminals and nation-states have used the coronavirus pandemic as an opportunity to deliver malicious software, steal data, disrupt operations, and target vaccine developers and supply chains, he said. “They exploited the digital transformation brought about by remote work and education, targeting this expanded and increasingly difficult to manage attack surface.”
At the same time, Russia and Iran launched efforts to interfere in the 2020 US election, as well as in some US state and local election systems.
As the acting director of CISA, a post he held from November 2020 to July 12, Wales oversaw CISA’s efforts to defend civilian networks, manage the risk to national critical functions, and work with partners to beef up the security of cyber and physical infrastructure.
Wales has led the agency’s response to a number of recent cybersecurity attacks: the SolarWinds Orion supply chain attacks, in which US government networks were compromised by a hack blamed on Russia; the Microsoft Exchange vulnerabilities, an unusually aggressive Chinese cyber-espionage campaign; the Colonial Pipeline ransomware attack, which impacted the computerized equipment managing the US oil pipeline system; the Pulse Connect Secure vulnerabilities, which affected a number of US government agencies, critical infrastructure entities and other private sector organizations; and the Kaseya VSA supply chain ransomware attack, the single biggest global ransomware attack on record, conducted by a Russia-linked gang.
The perpetrators of the cybersecurity attacks must be held accountable, Wales said during the interview, and the Biden administration is determined that that will happen.
“The Biden administration has been very clear from the beginning that malicious cyber actors need to be held accountable,” Wales said. “And that accountability is critical to deterring and dissuading them from conducting attacks in the future.”
The private sector must be enabled “to spot, detect and stop” any malicious activity. At the same time, it has “obligations” to protect and secure its networks, he added.
Wales is responsible for leading and developing long-term strategy at CISA, ensuring national and international collaborations and managing policy initiatives. He is also on hand when significant cybersecurity breaches occur.
“There is no such thing as a typical day,” he said. His agenda is shaped by what is happening on the ground. “If there’s significant cyber activity happening, we may be engaging with critical US government partners in the law enforcement community or in the intelligence community around the threat, maybe engaging with the private sector that has been a victim of a cyber incident.”
And then there is his long-term work, he said, in which the agency tries to stay on top of efforts “to build a more secure federal cybersecurity system to make sure that our federal networks are protected.”
Bolder, more sophisticated
Hackers have gotten bolder and more sophisticated, he said, and have the resources to wreak damage on the most critical functions of society. The threat landscape will become even tougher, and the global response must be unified and coordinated.
“Actors across the spectrum, whether nation-states or cyber criminals, have grown bolder in targeting more consequential targets,” he said, including infrastructure targets like the Israeli water system last year, and US pipelines and the JBS meat processor this year.
“The sophistication of our adversaries has continued to grow as well,” Wales said. “They’re using more advanced tactics, ones that are better designed to evade detection.
“And so, we believe that the threat landscape will continue to evolve and that just puts more pressure on the network defense community to come together and to be as bold and be as resourceful as our adversaries.”
Wales was adamant that businesses or other entities should not give in to ransomware attacks. The growth of these attacks, he said, “has been fueled by the success of the business model. People have continued to pay, and that has emboldened the ransomware operators, and every ransom that is paid is money that has fueled the epidemic.”
On Wednesday Prime Minister Naftali Bennett said that Israel is setting up a “global network shield” based on a partnership with global governments to collaborate, detect and respond to cybersecurity attacks.
“We want to learn more about it,” Wales said, referring to the initiative. CISA already has a close relationship with the Israel National Cyber Directorate, working on actual incidents, sharing information and tactics. Similar collaborations have also been set up between the US and other countries, he said.
And yes, he added, there are also connections with Russia and China, if information about malicious activity needs to be provided. “But the relationship is obviously different,” he said. “There’s more ongoing and direct partnership with countries like Israel, like the United Kingdom and others, where we have kind of close and continuing contact.”
Global collaboration to fight cybersecurity attacks is essential, he said, “but there’s no silver bullet, there’s no one action that is going to be successful here.”
Multiple layers of security and resilience must be put in place on individual networks, he said, and on a national and global level countries need to get better at sharing cyber defense information to help to stop future attacks.
Wales said what he is most concerned about in the longer term is potential disruption to critical infrastructure. The systems that enable society’s “most critical functions, that enable our society to operate, are at risk,” he warned.
And because malicious players want to target these critical infrastructures, “they will seek the means to do so. And it means that we need to work extra hard to prevent that from happening.”