While the U.S. government and the private sector determine the breadth and depth of the SolarWinds event, we already can glean important lessons and identify immediate cybersecurity priorities for our nation. Three themes that have emerged are: How do we prepare for unexpected, low-probability, high-risk events? How should the framework for public/private collaboration evolve? And, what type of cyber attack warrants a response?
In the aftermath of the SolarWinds attack, we have learned that the sensors on our information networks were prepared to detect the tactics, techniques and procedures (TTPs) we knew our adversaries previously used against the United States. The challenge is that the likely actor responsible for this hack — the Russian hacking group known as APT29, or Cozy Bear — used novel TTPs, ones we had not seen before and for which we were unprepared. The sensors were set to detect what we know, but not prepared to detect what we didn’t know.
After 9/11, counterterrorism experts explained that we were prepared for an al Qaeda attack against U.S. interests overseas, but we were not prepared for an al Qaeda attack against the U.S. on our homeland. Applying the language used in the cyber domain, we were prepared for an attack using the physical TTPs we knew, but not prepared for never-before-used physical TTPs.
The issue that emerges from these two examples — the greatest physical attack on our country in modern history and, what we expect to be, the most serious cyber attack on our country in modern history — is this nation’s inability to prepare, effectively, for the unexpected. By nature, we don’t like to prepare for low-probability, high-impact events — and we typically plan for what we know we can respond to. But effective planning and preparation in cyberspace requires us to extend our thinking and creativity beyond what we know, to what is unimaginable.
Initial review of the SolarWinds event tells us that the capabilities of the private sector — FireEye, Microsoft and others — are far greater in detection and, in many cases, in response than the government, which means we have to re-examine our framework for pre-event collaboration. We also observed the deep capabilities of the private sector (i.e., Microsoft) in disrupting TrickBot — one of the world’s most prolific distributors of malware — in helping to secure the 2020 presidential election.
Over the years, we have grappled often with the tired, overused phrase “public/private information-sharing” and what it means. The private sector frequently has bemoaned that it would provide information to the government but get nothing “actionable” in return; the private sector would be left to fend for itself against highly capable threat actors.
Today, many corporations have developed mature, sophisticated cyber databases, which are replete with “actionable” intelligence that the U.S. government may not have. We must establish a new framework for collaboration that facilitates the ability of the private sector to share its early-warning information with the government so that federal resources are brought to bear against threats that the private sector is not capable of confronting alone. The objective should be to create a mechanism that facilitates collaboration so that sophisticated actors, such as nation-states, are identified early in their reconnaissance efforts and stopped well before they successfully penetrate critical networks.
If the private sector can share real intelligence with the government, then the government can activate a whole-of-government approach to respond and collaborate with the private sector to identify, mitigate, remediate and recover from the toughest cyber adversaries. We should consider expanding this effort to include joint threat-hunting on networks.
Once we have a solid framework for this type of evolved collaboration, we will need to have a clearer understanding of what type of cyber event warrants a government response and what that response should be. We are still struggling to define what is an act of cyber war. Right now, some observers claim that the SolarWinds event is an act of traditional espionage and, as such, falls below an act of war. It is espionage … right up until the point that malware installed on a network is activated to destroy our infrastructure.
In 1962, we determined that we were willing to go to war knowing the Soviet Union had deployed missiles to Cuba; they hadn’t launched them, nor did we have intelligence saying they would. But their presence 90 miles off our coast was significant enough to warrant a response that took the U.S. and the Soviet Union to the brink of war. Afterward, the Soviets never again considered placing nuclear weapons in our hemisphere.
Are we doing enough to deter our adversaries in cyberspace? What is clear is that espionage in cyberspace is different from other domains, and we need to update our approach and look at responses that go beyond sanctions and indictments. The United States must work with its allies and like-minded economic partners to establish international consensus on norms and standards, and on collective responses to such attacks.
We are in the early stages of understanding the far-reaching impacts of this attack. But what we have learned already is that our planning for our greatest threats — whether it be cyber, terrorism, health or climate, to name a few — must engage innovative thinking to prepare for what we don’t know and to stretch ourselves and our thinking so that we are resilient against and prepared for the event that will come.
Through SolarWinds, a new requirement for public/private engagement has emerged and is now on center stage. Industry benefits from reducing the economic, political and financial impact to government of an attack, and from government’s resources; government benefits from the actionable intelligence collected by the private sector, and its early detection capabilities. Together, industry and government can thwart our adversaries and make it difficult for them to be successful.
While we will be in disaster recovery mode from SolarWinds for a long time, we already can begin to apply the early lessons learned from this attack to build a better, more resilient, whole-of-nation approach to cybersecurity, alongside our global partners.
Kiersten Todt is managing director of the Cyber Readiness Institute, managing partner of Liberty Group Ventures LLC, and a scholar with the University of Pittsburgh Institute for Cyber Law, Policy and Security. She was the executive director of the Obama administration’s bipartisan Commission on Enhancing National Cybersecurity.