Cybersecurity Tensions Rise During President Biden’s First 100 Days
Cyber threats are a fact of life for nations and companies around the world. The United States government has recognized and addressed the growing risk of cyber attacks from adversaries dating back to at least 2001, when President George Bush appointed Richard Clarke as the first Cybersecurity Czar—a special adviser to the president on issues of computer security. A lot has changed since 2001—both in terms of the technology attack surface and the threat landscape—and cyberattacks have emerged as the primary battlefield in a new “Cold War” between the United States and its primary adversaries. In March, a panel of experts got together for a virtual roundtable titled “Restoring National Cybersecurity: A Look into the First 100 Days of the New Administration” to discuss the challenges we face and offer guidance for how to address them effectively.
We are nearing the end of President Joe Biden’s first 100 days in office. The first 100 days is generally recognized as a combination of honeymoon phase—as cabinet positions are filled, and individuals get acquainted with their roles and ramped up on the work to be done—as well as a significant milestone—as the nation considers the early tenor and vision of the policies being pursued by the new president. The job of President of the United States is never easy, but President Biden’s challenges were compounded by inheriting the fallout of gross negligence and incompetence by the former administration on virtually every front—from the economy, to foreign relations, to the climate, to education and infrastructure, to the urgent need to implement a functional plan for dealing with the COVID-19 pandemic and expediting vaccinations across the country. On top of all of that, the nation is facing a large and growing cyber threat from adversary nation-states and cybercriminals that can’t be ignored.
The roundtable discussion was hosted by Cybereason and moderated by David Spark. The panel of experts consisted of Theresa Payton, CEO of Fortalice Solutions and former White House CIO; Corey Thomas, CEO of Rapid7 and a board member of the Cyber Threat Alliance; Michael Daniel, president and CEO of the Cyber Threat Alliance and President Obama’s former Cybersecurity Coordinator; and Lior Div, co-founder and CEO of Cybereason. Each person on the panel brings valuable cybersecurity expertise to the table, as well as experience addressing cyber threats from nation-states.
The roundtable was coordinated in the wake of the SolarWinds attacks that were discovered at the end of 2020. US intelligence sources and cybersecurity experts have attributed those attacks—which affected tens of thousands of systems around the world—to Russia. The agenda of the discussion was to develop an action plan that might help guide the Biden Administration as it strives to respond to these types of attacks and strengthen the cybersecurity posture of the nation in general to prevent similar attacks in the future. The discussion became even more relevant and poignant when another massive attack was revealed just days before the roundtable sessions took place. HAFNIUM—a hacker group based in China—targeted a variety of zero-day vulnerabilities to compromise tens of thousands of Microsoft Exchange Servers.
David Spark started the session talking about the budget allocated for cybersecurity in the American Rescue Plan legislation and asked Lior Div for insight on how he would begin restoration of America’s cybersecurity defenses.
Lior noted that the United States is under virtually continuous attack from Russia and China and suggested that we need to start by changing our mindset. He pointed out how the current situation is a rekindling or extension of the Cold War, but also that the objectives have shifted. “You can gather information, and you can manipulate information as much as you want. In general, I would say two things. One goal is espionage. And the other one is to control kind of what people think. And we can go back all the way back to 2016, when we had the election, when the Russians tried to influence it heavily, and even in the last election.”
David then asked Theresa Payton to weigh in on what she believes we are doing poorly now and what is the first thing we need to address. Theresa started off by offering praise and appreciation for the Herculean task that CIOs and CSOs have been faced with during the COVID-19 pandemic as entire organizations suddenly went 100% remote—simultaneously obliterating any concept of a network perimeter and vastly expanding the attack surface that needs to be monitored and protected.
Theresa stressed that super control access should be strictly limited, and that organizations should ensure users are rotating and using unique passwords. She added, “Accounts have got to be monitored with behavioral-based monitoring, segmentation of everything. So, the more you can segment everything down to the most granular level, when that data incident happens—which it will—you have the ability to go shields up and flip kill switches so that you can actually mitigate the incident and still have resiliency in the organization.”
Michael Daniel pointed out that nobody wants to get hacked, and nobody is intentionally doing cybersecurity poorly. He recommended that we step back, understand why government agencies and private sector organizations struggle with the fundamentals of cybersecurity, and figure out what we can do to improve it. For starters, he suggested that we not place so much of the burden on the end user. He explained that we expect drivers to be responsible for actually clicking their seatbelt into place when driving a vehicle, but there are other elements of vehicle safety that are automated. “We don’t have a car say, ‘Excuse me, you’re about to have an accident. Would you like me to deploy the airbags: Yes, or no?’ Like, it just does it, right?”
Corey Thomas noted that it may sometimes seem futile—especially when facing a nation-state attacker that has significantly more resources at their disposal. He stressed, though, that it isn’t just about completely eradicating the threat. There is value in simply raising the bar and making it more challenging so there are fewer attacks, or the attacks take longer to execute, or the impact of the attacks is diminished.
Lior emphasized that he spent more than 20 years of his life being on the other side—being a nation-state hacker for the West. With the benefit of perspective from both sides of the fence, he stressed that we need to stop treating nation-state attacks as being too complex or sophisticated for us to defend against effectively. “I think that that was an excuse for many, many years for many companies of saying, ‘Oh, this is nation-state. We cannot do anything about it.’ I think that by now we have the technology. We’re 10 years into that after this event. I think that there is enough innovation that we drove collectively in order to fight against them.”
It was a valuable and insightful roundtable discussion. As we approach the end of the first 100 days of the Biden Administration, the cyber threat landscape seems to be intensifying even more. Acer was reportedly hit by a ransomware attack demanding $50 million in ransom. A few weeks later, in the wake of sanctions by the Biden Administration against Russia and potentially in retaliation for that action, Quanta—a major partner and supplier for Apple—was also hit by a $50 million ransomware attack. Meanwhile, researchers found that the Prometei Botnet is leveraging the exploits from the HAFNIUM attack to target vulnerable Microsoft Exchange systems. The breaches and compromises seem to be increasing in frequency and escalating in scope and impact, so it’s imperative we take action quickly.
I expect and hope that the Biden Administration would seek out experts like those who participated in this panel and involve them to better understand the threats we face, and to provide guidance for how to address those threats effectively and improve cybersecurity.