Former Texas Congressman William "Mac" Thornberry and Trustwave Government Services President Bill Rucker recently sat down to discuss several pressing issues impacting the federal government’s cybersecurity preparedness, the impact the Russia-Ukraine War has had on cyber, and what remains to be done to shore up the nation's cyber defenses.
This is the second half of their conversation. Please read Part 1.
Q: Let's talk about the Russia-Ukraine War. Were you surprised at the role that cyber has played so far? Has this activity been more or less than expected?
Thornberry: We have long recognized that Russia is one of the most sophisticated cyber actors on the world stage, and almost everybody expected cyber to be a significant part of their offensive against Ukraine, and it has been.
What may be a little surprising is that Russia has been somewhat restrained when it comes to the number and intensity of cyberattacks it has conducted within the U.S. and Europe. This is most likely because they are still balancing how aggressive they can afford to be outside of Ukraine.
But that does not hide the bottom-line fact that Russia did everything it could within Ukraine itself and that the U.S., including some notable U.S. companies, have been very involved from before the invasion to repel Russia's cyberattacks against Ukraine.
Additionally, what has surprised everybody is how good the Ukrainians are at adapting on the fly to the threats that are coming at them. Some of that is defensive, and some of that is offensive. Ukraine has been remarkable and has given everyone an example of what one can accomplish with the proper motivation.
Rucker: When you look at the cyber aspect of this and the role cyber played, it's honestly shocking. People have talked about the fact that when an armed conflict took place, there would be offensive cyberattacks in advance of the kinetic aspect of the war.
And in the Russia-Ukraine conflict, all of that came true.
The attacks Russia made in the days prior to the invasion set the tone, and we will not see any other physical conflict ever again that doesn't have some technological warfare aspect. This will only get more and more advanced.
When you look at the resources the Eastern European bloc and Russia bring to bear, one of the stats that I thought was pretty mind boggling came from one of Trustwave's threat researchers. We were conducting threat briefings recently on The Hill, and the researcher noted how credit card theft is down 50% year over year. So, when you think about the actors from that part of the world and what they typically focus on, things like building and selling custom ransomware on the dark web, the research shows they've been called to service elsewhere.
They're not stealing credit cards; they're helping Russia in this conflict.
I will agree with Mac and say I think everyone has been a little bit surprised by how well Ukraine has defended against the attacks and that it was very ready and mature to handle this task from a cyber perspective.
I do worry that the war sets the tone for what type of attacks might be coming. We do a lot of work with CISA on the JCDC program, and they talk about "shields up" and cyber hygiene, which all launched at the same time as the Russia-Ukraine conflict because it was recognized that anyone "pro-Ukraine" opened themselves up to attacks.
The sophistication of the attacks and the fact that our enemies will take aim at our critical infrastructure and power grid are also of concern. We've seen SCADA attacks, some that have been thwarted and some that haven't.
That's the stuff that I worry about that will evolve from a cyber perspective because they're learning a lot through this conflict.
Luckily, we're able to watch, learn, and help.
I think that evolution will change the face of future conflicts and I think cyber will take an even bigger role in those in the future.
Q: How much do you think we've learned from the conflict and have we had time to start implementing any of those lessons learned from that particular battlefield?
Rucker: There were two major DDoS attacks during the front end of the conflict. Prior to these, it was not known that level of attack could be sustained at that volume for that period of time.
Before, we had not seen an attack run for more than 72 hours. In Ukraine, the attacks ran at that level for over 30 days. The compute power and the bot system they had preconfigured and set up to be able to launch that level of an attack surprised everyone. We are talking about an entire public service infrastructure in Ukraine being offline for over 30 days.
That is unbelievably damaging. Most DDoS attacks are thwarted through scrubbing centers and last less than 24 hours, so this was scary. It means that when adversaries are focused on a very specific target, for a very specific reason, the attacks can be extremely damaging.
Those are the kind of attacks that, as our adversaries advance their capabilities, we'll have to continue to advance our defenses and create different ways to thwart those types of attacks.
Thornberry: I would say we can learn many lessons from Russia-Ukraine. I worry that because we haven't seen a lot of impact outside of Ukraine itself, we may end up with a false sense of security. Telling ourselves, "Oh, it's not that bad. We can handle it."
And as Bill outlined, the potential danger facing the critical infrastructure and elsewhere is very much there, and because of Russia's somewhat restrained attacks in our homeland and Europe, it may color our view of how urgent this problem is to deal with.
Rucker: Leon Panetta, in 2011 or 2012, warned of the possibility of a cyber Pearl Harbor. I don't believe that we've seen anything that reaches that level yet, but those capabilities certainly exist.
A cyber Pearl Harbor is certainly something that I know terrifies those that are in charge of Cyber Command, and those forces are looking for ways to defend against such an onslaught.
Thornberry: One more thing. There's been speculation that some nations may have pre-planted destructive cyber bugs inside our critical infrastructure, so this brings us back to the importance of database security and scanning.
One of the challenges here is we don't know, what we don't know, and so the full extent of our vulnerability is something that still concerns a lot of people.
Q: We know there are critical security gaps within the civilian government and critical infrastructure so far, but how many exist further down the food chain into the small and medium-sized businesses, and even then, going down through smaller government entities such as county and town governments?
Thornberry: As Bill referenced earlier, since COVID, everybody has become much more aware of their supply chains, and just looking at DoD, there's been a real concerted effort to understand not only the suppliers, but the subcomponent suppliers. It ends up that a lot of those are very small businesses and maybe one that an entire weapon system depends upon and so we want to raise cybersecurity up and down the supply chain.
But if you're talking about a small business in the middle of Texas, there's going to be a limit to how much cost it can absorb to increase its cyber preparedness, especially against very sophisticated actors. One of the challenges we have not yet come to grips with is how much do we expect from these firms and who's going to pay for it?
And we are still working our way through those issues because we don't want to raise the standard so high that most small and middle-sized businesses say it's not worth dealing with the government.
Rucker: When it comes to small and medium businesses, there are additional issues. When we did a threat briefing for the Senate Armed Services Committee for Senator Kirsten Gillibrand's (D-NY) office, her staff noted that one of the Senator's biggest concerns centered on small businesses and how they can gain knowledge about threats and how they would afford to put defenses in place.
That brings up the question of what the role of the government should be. And that can be a bit of a double-edged sword in some areas because businesses want some help, but don't want government in their business.
With that said, I think some of the technologies that have come to market in the last three to five years are very good.
Endpoint Detection and Response (EDR) technology has changed the game for cybersecurity hands down, but alone it's not a game changer. For example, in three of the last five major breaches, EDR solutions saw things, but they were inside the other millions of events security defenders had to sift through.
EDR is great, but it's just a tool you have to have human-led processes around, and that's why when I look at our customers and the Managed Detection and Response (MDR) market in general, that's changing the game because they're able to put a managed service around those tools.
And as Mac mentioned, we need to add tools to fill those gaps, such as continuous threat hunting, using an automated pen test tool against their environment, and running tabletop exercises.
Tabletop exercises will help prepare for a ransomware attack or if you have a compromised server or when your data or user credentials show up on the dark web. You will know ahead of time how to respond.