Playing Defence - Nuclear Posture Review allows nuclear response to cyber

News by Doug Olenick

Calls from around the United States pour into the White House Situation Room reporting power plants shutting down across the Northeast and Midwest, causing massive black outs affecting tens of millions of people, with patients dying in hospitals and riots breaking out.

The president's advisors say local plant operators have been locked out of their control systems and have no way to restart the facilities or to transfer power from other sections of the nation to the affected areas, and that some nuclear power plants may even suffer catastrophic breakdowns if control is not recovered. A claim of responsibility for the attack comes in from North Korea's Kim Jong-un, saying the shutdown is in response to American interference on the Korean peninsula, and an officer from Cyber Command confirms this, saying the Pentagon was able to trace the problem to a North Korean government-run hacking group.

The president slams his fist into the conference table, then turns to the Army colonel carrying the briefcase known as the “football,” which contains America's nuclear launch codes, and asks to start the procedure to counter North Korea's cyber-attack with nuclear fire.

Far-fetched? Perhaps, but the possibility of the United States responding to a massive cyber-attack on its critical infrastructure took a step closer to reality last month when a draft of a plan called the Nuclear Posture Review was placed before President Trump. If implemented, it would allow for a nuclear response not only to a nuclear, biological or chemical attack upon America, but to other types of attack, including cyber.

Other, less massively destructive methods, such as hacking back, have also been brought up in government circles – for instance, Rep. Tom Graves, R-Ga., and Rep. Kyrsten Sinema, D-Ariz., last year introduced the Active Cyber Defense Certainty Act. While the US bill is still languishing in the House and has not been acted upon, and the UK has a similar piece of legislation, many have come out against the idea of hacking back as possibly doing more harm than good.

“Regardless, I've found that in the vast majority of cases, the risks associated with hacking back outweigh the rewards,” says Israel Barak, CISO at Cybereason, adding, “The main risks (although certainly not the only ones) are that: hacking back can quickly cross the fine line separating legal vs. illegal activities, and that you risk a high chance of inflicting collateral damage, mostly since attacker attribution is highly inaccurate in many cases.”

Troy Gill, manager of security research at AppRiver, partially disagrees, saying one way to deter these sorts of attacks is to have an equally or perhaps more advanced offensive capability.

“In other words, hacking back is a necessary evil in maintaining the balance of power. This is very similar to the mutually assured destruction doctrine,” he says, quickly adding that defensive measures are equally important.

Graves believes the bill, if passed, will help level the playing field between consumer, corporate and government victims and their attackers.

“The certainty the bill provides will empower individuals and companies to use new defenses against cyber-criminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber-battlefield, if not give an edge to cyber-defenders,” Graves says.

Most cyber-security executives believe Graves' approach to the problem is mistaken: a focus on counterattacking would be a misuse of resources, and the best defense is simply to have a strong defense. Omri Moyal, co-founder and vice president of research at Minerva Labs, says that making it difficult and costly for attackers to get into sensitive systems is the best road to take, especially at the state level.

“In cyber we never have a 100 percent ability to know where it [the attack] came from,” Moyal said, adding that another issue is that a bug used in a hacking counterattack can be captured by an adversary and then used against the attacker or another victim.

Kris Lovejoy, CEO of BluVector, places the blame for the government's vulnerability to cyber-attacks squarely on the shoulders of those in charge and states that there is no reason to believe deterrence is a workable strategy.

“I would argue that we have to focus ourselves on putting in place controls that allow us to detect and disrupt attempted attacks. Cost effective, easy to implement, AI-based security solutions for both the network and endpoint exist. Perhaps if the US government succeeded in passing a budget they could actually buy some of their own?” she says.

Scott Nelson, a vice president at SecureSet and a US Army Reserve colonel who just came off active duty as the national director for the USAR Cyber Public Private Partnership initiative and Deputy Commander of the Army Reserve Cyber Operations Group, says offensive weapons could be a useful tool; however, other areas, such as attribution, need to be bolstered first.

“Attribution is improving. The introduction of machine learning, big data and artificial intelligence will improve the ability to detect and discover signatures/behavior of threat actors. Humans and machines leave patterns so it is possible to identify Active persistent threats (APTs) from their patterns of behavior, normal targets and tools used,” he said.

Here are the other areas Nelson sees that need improvement:

• Diplomacy: improve the US's diplomatic efforts in creating international norms and laws that set international standards for the laws of war in cyber-space;

• Active defence: create a much stronger active defence of critical national infrastructure. China has demonstrated some of this with its Great Firewall, where the cyber nervous system can be locked down from centralised command and control systems;

• Cyber response and recovery: develop stronger indicators and warnings of attacks in order to respond effectively. As the military says: train as you fight. Invest in organisational and sector exercises to discover risk options and resource decisions, and to exercise the system on how to respond across the organisation/sector.

Joseph Carson, Thycotic's chief security scientist, also backs the idea of diplomacy, but mainly to figure out who is behind a cyber-attack and to make sure others are not harbouring cyber-criminals.

“To prevent such a major catastrophe from occurring, governments and nation states need to work together with full cooperation and transparency to ensure that cyber-attribution is possible and hold each other responsible for the actions of criminal organisations carrying out cyber-attacks from within their borders. It is important that governments do not provide a safe haven for cyber-criminals to carry out such attacks especially when they are doing it for both financial, political gains and extreme aggression,” he says.

While the more robust-sounding plans like hacking back and nuclear retaliation might grab headlines, additional legislation has been proposed to protect the American election process that takes a less violent approach but, if triggered, could result in sweeping economic countermeasures with a huge negative impact on world economies.

The highest-profile bill of this type is the Defending Elections from Threats by Establishing Redlines Act (DETER), unveiled by Sen. Marco Rubio, R-Fla., and Sen. Chris Van Hollen, D-Md., earlier this year. Its inspiration comes from the more subtle election-altering tactics the Russians used during the last election cycle, including using social media platforms to push fake news that bolsters certain candidates or to plant doubt in the minds of American voters about whether their electoral system is secure.

If any nation-state were discovered attempting to hinder or alter a US election, the government would then determine what retaliatory measures to take. Russia is also called out specifically for a separate line of penalties if it is caught again. These include sanctions on Russia's finance, energy and defence industries, and possibly blacklisting Russian political figures, blocking access to their assets in the United States and imposing a travel ban.

“We appreciate the temptation of threatening the financial equivalent of massive retaliation, but at this stage it is the wrong weapon,” wrote Daniel Fried, a senior fellow in the Atlantic Council's Future Europe Initiative and Eurasia Center, and Brian O'Toole, a nonresident senior fellow with the Atlantic Council's Global Business and Economics Program, for the Atlantic Council.

From the March 2018 issue of SC Magazine US