A massive, damaging, and ongoing cyber-hack, reportedly perpetrated by Russian state actors, recently infected SolarWinds’ software update platform. This attack, by a patient and sophisticated state actor, highlights the fundamental and ongoing nature of our nation’s cyber vulnerability. Despite SolarWinds’ deployment of current best-practice security technology, the attacker used stored credentials and keys that authorize access to systems, networks, and sensitive data. This vulnerability remains exploitable, as evidenced by continued, steady, successful and damaging cyber intrusion events. What does this tell us about our best practices in securing data, networks and critical infrastructure? Do offensive cyber actions always have the advantage of speed and innovation? Is defensive cyber destined to always play catch-up in a race to limit damage after the horse has left the barn?
Our current best practice of doubling down on shoring up our defenses against breaches that have already occurred proves, time and again, to be a losing strategy. Our adversaries have moved on to their next line of attack. We cannot continue to center our digital security strategy on building bigger virtual walls, stronger fortresses, and more secure vaults to protect keys and credentials that grant access to our critical networks and data. We must instead shift our data security methodology to a true Zero Trust framework, where the identity of devices and people is an additive and complementary component of digital security. In doing so, we alter the balance of cyber competition by eliminating the primary stored-credential threat surfaces that adversaries attack.
Cyber Competition: The Critical Front Line
Let us be clear: cyber attacks and conflict in the cyber domain are the new front line of global competition for supremacy. Never before have we had a conflict front that afforded such a breadth of players such catastrophic influence at such minuscule associated cost or risk, while moving at such an accelerated pace. The ease of entry, anonymity, and rapid innovation afforded to those who choose the cyber domain allow bad actors, from individual hackers and crime syndicates to massive nation-state operators, access to a weapon of mass disruption. More ominously, an inexpensive, on-demand weapon of mass destruction provides capabilities to disrupt the commercial, financial, health care, energy, identity, and military/government domains.
Effective operations can lay waste to financial markets and energy grids, take defense systems offline, expose our nuclear secrets, and access critical intelligence that renders the core of our defense strategies transparent to our adversaries. All of this can be done with relative impunity. History and current threat hunting methodologies demonstrate little chance of detection until well after the desired damage has been achieved. Does it really make sense to continue to combat the threat by “improving” on best practices that are unable to keep pace with the innovation, effectiveness, and frequency of increased cyber assault? As Senator Romney rightly notes, the SolarWinds breach presents as a destructive cyber operation that is akin to “Russian bombers engaged over our sovereign territory.” We have a clear indication that cyber warfare is active and ongoing today, not a challenge or threat to be considered for the future. The time to change is now!
Innovation, Not Evolution, Will Change the Game
Cyber security professionals have made repeated efforts to alter the advantage dynamic between offensive and defensive cyber operations. With every innovation and advanced concept comes a more complex, sophisticated and capable new threat vector that brings new peril to an overtaxed framework. Our government and commercial data experts have stretched current best practices and regulatory-compliant capabilities to the edge of their theoretical envelope. Adversaries continue to find ways to successfully attack critical vulnerabilities in the system, including, but not limited to, stored keys and credentials that provide validated access to our environments and the secrets needing protection.
It is time to look at data security differently. To stay ahead of the attacker, we must make identity management a secondary component of data security, not a pillar and single point of failure. The central core of our cyber defense strategy should lie in true Zero Trust principles, thereby eliminating key and credential compromise as a foothold for cyber attack success. Eliminating threat surfaces that facilitate offensive cyber success will deliver the resilient and robust data protection our collective national security demands, while enhancing the agility and operational employability of data to its full potential. KnectIQ’s technology was created for this very reason: to address these vulnerabilities by creating a data security strategy that eliminates them at their source.
Our data, network and infrastructure security community must act now, with courage and conviction, to revolutionize our data security framework. We must be willing to step beyond our current, and proven inadequate, best practices to counter cyber warfare operations. Current regulatory standards make the security of stored and persistent keys and credentials a core tenet of technology authorization. These TTPs operate as an unintentional barrier to innovative solutions that meet the intent of cyber security standards and regulations while providing more effective secure access to and utilization of networks and data.
We must stop letting regulations be a ceiling for solutions and make them a floor. We must embrace small, nimble, problem-solving companies and get them in front of policymakers and leaders across our government, both civilian and defense. Zero Trust security is a capability reality today, and now is the time to act! Our adversaries from Russia, China, Iran, and beyond continue to press the attack.
Visit KnectIQ.com or reach out to us directly to find out how KnectIQ can deliver Zero Trust without the back door of persistent stored keys today, tailor solutions to specific data needs, and provide architectural framework for future design.
Erik L. Cyre
CDR, USN (Ret)
Managing Director of Business Development; Government and Military