It can be really hard for the government to share information with citizens and businesses, for many reasons. We all wish it was easier, but the fact is that complex rules and regulations and the need to operate with some degree of certainty combines with the need to protect sources and methods. Everyone in the community wants things to improve, but I know for a fact some of the greatest people have been working hard to improve this and it is really hard. It can also take time before information is of a quality to be shared, and that can mean that attacks from adversaries that are underway can make great progress in their nefarious activities before the government alerts. Proof of that is a government announcement titled Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. They are not sugar coating this at all are they? This is a pretty clear declaration that Russia is not just surveying our networks, but conducting cyber attacks to break into them.
The bad news is that the report says the government has been investigating this since 2015.
Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.
This is a global investigation involving the DHS, FBI and the UK’s National Cyber Security Centre (NCSC). And it may well be that there was not enough info to release till now. I also think many investigations end up going through historical data to piece together a bigger picture, and it could be that this assessment just came together recently. But still, we should all push for faster action here.
But the good news is that the report provides a great deal of technical information that can be used by companies to help configure their devices to reduce the impact of these attacks. The report does far more than just encourage patching (which of course is important). It gives technical advice that can help tech teams implement better security. That is a positive.
It is also important to mention that raising defenses by properly configuring devices is a relatively low cost activity. Additionally, this does far more than make it harder on Russian bad actors who seek to attack. It can also slow down Chinese state sponsored actors who wish to steal.
My hope is that this will also inform U.S. technology vendors, who can take steps to help ship their devices with more secure configurations.
For more see: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices.
My recommendations to raise your defenses to counter nation-state attacks:
Invest in some help to ensure your technology is appropriately configured to make it as hard as possible on adversaries, regardless of where they are from. Better configuration of your existing IT is a very low cost activity but will give very high returns. A small investment will reduce risk. The configuration guidance from DHS/US-CERT is a great place to start, but external security experts who really know how to configure and test the configurations is important.
All organizations should also consider joining the Cloud Security Alliance (CSA) to help learn the latest best practices. One capability that came out of the CSA is a Software Defined Perimeter (SDP). Actually this approach had its roots in the government tech community, and I know it to be a very secure way to operate.
Reduce the threat of nation-state sponsored cyber attacks including those involving hardware that has been tampered with or malicious code on IoT devices by leveraging the capabilities of PFPCyber.
For more on these topics see the CTOvision Guide to National Security Technology and