The Line in the Sand: How We Respond Today Impacts Our Security Tomorrow

In the past few months, we’ve faced massive attacks with SolarWinds and the HAFNIUM attacks targeting Microsoft Exchange, followed by the unprecedented ransomware attack by DarkSide that crippled US critical infrastructure. It is time to ask ourselves again, what is really going on? More importantly, the time has come for the United States government to do some soul searching on why defenses have failed and how we can prevent similar attacks in the future. 

As a nation, we are pretty bad at detecting cyber threats. We generally discover attacks long after the fact--after the damage has been done. As bad as we are at detection, though, the US government and most organizations are even worse at response, and we do a generally poor job of learning and applying lessons to improve and prevent the next attack. 

Thankfully, it seems that may be changing. President Biden has been clear that nation-state sponsored cyberattacks will not be tolerated under his administration, and that those nations responsible will be held accountable. The United States can respond in a variety of ways: the Biden administration could expose Russian and Chinese intelligence assets, impose economic sanctions, issue warrants or subpoenas for Russian and Chinese nationals or agents suspected of being involved, expel Russian and Chinese diplomats from US soil, opt for a proportional military response if appropriate, or any combination of the above. With any available option also comes the potential for escalation, so how we choose to proceed is of great consequence.

The challenge is that some of these responses are a trivial slap on the wrist that is unlikely to elicit change, while others punish an entire country and have an unfair impact on average citizens who have no involvement and lack the power to do anything about it. The goal is to find a response that strikes a balance and sends a very clear message that cyberattacks have consequences.

Firm and Appropriate Response

Why does it matter that these were nation-state sponsored attacks? It matters because the response will be different depending on the threat actor and their objectives. Criminals will be criminals, and law enforcement and the cybersecurity industry will continue to hunt down and prosecute them. But recent trends indicate that the line between cybercrime and nation-state attacks is continuing to blur, as many threat actors straddle the line by dabbling in both crime and APT operations.

There is strong evidence that these recent attacks were nation-state campaigns acting in the interest of nation-state adversaries, or were committed by criminal threat actors who enjoy the protection of nation-states to avoid prosecution. Our research on DarkSide suggests that the group is operating out of Russia or a related former Soviet Bloc nation. How the United States responds will have long-lasting implications.

Cyber espionage and cybercrime have brought governments and the security industry to a crossroads. How should we respond to such grave attacks, and where do we need to improve our strategies to defend against them and reverse the adversary advantage?

These attacks were all unparalleled in their scope--successfully infiltrating and compromising US government agencies and a wide array of medium and large private sector companies, as well as causing major disruption to the U.S. economy in the midst of a post-COVID recovery effort. 

There is a significant opportunity to cooperate on a global scale to develop extradition laws that enable cybercrimes and cyber espionage to be prosecuted more effectively. More impactful actions could include options like government mandates legally barring organizations from paying ransom demands to cybercriminals in an effort to stem the tide of ransomware attacks.

Preventing the Next Major Attack

Ensuring that those responsible suffer consequences for the DarkSide, SolarWinds and Microsoft Exchange attacks is important, but what is perhaps even more crucial is what we do after that. The extent of the potential impact to our critical infrastructure and national security is significant. How do we—as a nation and as a cybersecurity industry—do everything we can to make sure this doesn’t happen again? 

Protecting our cyber infrastructure is as important as protecting physical infrastructure. That is how dependent we have become on the connected world, whether it be financial systems, healthcare systems, air traffic control towers, home automation or defense systems.

We will not prevent the next DarkSide, SolarWinds or Microsoft Exchange attack by deploying the same failed cybersecurity solutions that haven't worked in the past - the same ones that completely missed these attacks against tens of thousands of organizations for the better part of a year. We need to change the way cyber operations are addressed.

The future must include the US government drawing a line in the sand, and sparing no resources in pursuing and prosecuting those responsible for attacks like these. We cannot allow these foreign threats to continue to operate without fear of capture or any threat of repercussions or consequences.

The truth is that attackers still enjoy the advantage, but we can change that. The security industry has long stood together--shoulder to shoulder--with customers and partners and even competitors, because in this fight we stand together. We may disagree on the methods, but not on the merits. Now, with the words and actions of the Biden Administration, the public and private sector can work together to fight this threat and prevent the next major attack.

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.