When RSA rolls into San Francisco each year, it’s time to ask what is going to be the hot topic. For 2020, my bet is that “cyber retaliation” for the death of an Iranian general in the U.S.-Iran conflict will edge out a crowded field as the hottest topic. Let’s explore the motivation and attack surface for a few types of cyber retaliation, then discuss the impact on our organizations and the best value for playing the hand we’re dealt.
Bad blood in the U.S.-Iran relationship has escalated to the point where government and private-sector cybersecurity experts are proclaiming that Iran may launch cyberattacks purely to harm, not just for financial gain.[i] Using cyberattacks instead of airstrikes, Iran has an opportunity to retaliate opportunistically or systematically.
Foreign interference in the upcoming U.S. elections fits both models. On presidential election day, Iran could retaliate by shutting down our voting systems. Imagine the chaos! They have time to prepare for the attack, but there are downsides. Every defender knows what day to look for this attack. It can only succeed once in 2020. Systematically, Iran could influence our elections through social media, but retaliation must be visible and credible. It’s hard to claim responsibility for attacks designed to be ongoing and undercover, and that have been conducted by other nation states. For hacking elections, the window of opportunity is small and the results dubious.
Cyberattacks put Iran on equal footing with the U.S. because they require fewer resources to conduct and our way of life is more dependent on digital technology. Experts suggest Iran’s best opportunity for retaliation that is costly and visible to the U.S., with credible attribution to Iran, is to damage any system on which our government, business, and private organizations depend.[ii] They can attack anywhere, anytime, produce devastating results, and make the results public. Iran’s motivation, tit-for-tat, then becomes an Iranian cyberattack in response to any U.S. attack (air, land, sea, space, cyber).
The attack surface also plays in favor of cyber retaliation on online systems, not foreign interference in elections. A voting system has a small attack surface compared to the systems that run the rest of our country, in part because we isolate voting machines offline. The ecosystem running the U.S. elections (voter registration databases, political party mailing lists, social media, and other systems) has a larger attack surface than the voting systems themselves, but it is nothing compared to the connected systems that run our financial systems, healthcare, government, and infrastructure. Because the attack surface is the sum of the different points where unauthorized users can ingress or egress, hackers don’t have to start with the largest, most valuable systems: they can hack connected partner ecosystems and supply chains, then pivot to the primary target.
Now that we understand why the motivation and attack surface favor cyber retaliation through online systems, what can we do so we don’t become sitting ducks? Security vendors are alerting and educating their customers on cyber retaliation.[iii] But do recommendations to “Disable all unnecessary ports and protocols” and “Enhance monitoring of network and email activity” and “Make sure your backups are up to date and stored in a location that’s easily reached when needed, but which is air-gapped from the production network”[iv] leave you wondering if you have already lost the battle?
RSA is a showcase for the cybersecurity industry announcing new tools and technologies to detect smarter attacks. The time to value (TvT) for a new tool can be significant, with training staff and managing complexity for yet another security product. The RSA conference started in 1991, and each year organizations spend more for security yet get hacked more. The rising cost of cybersecurity is unsustainable, and the results are unacceptable. Indira Gandhi’s quote is timeless. “History is the best teacher, who has the worst students.”
Here’s a lesson we can apply to cybersecurity. Benjamin Franklin famously advised fire-threatened Philadelphians in 1736 that “An ounce of prevention is worth a pound of cure.” “Preventing fires is better than fighting them, but to what extent can we protect ourselves from … disasters? [Current research] is to make sure that we not only do reactive groundwork after the disaster but also proactive work, to mitigate and prepare ahead of the event and reduce the risk of disaster.”[v]
To benefit in 2020, we need to apply prevention now. Prevention by reducing the attack surface is available and time-tested. Keeping the attack surface as small as possible is a fundamental security practice. Isolating voting machines from the network is 100% effective in preventing network attacks, but what about systems that must be online? To shrink the attack surface for online systems, we could turn off all unnecessary ports. But we’ll not always be 100% right, and other known ports remain exposed. Instead, we could isolate the biggest attack surface, the web browser, resulting in a 70% reduction in attack surface for endpoints and a 98% reduction in browser-based threats.[vi] And the solution is seamless to the end-user with a time to value in days not months or years.
“Retaliation often engenders escalation: something that the cyber domain facilitates with unprecedented ease. As nation states all-too-willingly adopt this tit-for-tat mentality, the prospect of attacks spilling over the ether into the conventional domains of war becomes increasingly likely.”[vii] In 2020, it’s clear that the U.S. and Iran are using cyberattacks like real bullets to retaliate. It’s also clear we don’t have to be sitting ducks. We can change how we protect ourselves. World War I started with the integral use of horses. It ended with tanks and fighter planes.
Reducing the attack surface through a Zero Trust strategy implemented as browser isolation provides a better value than detection alone and the best time to value.
To learn more about browser isolation and how it can prevent the attacks used for cyber retaliation, check out our latest whitepaper on Remote Browser Isolation.
[ii] Sarah Kreps, Jacquelyn Schneider, Escalation firebreaks in the cyber, conventional, and nuclear domains: moving beyond effects-based logics, Journal of Cybersecurity, Volume 5, Issue 1, 2019, tyz007.
[vi] Neil MacDonald, Innovation Insight for Remote Browser Isolation, Gartner, March 2018.