As has been reported time and again, the U.S. critical infrastructure is under constant attack, held at risk by the insecurity of the computing systems that operate its most essential services. Increasingly, the means for this misconduct are the very tools employed in the name of cybersecurity.
In May. Microsoft identified Volt Typhoon, a Chinese actor targeting critical infrastructure in Guam—a critical U.S. interest in the Pacific—since at least 2021. While the campaign involved many notable features, there is one aspect that has yet to garner the attention it deserves: the security devices employed to protect the system contained the very vulnerabilities used by the actors to gain access.
This is not the first time security software has been abused, as it presents a juicy target: operating at elevated levels of privilege and storing some of the most sensitive data.
Once again, the security community is faced with a few uncomfortable truths. First, it should be recognized that cybersecurity systems can be just as flawed as the systems they protect. Development of cybersecurity tools falls victim to the same pressures and incentives that leave other software insecure, such as rushed delivery cycles and a market that values new features over greater quality.
Cybersecurity systems can be just as flawed as the systems they protect.Share on Twitter
In an ideal world where buyers select for security and developers meet that need, this would not be the case. Second, and perhaps more controversial, there is mounting evidence that the current approach to cybersecurity may not meet U.S. security needs in conflict. Until now, the U.S. experience of cyber has largely been in the form of espionage and crime.
The most damaging events, such as the Colonial Pipeline attack, have essentially been cybercrime incidents gone awry, as damage was not the primary intent. While losses have been felt, the harshest outcomes have yet to materialize, and the benefit of time to identify, remediate, and analyze attacks has driven modern approaches to cybersecurity.
The United States should begin now to prepare for adversary employment of cyber for reasons more nefarious than espionage. The infrastructure of Guam has military value beyond spying, and future attacks may be more likely to look more like those against ViaSat at the onset of the Russia-Ukraine conflict, only at scale.
If stealth is no longer a goal—as is unlikely in hostilities—and with average lead times of up to 197 days to detect a breach, cyber effects could be felt well before the first alerts are ever raised. There will always be a need to monitor systems for attribution and forensic purposes but relying solely on such measures without considering the expanded attack surface they bring is a disservice to a comprehensive cybersecurity program.
To the extent that the current detection-centric defensive posture has worked to date, it is far less obvious that it will support the shift from contest to conflict: the pace and overtness of hostilities don't match the speed at which current systems detect, remediate, and attribute attacks, or the scope and scale of vulnerabilities.
A higher standard for cybersecurity focuses on developing systems that are fit for purpose and designed to operate in hostile environments. Recent calls from the Cybersecurity and Infrastructure Security Agency for an increased emphasis on cyber resilience, backed by objectives in the National Security Strategy (PDF) to shift liability for insecure software products and services onto the providers of those products and services are a good start, but additional steps should be considered.
First, meeting these goals with policies and investments that measure the scope and effectiveness of these efforts and the systems they cover will be necessary. Without this understanding, these policies will remain difficult to measure and enforce
Policymakers should consider adopting a greater standard for critical infrastructure that requires adherence to secure development and design principles.Share on Twitter
Second, policymakers should consider adopting a greater standard for critical infrastructure that requires adherence to secure development and design principles. This will both minimize the introduction of vulnerabilities and, perhaps more importantly, maximize the level of insight into the security and quality of systems—to include the risk they may introduce. These practices complement reactive detection capabilities with a proactive approach that leads to well-understood systems that present less opportunity for adversaries.
This shift will not be free, as secure development may increase cost and time, at least at first. Investments in tools and techniques to increase the accuracy, efficacy, and coverage of secure development tools and techniques will be required—especially for the many software languages and technologies essential to the U.S. defense ecosystem, but not commercially attractive enough to prompt private sector investment.
Without government investments and policies to drive transparency and a clear understanding of what cybersecurity tools do, how well they work, and how securely they are built, the United States risks continuing to offer its adversaries the means to undermine its systems and, ultimately, its security.
Chad Heitzenrater is a senior information scientist at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared on C4ISRNET on September 21, 2023. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.