LAS VEGAS - The U.S. government has in recent years stepped up its efforts to defend critical infrastructure against serious cyberattacks. However, sophisticated threat actors are constantly evolving, and a large piece of the country’s strategy moving forward will depend on not just adapting to new threats, but staying ahead of them, a top cybersecurity official said this week at the Black Hat USA Conference.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), on Wednesday said that private and public sector organizations in the U.S. in particular can learn important lessons from how Ukraine has positioned its cyber defenses over the last decade in response to various cyber threats from Russia - including ones that are part of the ongoing war. A major piece of this strategy involves a more “sustainable approach” to security, she said.
“There was a huge effort to raise the bar in cybersecurity,” said Easterly. “We need to have a sustainable approach to cybersecurity. What we are doing - as we continue to see the threats get more serious, as we continue to see increased global cybercrime damages - doing the same thing is not going to work.”
Over the last decade, Ukraine has built up its defenses in response to a number of serious threats, including NotPetya, wiper malware, DDoS attacks and other attacks on critical infrastructure such as power distribution centers. As part of this strategy, Ukraine has gotten better at not just responding to cyberattacks, but getting ahead of them in order to block them. In 2016, for instance, Ukraine created a National Cyber Strategy, which aimed to improve the security of critical infrastructure organizations and enhance capabilities across the security and defense sectors. Fast forward to this year, and Ukraine has also built up its relationships with the private sector and, internationally, with other government security defense agencies. Those relationships allow it to trade threat intelligence that has helped the Ukrainian government get ahead of cyberattacks, said Victor Zhora, deputy chairman and chief digital transformation officer of the State Service of Special Communication and Information Protection in Ukraine, during the Black Hat session.
CISA has partnered with Ukraine to help share information on threat intelligence and infrastructure security, as well as providing security training and joint exercises. However, Easterly said that the U.S. can apply the “capacity building” efforts with Ukraine to its own strategies.
In an analysis released this week, the U.S. government highlighted the pivotal shifts in approach needed for the public and private sector to defend against security threats at a more proactive level. As part of this, CISA is encouraging organizations to pinpoint their most critical functions and assets and understand the full range of threats impacting these operations, and to map out their defenses by developing recovery plans in the event of a compromise.
However, the most important shift will be creating an environment where organizations can regularly adapt to changing threats. This starts with a “culture of continuous improvement,” according to CISA, that is based on evolving risks. Part of this also means being more proactive about security, said Easterly, pointing to the Secure by Design concept heavily touted this year by CISA, where manufacturers are incentivized to build security into their products from the start.
“We’ve been talking about building technology that is secure by design, moving up the chain, not bolting on security after a product is released but making sure it is secure out of the box. That is how we can get ahead of some of these threats,” said Easterly.
At the end of the day, improving critical infrastructure security defenses will benefit not just the organizations being hit by cyberattacks, but the people who rely on those assets. Zhora said that maintaining cyber resilience has not been easy, but it is vital for the functioning of society in Ukraine. He said his team is making sure that, despite power shortages or air alerts, citizens continue to have safe and secure internet connectivity and businesses can continue to function.
“Central to all our efforts are people… we are doing this for people that in spite of all circumstances and challenges can live their normal lives,” said Zhora.