Ep. 22: Adapting the “Defend Forward” Cyber Policy for Business
International cyber adviser Richard J. Harknett wants businesses to get on the “anticipatory” foot. Learn how a proactive cyber strategy can secure your supply chain and fuel business opportunity.
Summary
By persistently engaging in threat intelligence and then “defending forward,” the U.S. has been able to thwart a number of cyberattacks around the world in recent years, from the China-backed botnet that infiltrated some 260,000 Microsoft Exchange servers, to the Russian attack on Ukraine railways that – had it not been foiled – might have resulted in the death of hundreds of thousands of Ukrainians.
What’s proved effective for nation-states may also be surprisingly applicable to businesses, says Richard Harknett, a key architect of this new proactive approach to cybersecurity, and co-author of Cyber Persistence Theory: Redefining National Security in Cyberspace, from Oxford University Press. Harknett walks us through some of those key cyber victories (those that are un- or declassified, at least), and suggests how enterprise leaders who adopt the same mindset can reap benefits in terms of contracting, supply chains, and overall business opportunity.
(The conversation continues with Harknett next week, as we review the latest cybersecurity implications for TikTok, AI, and other issues enterprise leaders will need to tackle in the coming year.)
HOST: Mike Curran, vp of global talent, Tanium
GUEST: Richard J. Harknett, Ph.D., director of the Center for Cyber Strategy and Policy and co-director of the Ohio Cyber Range Institute, University of Cincinnati
Show notes
For more info on U.S. cybersecurity policies and how autonomous endpoint management can keep you active, not reactive, check out our articles in Focal Point, Tanium’s award-winning online cyber news magazine, and these other useful resources.
- What Businesses Need to Know About the New U.S. Cybersecurity Strategy | Focal Point
- What Many Get Wrong About Persistent Engagement and Why It Matters to Business | Focal Point
- The Feds Are Coming for CISOs – Here’s How to Steer Clear | Focal Point
- How Automation and AI Defend Your Software Supply Chain | Focal Point
- The Next Evolution of Endpoint Management Is Autonomous | Tanium
- The Benefits of Continuous Endpoint Management (and How It Differs from Antivirus Software) | Tanium
- Introducing Tanium Automate: Easy-to-Create Orchestration and Automation at Scale | Tanium
Transcript
The following interview has been edited for clarity.
We need to actually change our mindsets about what it means to be reasonably hygienic, reasonably secure. And so I like to put it in the notion that there are no best practices in cybersecurity. There’s only better practices.
Mike Curran: When it comes to cybersecurity, it’s better to be active than reactive. That’s the core tenet of today’s U.S. cyber policy, what’s called the “Defend Forward” strategy. It was considered fairly radical just a few years ago, but the U.K. and other cyber allies are now following our lead, and it’s got me wondering, is this something U.S. enterprises should be doing as well?
Hi, I’m Mike Curran, vp of global talent here at Tanium, and today on Let’s Converge, we’re talking “defending your business forward,” and how practical and profitable that might be.
Just as a little background, the federal government started testing this strategy in 2018 and enshrined it as our official cyberdefense plan just last year. Our guest today was a key player in making that happen.
He’s Richard Harknett, Ph.D., director of the Center for Cyber Strategy and Policy and co-director of the Ohio Cyber Range Institute at the University of Cincinnati. He’s a professor, and the first scholar-in-residence at U.S. Cyber Command and the National Security Agency. And he’s one of the architects of this new theory of persistence and proactivity in cyberdefense.
In fact, he co-wrote the book on the subject. It’s entitled Cyber Persistence Theory: Redefining National Security in Cyberspace, from Oxford University Press.
Welcome to the podcast, Richard. Appreciate you spending the time. You’re a very busy guy, traveling to D.C., Vienna, London, all over the place. So thanks so much for taking the time today.
Richard Harknett: Thanks so much, Mike. Just actually got back from London, spent a little time with our allies trying to figure out the challenges of cyberspace.
Curran: Fantastic. Appreciate that. I’m noticing something over your right shoulder there. Is that a coin or something like that? It looks pretty interesting, but I can’t read it. What’s that all about?
Harknett: Oh, thanks. Welcome to my office, home office. Yeah, that was really a nice gesture on the part of Admiral Mike Rogers, who was the four-star commander of U.S. Cyber Command and director of NSA. So I went on loan from the University of Cincinnati back in 2016 to become their scholar-in-residence, the first one they ever had, and helped – what is now public knowledge – develop some of the big pivots that we’ve made in national cyber strategy. And so Admiral Rogers gave me a little commendation and a four-star coin, so it’s a cool thing.
Curran: Good for you. Congratulations on that. Appreciate you telling us about it. But hey, we’re here to talk about persistent engagement, taking a proactive approach to cyber. But if we step back a bit, you have a background as an expert in nuclear deterrence. Was there some point or something that happened where you had that aha moment, where we needed a new approach to cyber?
Harknett: Yeah, that takes me all the way back to 1992-ish, ’93-ish. I was doing work on nuclear issues, sort of trying to deal with the collapse of the Soviet Union and how we manage all that. And I did a little work for the DOD and they kind of liked it and they said, “Hey, we got this thing called a browser. What do you think the security implications of this are going to be?” And so I did some early analysis and said this just doesn’t map up to the way we think about security and the way we organize for security.
So it was really pretty early on, Mike, that I felt like there was something between the reality of the space and the way we thought about security that was going to be problematic for us. So I was pretty consistent on that for about 20 years. I knew what the problem was, but didn’t know exactly what the solution was. And over the last 20, 25 years, it took us a little while to get there, but I think we’ve figured it out.
Curran: Let’s start with, can you define “persistent engagement” and also “Defend Forward” a little bit?
Harknett: Yeah. So it’s important to [look at] how they relate to each other. So “persistent engagement” is officially considered a military doctrine, one that helps organize Cyber Command’s operations. But it also is one that’s now being deployed – a form of it – by the Department of Justice to deal with cybercrime.
Persistent engagement basically in a nutshell says that cyberspace is an environment of continuous activity seeking to exploit inherent vulnerabilities across network computing.
So when we built this thing that we call the internet, we didn’t anticipate all the things that we were going to layer onto it, from social media to massive economic support and efficiencies and those types of things. At its core, it wasn’t designed around security, it was designed around access.
But as soon as you started to layer on personal identity information [or] economic wealth, these are things that other people want. And so you need to think through, well, how do I secure it? And the challenge is that it is a space that’s open to exploitation.
So persistent engagement basically says, security rests on me anticipating how you’re going to try to exploit my vulnerabilities before you exploit it. And the one way to do that, from a military and national security standpoint, is to figure out what our adversaries are thinking of doing to us before they do it. And that’s where the “defend forward” comes in.
Because you can’t defend inside your networks. If you defend on the edge of your networks, you’re going to be just chasing rabbits through the holes. So you’ve got to defend forward in both space and time. So yes, it means I have to get outside my networks and into other people’s networks to see whether they’re developing malware that they can then use against me. So that way maybe I could patch up vulnerabilities before they exploit ’em.
But I also need to get ahead, or “defend forward,” in time. Because if I actually discover their tools before they use ’em, I can fix those vulnerabilities. And then all the time, talent, and energy they’ve put into developing those cyber tools that they’re going to use to attack me, they’re now no longer useful.
So…why do I need to be persistent? Because the other side is. The other side is always looking for that opportunity to exploit the interconnectedness of this space. And so security rests in anticipation, Mike, and that’s why I have to persist and I have to engage constantly. That’s a big, big shift from the way we used to think about security in the Cold War.
Curran: Yeah, dramatic shift. Well, when you look at private enterprise specifically, I’d like to kind of lean in a little bit on that today and how do they engage and how do they defend forward? When I look to private enterprise and I looked at the DOD’s policies, there was one policy they have that I think was alerts… “Indications and Warnings,” I think it was called.
Harknett: Right.
Curran: And they were particularly focused on what they call the DCI and the DIB, which is the [defense] critical infrastructure and the defense industrial base. We know who they are, the Boeings and the other big companies. But what about the rest of corporate America? The rest of the G-2000 that’s maybe not associated that closely? How do they defend forward?
Harknett: Yeah, that’s a great question. So I’m going to suggest two ways of thinking about that.
From a corporate standpoint, it’s illegal for you to get out and go into somebody else’s network. That would be considered hacking, to try to mess around with their networks. National governments, national security governments under international law, have the authority to do that. So partly what companies need to be able to do is be receptive to information that’s coming from the government as we start to defend forward and as we get persistent engagement going.
These are new constructs, we’re building out new forces – Cyber Command and National Security Agency are sort of core to this, but we’ve got other intelligence agencies, other law enforcement agencies getting on the front foot. But it doesn’t help if we get on the front foot and we turn around and say, “Hey, there’s a vulnerability we’ve discovered,” and business is not ready to be adaptive and flexible in updating their systems.
There was a fairly significant Microsoft Exchange vulnerability that we know, as it turns out, was a Chinese operation. So the longer this thing was open, the more vulnerable more companies around the country were, right?
Curran: Yeah.
Harknett: So the U.S. Department of Justice was able, through a thing called Rule 41, which is a search-and-seizure authority, to go in and actually patch this vulnerability.
We had Internet of Things [devices] and types of servers; 260,000 had been compromised and put into what we call a botnet. So they are controlled by a single command server. Really, really clever operation, in my opinion. We figured out where the Chinese command server was that had compromised these 260,000, took that command server over, and told it to go and delete its own malware – remove itself from all of these private-sector devices.
So the Chinese are there, [and] they shouldn’t be there. The U.S. government doesn’t go into the private sector of U.S. companies. It actually gets the Chinese to delete their own stuff. How does that happen?
That happens by persistent engagement, figuring out that they’re always trying to exploit…. [In this instance], they had a good day; they compromised 260,000.
That is them winning the initiative for a little while. But by persistently engaging and then defending forward, we figured out where that command server [was], and with a really clever tactic, were able to restore the proprietary space that all of these IT devices had.
So that just gives you a little flavor of the dynamics that are occurring in this space. The private sector has to get on this anticipatory foot. So when we can give them a heads-up on where vulnerabilities are, you can’t take five months to decide to patch it. Because those are periods of time where you are vulnerable.
But there’s another twist to this, Mike, in terms of business practices for particularly larger companies. If you will, their ability to defend forward is through better practices with their supply chains and with their suppliers. So if you are going to connect your networks to a downstream supplier, from a defend forward mentality, you might want to know how good that network is.
A number of years ago, for example, Target right at point-of-sale had been hacked. When you went into a Target store, you swiped your card, and that card data was being stolen. That cyber malware was deployed through the HVAC supplier for all Target stores. You would’ve had to know that that HVAC was actually vulnerable because they made you vulnerable as a company.
So there’s practices you can start to think about in your contracting and in your supplying. You need your suppliers to reach a certain level of security.
And there’s another defend forward, persistent engagement operation that we’ve been running which we call “hunt forward” operations, that U.S. Cyber Command has been talking about a bit more. The Canadians have done it, the Brits have done it. What it is, is that a country, a partner, will invite the U.S. into their networks. That’s a big trust issue to begin with. But by being in their network and keyboarding next to them, we can discover things they might not have discovered, help them with their own network, but bring back those kinds of assets to defend the homeland.
The biggest public case that I can talk to you about is October 2021, before Russian tanks rolled into Ukraine, U.S. Cyber Command is actually in a “hunt forward” operation with the Ukrainians, invited by the Ukrainians to be in their networks. They find a pretty virulent, pretty sophisticated piece of malware that would’ve taken down the rail system in Ukraine. And if you know anything about Ukraine, they don’t drive cars, they take trains, most of the population.
So what we did is we enclaved that and left it there. The Russians kept thinking it’s working and they’re doing stuff with it. So [we] gain intelligence, [we’re] able to go back to our transportation networks and say, “Hey, do you guys have this vulnerability?” We don’t tell ’em how we learned about it, but “you got this vulnerability? Maybe this is what you need to do to patch it up.”
You get homeland security from that.
And then tanks roll in February, [the Russians] hit the enter key and it doesn’t work. The Financial Times of London has suggested that this may be the first cyber operation that saved lives, because 1.2 million Ukrainians get out of cities on trains in that first week of the Russian invasion.
Curran: Wow. Fascinating.
Harknett: So… pretty big deal from just one sort of operation. So if you think about all you can gain by being anticipatory, businesses could do the same thing, right?
Think about the contract environment as a “hunt forward” invitation. Your supplier is saying, “Hey, you can come into my networks and see that, in fact, I’ve got up to the standards that you need.” Those companies, by doing that, they make themselves more attractive suppliers.
I would say from a business practice standpoint, the more cyber-secure you are, the more attractive you are up that supply chain. [And] we need it to move both ways, Mike. We need larger entities to require better practices below them, and from an economic incentive standpoint, we need those smaller companies to become more secure up and through the supply chain.
Curran: I mean, if you had a cyber hygiene score from a neutral, trusted source, could be one of the Ernst & Youngs, the Accentures of the world, that basically say this particular supplier has all the hygiene necessary, that you should feel comfortable with. But I don’t know if there’s any universal hygiene score that people are comfortable with, for making decisions on suppliers, let’s say….
Harknett: No, I think that’s a great observation, and this is part of the challenge of cyber persistence theory and understanding that this is a continuously fluid environment. We tend to think about standards from a compliance model. Like you meet some static level of X and I can operationalize that across a whole bunch of boxes. And am I compliant, right? I’m going to check that Excel sheet.
And that’s been applied to cyber – and it’s not a really effective way of doing it.
Because since you and I started talking today, and that’s not been that long, there’s some app on your phone that’s updated to a new version. And so my compliance yesterday hasn’t captured that.
We need to actually change our mindsets about what it means to be reasonably hygienic, reasonably secure. I like to put it in the notion that there are no best practices in cybersecurity. There’s only better practices.
What we need to do from an organizational standpoint is organizations have to move away from this pure sort of compliance model and start to adopt an organizational form that says somebody’s checking on this on a regular basis. I have an organizational flow that adapts and adopts. And unfortunately, we do that for business opportunity; we don’t tend to do that on the security side.
But I would argue if we start to understand that being secure is business opportunity, then that mindset shift says this is part of doing business well in the 21st century.
Curran: So thank you for your time today and good luck on all the good work that you keep doing. We appreciate it.
Harknett: Well, thanks, and thanks for the platform to talk to your listeners. I really appreciate it and really enjoyed the conversation.
Curran: I’ve been talking with Richard Harknett, director of the Center for Cyber Strategy and Policy and co-director of the Ohio Cyber Range Institute at the University of Cincinnati.
If you’d like to learn more about proactive cybersecurity strategies, check out Focal Point, Tanium’s award-winning online cyber news magazine; we’ve got links to articles in the show notes. Or visit tanium.com/p for publications.
To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app. And if you liked this episode, please give us a five-star rating.
Thanks for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.
Hosts & Guests
Mike Curran
Mike Curran, vp of global talent at Tanium, has been representing the company since its early days when it had just 22 employees. With more than 25 years of experience recruiting in the software industry, Curran takes great pride in ensuring that Tanium continues to attract the most talented and passionate professionals in the world.
Richard J. Harknett
Richard J. Harknett, Ph.D., is a professor of political science, director of the Center for Cyber Strategy and Policy, and co-director of the Ohio Cyber Range Institute at the University of Cincinnati. An expert in cybersecurity and nuclear deterrence, he has also taught at Oxford University, served as the first scholar-in-residence at the U.S. Cyber Command and National Security Agency, and helped develop the new U.S. national cybersecurity policy. He is co-author of Cyber Persistence Theory: Redefining National Security in Cyberspace, from Oxford University Press.