People in the security industry often criticize the federal government for being woefully behind the times on information security, not understanding the current threat landscape and not having enough trained law enforcement agents who can handle sophisticated computer crimes. Steven Chabinsky doesn’t want to hear it. A longtime FBI lawyer and former chief of the bureau’s Cyber Intelligence Section, Chabinsky believes that the government is doing a better job at security than ever before, as is the private sector. But, he also believes the attackers are still gaining ground every day.
“What made me realize that was I started seeing the government working inside government circles better than ever, and I saw the private sector working better than ever, and the two working together better than ever, and I saw the cybersecurity problem still getting worse and worse every year,” said Chabinsky, who recently left the FBI and joined CrowdStrike as the company’s senior vice president of legal affairs and chief risk officer.
“When that happens, you know you have a strategy problem on your hands. Had the strategy been working, people would have been executing properly and succeeding. But it isn’t. The government and private sector were executing on their plans very well and they didn’t improve cybersecurity every year. There was objectively better security, but subjectively, against threat actors, they were gaining momentum. The threat continues to outpace us.”
Specifically, it seems, the high-end attackers who have been raiding corporate and government networks, stealing intellectual property, military secrets and whatever else they can lay their hands on, have been jumping well ahead of the most sophisticated defensive efforts for the last several years. Groups of attackers, state-sponsored or otherwise, are conducting their own research on new vulnerabilities, writing or buying exploits and hammering networks around the world with them. The most recent example is the so-called Elderwood gang, a subset of a large, well-known attack crew in China that has been conducting long-term operations against U.S. networks for several years now.
But that’s just one of the handful of known high-level groups of attackers that researchers have been tracking. And while their tactics and techniques are well-known, that hasn’t translated into much in the way of success for defenders. Chabinsky thinks it’s time to rethink our defensive strategies.
“It’s grown increasingly obvious our cybersecurity efforts have to focus on threat deterrence, really as the dominant focus of cybersecurity,” he said in a recent interview. “That hasn’t been the approach in the private sector, and to some extent it hasn’t been the worldwide approach either. Physical security focuses first on threat deterrence, not vulnerabilities. Networks can’t be fortresses or bunkers. Dynamic systems are incompatible with vulnerability-focused systems.
“Cameras don’t make a business impenetrable. They just tell the robber, we can identify you and track you down. In cybersecurity, we tend to call the locksmith when we have an issue. We think it’s a patching problem. When you’re faced with an invasive disease, it needs to be targeted and eradicated. This is no longer a time for hygiene.”
For the companies and government agencies that are regularly targeted by sophisticated attackers, Chabinsky said, the time to change their thinking and tactics is now.
“It’s widely known both inside the U.S. and outside how serious the cyberespionage problem is. People get it. What I find is the more likely issue is that people don’t know how to respond,” he said. “Vulnerability mitigation doesn’t deliver good return on your investment. People say they don’t have any more budget for security, but the stuff they’re doing now isn’t a good place to put more money anyway.
“There needs to be a focus on real-time information sharing. That’s been missing. There’s been good strategic information sharing, but what’s been missing is an ability to understand what the threat actor is doing and how to disrupt it. We need to share information in an automated way that allows networks to self-heal. That hasn’t been done yet.”