Think Differently on Cybersecurity Or Fall Farther Behind, Former FBI Lawyer Says

People in the security industry often criticize the federal government for being woefully behind the times on information security, not understanding the current threat landscape and not having enough trained law enforcement agents who can handle sophisticated computer crimes. Steven Chabinsky doesn’t want to hear it. A longtime FBI lawyer and former chief of the bureau’s Cyber Intelligence Section, Chabinsky believes that the government is doing a better job at security than ever before, as is the private sector. But he also believes the attackers are still gaining ground every day.

“What made me realize that was I started seeing the government working inside government circles better than ever, and I saw the private sector working better than ever, and the two working together better than ever, and I saw the cybersecurity problem still getting worse and worse every year,” said Chabinsky, who recently left the FBI and joined CrowdStrike as the company’s senior vice president of legal affairs and chief risk officer.

“When that happens, you know you have a strategy problem on your hands. Had the strategy been working, people would have been executing properly and succeeding. But it isn’t. The government and private sector were executing on their plans very well and they didn’t improve cybersecurity every year. There was objectively better security, but subjectively, against threat actors, they were gaining momentum. The threat continues to outpace us.”

Specifically, it seems, the high-end attackers who have been raiding corporate and government networks, stealing intellectual property, military secrets and whatever else they can lay their hands on, have been jumping well ahead of the most sophisticated defensive efforts for the last several years. Groups of attackers, state-sponsored or otherwise, are conducting their own research on new vulnerabilities, writing or buying exploits and hammering networks around the world with them. The most recent example is the so-called Elderwood gang, a subset of a large, well-known attack crew in China that has been conducting long-term operations against U.S. networks for several years now.

But that’s just one of the handful of known high-level groups of attackers that researchers have been tracking. And while their tactics and techniques are well-known, that hasn’t translated into much in the way of success for defenders. Chabinsky thinks it’s time to rethink our defensive strategies.

“It’s grown increasingly obvious our cybersecurity efforts have to focus on threat deterrence, really as the dominant focus of cybersecurity,” he said in a recent interview. “That hasn’t been the approach in the private sector, and to some extent it hasn’t been the worldwide approach either. Physical security focuses first on threat deterrence, not vulnerabilities. Networks can’t be fortresses or bunkers. Dynamic systems are incompatible with vulnerability focused systems. 

“Cameras don’t make a business impenetrable. They just tell the robber, we can identify you and track you down. In cybersecurity, we tend to call the locksmith when we have an issue. We think it’s a patching problem. When you’re faced with an invasive disease, it needs to be targeted and eradicated. This is no longer a time for hygiene.”

For the companies and government agencies that are regularly targeted by sophisticated attackers, Chabinsky said, the time to change their thinking and tactics is now.

“It’s widely known both inside the U.S. and outside how serious the cyberespionage problem is. People get it. What I find is the more likely issue is that people don’t know how to respond,” he said. “Vulnerability mitigation doesn’t deliver good return on your investment. People say they don’t have any more budget for security, but the stuff they’re doing now isn’t a good place to put more money anyway.

“There needs to be a focus on real-time information sharing. That’s been missing. There’s been good strategic information sharing, but what’s been missing is an ability to understand what the threat actor is doing and how to disrupt it. We need to share information in an automated way that allows networks to self-heal. That hasn’t been done yet.”

Discussion

  • Anonymous on

    Just because the Feds are "doing better than ever" doesn't mean they are up to the level they need to be. I will agree they are "doing better" but far from where they need to be. 

  • JM on

    I don't disagree that we still need to do more but we still have to focus on vulnerabilities and mitigate them.  However, I'm not seeing the thought process here.  Are we to launch a counter attack to attempt to disrupt an event?  I think this article needs expanded with details on 'thinking differently'.

  • Jan van Niekerk on

    Doom. We're doomed. We're all doomed.

  • GPL on

    Like with other unwanted global behaviours, governments in every jurisdiction around our globe need to set down their foot, define boundaries and discipline offenders. If you set this strategy, efficient results can be accomplished and make the longevity of the efforts needed endurable. Short of this, healthy democracy and human rights are not to be included in the solution. Technical solutions may or may not come along the way. The current trend seems however to be pointing in the wrong direction.
