Cybersecurity Countermeasures Starts with Hardening the Mind
2021 June 06
Cloud computing adoption can fail due to knowledge, trust and security concerns. Information technology (IT) experts often address cloud computing rejection due to security concerns as a factor of technical feasibility versus emotional or uninformed decision making. While this may be true in some instances, this paper will seek to point out the more enduring threat to cloud computing technologies, targeting the psychology of the decision maker, consumer and user through novel and highly sophisticated offensive cyberspace capabilities (OCC)[1]. Securing cloud architecture can certainly be better managed at scale than more traditional IT architectures. However security challenges will continue as serious threats to private, public and commercial sector clients utilizing cloud computing services.
The security challenges are larger than intrusions, malware and service denials. The challenges can have more endemic and enduring implications that get at the psychology of the decision-makers, consumers, and users by slowly degrading trust with content, code and configuration. While centralized cloud computing does a lot to improve security posture it does not completely resolve security concerns, and certainly does not address the less tangible aspects of damage to reputation, profit and dependability.
Centralization of cloud computing pools security resources but also centralizes impacts of offensive effects. There have been numerous literatures about the value proposition for economies of scale driving the gig economy towards a more interwoven cloud computing world. We can see this at various scales over the past two decades as we look at Microsoft, Amazon, the United States Department of Defense [2] and others. The financial return-on-investment is clear. What are less clear are the hidden dangers in single sourcing critical components of functional services — whether they be government or critical financial markets. This might explain why the energy sector in the United States has been slow to adopt to single market configurations and more to the point — why energy sectors globally have been hesitant to adopt cloud computing writ large.[3]
Threat actors view data at rest, data in transit, and extended trust boundaries as critical vulnerabilities. There are certainly mitigating measures but in the world of security, trust equals risk. Just ask Equifax or more specifically the United States Office of Personnel Management (OPM). Between 2013 and 2015 OPM were targeted for highly sensitive and personal files for candidate and cleared United States employees. 22 million personnel files were exfiltrated, a value that some estimate will be litigated for between $130M and $1B. The OPM instance was an intrusion into what is likely a private cloud. There were numerous mitigating factors that could have prevented the damage like data encryption, multifactor authentication and more advanced intrusion detection and prevention systems (IDS/IPS). Additionally, more advanced IDS/IPS could have expedited response timelines and characterization of the threat.[4]
Psychology plays a role here too. Decision makers thought they were clever and had the intruder cornered. That was not the case, as a secondary exploitation continued to exfiltrate and scan files internal to the cloud, reporting out to a subtle command relay exposed by a sloppy boundary.[4] Former FBI Director testified that “… every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses…So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.” [5] The cost to reputation and trust is lasting and significant.
Threat actors are increasing in sophistication, motivation and tools. While a denial or distributed denial of service (DoS/DDoS) can still provide powerful effects, adversaries are developing far more intricate maneuvers in cyberspace. In the 2016 United States Presidential election, Russian military and intelligence threat actors conspired on cyber operations that included hack and dump of stolen data at rest.[7] The intent of this was not to deny access to a network or service — it was to influence psychology. In Russian jargon, the information-technical (hack and steal) and information-psychological (release) [10] shifted opinions in the larger American public opinion. This is of course an intangible, difficult to measure but nonetheless important aspect of cybersecurity risk. [7] When well-resourced and highly targeted, some threat actors or advanced persistent threats (APTs) can go unnoticed for as long as eight years. [6] One might conclude, highly sophisticated actors only exist at the state and state-sponsored level, but the world of OCC has continued to mature outside of government.
Impersonation-as-a-Service (IMPaaS), Access as a Service (AaaS) [1], Ransomware and other advanced technologies have come to the market fore to meet a demand. Likewise ransomware insurance has become a market feature to offset cost — a risk calculation that some corporations can make. The enormity and the breadth of cybersecurity risks have created a market where buyouts are now a viable option. [12] Threat actors have for decades taken to the onion router and other lesser known parts of the dark web where they share techniques, tradecraft, targets and sometimes the treasures of their exploits. The ability to protect cloud-hosted (Infrastructure as a Service — IaaS and Data Base as a Service — DBaaS) treasures (E.g. personnel files, personally identifiably information, personal health information) in the information environment well-beyond the 22nd century, from sophisticated offensive cyberspace capabilities and techniques will only get harder.
We’ve learned a lot of important lessons over the past two decades. We certainly need to have better cybersecurity hygiene from data encryption, better identity management and protocol for role-based access and need-to-know. Advanced IPS and IDS should be part of all cloud computing security portfolios, but how they manage multitenant threats could complicate risk internal to the cloud. Multifactor authentication is everywhere now but is already being seen as a rock in the stream for threat actors to row around. [13]
There is good news on the international stage, especially for the individual and moderate sized countries and companies. The answers may not be where you would expect though. The real key is enhanced understanding and practice from cradle to grave of our “digital competence.” This important nuance — digital vice cyber is something that Estonia has been making waves about because they are incorporating critical thinking and digital awareness into the lives of their citizens from a very young age which “include[s] data literacy, online safety, and problem solving in digital environments.” [13]
This example of resilience is being built due to the Estonian perceived threat from Russian and Russian-aligned actors. The same information-technical and information-psychological operations that targeted the 2016 United States Presidential election are being addressed through education: building a smarter, more resilient society. Not only will it better prepare them for cybersecurity posture, but it has had remarkably positive impacts on the Estonian posture going into COVID-19. At the beginning of the pandemic, Estonia, “the first fully digital republic” announced a “hackathon” that resulted in five cloud computing solutions to give Estonians an advantage and have an impact on the COVID-19 crisis. A Platform as a Service (PaaS) was developed to connect vulnerable self-isolated people with volunteers, and other apps connected medical workers and volunteers across the country to apply economies of scale in novel ways. The digital health of Estonia matched their societal health — their real health. [15] There will always be vulnerabilities, but Estonians have taken important steps to address the future of the health of their society. We can learn from their example.
Cloud reliability and dependability are not emotional factors — they can be psychological factors that threat actors use for their ends or sell to the highest bidder. Mitigating the risk to downtime, to identified intrusion sets, malware and interruption to service is easy. Recovering from reputational damages, loss or even destruction can be impossible. Trust is hard to unbreak. True resilience matches day-to-day practice and critical thinking with investment in understanding tomorrow’s problems. Estonia has given us a good example of how to build resilience and countermeasures into society. We have examples throughout this research of missed opportunities or false pretexts for true cybersecurity. We must shift our paradigm and elevate our digital diplomacy by enhancing our cyber posture and practice.
References:
[1] W. DESOMBRE et al., “A Primer on the Proliferation of Offensive Cyber Capabilities,” Atlantic Council, 2021. Accessed: Jun. 06, 2021. [Online]. Available: https://www.jstor.org/stable/resrep30741
[2] J. Mishory, “Pentagon Strategy To Focus On Single Enterprise Cloud, Infrastructure,” Inside the Pentagon, vol. 28, no. 22, pp. 1–11, 2012.
[3] R. K. Perrons, “How the energy sector could get it wrong with cloud computing,” Energy Exploration & Exploitation, vol. 33, no. 2, pp. 217–226, 2015.
[4] “The OPM hack explained: Bad security practices meet China’s Captain America | CSO Online.” https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html.
[5] T. Armerding, “The OPM breach report: A long time coming,” CSO Online, Oct. 13, 2016. https://www.csoonline.com/article/3130682/the-opm-breach-report-a-long-time-coming.html.
[6] M. R. DeVore and S. Lee, “APT(ADVANCED PERSISTENT THREAT)S AND INFLUENCE: CYBER WEAPONS AND THE CHANGING CALCULUS OF CONFLICT,” The Journal of East Asian Affairs, vol. 31, no. 1, pp. 39–64, 2017.
[7] “Grand Jury Indicts 12 Russian Intelligence Officers for Hacking Offenses Related to the 2016 Election,” Jul. 13, 2018. https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election.
[8] B. Tashev, M. Purcell, and B. McLaughlin, “Russia’s Information Warfare: Exploring the Cognitive Dimension,” MCUJ, vol. 10, no. 2, pp. 129–147, Dec. 2019, doi: 10.21140/mcuj.2019100208.
[10] N. Kollars and M. B. Petersen, “Feed the Bears, Starve the Trolls: Demystifying Russia’s Cybered Information Confrontation Strategy,” presented at the Army Cyber Institute, West Point, Nov. 2018. Accessed: Jun. 06, 2021. [Online]. Available: https://www.hsdl.org/?abstract&did=.
[12] I. Smith, “Cyber insurers recoil as ransomware attacks ‘skyrocket,’” Financial Times, Jun. 03, 2021. Accessed: Jun. 06, 2021. [Online]. Available: https://www.ft.com/content/4f91c4e7-973b-4c1a-91c2-7742c3aa9922.
[13] “Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques.” https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks.
