In this file photo, Chris Inglis, former deputy director of the US National Security Agency, speaks during a forum at a conference on cybersecurity at Georgetown University March 4, 2014, in Washington, DC. Retired General Michael Hayden, former leader of the Central Intelligence Agency and the NSA, listens. Inglis has been named cyber czar in the Biden administration. Photo: AFP / Brendan Smialowski

To: Chris Inglis

From: William J Holstein and Stephen M Soble

Re: The national cyber security crisis

Congratulations on your appointment as America’s first national cyber security director. We concur it was a wise choice. Your first step should be to acknowledge the scope of the challenge you face: Cybersecurity must be improved for both private-sector and public agencies at all levels.

The ransomware attack against Colonial Pipeline underscores the gaping need. As you get started, let’s recognize that the severity of the problem requires innovative, new approaches – not more of the same old cybersecurity logic.

The reality is that the United States has been losing the cyber wars to China and Russia for several years, starting in earnest perhaps with China’s hack of the Office of Personnel Management in the 2014-15 timeframe, resulting in the theft of the personal information of 22 million federal employees.

The attacks kept coming: Equifax, Marriott, APT 10 and others. Now we have Colonial Pipeline, SolarWinds and Microsoft Exchange.

The Chinese and Russians recognize they have common interest in undercutting America’s power in the world, and the cyber sector is one area where they are succeeding in doing that.

Supply-chain attacks (SolarWinds, Microsoft Exchange and Amazon’s domestic servers) and critical infrastructure attacks on pipelines, water-treatment plants and electric power generation now mean that a whole new approach to establishing the baseline for required security must be established and executed.

Traditional cyber assessments have failed, and traditional reliance on endpoint and network security alone has failed. The gear that our major cybersecurity firms sell today routinely gets hacked.

Mr Inglis, you don’t have four years to putter through committees. Tens of thousands of private-sector companies today are sitting in the crosshairs. Almost no government agency or private-sector company can be sure it’s keeping data fully secure.

We suggest that you call for a desperately needed cyber reckoning, a moment of truth. The latest executive order, although welcome, is just a tiny first step.

After years of assuming American superiority in the cyber realm, we face a crisis. Either we can maintain control of our critical infrastructure, communications and data systems – or we cannot. You must spell out what the stakes are. You must dig into the philosophical underpinnings of true security and decide what is possible to change until we are adequately secure.

These new nation-state attacks targeting our supply chains have jumped from one company’s system to another company’s databases. They have spread like wildfire. We haven’t discovered the full scope of the penetrations. We haven’t catalogued the stolen data, nor defined the precise techniques used to execute these attacks.

We know the Chinese are particularly adept at leaving pieces of malicious software inside systems to be activated later, which is often called the Trojan horse technique. They develop the most sophisticated attack vectors and use them for a period of time before they start to lose their efficacy. Then those tools are sold on the Dark Internet, often to other bad actors.

The North Koreans tend to use their attacks to redress a loss of face (the Sony Hollywood studio attack) or to supplement their insatiable need for cash.

The Russians seem to be trying to use social media to destroy Western democracies. And the Iranians have developed the insidious capability of disrupting data to cause miscalculation and chaos.

The apparent inability of the US government or private sector to understand precisely what happened in this most recent round of attacks, much less formulate a clear response, demonstrates the lack of coordination among government agencies and between government and private-sector companies.

The attackers launched at least some of their penetrations from inside the United States. Ironically, that means they enjoyed the protection of US law and could avoid scrutiny from the National Security Agency, which is dedicated to protecting the United States from foreign attacks, not domestic ones.

“Our adversaries understand that they can come into the United States and rapidly utilize an Internet service provider, come up and do their activities and then take that down before a warrant can be issued, before we can actually have surveillance by a civilian authority here in the United States,” General Paul Nakasone, head of both the NSA and the Pentagon’s Cyber Command, told the Senate Armed Services Committee.

The penetration of SolarWinds software, widely used in managing complex cloud computing networks, occurred because the company failed to protect the keys to its encryption system. The attackers were able to take on seemingly legitimate identities. They literally took control of “the keys to the kingdom.”

This situation raises fundamental questions. Do we need to reinvent the US approach to cybersecurity? Are we spending our resources wisely? Is there a free flow of threat, attack vector and other critical information among private-sector and government entities?

You should launch a framework for analysis to address these questions. If we could create a cost-efficient, concerted solution to protect ourselves, what would that be? The old school of cyber security – tick-the-box cyber assessments, malware protection, employee shaming, firewalls and intrusion detection systems – obviously is not working.

One starting point might be recognizing that 80% of all successful cyberattacks over the past five years have exploited “known vulnerabilities” in software. The software in our public and private sector ecosystems is so plagued with known vulnerabilities that hackers seeking targets find our defenses as full of holes as Swiss cheese.

The National Institute of Standards and Technology, an arm of the US government, says that about 200 to 500 vulnerabilities in existing systems are discovered each week. Could any of us really have a complete understanding of all the software and applications downloaded or installed into our ecosystem?

The very nature of modern software is part of the problem. In new software, there are millions of lines of code typically in a single program, often relying on libraries or other previously developed tools. Mistakes are inevitable.

Mr Inglis, you should develop ways of explaining cybersecurity obstacles so that both experts and small and medium-sized businesses can understand.

Here’s how you might explain the problem: Think of the concept of a known vulnerability as a hole in the bottom of your boat, letting water breach the hull. A little water might pose no threat and might not be worth addressing until your voyage is over. But, unfortunately, holes can sink ships.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency reported last September, in cooperation with the Federal Bureau of Investigation, that China’s top spy agency was using open-source tools to troll through US networks looking for vulnerabilities that had been identified but not yet been patched.

The report was largely ignored. This is something the public and private sectors need to fix. We need your leadership to do that. What we need are devices and systems that can detect all known vulnerabilities and empower us to fix the holes before an attacker finds them.

Imagine if there were an easy-to-use scanner to detect all known software vulnerabilities, so the holes could be fixed daily, weekly or monthly. WannaCry, Petya, NotPetya, the Equifax attack and many other attacks, including ransomware hacks, all would have been prevented.
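As an added illustration of the scanner the authors describe (example code written for this page, not from the article or from Assured Enterprises): a minimal known-vulnerability matcher that compares a constructed software inventory against a constructed advisory feed with placeholder ids, reports every installed version that falls below the fixed release, and ranks each hole by how long the vulnerability has been public.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE number
    product: str
    fixed_in: str      # every version strictly below this is vulnerable
    published: date    # the day the vulnerability became "known"

def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))

# Constructed inventory: what is actually installed on the assets.
INVENTORY = {"log-agent": "2.3.9", "web-proxy": "1.8.0", "db-engine": "11.2.1"}

# Constructed advisory feed; ids and products are invented for the example.
ADVISORIES = [
    Advisory("ADV-0001", "log-agent", "2.3.10", date(2021, 4, 6)),
    Advisory("ADV-0002", "web-proxy", "1.7.5", date(2021, 3, 1)),
    Advisory("ADV-0003", "db-engine", "11.3.0", date(2021, 5, 20)),
]
DEMO_DATE = date(2021, 6, 1)  # the day the scan is run

def find_unpatched(inventory: dict, advisories: list, today: date) -> list:
    """One finding per advisory that covers an installed version, oldest hole first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # product not deployed here, nothing to patch
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append({
                "advisory": adv.advisory_id,
                "product": adv.product,
                "installed": installed,
                "fixed_in": adv.fixed_in,
                "days_exposed": (today - adv.published).days,
            })
    # Longest-known holes first: those are the ones scanned for most often.
    findings.sort(key=lambda f: f["days_exposed"], reverse=True)
    return findings

if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES, DEMO_DATE):
        print(f"{f['advisory']}: {f['product']} {f['installed']} -> fix in "
              f"{f['fixed_in']} (known for {f['days_exposed']} days)")
```

Run against a real inventory, the same loop tells an asset owner which holes are oldest, which is the patch-cadence question the paragraph above raises.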

Do we even know how the Colonial Pipeline attack was executed? Did it exploit a known vulnerability in the software? Imagine if more companies undertook comprehensive annual cyber risk assessments, obtaining practical recommendations to reduce risk.

Just addressing these basics would mean that foreign adversaries might have to completely redesign their tools to achieve their goals. We could dramatically shrink our adversaries’ field of attack.

The fundamental issue, we submit to you, is the prevailing mindset of the cybersecurity industry. In essence, the old school of cybersecurity accepts that penetrations are inevitable. We get attacked and penetrated. Then we spend money on new systems that get penetrated again. To call for a paradigm shift has become a cliché, but that’s precisely what is necessary.

We are not living in medieval castles surrounded by moats where the goal is to keep the intruder out. The real goal should be to keep the enemy from obtaining access to our data. Who cares if 1,000 bad guys penetrate the perimeter of a network, as long as they cannot read, collect, copy, exfiltrate, manipulate or otherwise gain access to or do harm to your data? Equate data to wealth, to state secrets. It is all about the data.

The really major challenge you face, sir, is persuading private-sector companies that their focus on short-term profits, rather than long-term strategic IT security, is a miscalculation. Together, public and private sector must agree that national security is not just the government’s problem. The cyber czar is the right person to frame that crucial discussion.

The very architecture of widely dispersed cloud-based computing systems may have to be re-examined, as cyber experts such as Ted Schlein are starting to argue.

“The way the US government is organized makes it very difficult to defend the country, its corporations and its citizens from cyberattacks,” Schlein, a venture capitalist who built Symantec into a cybersecurity powerhouse, told a trade publication. “We have designed a bureaucratic, decentralized infrastructure.” But he added, “I think the whole landscape needs to be completely rethought.”

He is right. Now the question is how and with what priorities? With what cybersecurity tools? Based on what philosophy? Old-school focus on networks and endpoints? Or new-school focus on comprehensive risk assessments and data protection, especially in a defense in depth, layered approach?

Mr Inglis, the nation-state hackers have played to our weaknesses and they have played off of our divisions. New solutions and new approaches are the keys to protecting America. Can you spur America to wake up in time?

William J Holstein is author of the forthcoming A Grand Strategy: Countering China, Taming Technology and Restoring the Media. Stephen M Soble is chairman and chief executive officer of the cybersecurity firm Assured Enterprises, Inc, in Vienna, Virginia.