In the course of a much appreciated exchange of ideas in a LinkedIn thread, the subject of cyber standards like CMMC (the DoD's new Cybersecurity Maturity Model Certification) and the SolarWinds hack came up.
The broad consensus is that CMMC would not have prevented this attack, a supposition that I fully support. To begin with, the standard is not intended, across most of its levels, to stop Advanced Persistent Threat (APT) attacks, which this clearly was. By various reports this was a very capable and sophisticated attack. Brian Krebs wrote a nice short piece on it here.
My larger argument is that standards, even strict adherence to standards, do not detect and then stop attacks; operations stop attacks.
What do I mean by operations in this context? Well, my outlook is formed by a career as a Naval Officer with more than my fair share of combat operations. The foundation of US military doctrine for operations is Joint Publication 3-0, Joint Operations, and it defines an operation as “1. A sequence of tactical actions with a common purpose or unifying theme. 2. A military action or the carrying out of a strategic, operational, tactical, service, training, or administrative military mission.” Let’s repeat: “a sequence of tactical actions with a common purpose.” It is something we do, and those tactical actions go on every day, 24/7, until the operation is complete. We cannot “have” cybersecurity. We can only do cybersecurity operations.
Business also understands operations. The Corporate Finance Institute defines operations as, “activities that businesses engage in on a daily basis to increase the value of the enterprise and earn a profit.” There again, things we do every day.
Compliance and standards have their place. The military has doctrine and standards ad infinitum. Those things are valuable and needed. They inform training. They inform the weapons and support systems we build. They guide our preparation in many ways, but they do not in themselves meet operational objectives, nor do they win any wars, and we are in an ongoing, continuous, low-level cyber war. If we want to meet our security objectives, then we need to do cyber operations in order to accomplish those objectives.
The heart of these operations, in my view, is DETECTION. Detection is something we spend far, far too little time on. The vast majority of our effort goes to prevention. Prevention has its place in the cyber war as well, and is valuable, worthwhile work. Yet we continue, to our peril, to think of cybersecurity in terms of compliance and prevention.
This, in turn, runs up against the #1 problem in cybersecurity: “the truth we don’t want to know.” We don’t want to know that prevention failed, and in not wanting to know, we neglect or all too often suppress detection. Prevention failed in SolarWinds because the adversary ran a really smart, capable, sophisticated operation, one built on lessons learned from constantly probing our defenses, constantly testing, constantly driving to succeed.
Immediately in the SolarWinds aftermath we have begun to dive deep into more prevention. “Why was this allowed to happen!” is the cry. The question we should be asking is “Why did it take so long for us to detect it?” Prevention is going to fail eventually. We can have a 99.99% perfect prevention system, and smart operators will eventually exploit that 0.01%. In this case, we again have a major breach that went undetected for 9+ months and was only found because the attackers were foolish enough to hack the #1 cyber operations company in the world, FireEye. (@FireEye, you can thank me for the high praise later.) FireEye did not prevent it. They detected it, and through that detection shut it down. You cannot stop the hack you do not know about.
So as the dust settles and the after-action review on SolarWinds rolls out, let’s keep the cry for “Better Detection!” front and center, particularly inside our Federal Government. I know that not every company in the Defense Industrial Base (DIB) can afford much in the way of cyber operations, but our Federal institutions can and should. CMMC is a standard that will raise the level of play across the DIB, and it is needed, particularly with its accountability mechanism for a basic level of play.
Across the board, though, we should be looking at how we enhance cyber operations, particularly at the top level. We need to review the actions we are taking every day, and how we make those tactical actions more effective at meeting our operational objective: protecting our information, information systems, and critical infrastructure.