With governments and private companies under constant malicious cyberattacks, Anne Neuberger said it's time to shift the collective mindset from incident response to prevention.
Neuberger, deputy national security advisor for cyber and emerging technology, delivered an RSA Conference 2021 keynote Tuesday, titled 'Cybersecurity as a National Imperative,' where she reiterated points found in the executive order President Biden signed last week and offered additional steps to be taken. A major portion of the keynote and executive order emphasized the need to modernize the United States cybersecurity defenses, as the government has navigated two major incidents in its first 100 days: the SolarWinds supply chain attack and the exploitation of zero-day vulnerabilities in Microsoft Exchange Server.
In light of those significant hacks that claimed high-profile victims, she spoke on prioritizing prevention rather than relying on incident response. To that end, Neuberger said there needs to be a mindset shift that includes the ability to facilitate early detection.
"I've observed that as a community we've accepted that we will move from one incident response to the next, and while we must acknowledge breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo on which we operate," she said during the session. "The national security implications of doing so are too great."
Incident response following the SolarWinds attack highlighted hard truths, according to Neuberger. It revealed that some of the most basic cybersecurity prevention measures, including multifactor authentication, encryption, constant logging and endpoint detection, were not systemically rolled out across federal agencies. Another example of inconstancies inside the federal government was that it took multiple advisories from the National Security Agency and the Cybersecurity and Infrastructure Security Agency to get the compromised software systems updated.
Neuberger said the government has taken immediate action to address these issues, but there is still much work to be done. That action starts with the software the federal government purchases, which she said often include "defects and vulnerabilities."
"These are defects and vulnerabilities that the developers are accepting as the norm with the expectation that they can patch later," she said. "Or perhaps developers decide to ship software with defects and vulnerabilities they decide to ignore because they deem them not sufficiently serious enough to merit fixing. That's not acceptable. It's knowingly introducing potentially grave risks."
Neuberger said software supply chain security is a particular concern for the U.S., and there needs to be more visibility into the software the government buys because they place their trust in vendors -- and "we do it blindly" because there is no way to measure that trust.
Having a secure build environment that includes strong authentication, limited privilege and encryption is crucial, Neuberger said. Additionally, software developers should carefully review their code and check for known and potential vulnerabilities before the product ships.
"This is hard and it also may seem basic to you -- maybe even obvious. But we all know these basic practices are not universal," she said.
Tackling ransomware threats
In addition to improving security around the software supply chain, Neuberger said addressing the growing ransomware threat is a top priority. One of the government's first global initiatives will be a collaborative effort to target ransomware gangs. Extortion through ransomware poses a national security threat for countries around the world, Neuberger said, and it's a huge financial cost for the private sector.
During a White House press briefing last week, Neuberger addressed the ransomware attack on Colonial Pipeline, which disrupted fuel delivery to the East Coast and led to the company reportedly paying a $5 million ransom. During the briefing, she said while the FBI has provided advice in the past that paying a ransom would encourage further ransomware activity, they recognize that companies are often in a difficult position if their data is encrypted and they do not have backups to recover.
Along with increasingly large ransom demands, Neuberger said Tuesday that the threat actors themselves are evolving. "We're also concerned about the growing sophistication of these groups, both in their exploits such as the use of file-less ransomware and in their operational models, including the evolution to big game hunting. The growth of ransomware cartels and increasing prevalence of double extortion schemes is also a concern," she said during the session.
Charles Carmakal, senior vice president and CTO at FireEye's Mandiant, said ransomware gangs are the biggest threat facing public and private sectors today.
"Multifaceted extortion and ransomware are the most prevalent threats to organizations," Carmakal said. "Data theft and reselling of unauthorized access to victim organizations remain high as multifaceted extortion and ransomware actors have trended away from purely opportunistic campaigns in favor of targeting organizations that are more likely to pay large extortion demands. Given this surge, organizations must take proactive action to mitigate the potential impact."
International cooperation is critically important, Neuberger said, because transnational criminals are most often the perpetuators of ransomware crimes. While proactive prevention and better cybersecurity are often the best defense against the threats, she said the U.S. government also wants to hold threat actors accountable for these attacks.