Defend Forward Amid a New Era of Cyber Espionage | Opinion

During a testimony before the Senate Armed Services Committee on March 25, General Paul Nakasone revealed that Cyber Command launched more than two dozen cyber operations to protect the 2020 U.S. presidential election. The effort was successful in the sense that foreign actors did not alter any U.S. voting processes, according to the Office of the Director of National Intelligence.

While we had our sights set on securing the election, our enemies pivoted.

No More Hackers, Only Spies

In many ways, cyberattacks against the U.S. election four years earlier kicked off a new era of cyber espionage where hackers became spies. Cybercriminal cartels were now using espionage techniques to prime extraordinarily sophisticated cyberattacks. Nation-state attack groups went after critical infrastructure with ransomware attacks such as WannaCry and Petya. State and non-state actors were stealing immense amounts of U.S. intellectual property. And malicious actors flooded social and traditional media worldwide with disinformation.

Triggered by these trends, the Department of Defense initiated a new cyber strategy in 2018 that we know today as Defend Forward. Defend Forward planned to focus on the most aggressive nations. It would take risks to catch adversaries and would actively pursue them wherever they attacked, including confronting them on their home turf. The strategy made DHS the first responder for cyberattacks against U.S. infrastructure and ordered the U.S. military to "disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict."

We first witnessed the U.S. flexing these new muscles during the 2018 midterm elections. Deploying an active threat hunting strategy, Defend Forward launched a preemptive attack on Russia's Internet Research Agency in Saint Petersburg. From 2014 until 2016, the IRA posed as American owners of social media pages and patriotic groups to sow discord in America and heighten tensions related to race, sexual identity, gun rights and freedom of speech. In the days leading up to the 2018 midterm vote, the U.S. military blocked the IRA's internet access, thereby preventing them from continuing the disinformation campaign they began in 2014 and carried successfully through the 2016 election. At least for a time, it seemed our new posture was working.

SolarWinds and the Sleight of Hand

The evolution of the DoD's cyber strategy should have enhanced the U.S.' ability to directly counter foreign cyber espionage offenses before they reached the U.S. After all, espionage relies on subterfuge and illusion. It is premised on attacking an adversary where they least expect in order to exfiltrate the most damaging information that will provide a lasting benefit to the spy. Spies are like illusionists in that they will wave one hand to draw your focus so that you fail to notice the ace hidden up their other sleeve.

As U.S. counterintelligence was focused on securing the 2020 election, a nation state, which the FBI presumes to be Russia, methodically launched a supply chain attack against the U.S. government and ultimately stole the keys to the kingdom.

Using a technique called island hopping, the cyber attackers compromised SolarWinds, whose technology is used by 425 of the U.S. Fortune 500 and numerous agencies in the U.S. government, including the Pentagon, DHS and State Department. Organizations were compromised upon installing a legitimate, yet trojanized update which allowed attackers to steal user credentials and move laterally through infected systems.
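The paragraph above describes the post-compromise phase: stolen credentials reused to move laterally between systems. One signal defenders look for is a single account that suddenly authenticates to many distinct hosts in a short window. The following script is an added example and is not code from the article or from any organization it mentions; it parses a constructed, hypothetical authentication log (the log format, host names and user names are all invented for illustration) and flags accounts whose successful logons fan out across at least `threshold` distinct destination hosts within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not real data).
# One account, "jsmith", reaches six different hosts in a few seconds from a
# workstation, which is the fan-out pattern credential-reuse lateral movement
# tends to leave behind. The other entries are ordinary activity.
SAMPLE_LOG = """\
2021-04-01T09:00:01 auth user=alice src=ws-12 dst=fileserver-1 result=success
2021-04-01T09:00:05 auth user=alice src=ws-12 dst=mail-1 result=success
2021-04-01T09:15:00 auth user=bob src=ws-07 dst=fileserver-1 result=success
2021-04-01T10:30:00 auth user=jsmith src=ws-22 dst=db-1 result=success
2021-04-01T10:30:02 auth user=jsmith src=ws-22 dst=db-2 result=success
2021-04-01T10:30:03 auth user=jsmith src=ws-22 dst=app-1 result=success
2021-04-01T10:30:04 auth user=jsmith src=ws-22 dst=app-2 result=success
2021-04-01T10:30:05 auth user=jsmith src=ws-22 dst=dc-1 result=success
2021-04-01T10:30:06 auth user=jsmith src=ws-22 dst=backup-1 result=success
2021-04-01T12:00:00 auth user=carol src=ws-03 dst=mail-1 result=failure
"""

# Regex for the hypothetical log format used above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "result": m.group("result"),
        })
    return events


def find_fan_out(events, window=timedelta(minutes=5), threshold=5):
    """Return {user: sorted list of destination hosts} for every account whose
    successful logons reached at least `threshold` distinct hosts inside any
    `window`-long span. Failed logons are ignored: the pattern of interest is
    valid credentials being reused, not guessing."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) >= threshold:
                # Union with hosts already recorded so the alert lists every
                # destination touched during the anomalous burst.
                alerts[user] = sorted(hosts | set(alerts.get(user, [])))
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} authenticated to {len(hosts)} hosts: {', '.join(hosts)}")
```

The fixed threshold is a starting point, not a rule: accounts such as monitoring or backup services legitimately fan out across many hosts, so in production this logic is run against a per-account baseline and correlated with the source host (a service account logging on from a user workstation is a stronger signal than the count alone).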

President Joe Biden delivers remarks on Russia at the White House in Washington, D.C., on April 15, 2021. JIM WATSON/AFP via Getty Images

This attack on SolarWinds turned a major supplier to the U.S. government and private sector into an unwitting spy. New reports show the espionage campaign went all the way to the email accounts of top DHS officials including the former acting secretary under former President Donald Trump. Remediating the attack is predicted to cost upwards of $100 billion and the future espionage fallout from exfiltrated confidential information cannot be quantified.

Our Defend Forward strategy failed to understand the changing role of espionage in cyberattacks.

The Future of Defend Forward

To prevent such attacks in the future, the U.S. must further unshackle U.S. cyber capabilities to increase threat hunting and deploy more present and operational counterintelligence fed from U.S. spy agencies.

Key to this effort will be truly activating the power of threat intelligence. If government agencies are going to effectively hunt threats and disrupt attacks, they need real-time, actionable intelligence from private sector organizations, and vice versa.

At the recent Senate hearings on the SolarWinds hack, senators concluded that a lack of information sharing was one of the main issues that would need to be addressed as we looked at how to strengthen our defenses moving forward. Senator Mark Warner (D-Va.), the committee chair, specifically noted that an effective defense was "just not going to happen" if left only to our government agencies, stating that "we need a different model," inviting companies to think about the situation.

As the Biden administration takes aim at protecting against new and evolving cyberattacks, one thing is clear: We need Defend Forward to hunt threats before the threats hunt us. And to deter future attacks, we need to improve cooperation and communication between the private and public sector so that we all understand the gravity of successful cyber espionage.

Eric O'Neill is national security strategist at VMware Security Business Unit. His Twitter is @eoneill.

The views expressed in this article are the writer's own.