NSA: ‘We have not responded to a zero-day in two years – our adversaries are hitting known vulnerabilities’
Cybersecurity unit director reveals how US intelligence agency is working to spread best practice by promoting openness and collaboration
The US National Security Agency has revealed that its cybersecurity unit has not had to deal with a zero-day cyberattack in two years, as adversarial states have been able to exploit bad practice and human error to cause harm.
Zero-day assaults occur when an attacker exploits a vulnerability that the target of the attack was not previously aware existed – and for which there is, consequently, no pre-existing fix or patch. They are much harder to respond to than assaults on known weakness, and are so-called because there is no time – ‘zero days’ – between the vulnerability’s discovery and its exploitation by hostile actors.
The Stuxnet worm – which is widely understood to have been created as a cyberweapon by US and Israeli authorities – wreaked havoc with Iran’s nuclear programme around 2007. It is surely the most infamous, and the most destructive zero-day exploit of all.
Sony Pictures suffered a zero-day assault in 2014, in which yet-to-be-released films and private emails were accessed and leaked by hackers. US authorities fingered North Korea for the hack – although the country denied it was responsible.
In spring 2016, the US Democratic National Committee was breached by a zero-day exploit, leading to another leak of sensitive emails. Intelligence authorities attributed responsibility for this attack to Russia, via the hacking group known as Fancy Bear.
In defending the cyber networks of the US Department of Defense, the NSA’s Cybersecurity Threat Operations Center “serves on the frontlines” of the digital battlefield, according to the organisation’s technical director Dave Hogue.
“We have seen multiple ransomware attacks, data-deletion, penetration of government networks – every day we are handling a major event somewhere across the world,” he says.
China, Russia, North Korea, and Iran
The four countries identified by the NSA as its main cyber adversaries
Bug bounties paid out to hackers by the US Department of Defense as part of the recent Hack the Air Force 2.0 challenge
Percentage of cyberattacks responded to by the NSA that could have been prevented by security best practice
Target and Walmart
The two retail rivals - the biggest and seventh-biggest retailers in the US, respectively - who have teamed up to help fight cyberthreats
The organisation’s four main online adversaries are identified as China, Russia, Iran, and North Korea. But, over the last two years, this quartet, and any other hostile parties, have not needed to launch complex and carefully constructed assaults in order to cause harm.
“We have sophisticated adversaries using unsophisticated means to wreak damage,” Hogue says. “We have not responded to a zero-day attack in 24 months. They are attacking the edge, or hardware and software updates… they are taking advantage of bad security practice.”
The NSA cybersecurity chief (pictured above) claims that 90% of incidents dealt with by his unit are caused by human error, while 93% could have been prevented if best-practice measures had been followed.
“The most distressing thing is that a lot of attacks would have been prevented [by techniques] that had been out there for ages, such as whitelisting applications,” Hogue adds.
Working with allies to share information and best practice is key to fighting the cyberthreat, he says. Hogue points to some examples of how organisations – in both the private and public sector – can unite to their mutual benefit. And he reserves his most abundant praise for the UK National Cyber Security Centre’s work to create a central hub from which to disseminate knowledge among and co-ordinate incident response.
“Cyber is a team sport,” Hogue says. “In the US, the security operations centres (SOC) of our two biggest retailers – Target and Walmart – are in contact every day. They know if they are being attacked, their whole sector is likely to be affected. And that is the equivalent of the Manchester United and Liverpool SOCs working together.”
He adds: “If I had a drink here, I would raise my glass to the UK for what they have done with NCSC – galvanising public and private interests with that bold statement of becoming the safest place to live and do business online. And the results have spoken for themselves – it has been amazing.”
One way in which the NSA is reaping the benefits of a team approach to cybersecurity is by increasing use of so-called bug bounties, where hackers are sought out and rewarded for discovering previously unknown vulnerabilities in an organisation’s network.
Hogue says that the intelligence agency is using bug bounties as a means of tapping into the knowledge of the hundreds of thousands of cybersecurity professionals working in the US.
“We need to bring in that community expertise,” he says. “[Web-browsing company] NetScape rolled out bug bounties in 1995, but for the Department Defense it is pretty new. [The attitude has always been]: ‘We are going to allow someone to hack into our network?! No, thanks!’.”
One bug successful bug-bounty challenge was the recent Hack the Air Force 2.0 initiative. The exercise, which took place during the last three weeks of 2017, saw expert hackers from various countries help the US military uncover 106 previously unknown vulnerabilities.
“Including one that would have allowed an adversary to access a very sensitive part of the website,” Hogue adds.
"We have sophisticated adversaries using unsophisticated means to wreak damage... they are taking advantage of bad security practice"
Dave Hogue, NSA Cybersecurity Threat Operations Center
The hackers earned a collective $103,883 from the Department of Defense.
Bug-bounty exercises are just one example of how cybersecurity professionals ought to take an outward-facing and open-minded approach in their attempts to understand and combat the current threat landscape, according to Hogue.
“We have to foster a culture of curiosity,” he says. “CISOs will say ‘we can close out a ticket in a [certain] number of minutes’. But that is not the right metric.
“You have really got to change your thinking.”
Hogue was speaking at the NCSC’s CYBERUK 18 event, which has been taking place in Manchester this week.
Force expresses disappointment in ‘negative and unbalanced’ tone of report it commissioned
Ability to compel telecoms firms to gather data was introduced in Investigatory Powers Act
Work also begins on developing a framework for identity products after Verify enters private ownership
A month on from the revelations about the Chinese vendor’s potential involvement in the UK’s 5G network, PublicTechnology examines the key issues
Sharon Hobson of Riverbed explains why the key to justifying an investment in cloud technology is visibility of network performance