President Joe Biden laid out a series of cybersecurity initiatives last week, around the time of his inauguration, including earmarking $10 billion for various cybersecurity defense initiatives. Those included hiring key security personnel to support the Cybersecurity and Infrastructure Security Agency (CISA).
The significance of this strategy is considered paramount, with the U.S. government reeling from the SolarWinds cyberattack. And, while Tom Kellermann, head of cybersecurity strategy for VMware Carbon Black, applauds Biden’s plan, he stressed that it should merely be considered a “down payment” toward a much larger sum needed to invest in digital security.
“That number should probably be about $100 billion over time,” said Kellermann. “And I hope that there’s a classified cybersecurity spend, that exceeds that in a classified… military appropriation budget.”
During this week’s podcast, Kellermann breaks down the top cybersecurity priorities for the Biden administration to achieve what he predicts will be a “historic shift to more of a forward leaning posture.”
Below is a lightly edited transcript of this week’s podcast episode.
Lindsey Welch: Welcome back to the Threatpost podcast. This is Lindsey Welch with Threatpost. And I’m pleased to be joined today by Tom Kellermann. Tom is the head of cybersecurity strategy for VMware Carbon Black. And previously, he held the position of chief cybersecurity officer for Carbon Black. And in 2020, Tom was also appointed to the cyber investigations advisory board for the United States Secret Service. So Tom, thank you so much for joining me today on the podcast.
Tom Kellermann: Happy to, it’s a pleasure.
LW: Great. Well, just looking at the news this week, there certainly was a lot going on this past week in the cybersecurity world and in politics. And Wednesday was inauguration day for Joe Biden. And I know from a security standpoint, we’ll be focused in with eagle eyes on the incoming administration’s new strategy for cybersecurity. So, you know, just to kind of set the context here, we’d love to hear your thoughts on some of the biggest challenges or issues that the US government is currently facing right now, and over the past few years, when it comes to cybersecurity and how that really sets the stage for right then and now.
TK: Yeah, the US is dealing with a cyber security quagmire. Essentially, it’s experiencing an insurgency in American cyberspace, which is really unprecedented. One that has been stoked by our traditional Cold War adversaries. And I think the number one challenge facing the US government right now is to really root out the persistence of these nation state actors, within infrastructure and within government agencies. The number one focus needs to be proactive and expanded cyber threat hunting, from just a technical perspective, and integration of security controls so that they get better visibility into what these actors are doing, since they already have a footprint in those networks.
LW: What has the government done over the past few years to kind of step up to the plate there in approaching some of those issues? Or maybe not, I mean, what steps have been taken to kind of meet these nation state actors?
TK: Not much, frankly. The law enforcement and intelligence communities have been hampered by a lack of leadership and strategy from the Trump administration. I think we’re gonna see a historic shift to more of a forward leaning posture under the Biden administration. I think that’s evidenced by the empowerment of Anne Neuberger to become the National Security Council appointed person on cybersecurity and Rob Joyce over at the NSA, both of whom are incredibly talented individuals and very thoughtful about the issues that we must face. And you see it through the Defense Authorization Act that was passed in December, the empowerment of CISA, the increased funding to CISA, the increased funding for threat hunting and workforce development and capacity building, since there’s a shortage of cybersecurity personnel. I think now, we’re gonna see a shift, though, to more of a containment and deterrence approach in cybersecurity. I think Cyber Command will be given more liberty, and more leeway to actively go on the offensive against many of our nation state adversaries, versus just merely being on the defensive side of things. And I do think there’s going to be a huge push to strengthen information sharing and intelligence sharing with the private sector from the US government, led by CISA, as evidenced recently by the release of the free tool called Sparrow, which was purposely built by CISA to disrupt the campaign associated with SolarWinds and the threat actors.
LW: Right, right. And, you know, obviously SolarWinds is kind of a big, overhanging incident on top of all of this right, I mean, that recently happened and it affected several government agencies. Can you talk a little bit more about Sparrow and what that is and kind of what it aims to do?
TK: Sparrow essentially allows you to identify and disrupt the TTPs associated with the large scale SolarWinds campaign and kill chain. It was built by CISA, actually by a woman named Victoria, who’s brilliant, and kudos to her. And I think that it will help dramatically in rooting out, essentially, the adversary that has maintained persistence in these systems.
The problem that we face with SolarWinds, though, is twofold. Number one, it’s not just evidence of a supply-chain hack. It’s an example of the island hopping that we’ve been speaking about for a while. The adversary’s goal is to commandeer digital transformation and use your infrastructure to attack your customers and your citizens. And that has been evidenced through SolarWinds. And they weren’t the only company that was targeted in this fashion. We’re seeing now, based on our colleagues and partners in the incident response community that use the Carbon Black EDR, that 55 percent of the time when they conduct investigations, they realize that the primary goal of the attack was to commandeer the digital transformation of the victim and use it to attack their constituency. And that is a huge challenge that’s facing all of us. And it really changes the game of how we need to approach cybersecurity. The second challenge, from a tactical perspective and a technical perspective, is that much of the secondary command and control that’s been put on a sleep cycle that is used by these Russian threat actors is stored and hidden in image files through steganography. And there does not yet exist a capability that can scalably associate and identify the existence of steganography across all image files in an organization.
LW: Mm hmm. Yeah, that’s a really interesting point about steganography. I feel like that’s something that has been up and coming for a while now. And, you know, from the defense standpoint, you know, organizations really do need to step up to the plate there, regarding that. So, but yeah, back to your first point about SolarWinds – can you talk a little bit more about what this means from a governmental standpoint, and what could have been done from the government’s standpoint to prevent this or to mitigate this, or stop something like this from happening?
TK: Well, first of all, SolarWinds was very elegant, and it leveraged a number of newly created capabilities and custom made malware purpose built to leverage this campaign. It had multiple stages of the campaign. Like I said, there were three groups that were involved in it – Turla, APT 29, and APT 28, all leveraging their own facet of the campaign. What’s interesting to me, I think now, is that they burrowed in so deeply, and they probably still have footprints in these systems, that we can’t just focus on eliminating the backdoors and unknown malware. Because of the fact that they have employed steganography with secondary C2 on sleep cycles, we really need to begin looking for more of the unique telling signs that they were there in the first place. So we should be looking at “Hey, was AMSI ever disabled on this endpoint?” “Or do we see periods of logs that have been deleted, like 90 minute intervals of logs that were deleted, since CosmicGale allowed for the automation of deletion of logs after the adversary set up a session?” “Are you seeing large PNG files in your O365 environment and inboxes?” I know that sounds like such basic stuff, but we really need to hunt them in a different way. And we need to be much more clandestine when we hunt them, for fear of them becoming disruptive and leveraging more ferocious forms of counter incident response – moving from deletion of logs to manipulating time to manipulating the integrity of data and/or dropping ransomware NotPetya-style inside these systems where they have persistence. So we need to be very careful about the escalation as we hunt. To the first point of the question about where did we fail, I think we failed in assuming that the adversary was going to hunt us in a traditional fashion, where they were going to break in and then merely steal or conduct espionage, versus actually attempting to commandeer our digital transformation and use it to attack other agencies and/or other entities.
In addition to that, I think the perimeter defense posture espoused by the standards orgs that have been embraced by the federal government are outdated. That fortress-like, castle-like construction perimeter defense is no longer effective against the attack of today, as the adversary is using trusted communication protocols, networking infrastructure, cloud infrastructure, things that are implicitly trusted and allowed to bypass the perimeter to attack you.
LW: Wanted to switch gears real quick and look at a recent proposal from Biden regarding spending $10 billion in cybersecurity and IT spending, and a large part of that proposal aims to send funds towards you know, CISA, as we were talking about earlier. And then also the General Services Administration, in order to complete various cybersecurity and IT modernization projects. Would love to kind of pick your brain regarding any key takeaways you have, or what really stands out to you regarding this proposal when it comes to security and what might work, what’s missing there, anything that really stands out to you.
TK: First of all, I applaud it. But it’s a down payment. And that number should probably be about 100 billion over time. And I hope that there’s a classified cybersecurity spend that exceeds that in a classified, you know, military appropriation budget. But the future of warfare and the future of national security is dependent on cyber. And right now, American cybersecurity is incredibly fragile. And we’re dealing with an adversary that has already dropped troops in the domain, however, has already set up shop inside our sovereign boundaries as it relates to cyberspace. That’s why I compare it to an insurgency in that regard. I think that the $10 billion would be well spent to do all of the things that have been listed there, from, you know, workforce development, to empowering CISA and improving security across federal government agencies. But I do think we need to begin to invest in things that are much more proactive. As evidenced by this attacker in this campaign of SolarWinds, we need to invest more heavily in workload security, cloud security; we need to invest more heavily in cyber threat hunting; we need to invest more heavily in the integration of existing security controls, particularly network detection and response platforms and endpoint protection and response platforms, right. We need to invest more heavily in zero trust, but extending zero trust beyond the identity, to the endpoint, all the way through the infrastructure. And then we really need to modernize, you know, how we sign certs and how we protect against SAML attacks and SAML assertion attacks, because of the over dependency and trust placed in those. And that’s just getting granular. Beyond that, I think there’s a couple significant policy endeavors that are being considered that are strategic opportunities for public policy, that may well happen.
For one, from a governance perspective, the elevation of CISOs to be equal to CIOs within government agencies, with their own corresponding budgets and authorities, and to have those CISOs report to the directors of those agencies and not have to go through the CIO, would be tremendously impactful. The push for more spending on DevSecOps and container security throughout the federal government for any new developments, right, that they’re developing for specific agency purposes, is a good one. There’s been discussion about moving Secret Service back into Treasury so that they can focus on financial crimes more thoroughly. There’s been discussion about creating a Superfund of forfeited digital currencies and alternative payments associated with cybercrime conspiracies, that could be used to fund critical infrastructure protection. And there’s been discussion about expanding threat hunting from CISA to critical infrastructures by mandate if it’s been proven that they have been successfully breached. And finally, there is a policy movement on the Hill to provide tax incentives for companies that invest in cybersecurity, that invest over 10% of their IT budgets in cybersecurity, and also have a dedicated head of cybersecurity within their organization.
LW: Sounds like there is at least the awareness and there’s some, you know, discussion and movement happening too – a lot of those sound like those could be really effective strategically for really kind of prioritizing security at the forefront as well. So that’s definitely good news there.
TK: And what’s really important, though, is we can’t be isolationists when we think of cybersecurity. Strengthening how we work with NATO on cybersecurity must be an imperative. Re-establishing the position of the Assistant Secretary for cyber policy at the State Department, like Chris Painter had before he was terminated by the Trump administration, is quintessentially important because of the nature in which cybercrime, cyber espionage and cyberattacks are global in nature. So no matter what we do just domestically, we have to become much more multilateral and macro in that regard.
LW: I also wanted to ask you, you know a little bit more about any initiatives that CISA has been kind of taking on or that you think we should keep a finger on the pulse of moving forward. I know that they have had various mandates over the past few years for government agencies, including directing agencies to implement vulnerability disclosure policies and some other things. And I know, too, that part of this new policy proposal would aim to improve monitoring and incident response across federal agencies working with a CISA project. So I was wondering kind of what your thoughts were there.
TK: Yeah, I think the empowerment of CISA is fundamental. I applaud everything they’ve done; they’ve been doing God’s work, but they’ve been underfunded and understaffed for too long. They’re finally receiving additional funding through the Defense Authorization Act. The work they’ve done with the Sparrow tool and with countering both SolarWinds as well as election manipulation in November was herculean, to say the least. I just hope that they are given expanded authority to proactively conduct cyber-threat hunting and expanded authority to share more relevant intelligence with the private sector, and with those critical infrastructures that essentially host American cyberspace. I think those authorities will inevitably come down from the administration due to the leadership of Anne, as she sits at the NSC. And then I’m really looking forward to seeing what Rob Joyce’s strategy is, and how that unfolds as it relates to the National Security Agency, as it relates to countering this insurgency.
LW: Right, right. I think, you know, part of this proposal was, you know, hiring security experts. And as you point to, there have been a couple of kind of key personnel add-ons there that hopefully will really help in this regard as well.
TK: I have a lot of hope. I actually, you know, have 22 years in cybersecurity. I’m hopeful. I’m very hopeful that we have an opportunity to turn the tide in 2021.
LW: That’s great. Yeah. Always good to be optimistic, especially when it comes to big policy changes and government and whatnot. So, Tom, before we wrap up, is there anything else you wanted to mention or make note of regarding either some of the top security challenges facing the US government or kind of what the government can do to really step up to the plate there?
TK: We have to create shared risk, the government has to create shared risk for nation states that actively colonize US cyberspace. And that shared risk needs to manifest soon, because the private sector cannot defend themselves sufficiently against these nation state actors. And I don’t know what form that shared risk needs to take. But I’d like to see significant actions taken by the US government to punish those who have colonized our infrastructure.
LW: Absolutely. Well, Tom, thank you so much for coming on to the Threatpost podcast.
TK: It was my pleasure. Thank you for having me.
LW: Great. For all of our listeners, thanks for tuning in today. Once again, this is Lindsey Welch, joined today by Tom Kellermann. Catch us next week on the Threatpost podcast.
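Two of the hunting checks Kellermann lists in the interview (90-minute stretches of deleted logs after an attacker set up a session, and oversized image files carrying hidden command-and-control data) are simple enough to script. What follows is an added example written for this page; it is not code from the podcast, from Threatpost, from VMware Carbon Black or from CISA’s Sparrow tool. The event-log lines and the 1x1 PNG file are constructed inside the block, the 90-minute threshold is taken from the interview, and the image check only looks for bytes appended after the PNG IEND chunk, which a renderer never reads.

```python
import re
import struct
import zlib
from datetime import datetime, timedelta

# Constructed sample event log (not real data). The one-and-a-half-hour hole
# between 09:31 and 11:05, followed by a 1102 "audit log cleared" event, is the
# pattern the interview describes: the attacker's session runs, then the logs go.
SAMPLE_LOG = """\
2021-01-18T09:00:12Z 4624 logon user=svc_backup
2021-01-18T09:14:55Z 4688 process cmd.exe
2021-01-18T09:31:03Z 4624 logon user=jdoe
2021-01-18T11:05:40Z 4688 process powershell.exe
2021-01-18T11:06:02Z 1102 audit log cleared
2021-01-18T11:20:19Z 4624 logon user=jdoe
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def find_log_gaps(log_text, min_gap_minutes=90):
    """Return (gap_start, gap_end, minutes) for every silent window of at
    least min_gap_minutes between consecutive timestamped lines."""
    stamps = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    stamps.sort()
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta >= timedelta(minutes=min_gap_minutes):
            gaps.append((prev.isoformat(), cur.isoformat(),
                         int(delta.total_seconds() // 60)))
    return gaps


PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    # One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png(trailer=b""):
    """Constructed 1x1 8-bit grayscale PNG. `trailer` simulates a payload an
    attacker tacked on after IEND; image viewers ignore it, so the file still opens."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, type...
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


def png_trailing_bytes(data):
    """Walk the chunk list and return the number of bytes after IEND.
    Returns -1 when the input is not a well-formed PNG (bad signature,
    truncated chunk, or no IEND), which is itself worth a second look."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data):
            return -1
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return -1


if __name__ == "__main__":
    print("log gaps >= 90 min:", find_log_gaps(SAMPLE_LOG))
    print("clean png trailing bytes:", png_trailing_bytes(make_minimal_png()))
    print("tampered png trailing bytes:",
          png_trailing_bytes(make_minimal_png(b"beacon config" * 10)))
```

The gap check is deliberately naive: it assumes the source normally logs steadily, so on a quiet host a 90-minute silence will be ordinary and you would tune the threshold per log source or compare against the host’s own baseline. The PNG check catches only the crude case of data appended after IEND; a payload embedded in the pixel data (least-significant-bit steganography, for instance) leaves the chunk structure intact and would pass, which is the detection gap Kellermann is pointing at.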