When the National Security Agency (NSA) – whose mission centers on signals intelligence and cybersecurity – tips its cap to the private sector for cyber intelligence, that’s a heady endorsement.
That acknowledgement of private sector threat intelligence expertise was one of the standout points from Rob Joyce, the director of NSA’s Cybersecurity Directorate, during a keynote address Oct. 18 at the Mandiant Worldwide Information Security Exchange event in Washington, where he talked about lessons that NSA is taking away from Russia’s invasion of Ukraine.
Joyce, talked about six lessons he has learned over the last year from the Russian invasion and its run-up, along with four pillars he believes cybersecurity companies must implement to prevent future attacks from foreign adversaries.
Anatomy of a Cyber Assault
Before Russia launched its physical attack on Ukraine in February, it first targeted the eastern European country through malware that hacked Ukrainian government websites. Joyce described that as “pretty big” because it represented a different, more aggressive cyberattack then ones seen before.
Beyond just Ukraine, the impact of that attack quickly crossed international borders and affected critical infrastructure in neighboring countries – like Germany’s power generating wind turbines and France’s emergency services.
Russia’s cyberattacks on Ukraine were carried out through “unique, custom-built malware that was first ever deployed into that space,” Joyce said. The attack proved to put civilian infrastructure under the same amount of risk, if not more, as the government.
By using espionage, Russia was better able to pinpoint where Ukrainians were and what they were doing – and it was then that they began physical attacks.
Amid that assault, however, Ukraine has benefited from private sector cyber intelligence of the type that Joyce said the U.S. government may not be able to generate.
“They played a tremendous role,” he said of the private-sector intelligence providers. “Industry was using their own platforms to look at [threats] within the high ground that they have created, and they know best.”
“From the outside, a foreign intelligence agency – like NSA – is able to scan and look across swaths of the ecosystem, but the precision, the detail that’s inside those individual platforms, that’s the domain of industry. That’s where the expertise is,” Joyce said.
Industry experts sharing their insights in the cyber realm have empowered the intelligence to make a difference in the Russia-Ukraine conflict, the NSA official said.
“When we protect us, we protect you and it’s through partnerships with industry that really get us to that scale,” Joyce said.
He then highlighted the work Ukraine did to create resiliency after they were attacked – a page that he said American companies could take from their ally’s book.
“They’ve gotten good at doing defense,” he said. In particular, Ukraine cyber officials developed skills in hardening and protecting targets, as well as practicing incident response plans, Joyce said.
Joyce listed six lessons that NSA is taking away from the Russian invasion of Ukraine that can be applied to cyber efforts on American soil as well:
- Both espionage and destructive attacks will occur in conflict;
- Industry has unique insights into these conflicts;
- Sensitive intelligence can make a decisive difference;
- You can work to and develop resiliency skills;
- Don’t try to go at it alone; and
- You have not planned enough for the contingencies.
Joyce also plugged a recent playbook from NSA and their partners of the top 15 commonly exploited vulnerabilities that agencies and companies can use to plan how they will mitigate attacks. And he left the audience with the four enduring pillars to good cybersecurity:
- Harden: invest in the basics and hardening your systems and networks;
- Actively defend: take an active stance against adversaries, not a passive one;
- Contest: impose costs on malicious actors; and
- Scale: collaborate with industry.
“We’re in a new environment. Think about those nation-state challenges. Think about those thinks you can proactively do,” Joyce said. “You’ve got to invest in cybersecurity, you’ve got to do the basics, but then from there you need to think about how you harden, defend, contest, and get to scale.”