Inglis: People, companies need to replicate collective cyber defense seen in Ukraine
United States National Cyber Director Chris Inglis said the cyberdefense tactics used in Ukraine by residents, government agencies and companies is something the U.S. needs to replicate going forward.
Onstage with journalist Kim Zetter at the DEF CON hacking conference in Las Vegas last week, Inglis — a former NSA deputy director and the first person to serve in his role — sidestepped questions about how the U.S. government should view the array of hacking groups that have taken sides in the Ukraine-Russia conflict as well as inquiries into what line the U.S. should enforce against allies who attack critical infrastructure.
But he spoke at length about how the thinking around cybersecurity and defense needed to change, from both the perspective of regular end users as well as the companies developing critical platforms.
The Colonial Pipeline ransomware attack, he said, was emblematic of how things need to change, considering the cyber hygiene of one person affected the confidence of millions of gas customers across the East Coast.
“In defeating one person, they defeated all of us. They defeated tens of millions of people because of a single person’s error. We need to flip the script and we’re not going to shoot our way out of this. No amount of response, no amount of fire drills responding to two- and three-alarm fires is going to restore the confidence that people didn’t have that day,” Inglis said. “The only reasonable solution is to get serious about defense. To make defense the new offense, such that if you’re an adversary in this space, you’ve got to beat all of us to beat one of us.”
No situation illustrated this idea better than the invasion of Ukraine, according to Inglis, who lauded the country for collectivizing cyber defense in a way few countries have done before.
Inglis, like many experts, said he thought the massive power difference between Russia and Ukraine from a cyber offensive standpoint meant Ukraine would “have a really tough time defending themselves in cyberspace.”
“We didn’t give enough credit to the Ukrainians,” he said, explaining that the country’s government did extensive preparatory work building out a system of resilience and robustness that was buoyed by a larger cybersecurity awareness among the country’s residents.
According to Inglis, the other main tranche of cyber defense that broke in Ukraine’s favor was the decision of major tech providers to step up cybersecurity efforts significantly.
Inglis said companies like Microsoft, ESET, Cisco and others took the innovative step of viewing their terms of service as an obligation to defend customers in Ukraine.
Microsoft and many others have released several blog posts about their work defending organizations in Ukraine since the invasion began in February, showing little fear in outing Russian government operations or hacking campaigns.
Inglis said this kind of defense from corporate technology providers is different than what would have been done “5, 10, or even 15 years ago” but noted that it should be what is required of companies providing hardware and software.
When pressed by Zetter about the trend of major tech providers definitively picking a side in the conflict and outwardly helping Ukraine, Inglis said it was “entirely appropriate.”
“If they find a problem… I think it is an appropriate act under the terms of service to defend. It’s not provocative, it’s not imposing any particular effect. It’s only more costly for Russia to do something that’s already inappropriate,” he said. “I think it’s high time that if you’re a provider of commodity service, you think about what inherent resilience and robustness you should deliver. If [conflict] is the only place that can be done at scope and scale, then that is the most appropriate place to.”
Inglis tied the tech industry’s response to the war in Ukraine into a larger argument about what tech companies owe their users.
From inception, technology products need to incorporate cybersecurity and the discussion has to reach every level of the company, he said.
He added that companies have to be accountable for what they deliver in terms of secure products and systems.
“We need to make sure that we’re no longer going to accept that you can deliver a system to somebody and have made no investments in its inherent resilience and robustness. We need to allocate responsibility and accountability to the providers, the suppliers, the integrators, so that they actually invest what’s required to make those systems inherently resilient and robust,” he said.
On the other hand, he noted that more needs to be done in teaching children and young adults the kind of cyber hygiene that will be needed moving forward.
He noted that kids are “taught more about hot stoves and crossing city streets than about cyberspace.”
“Defense is the new offense. Unless we get serious about defense and make the investments necessary, we will not put cyber in its proper place,” he said.
This general lack of interest in cybersecurity more broadly is reflected in the fact that both the government and private sector have struggled to fill thousands of open cybersecurity roles.
Inglis touted the White House efforts to expand cybersecurity training and education to the “broadest possible population” but said part of his office’s work is centered on making sure anyone in any discipline has some amount of cybersecurity awareness.
“Whether they’re lawyers or CEOs or tradesmen, we need to know that they have the skills necessary to make intelligent choices about the use of digital infrastructure in this brave new world,” he said.
“They don’t all need to be programmers, but they need even more than they already have. We need to solve all of that by mobilizing a strategy that says, how do we educate and train? How do we make the awareness possible so that everyone is participating in defense?”