In March 2022, the Biden administration announced that cyberattacks from Russia were imminent. Although this is untrue, it shines a light on how unprepared the federal government and the rest of the country are for a nation-state attack.
A nation-state attack is exponentially more serious than ransomware. Unlike ransomware, a nation attack does not attempt to extort a fee to restore operations. It simply destroys without regard to consequence.
More importantly, a nation-state attack accelerates the frequency and sophistication of the attacks. For over a decade, the United States, Russia, China, North Korea, and Iran have been stockpiling vulnerabilities in the event of a cyberwar. This is why a cyber attack is NOT imminent: Russia knows that America likely has a larger stockpile with more severe consequences.
When the Americans shut down 3 Iranian nuclear reactors and Russia shut down the Ukrainian electric grid, each of these attacks was accomplished through one vulnerability. The WannaCry virus infected 250K computers in one day through one vulnerability.
Any nation-state, and most certainly Russia, has dozens if not hundreds of these vulnerabilities. Rather than one vulnerability, a nation-state attack would deploy numerous vulnerabilities simultaneously, entering unobstructed into every server, endpoint, and any other device in the nation that holds critical information.
The first line of defense is patch management, but this is wholly ineffective here because patch management works only against known vulnerabilities, and a stockpiled vulnerability is unknown by design.
The next line of defense is the antivirus, which has not functioned against modern threats for almost a decade, yet consumers, businesses, and even the federal government blindly throw money at this obsolete vestige of a prior era of computing. So the attack continues.
The last line of defense is EDR / XDR / Zero Trust, which attempts to detect and respond to the full-frontal onslaught of a nation-state attack. Unlike ransomware, a nation-state attack would overwhelm the SOC (Security Operations Center), and it would quickly fall down.
This exposes the largest flaw in the nation’s defense: EDR / XDR / Zero Trust / SOC cannot scale to meet a spike in attacks. For a SOC to double in size would take months, while a nation-state can increase its attack level in seconds.
As stated earlier, this is not going to happen, due to respect for America’s vulnerability stockpile; however, our defense frameworks should consider the possibility of a nation-state attack. Unfortunately, none of the popular frameworks, including NIST, MITRE, and even Jack Voltaic, comprehend the possibility of a nation-state attack.
The first nation to contemplate in its national defensive cyber strategy the impact of a national attack will win the cyberwar. The first nation to effectively create cyber defenses that negate a flood of vulnerability attacks from a nation-state will rise to the top of the world order, because it is no longer exposed to a cyber counterstrike.
There is a solution, and that is application whitelisting, also known as allowlisting or software asset management. As NIST has been recommending for the last 7 years, application whitelisting should reside between the patch management and the antivirus layers. In this way, during a nation-state cyberattack, the application whitelisting will strictly allow only authorized applications to run. During this scenario, the volume on the network is substantial and network performance may deteriorate, but it will not fall down. Some new good programs may not run properly until the attacks abate, but the goal is resilience: to withstand the attack.
This resilience gives patch management time to identify the vulnerability and remediate the vulnerability so the attacks abate. The nation-state will likely deploy more of its stock of vulnerabilities which should also prove futile. At this point, the nation is deploying vulnerabilities faster than it can replenish, until the stockpile falls to zero. Then America wins.
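As an added illustration, not part of the original post, the following Python sketch shows why a default-deny allowlist holds up against a vulnerability nobody has catalogued yet, where a signature-style blocklist does not, and why a legitimate but not-yet-approved update is refused until someone reviews it. The binaries are constructed byte strings standing in for real files, the paths are invented, and the functions are hypothetical rather than any product's API.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    """A file the OS has been asked to run: its path plus its on-disk bytes."""
    path: str
    content: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed stand-ins: short byte strings play the role of real binaries.
EDITOR_V1 = Executable("C:/Program Files/Editor/editor.exe", b"editor build 1")
BROWSER_V1 = Executable("C:/Program Files/Browser/browser.exe", b"browser build 1")
# A legitimate update that nobody has approved yet (same path, new content).
EDITOR_V2 = Executable("C:/Program Files/Editor/editor.exe", b"editor build 2")
# Malware that has been seen before and therefore has a signature.
OLD_MALWARE = Executable("C:/Users/Public/old-malware.exe", b"widely catalogued sample")
# A payload delivered through a vulnerability that is unknown by design:
# no signature exists for it, so nothing can match it by "known bad".
NOVEL_PAYLOAD = Executable("C:/Users/Public/svchost.exe", b"payload from undisclosed bug")

# Antivirus-style blocklist: only content that has already been catalogued.
BLOCKLIST = {OLD_MALWARE.sha256}

# Allowlist: every binary explicitly authorized to run, identified by hash.
ALLOWLIST = {EDITOR_V1.sha256, BROWSER_V1.sha256}


def blocklist_decision(exe: Executable) -> str:
    """Signature model: deny only what is already known to be bad."""
    return "deny" if exe.sha256 in BLOCKLIST else "allow"


def allowlist_decision(exe: Executable, allowlist=None) -> str:
    """Default-deny model: run only what was explicitly authorized."""
    active = ALLOWLIST if allowlist is None else allowlist
    return "allow" if exe.sha256 in active else "deny"


def approve(exe: Executable, allowlist: set) -> None:
    """Authorize a reviewed binary; this is how a new good program gets to run."""
    allowlist.add(exe.sha256)


def evaluate(executables, allowlist=None) -> list:
    """Return one (path, short hash, blocklist verdict, allowlist verdict) per file."""
    return [
        (e.path, e.sha256[:12], blocklist_decision(e), allowlist_decision(e, allowlist))
        for e in executables
    ]


def log_lines(executables, allowlist=None) -> list:
    """Format the verdicts as the kind of audit line a SOC would ingest."""
    return [
        f"exec path={path} sha256={digest} blocklist={bl} allowlist={al}"
        for path, digest, bl, al in evaluate(executables, allowlist)
    ]


if __name__ == "__main__":
    samples = [EDITOR_V1, BROWSER_V1, EDITOR_V2, OLD_MALWARE, NOVEL_PAYLOAD]
    print("\n".join(log_lines(samples)))
    # After review, the update is authorized and starts running again.
    reviewed = set(ALLOWLIST)
    approve(EDITOR_V2, reviewed)
    print("\n".join(log_lines([EDITOR_V2, NOVEL_PAYLOAD], reviewed)))
```

The point of the comparison is the last sample: the blocklist passes the novel payload because it has never been seen, while the allowlist refuses it for exactly the same reason. The cost is the editor update, which is also refused until someone adds its hash, which is the "new good programs may not run properly" trade-off described above.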
Secure the Homeland.