Although they did severe damage to hundreds of thousands of global computers, the military services — like most civilian federal agencies — escaped both episodes essentially unscathed, officials say. But that’s not to say that IT leaders didn’t learn a thing or two about what they need to do to improve their response to cyber attacks in the future.
Brig. Gen. Maria Barrett, the deputy director for operations at U.S. Cyber Command, said the quick defensive response that CYBERCOM and the rest of DoD was able to mount against the potentially crippling attack showed that the military has made major strides in governing and securing its networks at an enterprise level.
“You can maneuver the [DoD Information Network]. It is a little bit like turning an aircraft carrier around, but you can maneuver it,” she said Thursday at a conference hosted by the Association of the U.S. Army in Arlington, Virginia. “Using intelligence and seeing what adversaries were doing, in a very short time period of when a vulnerability was known, we could operationalize that. We were able to say, ‘I think we’ve got the risk right on how fast we want to deploy [our remediations], and we need to stay on track with this.’ For attacks like this to basically be a non-event for the Department of Defense is huge. But there’s more work to be done.”
Barrett said CYBERCOM’s success in keeping systems malware-free during the exploits’ global spread was due, in large part, to DoD’s close relationships with the cyber and intelligence arms of militaries in other nations, where infections emerged sooner and were more widespread.
“We got to work around this around the clock, because our partners were in different time zones,” she said. “So to come back in the next day and then say, ‘OK, what did we get from the U.K., what did we get from this country?’ Getting that fused picture of what the threat looked like and the initial attack vector was extremely beneficial. But did we completely optimize that process? Where can we take that now? That’s the opportunity that I see.”
The ransomware episodes were not of the flavor that generally concerns cybersecurity experts the most — zero-day exploits that have not been previously discovered — rather, they both leveraged vulnerabilities in Microsoft’s Windows operating system that the company had already issued security patches for. And the exploits were reportedly originally stolen by cyber criminals from the National Security Agency, itself a branch of the Defense Department.
Nonetheless, the incidents gave DoD a real-world opportunity to utilize the changes in network governance and command-and-control authorities it’s been establishing over the last several years in order to shut down what could have still been a damaging attack, since at least some of the DoD’s computers had not been properly patched at the time the attack began.
“I think we learned a lot of lessons out of this. We probably re-learned a lot of lessons that we probably should have learned and incorporated previously, which I’m not going to go into with a lot of specificity,” said Brig. Gen. Joseph McGee, Army Cyber Command’s deputy commander for operations. “But the first one is that leadership is pivotal in this field. We can waste lots of money on new technologies to get after this, but if leaders don’t fully embrace this as one of their responsibilities and take the steps to make sure that our networks are defended, it just won’t work. Commanders have an absolute responsibility to prioritize these efforts and organize their efforts to be effective at it.”
To coordinate those types of efforts, the Army created what McGee termed the Mission Command Collaboration Network so that it could quickly issue instructions to various Army organizations that operate different parts of the Army network. In the harried weeks that followed the appearance of the WannaCry attack, those orders were issued from the Nolan Building at Fort Belvoir in suburban Washington.
“We nicknamed it [Forward Operating Base] Nolan, because it had that sense of a traditional military operation,” he said. “And now the Army entities that own a portion of the DoDIN understand that Army Cyber has the legal authority to direct their actions in these sorts of situations. That’s an authority that was reaffirmed in January by the secretary of the Army, and frankly, there had been some confusion as to where our authorities lied and what we could do without an Army operations order. This was an opportunity for us to demonstrate to all that when we tell them to do something, they have no choice but to comply.”
And the Army organizations that chose not to comply with ARCYBER’s directives to implement remediation measures faced consequences.
“There were significant portions of the network that were quarantined until they became compliant, and then we allowed them back onto the network,” McGee said.
Another key takeaway, according to McGee: given the scale and complexity of Defense networks, modern endpoint-based security systems tended to do a better job of remediating the WannaCry and Petya security vulnerabilities than approaches that relied on security administrators to scan and patch networks remotely.
“Our legacy scanning and patching architecture does not move at the speed we need in these kinds of instances,” he said. “The Marines and the Air Force have already rolled out endpoint agent capabilities, and the Air Force was able to do a remediation of 600,000-plus machines within a few hours. That’s a great technical solution, but you also have to marry that with operational practice, and it was good to see that come to fruition.”
Perhaps most importantly, the WannaCry attack presented the Army with a global attack in which all of its systems were potentially vulnerable — one that’s difficult to simulate in red team exercises — and highlighted several areas in which the service now believes it needs to improve its defenses and network management.
“WannaCry was a low-level type of threat,” McGee said. “What does it mean for this organization if a nation state went to war against or network with the assets a nation state has?”
For example, he said, the Army needs to develop more advanced cyber intelligence capabilities so that it can predict what an adversary will do in the weeks after it first launches a cyber attack, developing cyber defenses that can adapt as the threat “morphs.”
And for the lower-level IT administrators that do most of the grunt work of keeping the Army’s networks up and running, the organization needs to find ways to inculcate the operational mindset that permeated “FOB Nolan” earlier this year.
“There’s a very different mindset that exists when you think every day that you’re going into combat operations against a thinking adversary, as opposed to showing up to do a checklist,” he said. “Our default mechanism is to think that when something goes wrong on the network, it’s some kind of power outage, it’s a tree that’s fallen down on a power line. Most of the time that’s correct, but we need to start rapidly moving to a point where we assume that threat action is behind it, and then prove it is not. That translates to everything, including the responsiveness and willingness of people to dig beyond the surface. Because our sensors for this kind of thing in the future aren’t going to be just computer systems, they’re going to be people who are seeing things out on the edge of the network.”