WASHINGTON: The CEO of US cybersecurity firm Mandiant said today that he believes the next big advancement in cybersecurity will be the ability of governments and private companies to work together in a “coordinated national and global response” to incidents — not unlike how he said his firm worked with the government in response to the SolarWinds hack.
Kevin Mandia, whose company discovered the cyberespionage campaign in December 2020, said the past few years have brought him to share the view of US Cyber Command and NSA chief Gen. Paul Nakasone that “cybersecurity is national security.”
Speaking at the Mandiant 2021 Cyber Defense Summit, the executive disclosed for the first time that he called the NSA right before Thanksgiving last year, only the second time in his career doing so, after he began to suspect the Russian Foreign Intelligence Service (SVR) was involved in the widespread hack. (Mandia said he reached Anne Neuberger, who is now deputy national security advisor for cyber and emerging tech and who also spoke at the event.)
“It took knowing who we were up against to understand the criticality,” he later said while moderating a conversation with Nakasone. Mandia has previously highlighted why SolarWinds was so difficult to detect.
(Mandiant was bought by FireEye years ago, which was the company that originally disclosed the hack. Fireye recently announced the sale of FireEye as a products company to a group of private investors, with Mandia’s threat intelligence and incident response firm now retaining its original name, Mandiant.)
Overall, Mandia spoke positively about his company’s coordination with the NSA and Federal Bureau of Investigation in response to SolarWinds.
And while Mandia sees such coordination as critical, he said he “doesn’t think it’s possible to eliminate cyberespionage because it’s asymmetric.” Rather, he echoed Nakasone’s comments about the need to “impose cost” on cyber actors.
“Academics will sit back and say, ‘Well, if you just did that and that and that, you would have avoided it,’” Mandia said. “But if there’s no way to impose risk or consequences for [threat actors] doing it, your day is coming.”
Mandia said such large-scale, coordinated responses have several requirements, including strong public-private partnerships, timely information sharing, and resiliency, or continuity of operations.
As to the threat landscape, Mandia said it’s a “good news/bad news story” right now. He pointed to three trends he sees:
- Implants — By which he meant threat actors targeting the software build process rather than source code, a direct reference to the SolarWinds hack. He pointed to “adaptive” networks and endpoint solutions as a key prong in thwarting such attacks.
- Zero-day vulnerabilities — Mandia noted the tripling of discovered zero days being exploited year-to-date relative to 2020 and 2019. He said expanding attack surfaces are a key factor and emphasized patch management, data collection, and the need to use software that “learns and thinks,” a reference to artificial intelligence and machine learning applications for cybersecurity.
- Ransomware — He noted this is “the No. 1 topic” he’s asked about by company boards and urged “don’t be the low-hanging fruit.” He also noted ransomware actors’ ability to “drive you to pay or drive you to pain.” He said bolstering cyber hygiene and “reducing the blast radius” — or minimizing the impact of a ransomware attack — are key mitigations.
More broadly, he said the cybersecurity community needs to focus on closing security gaps, “automating the expert” with advanced technologies, and developing “adaptive tech to learn normal [behaviors] and identify the abnormal” will be key elements to improving cybersecurity.
Mandia has been around the cybersecurity world for decades, in and out of government, noting that he began in the Pentagon’s basement reviewing security logs as a cyber analyst. He highlighted what he perceived to be turning points he saw in cyberspace — from the rise of eCommerce and the “militarization of cyber” by China to the advent of social engineering and consequential nation-state hacks, such as North Korea’s on Sony Pictures in 2014.
He acknowledged a lot has changed since the 1990s, when it was largely “technician vs. technician, UNIX vs. UNIX, .gov vs. .gov” to 2020, which he characterized as “a tough year to be a [chief information security officer], probably the toughest I’ve ever seen.” But he also said CISO’s have unprecedented visibility and influence inside their companies, and he urged the CISOs to use these advantages or lose them.
Overall, he said his goal is to get people as close as possible to 100% security.
“100% security is pretty unreasonable, but it’s our damn job to help people operate with confidence,” he said.