Why the U.S. Needs a Proactive Cyber Defense Strategy

By: Maria Young, Pallas Foundation Fellow


As a Pallas Foundation Fellow, I recently had the opportunity to attend a dinner hosted by the Pallas Foundation which discussed critical challenges in U.S. cybersecurity, such as mitigating third-party cyber risk and zero-day vulnerabilities. A key theme that emerged during the discussion was the need for a more proactive cybersecurity posture. 


One guest described the current U.S. approach to cybersecurity as akin to a boxer who enters the ring with a "don't get hit" strategy. A champion doesn't just dodge punches; they must throw their own, exploit weaknesses, and adapt to their opponent's style. You must hit to not get hit. This is the difference between reactive and proactive stances, and it's a distinction the U.S. needs to address in its approach to cyber defense.


The boxer analogy remains apt when examining the threat. Cyberattacks are a relentless onslaught, rather than a single punch. Malicious cyber actors probe for weaknesses and ruthlessly exploit any they find. 


Zero-day vulnerabilities are an especially difficult cybersecurity risk to mitigate. Zero-day attacks take advantage of previously unknown flaws in software or systems that hackers can exploit before developers even have a chance to fix them, giving developers "zero days" to address the problem. Zero-day vulnerabilities are particularly dangerous because they can be exploited to cause damage or steal data before anyone is aware they exist. This makes it incredibly difficult to defend against them. Once these vulnerabilities are discovered, the race begins to patch the software before attackers can do significant harm; however, patching these vulnerabilities is often not enough. 


Relying solely on reactive measures proves insufficient because it does not prevent the initial exploitation of the vulnerability. Imagine fixing a leak in a dam: once the water has started leaking, the damage has already begun, and simply patching the leak won't address the initial flooding or the subsequent water damage. 


To better protect against cyber vulnerabilities, proactive security measures are necessary – just as a boxer improves through consistent training. Such measures include regular software updates, rigorous security testing, and a layered security approach that doesn't rely solely on one method of protection. Explained in simple terms, these concepts make clear why an effective cybersecurity strategy must be proactive rather than just reactive.


Another cybersecurity challenge that participants discussed was third-party cyber risk. When we use software or systems, often we're not just relying on the technology created by the main company we're dealing with, but also on additional tools and services supplied by other “third-party” companies. These vendors might provide anything from email services and storage to specialized business applications. 


Our reliance on these interconnected systems and software supplied by third-party vendors creates additional attack surfaces for malicious actors. An attack surface includes all the different points where an attacker can try to enter or extract data from an environment. Think of it like a house: if a house has more doors or windows, there’s more for a homeowner to secure. Similarly, each third-party service is like an additional door into our digital 'house.'


The U.S. needs to take a proactive cyber defense stance. Like a boxer who studies their opponent, identifies potential weaknesses, and develops a well-rounded strategy that combines offense and defense, a proactive cyber defense would involve proper threat intelligence, vulnerability management, cybersecurity awareness training, and offensive cyber operations.


Back at the dinner, we concluded with a note of optimism. Attendees highlighted America's enduring strengths as a cybersecurity leader, emphasizing our role as a global innovation hub where a free society fosters the exchange of ideas – a critical advantage over closed systems. 


It's time to stop hoping we "don't get hit" and start developing a proactive cyber defense strategy that disrupts attacks, strengthens defenses, and deters future threats. 


The event described was held under Chatham House rules; the above summary reflects the views of the author alone and does not imply endorsement by any other attendee.


Maria Young was a Pallas Foundation Fellow for the Spring 2024 term. She holds a Master's degree in Intelligence and International Security from King's College London, where she collaborated with the UK Ministry of Defence through the Hacking For Defence program. Previously, Maria earned her Bachelor's degree in International Affairs from John Cabot University in Rome, Italy, and completed law enforcement internships, including with the Italian Carabinieri.
