DOD to adversaries: Send us your zero-day attacks

The Defense Department wants adversaries to increase their spending on cyber attacks, because the attacks they use now don’t cost those adversaries enough.

After reviewing cyber attack data collected through an incident and threat information sharing program with industry, DOD discovered that the most sophisticated adversaries are not using zero-day attacks, which exploit vulnerabilities previously unknown by the victim. Rather, Deputy CIO for Cybersecurity Richard Hale said adversaries are finding misconfigured computers, and exploiting poor passwords, credentials or missing patches, which can be easily—and cheaply—exploited.

“We have to drive the bad guys up the value chain, we have to cause them to spend more money, we have to slow them down so we can have a better chance of spotting them and containing them,” Hale said at a Feb. 17 event hosted by FCW. 

Hale further clarified that he was not necessarily speaking of deterrence. DOD wants to kick away preventable vulnerabilities exploited by adversaries, such as bad passwords and unpatched networks, thus compelling attackers to spend more. “We think that if you have to use zero-days against us, for instance, that ups the expense for a bad guy and potentially slows down the development of certain tools,” he told Defense Systems. “It makes our challenge harder as well in the defense so we have to up our game at the same time. But we think that strategy alone will help us start to get to the place where we can at least some of the time be ahead of an adversary. It will give us some time to maneuver.” 

Others, especially members of Congress, have spoken in the past about greater deterrence efforts for raising adversary’s costs in cyberspace. That conversation addresses capabilities—typically offensive that can be so debilitating against adversaries that penetrating networks is not worth the risk.      

Many have also discussed the cost imbalance cyber affords adversaries and less capable actors.  Defense costs much more than offense, as an adversary must only penetrate a single crack in an exorbitantly large attack surface. For example, out of 700 million emails in a month, about 98 million are actually good, DISA Director Lt. Gen. Alan Lynn, said at a September Defense Systems event. “The rest are spam, worm attacks, just bad guys trying to get into our networks,” he said. Russia, considered one of if not the most capable opponents in cyberspace, has used email phishing tactics successfully against the White House and the Joint Chiefs of Staff’s unclassified email system. In fact, DOD has taken the phishing threat so seriously, they have disabled all links sent via email. 

Hale also discussed an internal document created using the cyber attack data as a means of prioritizing policies and ensuring employees are using the best practices in cybersecurity. DOD will in the next few weeks release an unclassified version of the Cybersecurity Discipline Implementation Plan, which was finished last spring for official use only, Hale said.