NSA Cybersecurity Director's Six Takeaways From the War in Ukraine

Written by

From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.

Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022.

Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organizations. Infosecurity investigates these learnings.

1. Both espionage and destructive attacks will occur in conflict

First, Joyce insisted that seven new families of wiper have been deployed since the beginning of the war, “and they were all unique, custom-built malware deployed in the context of the war.”

He also said that “civilian infrastructure was under as much risk as the government if not more and that even cyber-attacks focused on Ukrainian infrastructure spilled out into near neighbors or allied countries.”

A great example of this is the Viasat attack in March 2022. “It ended up taking out the connections to a number of power generation wind turbines in Germany, as well as energy services in France,” described Joyce.

The NSA cybersecurity chief also noticed that “exploitation for intelligence collection has been very prevalent – and not just from Russian actors. We saw China and others collecting on the situation to understand what was happening.”

“Information is often the coin of the realm and drives the activities in times of war,” he added.

2. The cybersecurity industry has unique insight into these conflicts

Joyce said that while the NSA had a great understanding from the outside, cybersecurity firms have done remarkable work to report and share data on these threats.

“With some of their solutions, like Endpoint detection and response (EDR) services, [they] turned up some cyber-attack attempts, blocked them at times, found evidence on the victims. Most of the seven wiper families I mentioned were first reported by industry actors. The sharing they did brought us all together to a better understanding, empowering sensitive intelligence,” Joyce recalled.

3. Sensitive intelligence can make a decisive difference

According to Joyce, the conflict also taught the US intelligence community to “get much better at sanitizing intelligence and making it useful and operationally effective in defense purposes to our foreign partners and the cybersecurity industry at scale.”

While the NSA’s primary objective is to protect the US defense industrial base, the actions the agency takes “ripple well beyond the companies you think of as defense contractors,” he said.

With an estimated 2.5 billion endpoints covered through its network and over 85,000 analytic exchanges with industry experts over the last year, the NSA has prioritized "sharing its deep technical expertise with foreign intelligence," Joyce explained.

As he put it, “what we know is not nearly as sensitive as how we know it, and sensitive intelligence can make a decisive difference. The challenge was understanding how to get signal through the noise, to take the vast number of threats and coalesce those to assure a specific look at what is most impactful.”

4. You can develop resiliency skills

As Ukraine has been under attack multiple times over the past decade, the country has gotten better at building robust network architectures, Joyce said. “But, most importantly, they got good at doing backups and restoration. They had an incident response plan; they knew what they would do in the face of these emergencies.”

"There were people who were disappointed that Cyber Armageddon didn't roll out from the activities that occurred in the Russian Ukraine invasion, but I really believe that some of the credit goes to the incident response skills of the Ukrainians,” he said.

5. Don’t try to go it alone

Then, Royce returned to the cybersecurity industry's role in the conflict. He said he was impressed by how swiftly it came to the aid of Ukraine.

"When the DDoS efforts, the wiper and all other attacks started to materialize in advance of the invasion, we were talking about the need to harden and defend against the imminent threat of the coming invasion – and a segment of industry listened and started to help. They rallied to the point where many domestic processes being run on servers inside the threatened area that might not have power, might not even have a building, were moved up into the cloud. They were brought off Ukrainian soil and moved into resilient data centers, often over in the US, where it would be a much more significant incident if they were taken down en masse."

Speaking directly to the mWISE audience in Washington D.C., Royce told them: “Don't try to go it alone; get yourself some security at scale.”

6. You have not planned enough yet for the contingencies

Finally, another learning from the cyber-conflict is that many companies, including in the cybersecurity industry, realized they had many ties to Ukraine and Russia, Joyce said.

“Either segments of their corporate networks are in Ukraine or Russia, or they have people working for them over there. They want to keep them safe. And what about the insider threat from Russians, or even Ukrainians, who want to take down their companies? These were not problems organizations had thought about before – and you should always assume you have not planned enough anyway.”

Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.

“After 20 years of prioritizing the fight against terrorism, we have returned to a point where we are concerned about nation-state threat, and the line between wartime and peacetime is increasingly blurred, with ever-growing impact on the civil components of infrastructure in times of cyber warfare,” Joyce said.

“From a nation-state adversary point of view, we get to success not by the defenses that the victim thinks they have in place but by the technology that is actually in place, so organizations need to get their shadow IT and unpatched software fixed as soon as possible,” he concluded.

What’s hot on Infosecurity Magazine?