NIST offers tools to defend against nation state cyber threats

This post originally appeared on FCW.

While both public- and private-sector entities are still reeling from the consequences from the SolarWinds Orion hack, the National Institute of Standards and Technology this week published new tools to help organizations defend sensitive information against nation-state backed threats.

The tools are mostly aimed at non-governmental entities responsible for housing sensitive, but unclassified government information. The security controls largely fall into one of three categories: structuring systems to be resistant against malicious actors, improving an organization’s ability to detect threats and mitigate potential damage and ensuring an organization can recover from an attack.

“We developed SP 800-171 in response to major cyberattacks on U.S. critical infrastructure, and its companion document SP 800-172 is designed to mitigate attacks from advanced cyber threats such as the advanced persistent threat actor,” said Ron Ross, a computer scientist and a NIST fellow.

NIST cited a 2018 incident in which Chinese government hackers stole sensitive data from a contractor working with the Navy to design an anti-ship missile as the reason for its work. But the connection to the SolarWinds hack is clear.

“These tools are absolutely relevant to preventing the next SolarWinds, both for the public- and private-sector hacks,” said Blake Moore, formerly chief of staff for the Pentagon’s CIO and now a vice president at Wickr. “Similar to the Navy hack of 2018, the SolarWinds breach highlighted the vital importance of securing federal networks against these advanced nation-states.”

Moore said that although the SolarWinds Orion hack received more attention due to its scale, the remedies needed in the aftermath of SolarWinds and the 2018 Navy breach are similar. NIST’s new publications provide a “roadmap” for how agencies of any size should counter “increasingly advanced tradecraft from nation-state actors,” he said.

Sarah Powazek, an analyst at the Institute for Security and Technology, said that while the report’s goal is the protection of controlled unclassified information, the recommendations all target “daily security operations of federal partners, suggesting that NIST may be equally concerned about the upstream effects of poor security.”

“Tightening access controls for non-federal agencies would improve confidentiality of sensitive information but can also prevent the initial access for [advanced persistent threats] targeting government agencies,” she said.

Kathryn Waldron, a cybersecurity fellow at the R Street Institute, emphasized that most of SolarWinds victims were private companies, not government agencies. NIST’s new publication proves “just how desperately both government agencies and private companies need to change the way they think about cybersecurity,” she said.

“Private organizations — both companies and academic institutions — that work with the government need to realize how appealing a target they are to countries that are looking to harm the United States,” Waldron said.

Waldron also noted NIST’s new guidelines come a few months after the intelligence community lobbied under former President Donald Trump the White House to rescind an Obama-era executive order that established the Controlled Unclassified Information program.

A December memorandum sent to National Security Advisor Robert O’Brien by then Director of National Intelligence John Ratcliffe said the program poses “insurmountable hurdles” and has become “unsustainable,” according to a letter published by the Federation of American Scientists.

“We have yet to see if the new DNI or the Biden administration feel the same way about the CUI program,” Waldron said. “But the fact that federal intelligence agencies have struggled to comply with the CUI program could potentially hinder the rollout of these new guidelines.”