A senior NSA official says that none of the major hacks of U.S. systems in the last two years relied on zero-day exploits. Instead, they took advantage of easier vulnerabilities resulting from poor cyber hygiene and practices.
For all the concern about zero-day exploits, a senior NSA official said that the high-profile hacks of U.S. networks in the last two years show there are far easier ways for cybercriminals to infiltrate government systems.
Speaking at the American Enterprise Institute on Oct. 18, Curtis Dukes, deputy national manager for national security systems at the NSA, said that none of the high-profile government hacks the NSA responded to -- Office of Personnel Management, the White House, State Department, Department of Defense -- used zero-day exploits.
"Basically the adversary took advantage of poorly secured, poorly patched systems," said Dukes. "Once they had that initial foothold they then elevated privileges and then moved to mission objective," which ranged from stealing data to (in the case of the Sony hack) destroying it.
"We talk a lot about zero days, we talk about Shadow Brokers, things of that nature, but so far we haven't actually changed the equation for the adversary," said Dukes. "They still can easily attack us [and] achieve mission objective -- I want to actually raise the cost."
Dukes said that raising the cost means implementing the set of practices and protocols outlined in the NSA's Top 10 Mitigations publication. Following those protocols, which include controlling administrative privileges, updating and patching software, and application whitelisting, would make intrusions more difficult for cybercriminals and force them to consider zero-day exploits, which he described as precious commodities that hackers use only on their most difficult targets.
In his talk, Dukes expanded on comments he recently made to FCW about the bureaucratic hurdles that NSA must jump when responding to a hack of a non-national security system.
NSA has authority over national security networks, but must be asked by the Department of Homeland Security and the FBI through a Request for Technical Services in order to assist in investigations into breaches of other agencies.
"I just think by the time it's all orchestrated, you've lost valuable time in order to do defense at cyber speed in that regard and I think that's what we need to relook at as a nation," Dukes told FCW.
In his AEI remarks, Dukes said that "when we actually have to do incident response, and again if you look at the last 24 months we've done a fair amount of that ... it's typically days to a week before we can actually respond."
And by that point, Dukes said, the crime is over and it's difficult to determine if the adversary is still inside the system and what mitigation steps can be taken. Therefore, he said, the U.S. needs to revise its approach to cybercrime.
"Possibly even going so far as that we unite pieces of [DHS, FBI, and NSA] into one organization that does it on behalf of the whole of government," he said.
Dukes pointed to the U.K.'s new National Cyber Security Centre as an example of a single entity that responds to cybercrime against any government agency.
"It's one entity, they're in charge," said Dukes. "I think it's a model we need to look at, possibly explore how that best aligns with how we do cyberdefense on behalf of the nation."