Ten tips for protection in a ‘hybrid war’: counterterrorism expert at Purdue annual cyber event

Richard A. Clarke believes the U.S. may be headed toward a significant “hybrid war” with Russia. Clarke, who served in multiple national security and intelligence roles in the Ronald Reagan, Bill Clinton and George W. Bush administrations, served as the U.S. counterterrorism czar from 1998 to 2003.

Clarke recently gave a keynote address at an annual cybersecurity symposium at Purdue University, hosted by CERIAS, the Center for Education and Research in Information Assurance and Security. The two-day CERIAS symposium featured talks on a variety of current, highly technical cybersecurity issues including artificial intelligence fairness, secure digital health care and securing the software supply chain.

Clarke’s address focused on the aspects of a hybrid war that are unique to information technology.

“We are probably in the early stages of a major hybrid war,” Clarke said, citing the definition for hybrid war that Valery Gerasimov, Russia’s top military general, gave to his own military academy.

“Hybrid war is designed to substitute for, or augment, conventional war,” Clarke said. “The key thing about hybrid war is that people who do it don’t look like the military. They may not be in the military at all. What they do is designed to disrupt the enemy and sow dissent in the enemy ranks.”

Clarke focused on two key IT strategies of this kind of war: disinformation and cyberattacks.

Clarifying that Russian disinformation is not at all new, Clarke recalled an example in the 1980s when he worked in intelligence for the State Department. In conversation with an American ambassador from an African country, he inquired about problems troubling the area and was shocked by the answer.

“The ambassador said, ‘Well, the major one, of course, is that the United States invented HIV AIDS,’” Clarke recounted. “He went on to explain that everyone in this African country all believed that the Wistar Institute in Pennsylvania had invented AIDS in order to kill Black people.”

Clarke said that the disturbing fabrication, which was accepted as fact throughout Africa, was then traced to a disinformation campaign during which the Soviets had paid newspaper editors and TV and radio producers throughout Africa to disseminate the story. “It was just accepted by everybody in Africa, and no one in Washington knew it until it was too late,” Clarke said. “The effect that it had on our image in Africa probably continued until George W. Bush.” In 2003, the Bush administration launched a $500 million Emergency Plan for AIDS Relief abroad, sending HIV antiviral drugs to Africa. The program continues today.

Clarke said that today, the Russians are more active in disinformation than ever, with many more tools to exploit, such as social media.

“In 2015 and 2016, in terms of affecting our election, they created tens of thousands of American personas on every social media you’ve heard of and many that you have not heard of,” he said. “They sent agents into the United States to help them make those postings credible by learning more about our culture and narrowing in on particular zones in particular cities. They were able to be so convincing that they organized rallies in the United States at which thousands of people showed up. They organized those rallies pretending to be Americans, and they did it all from St. Petersburg.”

The other key IT component in hybrid war is the cyberattack. Cyber-attackers use viruses, worms, trojans, ransomware, bots or botnets, adware, spyware, rootkits, fileless malware, phishing, and a tactic called malvertising. Clarke pointed to President Joe Biden’s recent message to U.S. CEOs to “go shields up” in their cybersecurity. He then shared his top 10 list of how they can accomplish that:

1: “Patch, patch, patch, patch, patch. Do not wait for the one day a month that you patch you networked systems. Patch when the patch comes in. And while you’re patching, go back and look at your risk register. Pull forward things that you were going to do next year.”

2: “Get more eyes on glass (computer screens) now. Make sure that the SOC (security operations center) is staffed 24/7. And if you don’t have people to do that, hire an MSSP (managed security service provider).”

3: “Use multifactor authentication (MFA) with a physical key. Find all sorts of places where you aren’t using MFA and install it; and please do it with a physical key.”

4: “Look at your backup. Have your backup offline and have it at varying intervals in time, going back as far as you can because you may have backed up malware, and if you mount it, it may again affect your system.”

5: “Go to active blocking. Companies have invested lots of money on data-loss prevention tools that they have on alarm. During this period where the shields are up, take the switch and move it from ‘alarm’ to ‘block.’”

6: “Get a threat intelligence program. There are lots of companies out there who provide really good threat intelligence information and they will give it to you days before CISA (The U.S. Cybersecurity and Infrastructure Security Agency) will give it to you.”

7: “Block inward and outward DNS (Domain Name System) domains and IP (Internet Protocol) addresses that you don’t need. Your enterprise or institution doesn’t need to be communicating with everybody in the world.”

8: “Educate your workforce. The workforce wants to be part of the solution, but if all you tell them is they have to change their password constantly, they’re not going to do it. Have an all-hands meeting virtually or in person.”

9: “Find your old, hidden incident response plan and business continuity plan. Dust them off; see if they make sense and update them. One tells you what to do when something has just happened. The other tells you how you run the business while nothing is working.”

10: “Take that incident response plan and exercise it. A coach would never put the Purdue basketball team out on the court with a really good plan if they hadn’t exercised it.

“If ever there was a time to exercise response plans, it’s now because the difference in companies that have done that and companies that haven’t when the real thing happens is night and day.”

The annual symposium is a hallmark of CERIAS, the first-of-its-kind cyber organization established at Purdue over 20 years ago. Joel Rasmus, CERIAS’ managing director, says the symposium provides a small glimpse into myriad cybersecurity-related initiatives that Purdue researchers are involved in daily: “The symposium allows our students and faculty to hear from industry on emerging concerns and opportunities while simulataneously allowing our commercial and government visitors to learn of the more than 140 cyber and cyber-physical security research and educational initiatives being conducted in nearly 20 academic departments across Purdue.”

A video recording of Clarke’s talk, as well as recordings from other symposium sessions, is available at www.cerias.purdue.edu or https://www.youtube.com/user/ceriaspurdue.

Visitors to campus should follow standards set in Protect Purdue guidelines.

Writer: Amy H. Raley

Media contact:

Source: Joel Rasmus, jrasmus@robert76