Why a top US cyber spy urges: Get religious about backups

Not all defense tech is bleeding-edge cyber — or kinetic — warfare tools. Sometimes the best defense is as boring as ... backups.

Yes, backups. 

The rest of the world should take this lesson learned from the Russia-Ukraine war to heart, said Rob Joyce, director of the US National Security Agency's cyber security arm, speaking at the recent Silverado Policy Accelerator summit.

"Ukraine has been under tremendous cyber pressure for years, long before the invasion," Joyce said. "And so they, by necessity, had to learn from that. They got religious about backups; they got to the point where their sysadmins understood how to respond to a breach, clean up, and move on. They were practiced."

Backups aren't sexy. But in a real-word cyberwar, they kept the Ukrainian communications, government and critical infrastructure online despite a year of dozens of data-wiper and other types of attacks. 

And in addition to having backups in the first place, "think about the practical step of checking your backups," Joyce said. "You don't want to find out in a crisis that your backup process didn't work and it wasn't able to restore a key aspect of your business."

Another defensive strategy that isn't as exciting as, say, AI-based threat hunting tools to help warfighters defend their networks? Practice. Ukraine had years of practice repairing their networks in the wake of Russian cyber attacks, including recovering from NotPetya – which wiped data from energy firms and banks – and the related Bad Rabbit malware.

• Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups
• US cyber spymaster calls TikTok China's 'Trojan horse'
• US Cyber Command, DARPA ink cyberwar R&D pact
• How to shave years off the journey from military lab to real-world use

The February 2022 invasion wasn't the first time Ukraine had to think about what to do in case of an attack; it has arguably been at war since Russia invaded Crimea. Likewise, a data breach shouldn't be the first time an organization considers what to do in the event of a security incident.

Companies need to have playbooks that outline how they will respond and who will be involved for different types of cyber threats, according to the NSA's Rob Joyce and Mandiant's Head of Global Intelligence Sandra Joyce (no relation), who also spoke at the Silverado event. 

According to Sandra Joyce, Google-owned Mandiant responds to more than 1,000 breaches every year. "And for the most part, this is a survivable incident," she said.

The companies that are best equipped to deal with a breach already have implemented security basics including two-factor authentication and vulnerability scanning, Sandra Joyce said. 

In addition to the basics, she also suggests having processes to run in case anything goes wrong. "That's another piece I would give as advice," Joyce added. "Run a table top. Get the key players in place." ®