Sometimes, the best defense is a good offense, but we apparently have neither despite years of attacks and billions of dollars in defense, so we’ll just blame Russia and move on
In October 2019, a (presumed to be) Russian actor, possibly part of the Russian government, compromised a Texas-based company’s network and systems monitoring software in a potential dry run for a planned attack. During the dry run, the hackers changed an innocuous piece of code in the software supply chain to ensure they could ultimately insert the malicious code in the future. Six months later, they initiated the actual attack.
“Sometime in March, the operators behind this attack did put malicious code into the supply chain,” explained Kevin Mandia, CEO of FireEye, to CBS news. He continued, they “injected it in there and that is the backdoor that impacted everybody.”
The impact was substantial: 18,000 companies used the platform, around 50 have suffered a material breach. The US government was targeted including the Treasury, Homeland Security, State and Defense. The true extent of the breach remains unknown. It is believed the goal was to steal data instead of disrupt systems, but anything is possible as the attack was ongoing for almost 8 months.
According to the BBC, “SolarWinds Orion earlier said that 18,000 of its 300,000 customers might have been affected, but there is no indication that significant theft of customer or citizen data was an aim of the cyber-attack. Researchers, who have named the hack Sunburst, say it could take years to fully comprehend it.”
This hasn’t stopped the immediate rush to blame the Russians. Republican Senator Marco Rubio Tweeted a statement. “Increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history.” Democrat Congressman Adam Schiff said “I don’t think there’s any question it was Russia.” Outgoing Secretary of State Mike Pompeo agrees as well.
To borrow a phrase from the mainstream media, however, they are making this claim without evidence. Mr. Mandia notes that the attack was “very consistent” with what US officials know about the work of Russia’s foreign intelligence agency, the SVR. “I think these are folks that we’ve responded to in the ‘90s, in the early 2000s. It’s a continuing game in cyberspace,” he explained.
This is not to say it wasn’t Russia. Certainly, they are constantly trying to hack us, but so is everyone else: China, Iran, North Korea, private actors, you name it, everyone is engaged in a hot cyber war. The University of Maryland estimates that hackers attack every 39 seconds, an average of 2,224 per day; other estimates put that figure at over 80,000 per day. Data breaches exposed an estimated 4.1 billion records in the first half of 2019 alone.
The source of an attack can be very difficult to track down, however. Sometimes, it’s difficult to know if there even was an attack. Hillary Clinton’s use of a personal email server as Secretary of State is a perfect example. In July of 2016, then FBI Director James Comey said it was “possible that hostile actors gained access to Secretary Clinton’s personal email account.”
The Department of Justice Inspector General disputed the claim, saying Comey “insinuated that hostile foreign actors may have in fact gained access to former Secretary Clinton’s private email account, based almost entirely on speculation and without any evidence from the…investigation to support his claim.”
This claim, however, is highly questionable. According to an FBI report on the server, the server itself had to be shut down repeatedly because of hacking attempts, unnamed “hostile foreign powers” were able to access the personal email accounts of Clinton aides, and another Clinton family server was successfully hacked at least once by a service known as “Tor.”
Somehow, in that instance, the government couldn’t even agree whether or not Clinton’s email server was hacked, but this time we know it’s Russia. A little skepticism about these claims is surely warranted.
Unfortunately, we should also be skeptical that we can successfully respond, especially if we stick to anything resembling our current strategies.
Utah Senator Mitt Romney summed it up on Meet the Press in a rare moment of lucidity. “This invasion underscores that Russia acted with impunity. They didn’t fear what we would be able to do from a cyber capacity. They didn’t think that our defense systems were particularly adequate. And they apparently didn’t think that we would respond in a very aggressive way.”
The problem is: We already spend big money on cybersecurity; we’ve been preparing our defenses for decades now. The US government spends almost $19 billion a year. Forbes projects that private companies will spend $123 billion in 2020. Unfortunately, this spending has done nothing to reduce the number of attacks or the potency of effective attacks.
The truth is defense alone is not a winning strategy: Imagine these networks are an old fashioned bank vault beset by thousands upon thousands of thieves, attempting to break in thousands of times per day, in thousands of different ways, doing it all day, every day, for as long as it takes to get in.
Is it possible to secure such a safe?
While there are measures we can take to improve our cyber security, our strategy cannot rely on securing every system every time. This is especially true when the system itself doesn’t even need to be compromised; all that is necessary is to obtain access via an authorized account, like a bank worker that unintentionally robs the vault while counting the money.
The only way to prevent attacks is to change the dynamics and ensure the culprits incur too high a cost.
We need a new, far more offensively focused strategy, much more akin to the mutually assured destruction that prevented the cold war from going nuclear. State actors in particular need to fear our response, knowing that any intrusion will be met with the equivalent of an H-bomb detonated on their systems.
This strategy should be overwhelmingly obvious by now, but like many other obvious things, it is completely lost on the establishment class. Recently fired head of cybersecurity at the Department of Homeland Security, Chris Krebs,spoke to CNN’s State of the Union this week.
In part, he took responsibility for being in charge when the attack happened, though not without casting blame of his own. “So, the way I look at it is, yes, it happened on my watch at CISA. And we missed it. A bunch of other folks missed it,” he said when Jake Tapper asked who was at fault for the breach.
Mr. Krebs then called for caution and international cooperation in response. “I’d be very careful with escalating this. I think there needs to be a conversation globally, internationally, across like-minded countries about, what is acceptable?”
This is the problem in a nutshell: We’ve been on the receiving end of attacks for years, and instead of taking out the networks of the attackers and responding in kind, we’re going to have a conversation about what is acceptable. Except, we’ve been having this conversation for 50 years already.
I kid you not: Back in 1967, Willis Ware, head of the RAND Corporation’s Computer Science Division, was on an advisory board for the NSA when the US government was creating the seed of the internet, the ARPANET. At the time, Ware wrote a memo warning that the system would be inherently vulnerable.
Fast forward forty years, and former Defense Secretary Robert Gates, a member of both the Bush and Obama Administrations, asked the Pentagon’s general counsel, “At what point do these attacks amount to an act of war as defined by international law?” He also sought some kind of international consensus, but nothing has changed.
Slate.com’s Fred Kaplan, author of a history of cyberwarfare, Dark Territory, explains it this way. “Where do you draw the line? What are you going to promise that you will do? And while there have been some think tanks that have talked about this, this has not yet been worked out. There is no real systematic strategy. In terms of analogizing it to nuclear weapons, we’re still in 1946.”
Years later, and we’re told we still need to have a conversation. The latest attack took 8 months to identify, much less respond to. In the meantime, the cyberwar is still hot, the bodies keep piling up, and the offensives just get worse.
Why do we refuse to fight back?