The cybersecurity firm FireEye revealed that it has been the victim of a massive, long-running hack of its network. Given FireEye’s stature in the tech community, that alone would have made headlines, but the company went on to explain that the hackers were able to gain access to its systems through corrupted software updates dispatched by SolarWinds, a company whose network monitoring programs are used by the vast majority of the Fortune 500; top U.S. telecom companies; every branch of the U.S. military; the departments of Justice, State and Defense; the White House Executive Office; the National Security Agency; the Department of Energy and National Nuclear Security Administration; a number of state governments and private sector actors; and many more.
Even in a year like 2020, this is massive news.
Why It Matters:
This is a nightmare scenario for the U.S. government: a private sector company hired by multiple U.S. agencies was used as a Trojan horse to gain access to wide swaths of some of the most sensitive data the U.S. government possesses. Cyberattacks like this are called “supply chain attacks,” where hackers hijack trusted software updates provided by legitimate companies to break into their customers’ networks. While the perpetrators have yet to be conclusively identified, the resources needed to pull off this kind of operation and keep it undetected for months—the compromised updates started going out in March and continued as recently as this past weekend—mean nation-states are the prime suspects. Given its history with these kinds of attacks and its desire for payback against the NSA and CIA for past cyber operations revealed by Edward Snowden and by data dumps like Vault 7, the leading suspect is Russia. More specifically, suspicion has fallen on a group known as APT29, aka Cozy Bear, which is affiliated with Russia’s foreign intelligence service, the SVR.
Whoever was behind it, the damage to U.S. national security (and the reputation of its key agencies that are responsible for protecting and deploying the country’s most sophisticated cyber weapons) is substantial. The hack has revealed that U.S. critical infrastructure and sensitive data remain vulnerable to threats from cyberspace. But we already knew that (see the Office of Personnel Management attacks from a few years ago); the real question is what the U.S. can do about it. And therein lies the problem.
What Happens Next:
For the next months (at least), the focus will be on assessing the damage done, patching up any remaining vulnerabilities, and rooting out hackers who may have used the initial breach to gain “persistent” access to sensitive networks. Rather than downloading all the critical data immediately, the attackers used their access to install additional backdoors and cover their tracks, allowing them to monitor developments over the course of the year. In other words, the hack remains “ongoing.”
The next goal will be to determine the actual purpose of the cyberattack, which will be critical in forming the official response of the U.S. government. If it’s decided this was a more classic attempt at espionage—albeit updated for our 21st century reality—then more defensive cyber tools (like beefed-up firewalls) will be deployed in response to shore up network defenses. A Biden administration would also try to do this as part of a coordinated international effort, which makes sense as SolarWinds—a publicly traded company—has multiple international corporations and other governments as clients as well. The overall U.S. response in this scenario will be measured, part of the business of 21st century politics, and will focus on targeting the individuals and entities responsible for the attack, but nothing sweeping against Russia (or whatever state perpetrated it).
Why not more aggressive? Two critical reasons. The first is that the U.S. has never had solid responses to previous cyberattacks, given the amount of confusion inherent in them, and things can quickly escalate unintentionally in the cyber realm. The second, and arguably more critical, reason is that the U.S. engages in similar activities, and escalating the response also runs the risk of exposing covert U.S. activities under way.
That doesn’t mean foreign adversaries aren’t keeping a close eye on the response. While the timing of the attack wasn’t intended to target the incoming Biden administration, since it was first launched months ago, its exposure on the cusp of Biden assuming office means that how the new administration team responds will set the tone for the next four years of cyber competition. In addition to shoring up defenses, network defenders have already begun targeting the SolarWinds hackers’ command-and-control systems by seizing IP addresses used in the operation. At the organizational level, look for a White House cyber czar to be coming back, a position that was cut during John Bolton’s tenure at the National Security Council. That makes sense given the need for coordination across the government as the U.S. braces for more of these types of hacks, both because of the growing sophistication of hackers (and the tools they’ve stolen over the years, both the newly disclosed theft from FireEye and the earlier theft of hacking tools from the NSA that were later leaked by a group known as the Shadow Brokers) and because there are just ever more digital targets as our lives and huge chunks of the global economy are increasingly ported over to cyberspace.
But if it’s determined that the hackers were after critical infrastructure (with the potential of costing American lives) or were out to kneecap U.S. industries, then the response gets more serious and aggressive. We’re just unlikely to hear about it. That’s because…
The One Major Misconception About It:
That the U.S. is not engaging in the same kinds of cyber operations against our adversaries. Don’t believe it. The U.S. has the same, if not greater, offensive capabilities as other nation-states out there. But cyberspace isn’t like more traditional domains of conflict, where you want your adversary to know you have the bigger and better weapon to act as a deterrent; it’s wiser to keep your most advanced capabilities under wraps. Another reason you don’t hear about U.S. cyberattacks? Because many of the countries that are the targets of U.S. cyber operations—Russia, China, and North Korea—are authoritarian regimes that would never publicize their failures. In the U.S., exposing hacks like this leads to short-term political embarrassment, but also to stronger cyber systems over the long run as key weaknesses are addressed. Think of it as the inherent long-term tech advantage of operating in an open political system.
The One Thing to Say About It on a Zoom Call:
America’s reliance on the private sector, one of its greatest strengths in a traditional economy, is also the source of one of its biggest vulnerabilities in the digital world if left unaddressed. SolarWinds just proved that; what’s left to be seen is how well the government can adapt to this new reality. Yet one more urgent thing on Biden’s plate come January 20th.