This is a security failure of enormous proportions – and a wake-up call. The US must rethink its cybersecurity protocols
‘The only reason we know about this breach is that the security company FireEye discovered it had been hacked and alerted the US government. We shouldn’t have to rely on a private company to alert us of a major nation-state attack.’ Photograph: Patrick Semansky/AP
Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but that’s wrong on two counts. It wasn’t a cyber-attack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.
Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk – and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.
Here’s what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR – previously known as the KGB – hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123” – something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.
This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself – and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.
SolarWinds has removed its customers list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes “fewer than 18,000” of those customers installed this malicious update, another way of saying that more than 17,000 did.
That’s a lot of vulnerable networks, and it’s inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsoft’s analysis identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, thinktanks, and NGOs … and it will certainly grow.
Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used other initial infection vectors and techniques as well. These are sophisticated and patient hackers, and we’re only just learning some of the techniques involved here.
Recovering from this attack isn’t easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isn’t compromised is to burn it to the ground and rebuild it, similar to reinstalling your computer’s operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they can’t be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an NSA exploit that remains on a hard drive even after it is reformatted. Code for that exploit was part of the Equation Group tools that the Shadow Brokers – again believed to be Russia – stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.
Even without that caveat, many network administrators won’t go through the long, painful, and potentially expensive rebuilding process. They’ll just hope for the best.
It’s hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, there’s no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.
And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVR’s hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)
While this is a security failure of enormous proportions, it is not, as Senator Richard Durbin said, “virtually a declaration of war by Russia on the United States”. While President-elect Biden said he will make this a top priority, it’s unlikely that he will do much to retaliate.
The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and it’s basically “buyer beware”. The US regularly fails to retaliate against espionage operations – such as China’s hack of the Office of Personnel Management (OPM) and previous Russian hacks – because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, said: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
We don’t, and I’m sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSA’s budget is the largest of any intelligence agency. It aggressively leverages the US’s position controlling most of the internet backbone and most of the major internet companies. Edward Snowden disclosed many targets of its efforts around 2014, which then included 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and it’ll probably never be made public. In 2016, President Obama boasted that we have “more capacity than anybody both offensively and defensively.”
He may have been too optimistic about our defensive capability. The US prioritizes and spends many times more on offense than on defensive cybersecurity. In recent years, the NSA has adopted a strategy of “persistent engagement”, sometimes called “defending forward”. The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.
But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we had been watching everything the Russians were doing, we would have seen some evidence of this. The Russians’ success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.
And how did US defensive capability miss this? The only reason we know about this breach is that, earlier this month, the security company FireEye discovered that it had been hacked. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why don’t organizations like the departments of state, treasury and homeland security regularly conduct that level of audit on their own systems? The government’s intrusion detection system, Einstein 3, failed here because it doesn’t detect new sophisticated attacks – a deficiency pointed out in 2018 but never fixed. We shouldn’t have to rely on a private cybersecurity company to alert us of a major nation-state attack.
If anything, the US’s prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an insecure cellphone encryption standard and a backdoor in random number generators (important for secure encryption). The DoJ has never relented in its insistence that the world’s popular encryption systems be made insecure through back doors – another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.
We need to adopt a defense-dominant strategy. As computers and the internet become increasingly essential to society, cyber-attacks are likely to be the precursor to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.
Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVR’s access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.
This preparation would not be unprecedented. There’s a lot of attack going on in the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking Russia’s power grid – just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have real-world consequences.
We’re not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the world’s supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace.
Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day won’t help create the safer world in which we all want to live.
Source: The Guardian