It was extensive and it will take months to assess the damage
18 December 2020 (Paris, France) – The hack of SolarWinds, most assuredly by Russian security services and their agents, is brazen, extensive and damaging. It has compromised (at minimum) 18,000 US government systems that will likely leave persistent vulnerabilities. Even Microsoft systems have been compromised.
In brief: FireEye suffered an enormous attack this month, and its Red Team tools were stolen. FireEye, whose clients include many agencies of the United States government, said it was a very sophisticated attack, one of which they’ve never seen before. They asked for Microsoft’s help to investigate and unleashed 250 steps for companies to protect against potential attacks being deployed using these tools. While probing for their own hack, they discovered that SolarWinds had been hacked. SolarWinds is a publicly traded company that provides software to tens of thousands of government and corporate customers.
The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.
This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R. (the Russian Foreign Intelligence Service) whose tradecraft is among the most advanced in the world. It’s long been considered Russia’s most advanced intelligence agency in cyber operations,
I have had the good fortune to participate in several Zoom chats over the last two days on the details of the attack (one of which included Bruce Schneier) with members of my intelligence community groups and cyber security vendors. I was also able to attend a webinar by Control Systems whose IT mavens provided a detailed analysis on why the attack was so easy.
There is an enormous volume of analysis to plow through but I hope to have a fairly detailed monograph by Monday. Herein, a few initial reflections.
You need to start by understanding the Russian dynamic. At the European Electronic Warfare Symposium two years ago, one of the best presentations was by Dr. David Stupples, director of the Centre for Cyber Security Sciences at City University London. He made several points but here are the key ones from the presentation:
• Russia’s intelligence services decided years ago to make cyber warfare a national defense priority. They have become increasingly proficient in cyber operations as a result.
• From around 2007, Russia decided that information warfare was key to winning any world conflict, and that it was this area of capability and technology they decided would benefit from vastly increased military investment. What made this decision easier was that Russia was also home to the largest number of the world’s best hackers.
Information warfare has always been the dominant Russian interest in the cyber domain. Some perspective from Alexander Klimburg in his book The Darkening Web :
Soviet computer systems nearly played a decisive role in world history. Already in the 1940’s, Soviet engineers had begun to make significant strides in computer science, and by the early 1970s some part of Soviet computing were equal to or even better than their US counterparts. Russian programmers have for decades played vital roles in the development of computing in general. Topcoder.com, a community Web site, has consistently ranked Russia the first nation worldwide in terms of providing sophisticated coders (with China second, Ukraine fifth, and the US only sixth). Indeed, brilliant Russian coders have a reputation of having helped build Silicon Valley.
The Soviet in-depth consideration of “cyber” was markedly different from the western approach to network systems. On its surface, the Russian interest in kibernetika, or “cybernetics”, was heavily informed by the writings of American mathematician who first coined the term. Norbert Wiener’s work was largely ignored in the US for decades many having perceived cybernetics as a minor branch of general system theory. Not so in the Soviet Union, where Wiener was celebrated as a philosopher of renown, somewhere between Gramsci and Hegel. As an MIT colleague once put it, “Wiener is the only man I know who conquered Russia, and single-handed at that”. The influence that Wiener’s cybernetics revolution had on post-Stalinist Russia is simply astonishing.
Alexander’s book is a “must read”. As part of my longer post I will include snippets of a video interview with him at he International Cybersecurity Forum in Lille, France.
As noted by a presenter at a NATO cyber intelligence workshop, the U.S. military and U.S. spy agencies, law enforcement, and diplomatic corps all have roles in “cyberwar” but they also have limiting boundaries. This necessitates handoffs and generates turf battles between the organizations and within them. The Russians are in an opposite position: they excel in information warfare because they seamlessly integrate cyber operations, influence, intelligence, and diplomacy cohesively; and they don’t obsess over bureaucracy; they employ competing and overlapping efforts.
And Russia also has a distinct advantage in the cyber realm because on a regular basis it engages the services of non-governmental cyber crime entities, which masks its role in cyber attacks. This is what the U.S. and others do not do – engage proxy cyber warriors. This is not to say we never use them. But as explained to me by Linda Nowak of Crowdstrike:
“What the Russians are saying is that we will make these criminal organizations our partners – recruiting them to do cyber work for the Russian state. The Kremlin promises its criminal partners it will turn a blind eye to their attacking banks, disrupting commerce in the West, stealing money, etc. so long as they make themselves available to do the odd job for Russia’s intelligence services and military”.
To call the SolarWinds incident a cyberattack would be off the mark. At this point, the operation appears to have been espionage to steal national security information, rather than to disrupt, deny, or degrade US government data or networks. While it may seem like splitting hairs, terminology is important because it has policy, and often legal, consequences. Espionage is an accepted part of international statecraft, one that states often respond to with arrests, diplomacy, or counterintelligence. In contrast, an attack (even a cyberattack) has international and domestic legal ramifications that could allow states to respond with force.
How can the US respond to such an operation? American military psychology seems rooted in a bygone era when the country was protected by two oceans and radar. The fortress was unassailable. The full force of 9/11, beyond the profound immediate tragedy, was the perforation of the American shield and therefore psychology.
It’s not entirely unlike the COVID response. The impact of things that “shouldn’t happen here” escalates because the country places huge efforts on preventing threats, and less effort on managing successful threats. As there were many fewer threats until recently. Once a virus, either physical or electronic, gets into the country there seem to be few internal firewalls. While this reflects the country’s trademark freedoms – no internal borders – it also reflects a perhaps antiquated view that threats come over the horizon in knowable forms. What happens when the threats are invisible and propagated internally?
Thus the catch-22. A US reliant on both (1) being on a global network, and (2) keeping bad actors out appears to be a cyber-nation with weak fundamental view of security. More than likely, any interconnected system should presume it’s going to be compromised. That’s one of the design principles of the blockchain that sticks. Presume your network is insecure and design your protocols to deal with it.
When one considers what “cyberspace” really is, electrons and photons that modify atoms and molecules, far from being a “virtual world” in the sense it’s not real. While perhaps we like to consider software as language, fundamentally it is moving energy around. The software that controls the dams is on the internet (for efficiency, maybe indirectly) and security is dependent on keeping bad actors out of specific logic addresses and memory spaces in directly interconnected electrical systems.
It already is a kinetic war, I guess the second part of the question is at what point does messing with electrons result in a response of atoms? Tricky because there’s attribution problems. When a missile it launched, it very clearly came from somewhere. When a cyberattack is launched, it may have come from where it looks like it came from, or that could be the ruse. How does one make sure they’re attacking the right party?
Ultimately, it seems unlikely that there will be true cybersecurity on connected networks, as we’ve seen thirty years of that failing. It’s failing more and faster. And the next wave of technologies are built for insecure systems. You can’t hack something where everything is public.
Air-gapped networks seem unlikely for that doubles (at least) the costs while posing significant maintenance issues. Can we imagine the NSA laying all new fibre? And then what? It’s cut into and tapped the same way as the old fibre?
More likely than not, I think we’ll move toward some kind of verified internet. Largely – potentially completely – unrecognisable from it’s current cousin. In the Herzog film Lo and Behold, one of the UCLA researchers discusses how cybersecurity was never designed into TCP/IP itself because “security” was physical connections between computers. One was either online or not. And if one was online, there was little need for access management.
And how do we classify backdoors left in place? Evidently some compromised systems belonged to utilities. Did they have any operational control over any power, water, gas, etc.? To what extent do our current practices and infrastructure constitute a single point of failure? That is they are based on a limited set of low level protocols and a widely dispersed supply chain. If damage to utilities is considered is our move to more and more integrated communication (think 5G) the right direction? For several decades, the holy grail of improved computing has been faster processing. Recently there has been development of systems with substantial hardware support for security. Is that a direction that needs more attention?
Do we need some systems which are by design, incapable of interoperation with an internet based on tcp/ip and its offshoots?
Is the current attack the right place to start an investigation? Do we need to look at the context of past penetration of systems by various state and non-state actors?
That is still the protocol that runs the world today. Which is a real triumph of design on one hand. On the other hand, it’s a protocol that is inherently always open and therefore always insecure. Any security layers are attached to the open protocol. You’re always trying to bail a leaky boat with that one, because there’s no direct connection between sender and receiver in the virtual world and a sender and receiver in the real world. The protocol simply doesn’t support it. That is in part what gave us the explosive growth and experimentation of the last three decades. How lightweight and unencumbered TCP/IP was.
Now you want to secure it? Doubtful. The US really wants the world to be two oceans and radar, but it’s not. Therefore the entire paradigm of the network has to change.
I recall a story about how in 1900, there were no passports. If one got on a ship, one could sail to wherever there was to be sailed to. A world of complete physical freedom provided one had the means. Could we imagine that world today? A world literally free from passports? It sounds a bit difficult.
I presume the internet will be the same. It will be quite sad, however that is where the true darkweb will be born.
More to come. Enjoy your weekend.