Here’s what we know: The Russian government is suspected of pulling off a major intelligence penetration of American networks. The U.S. government failed to prevent it or deter it. As of Friday morning, President Donald Trump has yet to condemn it.
This is bad. But it’s not, as Sen. Dick Durbin said, “virtually a declaration of war.” It’s also not a surprise — and there’s not much we can do to prevent it from happening again, at least in the near-term.
SolarWinds, a company that provides back-end software to the U.S. government among other clients like Microsoft and Lockheed Martin, updated one of its core products, Orion, in March. Orion helps its customers survey, and then visualize, activity on their systems, so the software has to have regular and unfettered access to a lot of their clients' databases and other digital infrastructure.
Sometime before then, an “advanced persistent threat” — a technical term for a long-term cyber campaign, usually carried out by a nation, in this case probably Russia — found a way to hack into the update server for Orion. It used this access to add an ingenious hidden program that would, upon execution, allow it to root around inside the systems served by Orion, gather all sorts of information and then quietly exfiltrate that information back to Russia.
This sort of hack was almost guaranteed to happen. Managing supply chain risk has become a priority for the U.S. government, but the supply chain it currently manages was built before policymakers took the potential problems seriously.
The resulting digital supply chain that the government relies on involves hundreds of commercial companies contracted to build, maintain, operate and secure its networks. It’s a long, multibranched kluge, with millions of potential vulnerable access points, and has worried the cybersecurity community for several decades.
The U.S. intelligence community knows full well how vulnerable the supply chain is — it exploits that weakness to break into foreign networks. (One of the biggest covert operations in U.S. history was a supply chain hack of the Soviet Union. Using the pretext of export controls, the Reagan administration tricked the KGB into buying gimmicked technology on the black market. The sabotage disrupted legitimate economic activity — an oil pipeline exploded — along with covert Soviet efforts to make chemical weapons.)
In the digital age, hardware can be tampered with; software can be manipulated at the point of purchase, or during testing, or during delivery. Software specifications can be engineered to allow backdoor access.
In theory, companies’ products have to be certified as secure before they can be purchased by the government, but often the market and demand for these products incentivize speed and efficiency over a careful consideration of how outside software might interact with programs developed entirely within the government’s bubble. (It wasn’t until 2018 that the Pentagon added “security” to its acquisition standards.)
The tools the government has on hand to try to defend its systems weren’t prepared for this kind of attack. Einstein, for example, is a system that was built to detect intrusions on nonintelligence community networks. Think of Einstein as a security guard who protects networks at their front entrances, using a regularly updated list of people who are barred from entering.
But Einstein won’t be able to detect when data is being transmitted to a secret user outside the network until 2022. The NSA updates Einstein with “signatures,” the computer version of fingerprints, that it collects as it forages through foreign networks. The Cybersecurity and Infrastructure Security Agency has thousands of employees working to reduce the number of ways outsiders can get into the network and to speed system upgrades, but their efforts are not scalable.
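The two paragraphs above contrast perimeter, signature-based filtering (a list of things already known to be bad) with noticing that data is leaving the network for a destination nobody expected. The following Python is an added illustration, not code from the article or from any government system: it runs a blocklist check and a simple outbound-volume check over a handful of constructed connection-log lines, so you can see a large transfer to an unlisted destination slip past the signature check and still be caught by the egress check. The log format, addresses, hostnames, allowlist, blocklist and byte threshold are all made up for the example.

```python
"""Added example: signature (blocklist) matching versus outbound-volume detection.

Nothing here comes from a real network; the log lines, address lists and
threshold are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample connection log: timestamp, source host, destination IP,
# destination port, bytes sent outbound. Addresses are documentation ranges.
SAMPLE_LOG = """\
2020-03-10T02:14:11Z host-a 198.51.100.7 443 1200
2020-03-10T02:14:12Z host-a 203.0.113.45 443 30500000
2020-03-10T02:15:40Z host-b 192.0.2.99 80 800
2020-03-10T02:16:02Z host-c 203.0.113.45 443 41200000
2020-03-10T02:17:30Z host-d 192.0.2.99 80 950
"""

# Constructed "signatures": indicators the perimeter filter already knows about.
KNOWN_BAD = {"192.0.2.99"}

# Constructed allowlist: destinations the organization expects to talk to.
KNOWN_GOOD = {"198.51.100.7"}


@dataclass
class Event:
    ts: str
    host: str
    dst: str
    port: int
    bytes_out: int


def parse_log(text):
    """Parse the five-field log format into Event records, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; ignore rather than crash
        ts, host, dst, port, bytes_out = parts
        events.append(Event(ts, host, dst, int(port), int(bytes_out)))
    return events


def signature_alerts(events, blocklist):
    """Perimeter-style check: flag only connections to destinations already
    on the blocklist. A destination nobody has seen before never matches."""
    return [e for e in events if e.dst in blocklist]


def egress_alerts(events, allowlist, threshold_bytes):
    """Egress check: total outbound bytes per destination that is not on the
    allowlist, and flag any destination whose total exceeds the threshold.
    This needs no prior signature for the destination."""
    totals = defaultdict(int)
    for e in events:
        if e.dst not in allowlist:
            totals[e.dst] += e.bytes_out
    return {dst: total for dst, total in totals.items() if total > threshold_bytes}


def main():
    events = parse_log(SAMPLE_LOG)
    print("signature hits:")
    for e in signature_alerts(events, KNOWN_BAD):
        print(f"  {e.ts} {e.host} -> {e.dst}:{e.port}")
    print("egress hits (unlisted destination, >10 MB outbound):")
    for dst, total in egress_alerts(events, KNOWN_GOOD, 10_000_000).items():
        print(f"  {dst} received {total} bytes")


if __name__ == "__main__":
    main()
```

In the constructed log, the blocklist check fires on the two small connections to the listed address and says nothing about the 70 MB that left for an address it has never seen, whereas the volume check flags that destination without needing a signature for it. The threshold and the per-destination aggregation are deliberately crude; the point is only that the second kind of check asks a different question from the first.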
What’s worse, the Trump administration was too focused on fighting 2016’s version of cyberconflict to see what Russia was really doing. The National Security Agency and the U.S. Cyber Command have adopted a strategy they call “defend forward.” By penetrating adversaries’ networks and implanting beacons of sorts to form an early warning network, the theory is that agents can detect potential attackers targeting the U.S. before attacks are executed.
Cyber Command has found some success with this strategy, because it has a lot of visibility into adversary networks, and none of them set off any of the alarms it had put in place — but there’s a logical fallacy here. Silence doesn’t equal success. What if the adversary uses a new group and new techniques, walls off its attackers from the rest of its intelligence services and never triggers the beacons? That appears to be what happened here.
So, is this war, as Durbin suggested? Not really — although it is the latest move in an endless and, by nature, secret conflict. It’s not war as conventionally conceived, but there is no good way to create a working mental model of cyber war. I see it as part of the spectrum of conflict between nation-states. But if it’s useful for politicians to use martial language to pass legislation and rally support for supply chain protections and better security, then we should allow them the indulgence.
That leaves the question: How do we deter Russia from doing this again? Well, we don’t, in the near-term.
We are past the point at which cyber deterrence might have worked. Kicking out spies, retaliating with cyberattacks, even responding with physical-world weapon attacks, sanctions — all of these have been attempted. They’ve failed.
What does work, then? Making it really, really hard to get into systems. Making it costly — so costly that it’s not worth the effort, so costly that the effort to penetrate our systems this deeply would force Russia to reveal too much about its own capabilities. Other than that, short of a thaw between the two countries, there is no reliable method of deterrence. We live, we learn and we wait for the next move.