a global affairs media network

www.diplomaticourier.com

Charting a New Path for Cybersecurity After SolarWinds

January 4, 2021

In a remarkable cyber espionage campaign, which many fear goes much further than initially reported, a recently discovered hack allowed a foreign adversary to monitor the internal email traffic of the U.S. Treasury and Commerce departments. The hack also affected the U.S. National Security Council as well as the Department of Homeland Security, among many notable others. FireEye, the U.S.-based cybersecurity company, first noted the existence of the hack after delving into a breach of its own systems. FireEye’s extensive source code analysis came to the conclusion that a backdoor existed—and had been exploited—in a product made by SolarWinds, a major U.S.-based provider of cybersecurity tools.

The hack was conducted in what is called a supply chain attack and worked by hijacking a software update that purported to be from SolarWinds to its customers, pushing malicious code that would eventually compromise Microsoft’s authentication controls and allow further installation of malware the scope and scale of which is presently unknown. To put it plainly: it is a catastrophe.

Since the SolarWinds attack affected so many Fortune 500 companies, including critical infrastructure entities, once noticed it was bound to become public. It is a matter of conjecture as to whether the perpetrators cared about what collateral damage they caused to industry and government entities that were less likely to be targets of interest. According to SolarWinds, at present count over 18,000 of its 300,000 customers installed the malware. It is hard to overstate the scale, since SolarWinds counts the Office of the President of the United States, the Department of Defense, the NSA, Visa, Mastercard, Harvard, Subaru, Volvo, Lockheed Martin, Cisco, The New York Times and thousands more major organizations among its customers.

While FireEye stopped short of attributing the hack to Russian intelligence, the attack has since been widely credited to a unit of the SVR (Russia’s external intelligence agency), known by the nickname Cozy Bear, or more directly in the U.S. as Advanced Persistent Threat 29—or APT29 for short.  

All Your Base Are Belong to Us!

Russia was quick to deny the allegations, calling them “baseless.” Yet, if this were indeed a campaign done by Russian intelligence, it was a considerable coup. Nothing of this magnitude has been previously reported. The only publicly known hack that comes anywhere close in its audacity is the 2015 Office of Personnel Management breach, attributed to China, that exfiltrated the detailed personal data contained in the SF-86 forms of millions of Americans with, or seeking, security clearances. The damage from the OPM breach may pale in comparison to what will eventually come to be understood about SolarWinds.

Denial is the norm in state-against-state cyber operations, but the allegations and news pointing to Russia as the source play to Russia’s public advantage: while the U.S. can assert that Russia did it, Russia can say it didn’t and at the same time accrue the international reputation of unstoppable hackers who humbled the United States.

Public denials aside, the SolarWinds attack was not espionage as usual but was instead a grossly indiscriminate act, reckless and done with disregard for the global system as a whole.

“Somebody set up us the bomb.”

Industry and government leaders need to break with the persistent myth that the cyberscape is a lawless space where actions occur without the prospect of attribution and—ultimately—accountability. States and companies have it within their power to attribute actions. That said, understanding the political and economic costs of attribution and the means to alter state behavior are not cut-and-dried activities. Cyberspace is not some alternative notional nerd space but is instead wholly bound up in political and economic challenges.

When attacks are noticed, it becomes necessary to categorize what occurred and very often such categorization is largely related to effects. Categorization is an attempt to gain control over events. Was the attack economic? Political? Physically damaging? Such questions are necessary, even if the answers revealed are often very ambiguous. From there it is possible to imagine responses.

Very often foreign policy experts will suggest that naming and shaming is the first stop in deterring bad behavior. “Name and shame” is indeed one of the preferred approaches and yet, the present attack notwithstanding, the past several years have not shown it to be successful. After all, when has a state been deterred? If such naming occurs only in camera, then there isn’t much shaming. Furthermore, as unattractive as it may sound, there will also be states that cannot be shamed.

Deterrence is also inextricably tied to the concept of escalation. Consider that where country X is undeterred and country Y has more to lose (think the U.S. and Europe and the vast economies dependent on information technologies), there are bound to be further problems if shaming does not have the desired effect. Clearly, creative thinking is needed here to make a breakthrough on what is allowable and what is not. Microsoft and other companies have started this conversation in the Paris Call for Trust and Security in Cyberspace, but to date a basic question remains unanswered: to what extent will countries agree to such voluntary, normative standards, or will states simply continue espionage as usual (or, in the case of the SolarWinds attack, unusual) and cyber offensive operations? If the U.S. has a comparative advantage in offensive cybersecurity as a method of deterrence, the public is not going to hear about it. Classified operations rarely make the news unless something goes wrong. The balance of investments in offensive to defensive cybersecurity should also be examined.

Nuke the site from orbit?

Bruce Schneier, Fellow at the Berkman-Klein Center for Internet and Society at Harvard, quipped that the only way now to know that the network is clean is “to burn it down to the ground and rebuild it.” The logic behind this assertion is that the scale of the SolarWinds attack is so grand, and the teams of trained cyber analysts so few, that there is no practical way to get back to a clean network, if ever there was one. However, we need to consider a basic question that would concern any senior or fledgling technologist: do we have a clean restore point?

If you are the CFO, and are concerned primarily about profitability and cost to operations, “burn it down” is also a thoroughly unattractive, expensive option. The situation today in the corporate boardroom with technologists and executives is likely to be reminiscent of the scene in the sci-fi classic “Aliens” where our hero, Ripley, rides roughshod over corporate cost-based arguments, asserting instead that nuking the site from orbit “is the only way to be sure.”  

Yet the terms of that analysis do not capture the full picture. Many of the cybersecurity problems we have seen to date are tied to fraught concepts of trust in systems and our own conceptions of technological progress, not to mention the prevalence of human error, problems that are only becoming more common and consequential. To get to a higher level of trust there are experts who would argue for more technology to improve security and more analysts and engineers in the service of technological fixes; in short, more to ostensibly produce better. Yet in the rush to buy security and install more products, complexity has increased manifold, leading to what the late Yale sociologist Charles Perrow would likely have accepted as fitting under his rubric of “normal accidents”—where systems are so complex, tightly coupled, with catastrophic potential, that a massive accident is in effect inescapable.

In many cases today we see that the basics that are needed to normalize cybersecurity in understandings of risk get pushed to the sideline in favor of new technology. It happens so often that executive technologists recognize the problem and have given it a name: Shiny New Technology. Where such a shiny new fix is preferred or seen as a way out of other problems, risks may balloon while the basics remain undone. For the U.S. Federal government, which is itself a highly complex system of systems, consider that today there is no central inventory of which agencies use what software in which offices. Not to mention that many companies, SolarWinds among them with their “SolarWinds123” password, have shown a particularly cavalier attitude when it comes to the security of their own products.

On the heels of the SolarWinds hack announcement, the Government Accountability Office released the findings of its extensive Federal agency audit that predated the present troubles, noting that none of the 23 agencies they audited fully implemented all of the recommended supply chain risk management (SCRM) practices and 14 of the 23 agencies had not implemented any of the practices. Clearly there is much work to be done inside the government.

Normalization of cybersecurity in a risk framework is another route that must be earnestly explored in all serious ventures. The National Institute for Standards and Technology has done the world a favor by developing frameworks to help organizations of all sizes come to terms with cybersecurity risks. Risk and threat are often used interchangeably but they are not to be confused: threats are sources of danger, whereas risk is a determination based on a threat’s perceived consequences and likelihood. Where cybersecurity risks and threats can come to be understood, trust remains important but all activities are understood to involve some level of risk. With that knowledge, priorities and decisions can be made. Such work needs to start with the basics.

Many multinational corporations are moving to a new security model called “Zero Trust” that turns assumptions about trust on their head by explicitly assuming breach and requiring the verification of all requests as though they originate from outside the network. Such an approach might well have allowed SolarWinds customers to avoid the worst by limiting communications only to known and authenticated entities.
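The contrast the paragraph draws, shown as an added illustration that is not code from the article or from any vendor: a legacy perimeter check that trusts anything with an internal address, beside an "assume breach" check that verifies the caller's identity and consults an explicit allowlist on every request. The host names, the principal names and the HMAC token scheme are all constructed for the example.

```python
# Added illustration, not code from the article: a minimal "assume breach"
# request policy. Hosts, principals and the HMAC token scheme are constructed.
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str     # service identity presented by the caller
    token: str         # hex HMAC bound to principal|destination|port (constructed scheme)
    source_ip: str
    destination: str   # host the caller wants to reach
    port: int


# Constructed policy: each workload may only talk to explicitly listed peers.
ALLOWLIST = {
    "monitoring-server": {("ntp.corp.example", 123), ("siem.corp.example", 514)},
    "workstation-42": {("mail.corp.example", 443)},
}


def mint_token(key: bytes, principal: str, destination: str, port: int) -> str:
    """Issue a per-request credential bound to the intended destination."""
    msg = f"{principal}|{destination}|{port}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def perimeter_allows(req: Request) -> bool:
    """Legacy model: anything originating inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip).is_private


def zero_trust_allows(req: Request, key: bytes) -> tuple:
    """Assume breach: verify identity and check an explicit allowlist for every
    request, regardless of where on the network it came from."""
    expected = mint_token(key, req.principal, req.destination, req.port)
    if not hmac.compare_digest(expected, req.token):
        return False, "identity not verified"
    if (req.destination, req.port) not in ALLOWLIST.get(req.principal, set()):
        return False, "destination not on allowlist for this principal"
    return True, "ok"


def decide(req: Request, key: bytes) -> dict:
    """Evaluate both models; a zero-trust denial is also a detection signal."""
    ok, reason = zero_trust_allows(req, key)
    return {"perimeter": perimeter_allows(req), "zero_trust": ok, "reason": reason}


if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    # A compromised internal host reaching for an unknown external peer: the
    # perimeter model waves it through; the allowlist check denies and explains.
    unexpected = Request("monitoring-server",
                         mint_token(KEY, "monitoring-server", "cdn.unknown.example", 443),
                         "10.0.0.5", "cdn.unknown.example", 443)
    print(decide(unexpected, KEY))
    # Legitimate log forwarding to a listed peer passes both models.
    logs = Request("monitoring-server",
                   mint_token(KEY, "monitoring-server", "siem.corp.example", 514),
                   "10.0.0.5", "siem.corp.example", 514)
    print(decide(logs, KEY))
```

Every denial carries a reason, so the same function that blocks an unexpected outbound connection also produces the event a SOC would want to alert on.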

Moving beyond surprise at “sophistication” to the mainstreaming of cybersecurity.

Very often we call hacks sophisticated largely because we are embarrassed by them. After all, who would want to accept that basic mistakes may have been made and, perhaps worse, tolerated? From what is publicly known about the SolarWinds hack, there appears to be blame enough to go around and certainly more facts will be revealed in the coming months. Most immediately, at the federal level, the attack has led to renewed calls for a central authority for cybersecurity in the United States, a challenge which the incoming Biden administration will encounter as it prioritizes gaps in cybersecurity.

Critically, the Biden administration has a chance to finally mainstream cybersecurity, placing it alongside other foreign policy priorities. Such mainstreaming has advantages that have traditionally played to the strengths of the United States: the building of alliances and public-private partnerships to help secure growth, predictability, and fair outcomes.

This work cannot be done in a vacuum: government is no longer “in charge.” There is vast dependency on industry to make the business of government secure and, ultimately, useful for all. Recognizing the challenges for the defense industrial base, the Department of Defense worked with University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry to develop the new Cybersecurity Maturity Model Certification with the goal of improving cybersecurity. Other sectors of the economy could benefit from similar models.  

To bring the global system to a higher plane of security, governments will have to pursue all available routes, which should include allying, convening, partnering, regulating, fining, and ultimately not tolerating poorly secured products or reckless state behavior. With so much uncertainty and the growing need for security against determined adversaries, much is at stake.

About Sean S. Costigan:
Sean Costigan is the Director of Cyber Policy for Red Sift and a professor at the George C. Marshall European Center for Security Studies.
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.