The US has suffered a massive cyberbreach. It's hard to overstate how bad it is
Photo: Patrick Semansky / AP
Recent news reports have described a massive Russian cyber attack on the US, but this is wrong in two ways. In terms of international relations, it was not a cyber attack; it was espionage. And the victim wasn't just the US, but the whole world. It was, however, massive and dangerous.
Espionage is allowed internationally in peacetime. The problem is that both espionage and cyber attacks require the same computer and network intrusion, and the difference between them is just a few keystrokes. And since this Russian operation was not targeted at all, the whole world is at risk, and not just from Russia. Many countries perform these types of operations, none more extensively than the United States. The solution is to prioritize security and defense over espionage and attack.
Here's what we know: Orion is a network management product from a company called SolarWinds that has over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR, formerly known as the KGB, broke into SolarWinds and slipped a backdoor into an Orion software update. (We don't know how, but last year the company's update server was protected by the password "solarwinds123", which indicates a lack of security culture.) Users who downloaded and installed this corrupted update between March and June unintentionally gave the SVR hackers access to their networks.
This is known as a supply chain attack because it targets a supplier to an organization rather than the organization itself, and it can affect all of that supplier's customers. It is an increasingly common way of attacking networks. Other examples of this type of attack include fake apps in the Google Play Store and hacked replacement screens for your smartphone.
SolarWinds removed its customer list from its website, but the Internet Archive saved it: all five branches of the U.S. military, the State Department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds stated that "fewer than 18,000" of these customers installed this malicious update, which is another way of saying that more than 17,000 did so.
That is a lot of vulnerable networks, and it is inconceivable that the SVR has penetrated them all. Instead, it carefully chose from its cornucopia of targets. Microsoft's analysis identified 40 customers whose networks were infiltrated through this vulnerability. The vast majority of these were in the United States, but networks in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates were also affected. This list includes governments, government contractors, IT companies, think tanks, and NGOs ... and it's sure to grow.
Once inside a network, the SVR hackers followed a standard playbook: establish persistent access that survives even after the initial vulnerability has been closed; move laterally through the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of safety; this SVR operation also used other initial infection vectors and techniques. These are sophisticated and patient hackers, and we are only just learning some of the techniques used here.
Recovering from this attack is not easy. Because the SVR hackers established persistent access, the only way to ensure that your network is no longer compromised is to burn it down and rebuild it, much like reinstalling your computer's operating system to recover from a bad hack. This is how many sysadmins will spend their Christmas vacation, and even then they can't be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. For example, we know of an NSA exploit that remains on a hard drive even after it is reformatted. The code for this exploit was part of the Equation Group tools that the Shadow Brokers (again, believed to be Russia) stole from the NSA and released in 2016. The SVR likely has the same kinds of tools.
Even without this complication, many network administrators will not go through the long, painful, and potentially expensive recovery process. They will just hope for the best.
It's hard to overstate how bad this is. We are still learning of breaches of U.S. government organizations: the State Department, the Treasury Department, Homeland Security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Safety Agency, the National Institutes of Health, and many more. There is currently no evidence that classified networks have been penetrated, although this could easily change. It will take years to find out which networks the SVR has penetrated and where it still has access. Much of this will likely be classified, which means that we, the public, will never know.
And now that the Orion vulnerability is public, other governments and cybercriminals will use it to break into vulnerable networks. I can guarantee you that the NSA is using the SVR's hack to infiltrate other networks. Why wouldn't they? (Do Russian organizations use Orion? Probably.)
While this is a huge security failure, it is not, as Senator Richard Durbin said, "practically a declaration of war by Russia on the United States." While President-elect Biden said he would make this a top priority, it is unlikely that he will do much to retaliate.
The reason is that, according to international norms, Russia did not do anything wrong. This is normal. Countries are constantly spying on each other. There are no rules or even norms, and it is basically "buyer beware." The US does not regularly retaliate against espionage operations, such as China's hack of the Office of Personnel Management (OPM) and previous Russian hacks, because we do the same thing. Commenting on the OPM hack, then Director of National Intelligence James Clapper said, "You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don't think we'd hesitate for a minute."
We don't, and I'm sure NSA employees are grudgingly impressed with the SVR. The US has by far the largest and most aggressive intelligence operation in the world. The NSA's budget is the largest of any intelligence agency. It aggressively takes advantage of the US position as the country that controls most of the internet backbone and most of the major internet companies. Edward Snowden revealed many of its targets around 2014, including 193 countries, the World Bank, the IMF, and the International Atomic Energy Agency. We are undoubtedly conducting an offensive operation on the scale of this SVR operation right now, and it will likely never be made public. In 2016, President Obama boasted that we "have more capacity than anyone, both offensively and defensively."
He may have been too optimistic about our defensive capabilities. The US prioritizes and spends much more on offense than it does on defensive cybersecurity. In recent years the NSA has adopted a strategy of "persistent engagement," sometimes referred to as "defending forward." The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they reach us. This strategy has been credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.
But if persistent engagement is so effective, how could it have missed this massive SVR operation? It appears that pretty much the entire US government was unknowingly sending information back to Moscow. If we had watched everything the Russians did, we would have seen some evidence of it. The Russians' success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.
And how did US defensive capabilities miss this? The only reason we know about this breach is that the security firm FireEye discovered it had been hacked earlier this month. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why don't organizations like the State, Treasury, and Homeland Security departments regularly perform this level of auditing on their own systems? The government's intrusion detection system, Einstein 3, failed here because it cannot detect new, sophisticated attacks, a flaw pointed out in 2018 but never addressed. We shouldn't have to rely on a private cybersecurity company to alert us to a major nation-state attack.
If anything, the prioritization of offense over defense by the US makes us less secure. In the interests of surveillance, the NSA has pushed for insecure cell phone encryption standards and a backdoor in random number generators (important for secure encryption). The DoJ has never stopped insisting that the world's popular encryption systems be weakened through backdoors, another point where attack and defense conflict. In other words, we allow insecure standards and systems because we can use them to spy on others.
We have to pursue a defense-dominant strategy. As computers and the Internet become increasingly important to society, cyber attacks are likely to be the precursor to actual war. We are simply too vulnerable to prioritize offense, even if it means giving up the advantage of using those insecurities to spy on others.
Our vulnerability is magnified because eavesdropping can easily turn into direct attack. With the access the SVR has, it can not only read data but also modify it, degrade network performance, or erase entire networks. The first could be normal espionage, but the second could certainly be viewed as an act of war. Russia is almost certainly laying the groundwork for future attacks.
This preparation would not be unprecedented. There have been many attacks around the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking the Russian power grid, in case the capability is needed one day. All of these attacks began as espionage operations. Vulnerabilities have real consequences.
We will not be able to secure our networks and systems in this no-rules, every-network-for-itself world. The US must willingly give up some of its offensive advantage in cyberspace in order to maintain a far safer global cyberspace. We need to invest in securing global supply chains against this type of attack and push for international norms and agreements that prioritize cybersecurity, such as the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the major internet protocols) helps everyone. We have to dampen rather than intensify this offensive arms race and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing what we do every day will do nothing to create the safer world we all want to live in.
Bruce Schneier is a security technologist and author. His most recent book is Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World.