Stop Blaming Foreigners for America’s Awful Cybersecurity
This week brought disturbing news of a large-scale computer hack, a mega-hack if you like, of American government and industry by a foreign state actor that’s widely assumed to be Russia. Although the full scope of the damage inflicted is yet undetermined, and it will take months of investigation for that to become clear, this already appears to be one of the worst cybersecurity fails in history.
What we can say for certain is that this cyber offensive was perpetrated over months in 2020 by APT29, a Russian hacker group popularly termed Cozy Bear. Western counterintelligence deduced years ago that APT29 is really the Russian Foreign Intelligence Service, or SVR. Thus, this year’s mega-hack comes to America courtesy of the Kremlin, a fact which Secretary of State Mike Pompeo admitted yesterday with his statement, “We can say pretty clearly that it was the Russians that engaged in this activity.”
Official Washington, DC is being tight-lipped about what exactly got hit, as federal investigators survey the cyber-damage, but we know this effort was not confined to the United States. Microsoft President Brad Smith, whose firm finds itself in the middle of this online maelstrom, stated that while more than 40 of its customers were hit by APT29, and 80 percent of them are American, Microsoft has identified hacking targets in Canada, Mexico, Belgium, Spain, Britain, Israel, and the United Arab Emirates as well. Smith cautioned that the number of victims in this case is certain to rise as the investigation proceeds.
This cyber offensive runs back to a Texas-based software firm called SolarWinds. In short, SVR hackers breached that company’s Orion software, which is used by tens of thousands of private clients as well as many agencies of the U.S. and allied governments. SolarWinds was already known to possess a dodgy security record, including use of weak passwords, among other problems, which can be perhaps attributed to the fact that SolarWinds did not have a chief information security officer on staff. Suspicion has inevitably fallen on a possible insider threat as the source of the compromise, in other words a turned or compromised employee (wittingly or not) – such is often the beginning of large-scale hacking operations – but information is sketchy at present.
Regardless, SolarWinds’ security failure has brought great pain to Washington, since the federal Departments impacted here include Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, and Treasury. Alarmingly, individual agencies reported to be vulnerable to APT29 penetration include the National Security Agency (our most sensitive Intelligence Community agency) and the National Nuclear Security Administration (which protects our atomic research and weaponry), both of which used SolarWinds software.
What passes for the good news is that APT29 penetration here is reported to be confined to unclassified communication systems; moreover, classified Pentagon communications networks like SIPRNet and JWICS, which handle Secret and Top Secret communications, respectively, are reported to be unaffected by the SolarWinds breach. That may be cold comfort, since the SVR can learn an awful lot just from reading the unclassified emails and messages of a bevy of federal agencies, while cyber-penetrations of those unclassified networks can sometimes enable access to classified ones.
In response, Washington is doing what it knows how to do, making statements, issuing warnings, gathering investigators, creating task forces, and circling the bureaucratic wagons until the full extent of the damage can be assessed. This week, the Cybersecurity and Infrastructure Security Agency issued a blunt emergency directive to start pushing back the SolarWinds breach across government and industry, while the White House stood up a Cyber Unified Coordination Group to ensure that federal agencies are cooperating adequately to ascertain, and eventually roll back, what APT29 hath wrought here. Nevertheless, it will take months, at minimum, to undo this damage, not least because the SVR presumably is watching our mitigation efforts unfold on compromised networks in real time, while counteracting them wherever the Russians can.
There can be no sugarcoating what constitutes a grave failure of cybersecurity by the United States. The rhetoric emanating from Washington over Cozy Bear’s antics is severe, even extreme. While President Donald J. Trump is being castigated for keeping mum about this debacle, high-ranking Democrats are employing sky-is-falling rhetoric about the mega-hack. Illinois Sen. Dick Durbin termed it “virtually a declaration of war by Russia on the United States,” while his Connecticut colleague Sen. Richard Blumenthal stated that a classified briefing on the hack “left me deeply alarmed, in fact downright scared.” Their slightly more measured Delaware colleague Sen. Chris Coons explained, “It's pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war. ... [T]his is as destructive and broad scale an engagement with our military systems, our intelligence systems as has happened in my lifetime.”
However, it’s already apparent that APT29’s activities, while devastating from an information security viewpoint, plus deeply embarrassing to the United States, do not constitute the “Cyber Pearl Harbor” which cybersecurity gurus have been warning about since late in the last century. Where are the exploded power grids, the opened dams, the crashed trains, the darkened hospitals? If the SVR really got that deep inside so many sensitive computer systems and networks, what did they actually do with that access? Nothing, it seems, so far.
One of those alarmist gurus is Richard Clarke, who warned about a “Cyber Pearl Harbor” for decades from various perches in Washington, and he now seems to have gotten one, or close. As he stated this week, “This is the largest espionage attack in history. This is as though the Russians got a passkey, a skeleton key for about half the locks in the country. Think about it that way. It’s 18,000 companies and government institutions scattered around the U.S. and the world. This is an espionage attack.”
Clarke’s half right. It’s definitely espionage, but as yet there’s no evidence of any actual attack. Important cyberespionage terms are being elided here, and Clarke certainly knows the difference. We need to talk about CNE versus CNA. The former, Computer Network Exploitation, is really just espionage via cyber means: the reconnaissance of online systems, the theft of data, and establishing what those networks do. The latter, Computer Network Attack, is disrupting, damaging, or even destroying computer networks and the things which connect to them. CNA is what we fear; that’s potentially a Cyber Pearl Harbor. There’s no indication, as yet, that any CNA happened with APT29 in this vast cyberespionage operation. It’s all been CNE, based on what we’ve been told so far.
That’s cold comfort, of course, since CNE can easily turn into CNA; in fact you need to execute a lot of successful CNE to enable any painful CNA. But there remains a big difference between spying on computer networks and blowing them up. Russian cyberespionage and attack doctrine are well understood, if you bother to read about them. Moscow doesn’t view cyber as something radically new, but rather as an extension of normal intelligence collection and reconnaissance practice. As communications move into the cyber realm, that’s where you need to spy; it’s that simple.
This all has the whiff of politics about it, of course, because everything in America does these days. What APT29 did in 2020 represents the most serious American cybersecurity defeat since the mega-hack of Office of Personnel Management data by Chinese intelligence, which was announced by OPM in mid-2015. That hack compromised the most sensitive personal information of tens of millions of Americans who had applied for U.S. government security clearances. Despite repeated warnings about the pressing need to take cybersecurity seriously, OPM gave Beijing the store, an intelligence loss with staggering implications for multiple federal departments and agencies. It was a severe blow to morale in what the current White House resident terms the Deep State. Obama did not publicly call out Beijing over the OPM hack, beyond a banal statement that “There are certain practices that they are engaging in, that we know are emanating from China and are not acceptable.”
It’s impossible to miss that Democrats who are declaring war on Russia over Cozy Bear’s antics were much more moderate in their criticisms of China five years ago, while Republicans who were demanding that Obama retaliate harshly against Beijing over the OPM mega-hack are generally more circumspect about what we need to do against Moscow now. Since we do not want an actual war with Russia, a country which possesses several thousand nuclear weapons and seethes with hatred for the West in general and America in particular, it would be wise to assess what really happened with APT29 in 2020 with analytical precision rather than reckless rhetoric.
Thus far, it’s evident that this was another episode in the SpyWar which we’re in with both Moscow and Beijing, and the Kremlin won this round. The SVR is more cautious in its spy operations than its “neighbors” in military intelligence, the infamously reckless GRU, and APT29 seems to have executed an impressive reconnaissance of a wide array of American and allied computer networks, private and governmental. The intelligence loss to Moscow here appears to be massive. Vladimir Putin and his cyber-Chekists have good reason to be chilling champagne over this operation.
But they only got away with it because we let them. Just as with China’s mega-hack of OPM back in 2014, the Russians succeeded here due to America’s lackadaisical attitudes towards cybersecurity, public and private. Our enemies are competent, but our defenses are too often incompetent, which makes for a deadly combination in the SpyWar. It’s difficult to be excessively critical of private companies and their security shortcomings when the federal government itself can’t get its act together with cybersecurity. Federal agencies, even very sensitive ones, conduct only cursory inspections of private software which they place on their governmental computer networks, and thus, “After embedding code in widely used network management software made by a Texas company called SolarWinds, all [the SVR] had to do was wait for the agencies to download routine software updates from the trusted supplier.”
These debacles will keep happening until we get serious about security in general, cyber or otherwise. There are big obstacles to getting better. Politics remains a problem when our political parties are interested in security only when it can be used as a cudgel to beat the other party with. In addition, Americans of all stripes have had an unserious attitude towards counterintelligence for decades, as I highlighted in my last Top Secret Umbra column. Counterintelligence and security work can be a drag: difficult, time-consuming, and sometimes downright depressing. The SpyWar never sleeps. Victories there are incremental, never total, and sometimes difficult to detect at all.
This dismissive attitude towards counterintelligence was painful enough during the last Cold War, with traitors costing us lives, battles, and uncounted treasure. However, this fundamental unseriousness about protecting secrets is seriously lethal in the online age, when every government agency is fully networked and virtually every American spends every waking moment carrying an espionage device that spies on everything they do, buy, and say, while offering Internet and telephone access in exchange.
There’s also hypocrisy at play here. We lost this round of the SpyWar to the SVR, but we’re plenty active in the hush-hush cyberespionage realm ourselves. NSA is probably the world’s most skilled agency at conducting CNE while its tightly linked U.S. Cyber Command partner is among the most effective at executing CNA. Edward Snowden spilled some of those Top Secret beans to the world back in 2013, when he walked out of NSA Hawaii with over a million classified documents on his way to Moscow. Although CNA can be construed as an act of war, CNE is merely espionage in the 21st century, something which every first-class intelligence agency in the world is doing, right now, as you read this.
We must get serious about cybersecurity, not least because defeat in the SpyWar often precedes defeat in an actual war, and right now a shooting war with China looms as a serious possibility. Just as we should assume that details of Beijing’s mega-hack of the OPM were shared with Moscow, the SVR’s mega-hack of American government and industry via SolarWinds is something the Kremlin has likely shared with its friends in China. The stakes here are important and rising. It would be nice if President Trump said something meaningful about APT29’s activities, including what the U.S. government is doing to mitigate the damage while discouraging Moscow from executing further mega-hacks. It would be nicer still if Washington got serious about counterintelligence and security, cyber and otherwise, beyond mere words, before it’s too late.