WASHINGTON — One simple way to think about the threat posed by Russian intelligence in its “SolarWinds” hack is that it exposed the vulnerability of the vast store of supposedly secure personal and corporate data known as the “cloud.”
This wasn’t an attack on classified systems or a sabotage mission, from what we know. Loose talk by Sen. Richard Durbin, D-Ill., calling it “virtually a declaration of war” is misplaced. This appears to have been an especially intrusive version of cyberespionage, which governments conduct routinely around the world.
But make no mistake: The SolarWinds hack, named for the company whose widely used network software was manipulated to plant malware, was a scary snapshot of today’s Internet — a world where personal privacy has all but vanished and nation states or private actors can penetrate systems and steal data almost at will. If you’re used to thinking of the United States as a fortress, forget it. Our information space has become the terrain where people fight their cyberwars: We’re the Internet version of Belgium or Lebanon, trampled by so many armies of manipulation.
An interesting fact about this hack is that private companies seem more agitated about it than do the cyberwarriors at the Pentagon. Brad Smith, the president of Microsoft, called the SolarWinds hack “an act of recklessness” and a “moment of reckoning.” A more cautious assessment came from an official familiar with the thinking of U.S. Cyber Command, who was reluctant even to call it an attack, describing it instead as “espionage” and “below the level of conflict.” The official cautioned in an interview: “To respond to espionage as an act of war might be disproportionate.”
Was this a failure of the U.S. approach to cyberwar, a strategy described as “persistent engagement” by Gen. Paul Nakasone, the head of both Cyber Command and the code-breaking National Security Agency? I think not. Instead, I believe it underlines the reality of Nakasone’s premise in framing that doctrine two years ago — that the world is in a constant state of low-level cyber conflict, and the United States needs to “defend forward” so it can deter real acts of war, like disabling the power grid, by threatening similar actions.
Why wasn’t the SolarWinds hack discovered sooner, so preventive action could have been taken? That’s the real question, and it involves whether government and the private sector can cooperate better in cyber counterespionage.
What’s really happening here, I suspect, is a problem very familiar for the United States — a failure to “connect the dots” and share information between silos. Glenn Gerstell, a former NSA general counsel, noted in an interview that the Department of Homeland Security was apparently aware last summer that the Russians were probing the “Einstein” system that supposedly protects unclassified “dot-gov” systems. But that information didn’t trigger action by the FBI, NSA or Cyber Command or other agencies that might have identified and stopped the hack. Answer: That’s not their turf, but DHS’. As Gerstell told me: “There’s no one place in the U.S. government where all the foreign intelligence gets merged with the domestic cyber hints and turned into action.”
Connecting the dots should also involve private companies. Smith put it bluntly in his blog post last week: Cybersecurity threats “require a unique level of collaboration between the public and private sectors.” Private companies may be the first to spot malware breaches, and, as Smith argues, “effective cyber-defense requires not just a coalition of the world’s democracies, but a coalition with leading tech companies.”
To understand why tech companies are so concerned, check out the Cybersecurity Advisory issued by the NSA last week warning that attackers are “abusing trust” by using forged credentials “to access protected data” in the cloud. The NSA warned that these hacking tools “subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.” Yikes!
Fortunately, this is the rare crisis where the needed reforms have just been enacted into law — too late to stop the SolarWinds hack, obviously, but perhaps in time to prevent the next one. The National Defense Authorization Act passed last week contained 26 amendments from the blue-ribbon Cyberspace Solarium Commission’s report last March, including a new White House cyber director and a new threat-hunting team at the Department of Homeland Security.
“We can’t patch our way out of the risk,” argued Sen. Angus King, I-Maine, one of the co-chairs of the commission, in an interview Tuesday. New laws will encourage the “layered deterrence” the commission recommended. And if other tech companies follow the lead of Microsoft and find ways to work with democratic governments, we might have a better chance of protecting the security of our data — which was so ravaged in the latest assault.