In a video posted to YouTube five years ago, a team of cybersecurity experts listens as one of their colleagues reels off some major recent hacks of corporate systems: Sony, Target, Home Depot. “They were all hacked long before anyone figured it out,” he says. “By the time it becomes visible, the damage is usually done.”
Apparently, he and his employer didn’t take the warning to heart.
The speaker worked for SolarWinds, an obscure but important provider of network management tools for the U.S. government and hundreds of thousands of private customers, including many of America’s biggest corporations. Over the weekend, Reuters reported that software updates SolarWinds had shipped starting in the spring were tampered with to carry malicious code, the work of a hacking team that other reports connected to Russian intelligence. The reporting was backed up by forensic research from FireEye, a prominent security firm that was also a target of the hacking campaign. In short, the compromise of SolarWinds began at least eight months ago, but the damage is only now coming to light.
Around the world, hundreds of corporate and governmental cybersecurity teams are now scanning their inventory for SolarWinds products and testing their systems for signs of intrusion. The reality is that most of them are probably fine—at least in this case. As the SolarWinds YouTube video argued, they’ve almost certainly been hacked by someone; they just don’t know it yet. But the ability of a determined group of hackers to gain access to such sensitive government systems speaks to a larger issue, one that security experts have warned about for years: When it comes to cybersecurity, our government is as vulnerable as ever, and it’s been focused for far too long on offense over defense.
With SolarWinds’ customers ranging from Cabinet-level departments to intelligence agencies to some four hundred of the Fortune 500 companies, the potential for harm is vast. An anonymous source told The Wall Street Journal that the hack was a 10 out of 10 on the scale of concern. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, whose director, Christopher Krebs, was recently fired by President Trump via Twitter, issued an emergency directive ordering federal agencies to disconnect or power down their SolarWinds Orion products. SolarWinds, which is in the middle of a CEO transition, hurriedly issued a new patch—one that its customers can ostensibly trust—and entered crisis P.R. mode.
The U.S. government was lucky this time. According to reports, this hack had the hallmarks of a long-term espionage mission, designed for infiltrating and monitoring secret communications, not causing mayhem. While the hackers had potentially huge, world-spanning access, the attack was focused on gaining access to certain entities, such as FireEye and the Treasury Department, at the heart of the intelligence-industrial complex. (It was later reported that Homeland Security, the State Department, and the Pentagon were hit, too.) The hack highlights the government’s and industry’s vulnerability to supply-chain attacks, in which hackers compromise one of the many vendors and systems powering government networks rather than attacking those networks head-on. As Microsoft noted in a security advisory, the attackers used the foothold provided by the tampered Orion software to acquire administrative privileges on victims’ networks, and from there to forge authentication tokens that let them impersonate any of an organization’s users. (Microsoft has updated its Windows Defender anti-virus software to detect the malicious Orion components.)
This attack is only the latest volley in an ongoing war that has already caused real damage. The New York Times recently reported on a wave of Russian ransomware attacks targeting hospital computer systems that left cancer patients unable to schedule treatments. Especially during a pandemic, the United States can’t afford to have its essential infrastructure compromised. For the last few years, members of the foreign policy establishment have floated the idea of a global cybersecurity treaty, perhaps built on previous arms and cybercrime agreements. Getting some of the world’s most prolific cyber-espionage actors—Russia, Israel, China, Iran, North Korea, even France—to commit to such an agreement would be difficult. Enforcement would be even harder. But it’s a necessary effort.
The U.S., which has refused to join a range of international agreements, from the Rome Statute of the International Criminal Court to the ban on cluster munitions, may be the toughest of all to bring aboard. For all the hysteria about Russian cyber intrusions, the truth is that the U.S., through its own widespread, clandestine hacking operations, has as much or more visibility into the systems of its adversaries. In recent years, Russia has proposed more cooperation on cyber matters with the U.S., and the U.S. has refused. In September, echoing the Obama-era “reset” in overall relations, President Vladimir Putin called for a “reboot” in the U.S.-Russia cyber relationship. He specifically cited a Cold War-era Soviet-American agreement on preventing incidents at sea as a model.
There are obvious reasons for mistrust, but the fact remains that the U.S., whose massive cyber-surveillance and cyber-espionage programs are by now a matter of public record, has been made to appear the more recalcitrant party. Perhaps the U.S. government hopes to preserve a balance of power in which it sees itself as having an overall advantage. An example of its thinking might be found in the Vulnerabilities Equities Process, through which the federal government decides which software vulnerabilities to disclose so that vendors can patch them and which to keep secret for spy agencies’ offensive use. The VEP has long been a source of contention. Some think that it favors preserving too many software vulnerabilities for the use of agencies like the National Security Agency, rather than alerting vendors to issues that may affect millions of customers. The process remains opaque, so the public rarely learns which flaws the NSA has chosen to hold back. The SolarWinds case itself sits outside that framework: the attackers did not exploit an unpatched flaw that someone might have disclosed, but inserted malicious code into the vendor’s own software update, a kind of compromise the VEP was never designed to weigh.
However flawed the VEP is, at least it constitutes a framework for decision-making. There is no such framework for adjudicating conflict with our cyber adversaries. Instead, we have various world powers duking it out daily, endlessly probing adversaries’ networks for weaknesses, planting malware that may be called on later for intelligence gathering—or something worse. This, after all, is the job of spies who are entrusted with powerful hacking tools.
It’s the job of politicians and senior officials to see the bigger picture: that the status quo can’t hold and that the next big foreign hack may be far more damaging than the operation that just came to light. One might not expect this base level of insight from Trump, who once anointed Rudy Giuliani a cybersecurity expert, but President-elect Joe Biden and his foreign policy team—many of whom are Obama veterans familiar with the devastating hacks described in that SolarWinds video—should know better. The incoming administration must learn to make peace in cyberspace.
This article has been updated.