There is indignant howling over what is surely Russia’s role in infiltrating, again, the networks of the U.S. government and corporations – this time through a tainted software update by the company SolarWinds. Politicians of both parties in the U.S. have called it a virtual act of war. “America must retaliate, and not just with sanctions,” Senator Marco Rubio said.
The U.S. is, of course, engaged in the same type of operations at an even grander scale. It is an active participant in an ambient cyberconflict that rages largely unseen, and of course unacknowledged, across the digital globe. This is a struggle that we can’t avoid, and there is absolutely no need for the U.S. to play the victim. Just as America uses cybertools to defend its national interests, others (like Russia) will use cyberweapons against America.
The U.S. National Security Agency and Central Intelligence Agency exist to break into foreign information systems and steal secrets, and they are without doubt damn good at it. They, along with the Defense Department, regularly use cybertools to purloin intelligence from servers across the world and to place foreign information systems and industrial infrastructure at risk. Ones and zeros in today’s world can be far more effective weapons than bombs and missiles. The exposure of Stuxnet, the Snowden leaks and the theft of C.I.A. cybertools revealed the sophistication and extent of capabilities attributed to the United States.
The Pentagon’s cyberwar force, known as Cyber Command, overtly acknowledges through its “defend forward” doctrine that the U.S. government will target foreign entities and information systems to fight cyberattacks. In November 2018, Cyber Command reportedly disrupted the internet access of the computers of Russia’s Internet Research Agency, the organization responsible for the disinformation campaign during the 2016 U.S. midterm elections. In 2019, in response to Russian cyberincursions into the U.S. energy grid, Cyber Command reportedly placed malware tools on Russian systems that could enable the U.S. to turn out the lights in Moscow should a conflict between the two nations arise.
As solid as the U.S. cyberoffense is, the defense leaves much to be desired, as richly demonstrated by the litany of digital disasters, including the hacks of SolarWinds, the Office of Personnel Management, Equifax and Sony. The reality is that the U.S. government and private companies both underinvest in cybersecurity. Effective defense is a collective effort, but agencies and companies are often clueless and defenseless when it comes to countering the intrusions of countries like Russia, China, North Korea or Iran.
In recent years, there have been suggestions that the U.S. might explore international agreements by which nations would agree to put constraints on cyberwarfare and espionage. But this idea isn’t really taken seriously. There’s a sense that rules are written by those with the biggest guns – that is, that Washington can unilaterally impose global cyberorder.
The SolarWinds hack lays waste to that notion. Confidence that the U.S. possesses a monopoly on cyberweapons borders on hubris. Even though federal agencies do possess some of the greatest cyber espionage and warfare tools and talent on the planet, the playing field is disturbingly even. Unlike nuclear weapons, or even sophisticated conventional arms, powerful cyberweapons are cheap to produce, proliferate with alarming speed and have no regard for borders. Unable to match the U.S. in military spending, Russia, China, Iran and even North Korea view cybertools as a great equalizer. Why? Because the U.S. is singularly vulnerable to cyberattack: America is more reliant on financial, commercial and government networks than its adversaries, and at the same time, its systems are frighteningly open and vulnerable to attack. American networks represent targets for its adversaries that are simply too soft, juicy and valuable to resist.
On Election Day last November, General Paul M. Nakasone, the United States’ top cyberwarrior, reported that the battle against Russian interference in the presidential campaign had posted major successes and exposed the other side’s online weapons, tools and tradecraft. “We’ve broadened our operations and feel very good where we’re at right now,” he told journalists. Just 8 weeks later, General Nakasone and other American officials responsible for cybersecurity are now consumed by what they missed for at least 9 months: a hacking, now believed to have affected upward of 250 federal agencies and businesses, that Russia aimed not at the election system but at the rest of the U.S. government and many large American corporations.
After the intrusions came to light, American officials are still trying to understand whether what the Russians pulled off was simply an espionage operation inside the systems of the American bureaucracy or something more sinister: inserting “backdoor” access into government agencies, major corporations, the electric grid and laboratories developing and transporting new generations of nuclear weapons.
At a minimum, it has set off alarms about the vulnerability of government and private sector networks in the U.S. to attack and raised questions about how and why the nation’s cyberdefenses failed so spectacularly. Those questions have taken on particular urgency given that the breach was not detected by any of the government agencies that share responsibility for cyberdefense – the military’s Cyber Command and the National Security Agency, both of which were run by General Nakasone at the time, and the Department of Homeland Security – but by a private cybersecurity company, FireEye. Interviews with key players investigating what intelligence agencies believe to be an operation by Russia’s S.V.R. intelligence service revealed these points:
- The breach is far broader than first believed. Initial estimates were that Russia sent its probes into only a few dozen of the 18,000 government and private networks it gained access to when it inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.
- The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security.
- “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the U.S. to the hacking.
- The government’s emphasis on election defense, while critical in 2020, may have diverted resources and attention from long-brewing problems like protecting the “supply chain” of software. In the private sector, too, companies that were focused on election security, like FireEye and Microsoft, are now revealing that they were breached as part of the larger supply chain attack.
- SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators. Its chief executive, Kevin B. Thompson, who is leaving his job after 11 years, has sidestepped the question of whether his company should have detected the intrusion.
- Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.
The U.S. government was clearly the main focus of the attack, with the Treasury Department, the State Department, the Commerce Department, the Energy Department, and parts of the Pentagon among the agencies confirmed to have been infiltrated. The Defense Department insists that the attacks on its systems were unsuccessful, though it has offered no evidence. Some intelligence officials are questioning whether the U.S. government was so focused on election interference that it created openings elsewhere. Intelligence agencies concluded months ago that Russia had determined that it could not infiltrate enough election systems to affect the outcome of elections and instead shifted its attention to ransomware attacks that could disenfranchise voters and to influence operations aimed at sowing discord, stoking doubt about the system’s integrity and changing voters’ minds. The SolarWinds hacking, which began as early as October 2019, and the intrusion into Microsoft’s resellers gave Russia a chance to attack the most vulnerable, least defended networks across multiple federal agencies. So, does the United States give up now and do nothing? Of course not!
First, the U.S. should recognize that it has entered an age of perpetual cyberconflict. Unlike conventional wars, the U.S. cannot end this fight by withdrawing troops from the battlefield. For the indefinite future, its adversaries, large and small, will test its defenses, attack its networks and steal its information. In this respect, cyberconflict is more like fighting a disease than fighting a war, a disease with intent, and for which no vaccine is likely to emerge. And as witnessed with the coronavirus pandemic, the U.S. is not good at fighting a disease.
Second, it’s time for the U.S. to build a true national cyberdefense. This would rely less on barriers and firewalls, and more on monitoring what flows within and among corporate and government networks. Instead of a Maginot Line, think of a territorial army defending the many layers of cyberspace. Effective national cyberdefense requires a dedicated degree of corporate engagement, intelligence sharing and trust. Neither the government nor the private sector can succeed on its own. Companies and agencies, particularly those providing software services, must be held more accountable for egregious security lapses that make them easy targets and place us all at risk.
Third, the U.S. must relentlessly counter its adversaries’ cyber-operations by penetrating their most sensitive systems. There is a saying in counterespionage that only spies catch spies. Most agents are uncovered not by surveillance or background checks, but by other spies. No doubt, the C.I.A., N.S.A. and Cyber Command are working tirelessly to build the human and technical networks needed to uncover foreign intelligence operations. But they must ramp up.
Finally, even in the face of perpetual conflict, the U.S. should be prepared to sit down and talk with its cyberadversaries. It is hard to imagine a comprehensive agreement on cyberconduct that any country would abide by, or trust others to follow. Small steps, however, could start to build some degree of cooperation and, in time, a foundation for eventually regulating norms and behaviors. A good place to start might be the potentially most destabilizing and destructive attacks – such as attacks on nuclear command and control systems, or on global financial infrastructures that could upend markets and economies. If the U.S. is not prepared to accept restrictions on its own actions, it can in my opinion hardly cry foul when others play by the same rules.
In the meantime, until some order or law takes hold in the cyber Wild West, it’s time for the U.S. to stop acting surprised and stop posturing. Instead, it must better defend its digital homeland, learn to block and shake off a punch and, when needed, quietly bloody a few noses. It will be a long fight; the American people deserve to know the nature of it.