Tue, Dec 15, 2020

FAST THINKING: Why the new Russian hacks are a game-changer

Fast Thinking by Atlantic Council

Related Experts: Erica Borghard, Trey Herr


JUST IN

The bad news keeps coming about the scope of a suspected Russian hack: The US Department of Homeland Security was compromised, in addition to the State, Treasury, and Commerce Departments and parts of the Pentagon. The breaches, reportedly carried out by an arm of the Russian intelligence services, targeted a vulnerability in software developed by a firm called SolarWinds that is used across private industry and the US government. And while Americans were focused on preventing Russian hackers from once again disrupting a presidential election, these hackers instead kept quiet, likely making off with reams of valuable data before the intrusion was recently detected. What’s going on?

Today’s expert reaction courtesy of

  • Trey Herr: Director of the Cyber Statecraft Initiative at the Scowcroft Center for Strategy and Security
  • Erica Borghard: Senior director on the congressionally appointed US Cyberspace Solarium Commission and senior fellow in the Scowcroft Center’s New American Engagement Initiative

THIS IS A BIG DEAL

  • Trey calls this “one of the most significant cybersecurity incidents ever to impact the federal government” and predicts that the reaction to it will “dominate” US cybersecurity efforts for at least the first two years of the Biden administration. “Plans are being rewritten and priorities dropped to resource the investigation and response to this event,” he tells us. “It will change the perception of the cybersecurity landscape the Biden-Harris team inherits.”
  • How bad could the breach be? Trey notes that the kind of access the hackers reportedly secured into government networks “would provide insight on strategic decision-making, and advance warning of sanctions,” among other highly sensitive information. “While no one has yet publicly reported there was a compromise of classified networks,” he says, “what attackers appear to have had would effectively be a means to read the mind of an organization, comparable to well-placed human intelligence sources.”


A CRITICAL VULNERABILITY COMES INTO FOCUS

  • Here’s a key insight from the hack, according to Trey: Rather than targeting one government agency, attackers can target vulnerabilities in widely used software, helping them access many agencies at once. And each of the myriad pieces of software a government agency uses could end up being the proverbial chink in America’s cyber armor. “Software like Microsoft Word or the operating system for a combat aircraft integrates smaller pieces of software that depend on regular updates; all of this software forms a supply chain,” he explains. “Criminal groups and states like Russia and China attack these supply chains to wreak havoc.”
  • To Erica, the hack is a prime example of what she calls “third-party risk”: “Third parties, like SolarWinds, are high-reward targets because they have a high concentration of data, access, and inroads into a wide range of entities,” she tells us. “Targeting this kind of critical node in the supply chain can have cascading implications.”

RETHINKING CYBER SUPPLY CHAINS

  • During the coronavirus pandemic, we’ve talked a lot about the importance of global supply chains for access to essentials such as medicine and personal protective equipment. We should be having a similar discussion on cyber, Erica says. “The reality is that securing the supply chain will take decades and significant investment, and it’s nearly impossible to secure every link in the chain. That’s why, in addition to security, it’s equally if not more important to think about supply-chain resilience.”
  • Resilience, in a nutshell, means ensuring that even if one part of the supply chain is compromised, the victim can withstand and rapidly recover from the event. “In addition to focusing on securing the supply chain, the US should also incorporate the concept of resilience into its supply-chain strategy to account for those inevitable instances where compromises and disruptions will take place,” Erica says.

THE BIGGER PICTURE

  • In an interview on Monday, Secretary of State Mike Pompeo said that, when it comes to incidents like this, “we see this even more strongly from the Chinese Communist Party.” In fact, Erica tells us, it’s exactly this sort of narrow focus that may have made the US so vulnerable in the first place. The cybersecurity discussion has lately centered on the US-China rivalry and China’s market share of key technologies, she notes, and this “risks missing other, equally significant issues”—like the kind of compromises that led to this breach.
  • US officials, Erica adds, must recognize that not every cyber incident will look like Russia’s infamous efforts to stir up the American public during the 2016 election. The goal can also be to gather intelligence—diligently and quietly. Russian actors “reportedly gained access to US government networks and, rather than exploiting that access to conduct a disruptive or destructive cyber attack, chose to maintain persistent presence over a long period of time to exfiltrate information,” she says. “This illustrates the inherent tradeoffs between noisy offensive cyber operations that generate typically limited, transient effects, and stealthy intelligence operations that can uncover a trove of national security information.”
