The bad news keeps coming about the scope of a suspected Russian hack: The US Department of Homeland Security was compromised, in addition to the State, Treasury, and Commerce Departments and parts of the Pentagon. The breaches, reportedly carried out by an arm of the Russian intelligence services, targeted a vulnerability in software developed by a firm called SolarWinds that is used across private industry and the US government. And while Americans were focused on preventing Russian hackers from once again disrupting a presidential election, these hackers instead kept quiet, likely making off with reams of valuable data before the intrusion was recently detected. What’s going on?
Today’s expert reaction courtesy of
- Trey Herr: Director of the Cyber Statecraft Initiative at the Scowcroft Center for Strategy and Security
- Erica Borghard: Senior director on the congressionally appointed US Cyberspace Solarium Commission and senior fellow in the Scowcroft Center’s New American Engagement Initiative
THIS IS A BIG DEAL
- Trey calls this “one of the most significant cybersecurity incidents ever to impact the federal government” and predicts that the reaction to it will “dominate” US cybersecurity efforts for at least the first two years of the Biden administration. “Plans are being rewritten and priorities dropped to resource the investigation and response to this event,” he tells us. “It will change the perception of the cybersecurity landscape the Biden-Harris team inherits.”
- How bad could the breach be? Trey notes that the kind of access the hackers reportedly secured into government networks “would provide insight on strategic decision-making, and advance warning of sanctions,” among other highly sensitive information. “While no one has yet publicly reported there was a compromise of classified networks,” he says, “what attackers appear to have had would effectively be a means to read the mind of an organization, comparable to well-placed human intelligence sources.”
A CRITICAL VULNERABILITY COMES INTO FOCUS
- Here’s a key insight from the hack, according to Trey: Rather than targeting one government agency, attackers can target vulnerabilities in widely used software, helping them access many agencies at once. And each of the myriad pieces of software a government agency uses could end up being the proverbial chink in America’s cyber armor. “Software like Microsoft Word or the operating system for a combat aircraft integrates smaller pieces of software that depend on regular updates; all of this software forms a supply chain,” he explains. “Criminal groups and states like Russia and China attack these supply chains to wreak havoc.”
- The latest hack, he adds, “shows these attacks aren’t going away despite the hundreds of millions of dollars technology vendors have invested to improve security. There have been dozens of attacks on software updates over the last decade.”
- To Erica, the hack is a prime example of what she calls “third-party risk”: “Third parties, like SolarWinds, are high-reward targets because they have a high concentration of data, access, and inroads into a wide range of entities,” she tells us. “Targeting this kind of critical node in the supply chain can have cascading implications.”
RETHINKING CYBER SUPPLY CHAINS
- During the coronavirus pandemic, we’ve talked a lot about the importance of global supply chains for access to essentials such as medicine and personal protective equipment. We should be having a similar discussion on cyber, Erica says. “The reality is that securing the supply chain will take decades and significant investment, and it’s nearly impossible to secure every link in the chain. That’s why, in addition to security, it’s equally if not more important to think about supply-chain resilience.”
- Resilience, in a nutshell, means ensuring that even if one part of the supply chain is compromised, the victim can withstand and rapidly recover from the event. “In addition to focusing on securing the supply chain, the US should also incorporate the concept of resilience into its supply-chain strategy to account for those inevitable instances where compromises and disruptions will take place,” Erica says.
THE BIGGER PICTURE
- In an interview on Monday, Secretary of State Mike Pompeo said that, when it comes to incidents like this, “we see this even more strongly from the Chinese Communist Party.” In fact, Erica tells us, it’s exactly this sort of narrow focus that may have made the US so vulnerable in the first place. The cybersecurity discussion has lately centered on the US-China rivalry and China’s market share of key technologies, she notes, and this “risks missing other, equally significant issues”—like the kind of compromises that led to this breach.
- US officials, Erica adds, must recognize that not every cyber incident will look like Russia’s infamous efforts to stir up the American public during the 2016 election. The goal can also be to gather intelligence—diligently and quietly. Russian actors “reportedly gained access to US government networks and, rather than exploiting that access to conduct a disruptive or destructive cyber attack, chose to maintain persistent presence over a long period of time to exfiltrate information,” she says. “This illustrates the inherent tradeoffs between noisy offensive cyber operations that generate typically limited, transient effects, and stealthy intelligence operations that can uncover a trove of national security information.”