That’s the bad news. The good news is that we can halt cyber mischief by other countries, but it will take bolder action than is currently on the table.
The details of the attack have been widely reported, but there are at least two aspects worth noting. First, and most obviously, the scope, scale and secrecy of the attack reflected a level of skill and comprehensiveness that only another country’s spy agency would be capable of — most likely the SVR, Russia’s foreign intelligence service. Second, the attack was unusual — implanting malware in computer networks through routine updates misidentified as authentic and proper by the systems’ doorkeepers. Undiscovered for months, the attackers were able at their leisure to scrutinize everything on the networks. By communicating with the compromised networks via computers located in the United States, rather than in Russia or elsewhere, the attackers were careful to leave almost no tracks, ensuring their few digital footsteps would look innocuous.
As a result, neither our federal government nor the private sector was able to detect, much less stop, the attack. We must of course vigorously investigate the scope of the attack and why we missed it. But we must also focus on larger, more difficult questions, such as whether we are properly resourced and structured to fight the cyber arms race of the future. Restricting itself to proposals that were reasonably likely to be implemented, the congressionally chartered Cyberspace Solarium Commission, which was established to develop a governmentwide cybersecurity strategy, recently recommended strengthening our existing governmental structures, with more central leadership and some modest expansions of authority. Some of the key recommendations, which are on the verge of becoming law, include the creation of a National Cyber Director in the White House and the granting of subpoena power to Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security, to enable it to track down cyber vulnerabilities and breaches in private sector systems. These are all important and commendable ideas — but the enormity of this hack makes clear that those recommendations won’t be enough.
It’s unrealistic to think we’ll be able to detect and stop every future attack; yet there are BOLDER steps the government can take now that will make a big difference in protecting its vital information and systems and aiding the private sector.
Civilian agencies need better, state-of-the-art cybersecurity systems.
Emails in key civilian departments and agencies — including Treasury, Commerce, Agriculture, Energy and Homeland Security, as well as the National Institutes of Health — were accessed surreptitiously. These and other agencies are protected by a government cybersecurity system called Einstein, designed to look for known computer viruses and malicious internet addresses.
But the Einstein system, administered by CISA, isn’t designed to catch software updates that are masquerading as authentic and correct. If an update bears cyber credentials saying it came from the actual software vendor, Einstein looks no further; it’s not able to peer inside the update itself to confirm that it is malware-free. Moreover, Einstein has no ability to investigate and stop internet connections that injected malware might use to communicate with a “command and control” server in the United States. There are systems and procedures for doing much if not all of this, but the government hasn’t spent the money to buy and implement them. The Russians certainly knew this.
Experts, both within the intelligence community and outside, have been sounding the alarm about the vulnerabilities of civilian agencies for years; some efforts have been made to remedy the situation, but with no central authority to push the executive branch in an urgent and coherent way, dispersed congressional oversight and a lack of funding, those efforts remain seriously deficient. We failed, at our peril, to recognize that our adversaries in the cyber realm might well be our equals. We worry less about cyber defense because of our conviction that our overall military and economic capabilities are superior. But those capabilities have digital vulnerabilities, so that’s no longer the right assumption.
We need to break down siloed cybersecurity surveillance systems.
Even if CISA and its partners in cyber defense, the FBI and the National Security Agency, hadn’t been focused on the security of our recent national elections (and properly so), they still wouldn’t have caught this hack. The 9/11 Commission criticized the government for intelligence silos that prevented information sharing; this hack reveals a comparable resource and structural failure to connect the cyber dots within government and with the private sector.
Experts were warning of gaps in the Einstein system, parts of the federal government were, according to news reports, aware of suspicious cyber signals coming from government systems, and we were surely alert to Russian efforts to probe election systems over the past year. Presumably, our intelligence community keeps track of what Russian and other cyber malefactors would like to accomplish. But there’s no one place where all these tips, hints and analysis come together in a meaningful way — one that enables us to take action.
We need to take measures to detect when our adversaries are operating inside our country.
Russia, China and others knowingly exploit two fundamental gaps in our cybersecurity architecture. They acquire or co-opt domestic computers and cloud services as a platform to launch malicious cyber operations. They appreciate that our intelligence services are focused on cyber activities beyond our borders, and that these services are generally not allowed to track foreign mischief once it moves onshore. Moreover, the private sector — very much a component of our national security — is largely left to fend for itself against foreign cyberattacks, yielding a situation inconsistent with the federal government’s role of providing our “common defense” under the Constitution.
Addressing these gaps raises enormously complex legal and policy questions about the scope of government in protecting us from foreign cyber malevolence. Yet our understandable hesitancy in confronting these questions allows adversaries to continue to exploit the situation. We must start that discussion and consider how our foreign intelligence services could work with the FBI and CISA — in a manner fully consistent with our values and the Constitution — to pursue foreign cyber maliciousness when it involves using domestic parts of the internet.
To have prevented this hack, we would have had to piece together information from the intelligence community about Russian intentions and activity, link it to hints (from affected agencies or DHS) that some government systems had suspicious domestic internet connections, and then monitor those internet connections. Media reports indicate that the Russians used a domestic internet domain leased from Go Daddy, a reputable and popular host for web domains, to control the malware that was inserted in government networks. Normally a search warrant or other legal process, often taking days, is required before the FBI can fully review the traffic connecting with a suspected malicious internet site. None of the foregoing steps could, at least under current structures, have been taken in sufficient time to detect the attack in the first place; at a very minimum, we could be better structured to stop such attacks from spreading.
There is no single structural or legal solution to the problem of foreign cyberattacks. More robust sanctions against foreign adversaries and better international efforts to stop the export of cyber mischief and bring cyber criminals to justice will also help. Working with other like-minded nations, we need to raise the risks and costs of cyber espionage and cyber damage.
But steps like those outlined above are also needed to bolster our federal government’s defenses and to give us more robust tools to use against foreign cyber wrongdoers. That, along with more vigorous sharing with private businesses of otherwise classified information about the techniques of those wrongdoers, would go a long way to addressing the vulnerabilities of the private sector, and thus help fulfill government’s responsibilities in that regard. As if we needed an illustration of the private sector’s vulnerability, the recent sophisticated attack was undetected even by cybersecurity incident response firm FireEye, apparently itself a victim, with some of its cybertools used to test customer network security audaciously stolen by the intruders.
So far, there’s no sign the tools have been turned against us; moreover, it’s not, and might never be, clear exactly what the attackers were seeking or found from the government networks. Consequently, it’s not clear whether the United States should treat this hack as espionage, in which we and almost every nation engage — and which customarily doesn’t give rise to retaliation outside of spy circles. Or was there some yet-to-be-revealed damage or theft, even an action akin to an act of “cyber warfare,” which might warrant some broader reprisal?
The full extent of the damage to our country has not yet been ascertained. But we already know enough to minimize future cyber risks to our nation. Sometimes it takes a crisis to prompt bold steps. Thanks once again to Russia, we have just been handed one.