Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but thats wrong on two accounts. It wasnt a cyber-attack in international relations terms, it was espionage. And the victim wasnt just the US, it was the entire world. But it was massive, and it is dangerous.
Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isnt at all targeted, the entire world is at risk and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.
Heres what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR previously known as the KGB hacked into SolarWinds and slipped a backdoor into an Orion software update. (We dont know how, but last year the companys update server was protected by the password solarwinds123 something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.
This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself and can affect all of a suppliers customers. Its an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.
SolarWinds has removed its customers list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes fewer than 18,000 of those customers installed this malicious update, another way of saying that more than 17,000 did.
Thats a lot of vulnerable networks, and its inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsofts analysis identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, thinktanks, and NGOs and it will certainly grow.
Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used other initial infection vectors and techniques as well. These are sophisticated and patient hackers, and were only just learning some of the techniques involved here.
Recovering from this attack isnt easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isnt compromised is to burn it to the ground and rebuild it, similar to reinstalling your computers operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they cant be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an NSA exploit that remains on a hard drive even after it is reformatted. Code for that exploit was part of the Equation Group tools that the Shadow Brokers again believed to be Russia stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.
Even without that caveat, many network administrators wont go through the long, painful, and potentially expensive rebuilding process. Theyll just hope for the best.
Its hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, theres no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.
And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVRs hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)
While this is a security failure of enormous proportions, it is not, as Senator Richard Durban said, virtually a declaration of war by Russia on the United States While President-elect Biden said he will make this a top priority, its unlikely that he will do much to retaliate.
The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and its basically buyer beware. The US regularly fails to retaliate against espionage operations such as Chinas hack of the Office of Personal Management (OPM) and previous Russian hacks because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, said: You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I dont think wed hesitate for a minute.
We dont, and Im sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSAs budget is the largest of any intelligence agency. It aggressively leverages the USs position controlling most of the internet backbone and most of the major internet companies. Edward Snowden disclosed many targets of its efforts around 2014, which then included 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and itll probably never be made public. In 2016, President Obama boasted that we have more capacity than anybody both offensively and defensively.
He may have been too optimistic about our defensive capability. The US prioritizes and spends many times more on offense than on defensive cybersecurity. In recent years, the NSA has adopted a strategy of persistent engagement, sometimes called defending forward. The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.
But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we had been watching everything the Russians were doing, we would have seen some evidence of this. The Russians success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.
And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye discovered that it had been hacked. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why dont organizations like the departments of state, treasury and homeland security regularly conduct that level of audit on their own systems? The governments intrusion detection system, Einstein 3, failed here because it doesnt detect new sophisticated attacks a deficiency pointed out in 2018 but never fixed. We shouldnt have to rely on a private cybersecurity company to alert us of a major nation-state attack.
If anything, the USs prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an insecure cellphone encryption standard and a backdoor in random number generators (important for secure encryption). The DoJ has never relented in its insistence that the worlds popular encryption systems be made insecure through back doors another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.
We need to adopt a defense-dominant strategy. As computers and the internet become increasingly essential to society, cyber-attacks are likely to be the precursor to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.
Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVRs access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.
This preparation would not be unprecedented. Theres a lot of attack going on in the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking Russias power grid just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have real-world consequences.
Were not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the worlds supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day wont help create the safer world in which we all want to live.
Read the original here:
- National Security Agency - Wikipedia - August 5th, 2022
- Defence analyst Pravin Sawhneys new book begins with an imagined cyberattack on India by China - Scroll.in - August 5th, 2022
- NSA, Cyber Command tap new election security leaders - The Record by Recorded Future - May 12th, 2022
- This TikTok User Who Finds the Games Playing in TV Shows Needs to Be Working for the NSA - Barstool Sports - May 12th, 2022
- Graduation Week 2022: Cybersecurity grad prepares to protect the world - Jagwire Augusta - May 12th, 2022
- Amazon Is Busting Unions. Biden Is Giving Them Huge Federal Contracts Anyway. - Jacobin magazine - May 12th, 2022
- Modi@20: Balakot blew away the myth of Pakistans nuclear blackmail, writes NSA Ajit Doval - The Tribune India - May 12th, 2022
- Jesus, endless war and the irresistible rise of American fascism - Salon - May 12th, 2022
- Meet Three Bay Area Artists Working to Amplify the Voices of People Who Stutter - KQED - May 12th, 2022
- Nation-state Cyber Attackers aiming at the US Defense Industrial Base - Security Boulevard - May 12th, 2022
- NSA: We 'don't know when or even if' a quantum computer will ever be able to break today's public-key encryption - The Register - September 5th, 2021
- Opportune moment for indigenous development of 5G NSA & SA by C-DOT: Prakash - United News of India - September 5th, 2021
- A Softening Economy Will Be Buffeted By Stimulus Withdrawal And Delta-Variant Surge - Forbes - September 5th, 2021
- Actions of IT giants pave the way for states to monopolize data Snowden - TASS - September 5th, 2021
- Microsoft's Azure Government Top Secret Cloud: All you need to know - TechHQ - September 5th, 2021
- The Scandalous History of the Last Rotor Cipher Machine - IEEE Spectrum - September 5th, 2021
- The NSA Does Not Deny Reading Tucker Carlsons Emails - July 12th, 2021
- Home, but Not Free: NSA Whistleblower Reality Winner Adjusts to Her Release From Prison - The Intercept - July 12th, 2021
- Congress newest subcommittee is focusing on cyber troops and JEDI - Federal News Network - February 11th, 2021
- End the war on whistleblowers - The Week - February 11th, 2021
- NSA Warned Russia to Stay Out Of 2020 Election And Got SolarWinds Hack Instead - NPR - February 1st, 2021
- Biden administration will build on the Quad: NSA Jake Sullivan - The Hindu - February 1st, 2021
- William P. Crowell, Former Deputy Director of the National Security Agency, Joins LookingGlass Advisory Board - HSToday - February 1st, 2021
- SolarWinds Is Not the 'Hack of the Century.' Its Blowback for the NSA's Longtime Dominance of Cyberspace - Common Dreams - February 1st, 2021
- NSA fumes over the violation of coronavirus safety protocols - GhanaWeb - February 1st, 2021
- A Top Biden Cybersecurity Aide Donated Over $500000 to AIPAC as an NSA Official Mother Jones - Mother Jones - February 1st, 2021
- What to expect from NASS and NASED conferences - Politico - February 1st, 2021
- Companies Pay Criminal Penalties And Compensation For Undermining Competition - JD Supra - February 1st, 2021
- Split Up NSA and CYBERCOM - Defense One - December 28th, 2020
- Edward Snowden Pardon and the SolarWinds Hack | - City Journal - December 28th, 2020
- Edward Snowden and wife share photos of newborn son amid push for Trump to pardon NSA leaker - Washington Times - December 28th, 2020
- NSA Year in Review: Election Security, Cybersecurity, and More - HSToday - December 28th, 2020
- No, the United States Does Not Spend Too Much on Cyber Offense - Council on Foreign Relations - December 28th, 2020
- Satoshi Nakamoto from NSA, AntiChrist and Other Bitcoin Conspiracy Theories - Cryptonews - December 28th, 2020
- How A Cybersecurity Firm Uncovered The Massive Computer Hack - NPR - December 28th, 2020
- Snowden and Assange Deserve Pardons. So Do the Whistleblowers Trump Imprisoned. - The Intercept - December 28th, 2020
- Talks with China will not help says USA NSA on situation on Ladakh - Oneindia - October 10th, 2020
- How to choose the right multifactor authentication program - Federal News Network - October 10th, 2020
- UofL to launch health care cybersecurity curriculum with $6.3 million from National Security Agency, pilot focused on veterans and first responders -... - October 10th, 2020
- National Storage Affiliates Trust Announces Date of its Third Quarter 2020 Earnings Release and Conference Call - Business Wire - October 10th, 2020
- NSA announces new Autumn webinar series 'Feeding the flock and getting it right' - The Scottish Farmer - October 10th, 2020
- How the NSA is disrupting foreign hackers targeting COVID-19 vaccine research - TechCrunch - September 18th, 2020
- Crime Prevention and Community Outreach, Common Goals for NSA and NYPD Commissioner - Abasto, Food and Beverage Industry News - September 18th, 2020
- Deputy NSA gets one year extension - The Hindu - September 18th, 2020
- Exceeding All Expectations: A Journey of Adversity, Triumph and Eternal Optimism - Worth - September 18th, 2020
- Huge threat to national security as hackers attack NIC computers, steal sensitive information - DNA India - September 18th, 2020
- Police: 2 more held in Agra boys kidnap-murder, NSA to be invoked - The Indian Express - September 18th, 2020
- NSA to be invoked against miscreants involved in killing Malihabad farmer: Lucknow DM - Outlook India - September 18th, 2020
- Did the NSA spy on Congress? RT The World According to Jesse - RT - September 5th, 2020
- Nebraska native, 101, defied convention: She served in South Pacific, with MacArthur and at NSA - Omaha World-Herald - September 5th, 2020
- NSA Ajit Doval reviews situation at India-China border - The New Indian Express - September 5th, 2020
- NSA Webinar Part 3: Skills Development and the future of learning during and post the Covid-19 pandemic - Mail and Guardian - September 5th, 2020
- ICE Robotics Expands Offering With NSA Partnership - CleanLink - September 4th, 2020
- National Security Agency | History, Role, & Surveillance ... - August 16th, 2020
- The NSA and FBI Expose Fancy Bear's Sneaky Hacking Tool - WIRED - August 16th, 2020
- NSA and FBI Expose Russian Previously Undisclosed Malware Drovorub in Cybersecurity Advisory FBI - Federal Bureau of Investigation - August 16th, 2020
- Shah Faesal reached out to NSA before he quit party; open to IAS return - Hindustan Times - August 16th, 2020
- How has the pandemic impacted work at the NSA? - C4ISRNet - August 10th, 2020
- Election interference efforts have shifted, NSA and Cyber Command election threats leads say - CyberScoop - August 10th, 2020
- Did Hedge Funds Make The Right Call On National Storage Affiliates Trust (NSA)? - Yahoo Finance - August 10th, 2020
- National Speakers Association Inducts Mary Kelly, Ph. D. into the Speaker Hall of Fame - The Grand Junction Daily Sentinel - August 10th, 2020
- For 2020 Election, Threat is Bigger than Russia > US DEPARTMENT OF DEFENSE - Department of Defense - August 10th, 2020
- The White House reportedly quashed part of an intelligence report that showed Russia is helping the Trump campaign - MSN Money - August 10th, 2020
- GFA Express Appreciation To NSA | General Sports - Peace FM Online - August 10th, 2020
- NSA O'Brien Says US Has 'Sanctioned The Heck Out Of Russia' - Newsmax - August 10th, 2020
- DHS Warns of a Persistent Cyber Threat Targeting Critical Infrastructure in the U.S. - CPO Magazine - August 10th, 2020
- Money Explodes; Gold Glitters; The Recovery Slows - Forbes - August 10th, 2020
- NSA Reports on New Cyber Vulnerability in Computers - ExecutiveGov - August 10th, 2020
- The Trump administration reportedly quashed an intelligence report that showed Russia is helping him win the 2020 election - MSN Money - August 10th, 2020
- There Will Be Blowback - Forbes - August 10th, 2020
- What and how are you thinking? Anything is possible - Martins Ferry Times Leader - August 10th, 2020
- TikTok and National Security: The Need for a Comprehensive U.S. Privacy Law - Security Boulevard - August 10th, 2020
- Buhari to overhaul the nation's security apparatus, says NSA - TheCable - August 10th, 2020
- Trump quashed report section showing Russia is helping him win 2020 - Business Insider - Business Insider - August 9th, 2020
- NSA Sheep 2020 to be a virtual sheep show - South West Farmer - August 8th, 2020
- All you need to hijack a Mac is an old Office document and a .zip file - TechRadar - August 8th, 2020
- Silicon Valley's Vast Data Collection Should Worry You More Than TikTok - Jacobin magazine - August 8th, 2020
- T-Mobile Is The First Carrier Globally To Launch Nationwide Standalone (SA) 5G - Forbes - August 7th, 2020
- The Room Where It Happened: Former US NSA exposes the frailties of the Trump administration - The Financial Express - August 4th, 2020
- NSA Sheep 2020 to go virtual over two days - FarmingUK - July 31st, 2020