SolarWinds Hack: Is NSA Doing the Same to Russia?
Espionage Operations Demand a Different Policy Response to Damaging Cyberattacks
Spies are going to spy.
That's my "light on the Chicken Little, heavy on the realpolitik" hot take on the SolarWinds Orion supply chain attack.
It's important to remember that the apparent focus of the hack of Austin, Texas-based SolarWinds' software development pipeline, which resulted in the company's Orion network monitoring software being backdoored, was espionage. In particular, investigators have suggested that Russia's SVR foreign intelligence service may have been behind the hacking campaign.
While the Trojanized Orion software was pushed to nearly 18,000 customers, FireEye investigators suspect the attackers pushed additional malware onto devices - escalating the attack and paving the way for data exfiltration - at only approximately 50 organizations' networks. From an intelligence standpoint, each of those victims was likely a big fish.
Some U.S. lawmakers have been calling on the government to authorize destructive online reprisals to deter further hack attacks. They portray what Russia has done as an act of war.
But such reprisals are a bad idea.
While it isn't pretty, the job of intelligence agencies is to gather data and distill it into intelligence to better inform their country's policymakers. Intelligence-gathering exists in no small part to help avoid real-world - aka kinetic, as in bullets and bombs - conflicts.
Russia's SVR service is staffed by "intelligence collectors," Chris Krebs, the former head of the U.S. Cybersecurity and Infrastructure Security Agency, told CNN on Sunday.
"They're looking for policy decisions. They're looking for diplomatic negotiations in federal agencies. They're typically not the ones to run the destructive types of attacks," said Krebs, whom President Donald Trump fired last month after he said that this year's election was the most secure one in history (see: Fired CISA Director Refutes Election Fraud Allegations). "That doesn't mean they can't hand off access, but for now I think this is more of an intelligence collection operation."
Spying looked a lot different before the internet came along. "There's a time in our lives where the domains that we had espionage in - or the domains that we had combat in, or differences in - were land, sea, air, then space," FireEye CEO Kevin Mandia said in a Sunday interview with CBS news program "Face the Nation." "And now we have cyber. This is just one campaign in a long battle in cyberspace."
Many nations hack - or do their best to hack - each other.
As political scientist Thomas Rid, a professor of security studies at Johns Hopkins University, tweeted: "What if CIA and NSA have already been doing to Russia what SVR did to the United States - just without getting caught doing it?"
"One question always to remember - where are all the top-tier threat actors we haven't seen exposed recently? U.S., U.K., Israel, etc.," tweets Danny Moore, a threat intelligence engineer at Facebook. "Assume they've not only carried on operating (at scale), but also innovated on the already high bars they had previously set."
Life After Snowden
Consider the major revelations from Edward Snowden's 2013 leaks of National Security Agency information. For example, the leaks unveiled the extent to which U.S. intelligence was directly tapping U.S. cloud providers' data centers. They showed how, 10 years ago, as part of Operation ShotGiant, the NSA had hacked into Huawei to give it the ability to use its gear to remotely access Huawei's customers' networks. They also showed how, in 2010 and 2011, the NSA and the U.K.'s GCHQ allegedly hacked digital security firm Gemalto and stole encryption keys that would theoretically allow them to decrypt millions or billions of intercepted calls, around the world, in real time. And they outlined how, via "Operation Socialist," the same two countries' intelligence agencies allegedly hacked into the network of telecommunications company Belgacom, based in the allied nation of Belgium, from 2010 to 2013.
Another revelation was the glimpse into major nations' state of play - from an intelligence standpoint - and what it might take for businesses to better defend themselves.
"We can assume if NSA is doing it, then probably other intelligence agencies around the world are doing it too," said cybersecurity expert Jeff Moss, the founder of the Black Hat and Def Con conferences, in the wake of Snowden's leaks (see: Defending Against Government Intrusions).
Uncovering major hack attacks often leads to significant milestones that change the course of cybersecurity discussions, Moss has said. For example, look to 2010, when Google was the first major organization to disclose that it had been hacked as part of the Chinese government's Operation Aurora.
"Overnight, it was acceptable to talk about nation-states stealing your stuff," Moss said at last year's Black Hat Europe conference.
U.S. Intelligence Agencies' Greatest Hits
None of this sort of behavior is new. For more than 50 years, for example, Swiss firm Crypto AG sold encryption gear that had been backdoored by the CIA, which was a secret owner of the firm, together with West German intelligence. As The Washington Post reported earlier this year: "These spy agencies rigged the company's devices so they could easily break the codes that countries used to send encrypted messages."
But in the digital era, finding and publicizing these attacks is more important than ever so that potential victims can do more to defend their systems. Publishing nation-state hackers' TTPs - tactics, techniques and procedures - also makes it more costly for foreign governments to run cyberespionage operations (see: Turla Teardown: Why Attribute Nation-State Attacks?).
Lesson: Make Breach Reporting Mandatory
One lesson to be learned from the SolarWinds supply chain attack is that rapidly publicizing all data breaches is more important than ever. Under the EU's General Data Protection Regulation, for example, organizations that handle Europeans' personal data must inform relevant authorities within 72 hours of discovering a breach.
But no such all-encompassing federal law exists in the U.S.
Regarding the SolarWinds supply chain attack, "had Kevin Mandia of FireEye not made the courageous - and arguably legally unnecessary - decision to publicly disclose their breach and threat analysis, we would likely not be aware of this massive campaign for many more months," says Dmitri Alperovitch, the former CTO of cybersecurity firm CrowdStrike, via Twitter.
Information sharing is vital for rapidly bringing campaigns such as the backdooring of the SolarWinds Orion code to light.
"We must urgently pass a federal data breach notification law that obligates companies and government agencies to publicly disclose all threat indicators as early as feasible, without jeopardizing the course of the investigation, regardless of whether the breach caused impact," Alperovitch says.