Thomas P. Bossert
At the worst possible time, when the United States is at its most vulnerable — during a presidential transition and a devastating public health crisis — the networks of the federal government and much of corporate America are compromised by a foreign nation. We need to understand the scale and significance of what is happening.
Last week, the cybersecurity firm FireEye said it had been hacked and that its clients, which include the United States government, had been placed at risk. This week, we learned that SolarWinds, a publicly traded company that provides software to tens of thousands of government and corporate customers, was also hacked.
The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.
This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.
According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.
The magnitude of this ongoing attack is hard to overstate.
The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.
While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.
The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.
The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior.
What should be done?
On Dec. 13, the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security — itself a victim — issued an emergency directive ordering federal civilian agencies to remove SolarWinds software from their networks.
The removal is aimed at stopping the bleeding. Unfortunately, the move is sadly insufficient and woefully too late. The damage is already done and the computer networks are already compromised.
It also is impractical. In 2017, the federal government was ordered to remove from its networks software from a Russian company, Kaspersky Lab, that
was deemed too risky. It took over a year to get it off the networks. Even if we double that pace with SolarWinds software, and even if it wasn’t already too late, the situation would remain dire for a long time.
The remediation effort alone will be staggering. It will require the segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks. Somehow, the nation’s sensitive networks have to remain operational despite unknown levels of Russian access and control. A “do over” is mandatory and entire new networks need to be built — and isolated from compromised networks.
Cyber threat hunters that are stealthier than the Russians must be unleashed on these networks to look for the hidden, persistent access controls. These information security professionals actively search for, isolate and remove advanced, malicious code that evades automated safeguards. This will be difficult work as the Russians will be watching every move on the inside.
The National Defense Authorization Act, which each year provides the Defense Department and other agencies the authority to perform its work, is caught up in partisan wrangling. Among other important provisions, the act would authorize the Department of Homeland Security to perform network hunting in federal networks. If it wasn’t already, it is now a must-sign piece of legislation, and it will not be the last congressional action needed before this is resolved.
Network operators also must take immediate steps to more carefully inspect their internet traffic to detect and neutralize unexplained anomalies and obvious remote commands from hackers before the traffic enters or leaves their network.
The response must be broader than patching networks. While all indicators point to the Russian government, the United States, and ideally its allies, must publicly and formally attribute responsibility for these hacks. If it is Russia, President Trump must make it clear to Vladimir Putin that these actions are unacceptable. The U.S. military and intelligence community must be placed on increased alert; all elements of national power must be placed on the table.
While we must reserve our right to unilateral self-defense, allies must be rallied to the cause. The importance of coalitions will be especially important to punishing Russia and navigating this crisis without uncontrolled escalation.
President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government. He must use whatever leverage he can muster to protect the United States and severely punish the Russians.
President-elect Joe Biden must begin his planning to take charge of this crisis. He has to assume that communications about this matter are being read by Russia, and assume that any government data or email could be falsified.
At this moment, the two teams must find a way to cooperate.
President Trump must get past his grievances about the election and govern for the remainder of his term. This moment requires unity, purpose and discipline. An intrusion so brazen and of this size and scope cannot be tolerated by any sovereign nation.
We are sick, distracted, and now under cyberattack. Leadership is essential.