Keep Your Powder Dry

I’m reading a lot of saber-rattling about the Russian hacking of multiple federal departments and private companies. At DefenseOne Aaron Boyd warns that the problem is bigger than has been recognized:

The fallout from the SolarWinds breaches will be far more difficult and time-consuming to remediate than originally assumed, as the attackers likely found more ways to enter federal networks than just the SolarWinds Orion product and have been targeting IT and response personnel, according to the government’s lead cybersecurity agency.

while in an op-ed in the Wall Street Journal Mike Rogers demands an immediate and proportional response to the attacks:

The U.S. needs to respond in a smart, considered manner. Shutting off the lights in Moscow isn’t an appropriate or proportional response. Disrupting the networks of the SVR or GRU—Russian military intelligence—may well be. If the U.S. doesn’t define red lines today and demonstrate that there are consequences for crossing them, we will continue to be the victim of cyberattacks. The breaches will only get worse.

He finally arrives at what is almost certainly the wrong conclusion:

The incoming administration must appoint a national cyber director, a provision included in the recently passed National Defense Authorization Act, and an issue on which I testified this summer. We can’t afford to have dozens of offices and agencies running their own cybersecurity policies and budgets. The White House must assert itself.

Centralization is the problem, not the solution. Centralization and monoculture render us more vulnerable, not less.

The editors of the New York Daily News have their own proposals:

Step one is determining the extent of the damage done, while gathering forensic evidence to definitively nail the perpetrators. That’s no simple task, as the scale and duration of the invasion could allow a maddening web of crimes, including mass falsification of information.

Step two is making clear that an intrusion so sweeping will not go unpunished, lest America winds up inviting brazen attacks not only from Russia but from China, North Korea, Iran and others.

Step three is striking back with intensity — a job that, given Trump’s hesitancy, will likely fall to Joe Biden.

None of those would be my first step. I’d start by enforcing the laws that are already on the books. If SolarWinds had complied with its obligations under Sarbanes-Oxley, the problem could never have occurred. I would also point out that SolarWinds’s twenty-some-odd patents impair competition. That, after all, is what patents are supposed to do.

A little back-of-the-envelope calculation suggests to me that the cost of investigating and remediating the attacks will be in the vicinity of $5 billion.

As I’ve already observed, prevention will be extremely difficult. Cyber-attack is asymmetric warfare. Hardening targets is possible but will require some pretty draconian measures that I can’t imagine actually taking place. Counter-attacking in kind not only legitimizes cyber-attacks but invites reprisals.

4 comments
  • Andy

    The human factor is always the weakest link. Designing secure systems is easy, but they also have to be usable for actual people so that they can perform their jobs and do so with a modicum of efficiency.

    People don’t like inconvenience. People don’t understand why the “dumb” security policy is necessary so they ignore it. Hillary Clinton’s desire to only have “one device” is probably the best illustration of this tendency.

    One option that was frequently discussed in the DoD when I was there was a separate unclassified system segregated from the internet like the classified systems are. The “secure” unclassified system would be encrypted like the classified systems and contain PII and other sensitive but unclassified information.

    That’s not a simple solution, however, and would cause all kinds of other problems and add additional costs. The management of the cryptography alone would be immense. Compromises would have to be made.

  • bob sykes

    All that assumes the attack actually happened. Considering the criminal behavior of our legal and intelligence agencies before and during the Trump administration, one can reasonably doubt it.

    But more importantly, even if it did happen, we are being stampeded into some sort of precipitate action against Russia, and eventually China and Iran. There are people in our government, executive and legislative, who believe that Russia can be taken down without undue repercussions. They also believe that China can be strangled by a sea blockade, and that it will lie down and take it.

    We are closer to nuclear war today than at any time since the Cuban Missile Crisis, which I am old enough to remember clearly.

  • CuriousOnlooker

    None of the responses Mike Rogers or the New York Daily News recommend are proportional based on what is currently publicly known.

    I wish there were disclosure on how SolarWinds’s source code / build system was breached. Depending on the setup, there may be repercussions for many other software companies.

  • steve

    Boy genius is home so we have been talking about this. Secure systems that would interact with the internet are probably not that easy to design, but what we have at present are a lot of old, faulty legacy systems. They are difficult to make secure. Designing a newer system and incorporating real security would be a big leap forward, but then you would risk losing a lot of information tied up in those legacy systems.

    I am still wondering if having almost all government IT farmed out is an issue. Is it even possible in the military the way promotion systems work for someone to work in IT their entire career and get good at it?

    Steve
