In his column at Bloomberg Hal Brands outlines his plan for responding to the massive security breach of U. S. government departments and private companies by Russian hackers:
First, don’t fall asleep on Russia, even as the Chinese threat attracts the majority of America’s geopolitical attention. Putin’s Russia may be a declining, economically moribund power. But his high tolerance for risk, combined with Moscow’s talent for identifying and exploiting Western vulnerabilities, means that Washington downplays the Russian challenge at its peril.
Second, effective cyberstrategy must blend unilateral and multilateral measures. It seems likely that many other countries were victimized by the SolarWinds hack. The U.S. must therefore work more closely with other advanced democracies to strengthen shared warning networks, coordinate damage assessments, and impose sharp costs on malign actors. As Microsoft president Brad Smith argues, “In a world where authoritarian countries are launching cyberattacks against the world’s democracies, it is more important than ever for democratic governments to work together.”
Third, those responses cannot be solely defensive. SolarWinds highlights the basic offense-defense asymmetry in cyberspace: A clever attack will require remediation efforts costing orders of magnitude more than the attack itself. Moreover, the relatively open nature of the democratic internet, and the fact that responsibility for cybersecurity is diffused among so many public and private actors, creates vectors of vulnerability that will always tempt authoritarian regimes.
all of which convince me that he doesn’t understand the scope of the problem.
The federal government and U. S. governments in general have major structural problems which render them peculiarly incapable of maintaining cybersecurity. Among these structural issues are:
- Security talent tends to be homegrown, i.e. provided by individuals, frequently self-taught, already working in their departments.
- Worse still, they may be outsourced. The incident involving Edward Snowden revealed the risks of doing that.
- Governments are unable to discipline public employees. They can move them but terminating civil service employees is incredibly cumbersome.
- Procurement rules make it practically impossible to respond in an agile manner.
- Governments don’t just tend to use software monocultures but they frequently use extremely outdated software monocultures.
Those leave just two strategies for making governments more secure. The first would be to detach their networks from the Internet entirely and not allow any devices which can be connected to the Internet to connect to their networks. That’s actually done in certain very highly secure facilities in the government. As should be needless to say, that would be extremely impractical to do across all levels of government, basically setting them back 30 years. That’s at least ten years more than they’re already behind the times.
The alternative would be to reorganize personnel, staffing, budgeting, procurement, and the very structure of the government from top to bottom. Governments should be much more distributed and resilient than they are. Need I belabor the point? Those things aren’t going to be done, either.
In the absence of one of those two strategies none of the measures Mr. Brands suggests will be particularly effective.
One more point. SolarWinds is publicly traded (it took an enormous hit following the revelations—practically a near-death experience). It should be sued under the provisions of Sarbanes-Oxley. It is pretty obviously in violation. That might be true of Microsoft as well.
Detaching Government systems from the internet is the only solution that has a high likelihood of working; or kicking the Russians/Chinese/North Koreans/etc. off the internet.
Implicit in the architecture of the internet (going back to ARPANET) is its goal of resiliency among a set of trusted actors.
Trying to secure these systems in an internet co-inhabited with untrusted actors is like putting a square into a round hole.
Even FireEye, experts in cybersecurity, were also hacked in this incident and had their red team tools (which are a crown jewel of the company) stolen. I think FireEye’s level of expertise is at the limit of what US Governments can do. If Government systems stay connected to the same internet as the Russians, Chinese, or hackers of all sorts, it is asking the Government to have a proficiency in cybersecurity that no organization on earth has demonstrated so far.
I agree with everything in that comment. Clearly, you DO understand the problem.
Given the will we might be able to shut China out of the Internet. I don’t think we have the will. They are not good cyber-citizens. Based on my personal experience if we shut the Chinese out it would eliminate 90% of the malicious traffic and an enormous amount of the overall traffic.
I don’t think we could shut Russia out of the Internet if we wanted to—the Germans wouldn’t stand for it. They’re too dependent on Russia.
Haven’t read a lot on this. Didn’t it affect private companies as well or was this only government? I assume it must have hacked only government since you are writing mostly about problems with govt systems. Separating off the net would seem to be the answer for a lot of this, when possible. Talking with my son, who is doing DoD work, and his friends, some of whom are doing cybersecurity work, I am always struck by how little we really spend on this issue in terms of time and money. I know our network spends some on this issue, but at the individual employee level, the source of a lot of hacks, training mostly consists of an occasional email going out to all employees directing us to not do something, in among the many other emails about the gift shop hours changing, employees of the month and billing changes.
Steve
According to the reports that I’ve read some 40 different entities in the U. S. public and private were breached. The only private company I’ve seen mentioned by name is SolarWinds. If the company escapes the death penalty, they’ll be darned lucky. There have been some rumors that Microsoft was breached, too, but I don’t find those very credible. I think it’s more likely that the rumors are exaggerations.
From my point of view the most egregious breach was the Department of Homeland Security. They’re supposed to be responsible for protecting the rest of us from this sort of thing and they can’t even protect themselves.
The key point, as mentioned in the post, is that with a private company employees who let down their guards can be disciplined, even terminated. Labor unions and civil service regulations make that extremely difficult for governments.
Has firing employees helped private companies keep from getting hacked? Seems like I read about a lot of private corporations getting hacked pretty often. They have the ability to fire employees and still get hacked. I am serious here. Has firing staff been part of a successful effort to avoid being hacked anywhere? It seems to me that we get firings after the fact.
Steve
To maintain security there must be accountability. The possibility of termination is the highest level of accountability. As CuriousOnlooker notes, in the final analysis perfect security is impossible as long as you’re connected to a network to which China and Russia have access. But it is possible to make it harder.
The weak link here was apparently SolarWinds. I don’t see how their builds could have been compromised if they’d even observed basic security protocols. It will probably drown in the ensuing civil suits.
The incident definitely affected the private sector.
As mentioned, FireEye was breached; Microsoft stated the compromised SolarWinds software was in its networks, but no production systems or user data were compromised.
In general, Government procures software from a vendor after it is popularized in the private sector.
“Putin’s Russia may be a declining, economically moribund power. ”
That statement alone shows that Brands is an ignorant fraud. Russia’s economy is at least 10% larger than Germany’s. It has very little or no foreign debt. Its federal budget is balanced or in surplus. It runs a trade surplus without its gas and oil exports. Its strategic and tactical nuclear forces are more modern than ours. Its manufacturing economy is far more diversified than ours, and is becoming even more so, with high density chips in the offing and modern jet engines and commercial aircraft in production. Its military technology is on a par with the US’, and it is superior in some areas.
Russia has two or three times as many engineers per caput as the US. This reflects the loss of industrial base by the US. They are probably better trained.
Russia’s huge expansion (three times the area of the US with less than half the population) means that per caput infrastructure costs are enormous. The loss of half its population and industry in the Soviet collapse and the US induced economic collapse and looting that followed still cripples the Russian economy.
However, Putin’s ability to turn things around is one of the greatest achievements in recent history, exceeded only by Deng’s economic reforms in China, which rescued almost 400 million people from poverty.
Our enemies are outperforming us across the board. Our current “elites” are a world joke.
Don’t know that cutting China off would solve anything. Plenty of folks willing to crack security for cash and/or S&G. We will have to accept security is an ongoing Lensman style conflict.
BTW, how would the FANG react when China is black hole routed?
Not well I presume. FWIW we wouldn’t have such gaping security issues if Microsoft cared as much about security as in expanding its market share.