20 January 2021

CES 2021: Microsoft's Brad Smith slams SolarWinds 'indiscriminate assault'


Microsoft's president has called the SolarWinds hack an "mass indiscriminate global assault" that should be a wake-up call to cyber-defenders.

Brad Smith was making a keynote speech at the CES technology trade show.

Earlier, it emerged President-elect Joe Biden had created a new post for a former National Security Agency official to help determine the US response to the attack.

Anne Neuberger had specialised in operations against Russia.

Pre-emptive strike

Plans to appoint her to the role of deputy national security adviser for cyber-security within the National Security Council were first reported by Politico and have now been confirmed by the New York Times.

The NYT said she had run the NSA's Russia Small Group, responsible for a pre-emptive strike on Kremlin operatives in 2018.

She is currently head of the agency's Cybersecurity Directorate.

US intelligence agencies believe Russia was behind the SolarWinds attack, which compromised email accounts at the US Department of Justice as well as giving the perpetrators access to the systems of government agencies, businesses and other organisations worldwide.

The full extent of the attack has yet to emerge.

The Kremlin has denied involvement.

'Mass assault'

SolarWinds sells a widely used network monitoring tool that was altered to provide the hackers with a backdoor.

Microsoft was among the victims and has confirmed some of its source code - the normally inaccessible instructions behind its software - had been accessed.

"Governments have spied on each other for centuries, it would be naive to think or even ask them to stop," said Mr Smith in his keynote.

"But we've long lived in a world where there were norms and rules that created expectations about what was appropriate and what was not.

"And what happened with SolarWinds was not.

"Why? Because this wasn't a case of one nation simply trying to spy on or hack its way into a computer network of another.

"It was a mass indiscriminate global assault on the technology supply chain that all of us are responsible for protecting.

"It is a danger that the world cannot afford."

Covid crisis

Security experts needed to learn one of the lessons of the 11 September 2001 terror attacks, which had exposed how different US government agencies had failed to share threat information, Mr Smith said.

"We need to move, as the 9/11 Commission said, from a culture where people only gave others information when they had a need to know," he said.

"And in the words of that commission, change the culture so that people feel a need to share."

Mr Smith also said there was a greater need to work together to tackle attacks linked to the Covid crisis.

"We have lived through the biggest pandemic in a century," he said.

"And what did some people use that pandemic to do?

"To launch cyber-attacks against hospitals, against the public health sector, against the World Health Organization, against the first line of critical responders.

"This too should be off limits."

Ms Neuberger will now be responsible for trying to persuade US agencies and the country's wider cyber-security sector to work together against such threats.

In her previous role, she coordinated the response of US government agencies to a flaw her team discovered suspected Russian hackers were using.

"It was really great to see five different cyber-security entities using that to identify other Russian intelligence infrastructure and then take that down," she told CBS News in August.

Last month, Mr Biden said once the extent of the damage the SolarWinds hack had caused was better known, the US would probably "respond in kind".

There will be many in the cyber-security industry who nodded along enthusiastically with Brad Smith.

The SolarWinds hack has stunned and terrified the sector - particularly those who make and sell software to protect us from hacks.

The last few weeks have been a nightmare scenario playing out in slow motion as more and more details of the scope and depth of the intrusion have been drip-fed to the public.

For the intelligence community though, at least in private, it's more of a case of: "Why didn't we think of that?"

All nations hack each other and supply chain attacks like this -albeit not as successful - have been used in the past for spying or disruption.

Clearly the Biden administration is preparing to respond in some way. But in truth, aside from perhaps a public naming and shaming of the hackers, there is little it can do directly to the perpetrators involved.

What happens behind closed doors is far more significant as cyber-defences will need to be rebuilt and potential offensive retaliation planned.

No comments: