18 February 2021

SolarWinds and the Three Rs


There is a folktale about a band of monkeys who get soaked by rain every night and loudly promise they will build a better shelter. When daylight comes, they forget this and go about their business. The next night, there is more rain and more promises, and no action in the morning. This cycle resembles the discussion of cybersecurity.

There are many precedents for the sweeping SolarWinds hack. In 2010, Google and at least 80 other major companies were hacked by China (many never admitted it publicly), and there have been other similar cases. An attacker finds a vulnerability in widely used software, crawls the net to see who is using it, and harvests those of interest. One cyber researcher said a decade ago he could find as many as 10 such programs running globally in any given year, simultaneously targeting dozens of human rights activists, Tibetans, embassies, government agencies, and companies.

Capturing the updater is also an old trick. There are complaints that the government should have detected the malware embedded in SolarWinds software. Some go so far as to say that this shows the private sector is better at defense, but if that is true, why did the hundreds of commercially available cybersecurity tools also fail to detect the hack? We were “pwned” and blame can be shared equally.

The scale of the SolarWinds hack is impressive, but this probably is the result of better data management and data analytic tools now available. These let intelligence agencies manage huge pots of data, which is the way intelligence works now. Agencies can manage and exploit the collection from many more targets. Russia is not alone—all major intelligence agencies do something like this.

There were signs of improvement in the immediate response to the SolarWinds hack. In a 2008 incident where multiple federal agencies were hacked, some learned of it only after reading the newspaper. This time, the Department of Homeland Security (DHS) did quite well, getting a notice of the vulnerability and countermeasures out within a few days of discovery. But much of SolarWinds, from the cries of outrage and finger-pointing to the promises to do better, is tediously familiar.

This brings us to the three “Rs.” President Biden has promised to take action, placed a skilled and knowledgeable official in charge of the response, and already called President Vladimir Putin of Russia to warn him. This is very encouraging. We can speculate on Russian motives, but there should be no doubt that they interpreted the failure of the last administration to object to Moscow’s hacking as a green light for more attacks. But the light has changed to yellow.

The three “Rs” are response, regulation, and Russia. If we have learned anything in the last 20 years, it is that a failure to push back only encourages more attacks—this lesson goes back to the Bush administration. The Russians were surprised when the United States did nothing in 2016 in response to Moscow’s election interference, and decided that this meant they had overestimated the risk of retaliation and had a free hand for hacking. The Biden administration has taken a good first step in warning them that this is no longer the case.

But what form the response should take is an open question. More sanctions are useless; they no longer bother the Russians. While discussions with Russian officials show they have a neuralgic reaction to the word “indictment,” indicting a few people is not proportional to SolarWinds. The United States has been working on a menu of potential responses—it has not been made public, which is a mistake—but now is a good time to test it. A first task for the administration is to decide on a proportional response (SolarWinds does not justify bombing Yekaterinburg, for example, but a response must be more than words). This response should be made known to allies and, when appropriate, to opponents and to the public, and actually implemented. There are issues in messaging, coordination, and attribution that need to be addressed, but coercive responses are the only actions likely to change Russian and Chinese calculations of the risk of hacking the United States.

Americans do not like to be regulated, and Congress has refused to give DHS or other agencies the needed authorities to regulate networks for cybersecurity purposes. The Obama administration developed a clever workaround to this political problem in 2013 (after the Senate blocked legislation) with Executive Order 13636, which created the National Institute of Standards and Technology Cybersecurity Framework and tasked “sector-specific” agencies with existing regulatory authorities to see that it was implemented. The Biden administration should do two things: the seven-year-old framework needs to be updated to take into account changes in technology that create third-party risk, such as software as a service (SAAS) and cloud computing. Second, Executive Order 13636 only applies to companies that are already regulated as critical infrastructure. We need to consider how to extend cybersecurity regulation to other sectors. Neither of those tasks is easy, but it is important to start now.

Finally, we need to recognize that two countries—Russia and China—are responsible for the most damaging cyberattacks. (There is some confusion over this in public discussion, but that is a comment on the quality of the debate, not the data.) Russia is the immediate threat since their goals in hacking are to damage as much as to collect. A response to SolarWinds should ultimately be part of a larger strategy for dealing with Russia. The previous administration was somewhat craven in this regard, so much needs to be repaired. Nor will reaching a more acceptable modus vivendi with Russia (or China) be easy. Their first inclination will be to test the Biden administration to see if it is serious.

Announcing these three Rs would be a good start in pushing back against SolarWinds and repairing some of the damage. We could add a fourth “R,” resilience. Greater cyber resilience is a good long-term goal; it is subsumed in part as an element of expanded regulation, and in part it is a political challenge. There is a technical aspect in hardening defenses and building redundancy in data and services, but the core of resilience is leadership that does not ignore a problem or crumple at the first defeat. Resilience can only be shown through action, and the three Rs would build on the good start this administration has already made.

James Andrew Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.